Windows Forensics Advanced

Transcription

1 Windows Forensics Advanced Index: CF102 Description Windows Forensics - Advanced is the next step for forensics specialists, diving deeper into diverse processes on Windows OS serving computer investigators. This course provides participants with tools and techniques to perform various technical procedures on an advanced level. The training will also feature multiple lab-exercise sessions and is practiced hands-on to enable participants to acquire as much experience as possible in running forensic operations, and to challenge their thinking. Duration: 40 hours Target Audience The course is intended for participants with basic background in computer forensics or incident response, and preferably some experience in the field, who wish to advance their knowledge beyond the basics of the profession and enrich their forensics capabilities. Primarily: Cyber forensics investigators Incident responders Law enforcement officers & intelligence corps IT/network administrators IT security personnel Pre-requisites Background knowledge in computer forensics or incident response Participants should be familiar with most concepts and tools provided on CF101, among them: o Hacking into Windows systems o Windows forensics basics o Steganography o FTK Objectives Acquiring a deeper understanding of the forensics process and incident response lifecycle. Learning advanced techniques of accessing locked or encrypted computers, files and data and retrieving information from them. Practicing different methods of internet forensics to perform a full analysis of a user s online activity. Utilizing steganography and file carving techniques to identify tampered files with malicious content. Mastering techniques for cracking password-protected data.

2 Course Outline Module 1: The Forensics Process 8 hours During this module, students will become familiar with the lifecycle of the forensics process, and acquire a deeper understanding of various approaches to the world of forensic investigations, focusing on understanding the background mechanisms. They will master techniques for collecting evidence, accessing and retrieving volatile and non-volatile information, and practice incident response procedures. Building a forensics workstation o Setting-up a virtual machine o Installing and configuring the VM Collecting evidence o Imaging o Acquiring evidence from storage devices o Using hash against tampering Analyzing data Types of digital data o Hard Disk Drive (HDD) explained o Solid State Drive (SSD) explained o Disk partitions and boot process o Understanding file systems o Registry data: Examining registry data Extracting registry information using commercial tools Incident response procedures o Roles of first responder o First responder toolkit dd HxD Sysinternals NirSoft FTK Imager HxD Autopsy Volatility Bulk Extractor o Dealing with powered-on computers o Dealing with powered-off computers o Labs: Extracting data from an image Recovering lost or deleted files

3 Case study: deep examination of a recent cyber-attack and the corresponding forensics processes that took place Collecting volatile data o Logged-on users o Net sessions command o Open files o Network information o Network connections o Process information o Process memory Collecting non-volatile information o Prefetch files o Registry settings o Event logs o Index.dat file o Slack space o Swap file o Hidden ADS streams o Virtual memory Module 2: Subnetting 4 hours Subnetting is the practice of dividing a network into multiple networks; this module will enable students to better understand the attack vectors through the network, when the primary focus will be on how to reach one computer from another, where the sought-after information is stored. Understanding IP addresses Public vs. private IP addresses Network masks o Classes o CIDR o Binary o Subnet Understanding subnetting Subnetting by network Subnetting by hosts Subnetting VLSM Lab: Subnetting forensics participants will be faced with a compromised machine and will be required to perform a thorough investigation to determine who was the hostile factor within the network. Module 3: Advanced Hacking into Windows Systems 4 hours

4 Throughout this stage, participants will master different techniques used to bypass locked or encrypted systems, to enable access to the computer. Cain and Able o SAM o System John the Ripper EFS bypass Extracting EFS from memory Hacking locally into Windows Module 4: Steganography 4 hours Cyber criminals use steganography to install malware on the computer by hiding malicious code or concealing content inside another piece of content. During this module, participants will learn the correct approach to tempered files, and how to recognize other files hidden beneath them. Students will experience how malware can be stored and hidden on image and audio files, and discover the different tools used for uncovering them. Image steganography Audio steganography Steganography tools o StegoStick o QuickCrypto o PSM Encryptor Module 5: Internet Forensics 4 hours Internet forensics evolves around the extraction, analysis and identification of a user s online activities; the findings include artifacts such as log and history files, cookies, cached content, and any remnants of information left in the computer s volatile memory. During this module, participants will identify different user-behavior patterns, even after they tried to cover their tracks. Upon completion of this stage, they will be able to perform a detailed forensics analysis on the web domain. Open-source tools for internet forensics o NirSoft o Github DNS and web forensics TOR o Installing and using The Onion Router o Identifying the use of TOR in the organization Extracting web information from memory MiTM attacks Firewall findings Lab: investigating an image

5 Module 6: File Carving 8 hours File carving is used to extract data from any storage device without the assistance of the file system that created the file in the first place. The use of file carving in computer forensics enables the investigator to decipher which files or data is concealed behind other files. During this module, students will master advanced methods for manual file carving. File carving o Principles of data carving o Slack space o File metadata o File carving tools Foremost Scalpel Bulk FTK Imager Carving from memory, pagefile, and unallocated space analysis Manual carving o Demo: file carving from existing file o Magic numbers o Headers and footers o Using HxD for forensics carving Module 7: Application Password Cracker 4 hours During this module, participants will study the diverse types of passwords protecting applications, and the corresponding techniques to crack password-protected data. The focus of the module will be on various types of offline hacking, that will be widely used in following modules and during the overall forensics process. Password types Password cracking techniques Cracking Windows passwords Cracking offline passwords o RAR/Zip files o Pdf files o Office files Module 8: Writing Reports 4 hours During the final module, students will study different forensics reports prepared by investigators following past incidents. They will learn how to write a professional report, and which points to consider when addressing the documentation of findings of an incident. Known reports Writing reports o MD5 and SHA1

6 o o o o Capturing images Logging your data Reporting with automation Finalizing your report Final lab challenge: As the summery of the course, students will perform a general analysis of files that infected the system, and detail their finding on a final report.