Digital Forensics
Mastering Digital Forensics with Cyrin’s NICE Specialty Area Package Collects, processes, preserves, analyzes, and presents computer-related evidence in support of network vulnerability mitigation and/or criminal, fraud, counterintelligence, or law enforcement investigations. Cyrin’s Digital Forensics NICE Specialty Area Package – Tailored …
Overview
Mastering Digital Forensics with Cyrin’s NICE Specialty Area Package
Collects, processes, preserves, analyzes, and presents computer-related evidence in support of network vulnerability mitigation and/or criminal, fraud, counterintelligence, or law enforcement investigations.
Cyrin’s Digital Forensics NICE Specialty Area Package – Tailored Training for Modern Cyber Investigators. Dive into advanced skills, conduct investigations, and master the art of digital forensics. Your journey to becoming a Digital Investigative Maestro starts here!
This package consists of CYRIN labs focusing on the NIST National Initiative for Cybersecurity Education (NICE) Digital Forensics specialty area. Completing these labs will help you learn the skills needed for a job in the area.
PREREQUISITES
Prerequisites vary by lab, but are generally: familiarity with the Unix/Linux command line and basic networking concepts (TCP/IP, DNS, etc.).
EXPECTED DURATION
21.0 hours, self-paced. Pause and continue at any time.
21.0 CPEs awarded on successful completion.
PACKAGE CONTENTS
-
Analyzing Potential Malware
Students will learn to use the Cuckoo sandbox to determine if an executable or document is potential malware. If the executable is packed (compressed), they will learn to use a debugger to unpack it.
-
Intrusion Analysis using Network Traffic
Examine packet captures from actual intrusions and dive deeper into how attackers operate! Students will learn the details of protocols such as SMB and SSH by examining network traffic captures in Wireshark®, then will proceed to build network packets “by hand” in order to tunnel secret data in normal-looking traffic. Finally, students will learn the details of “web shell” payloads commonly used by attackers.
-
Advanced Analysis of Malicious Network Traffic
Continue your exploration into malware’s behavior on the network! Students will analyze network captures containing real, malicious network traffic, both by hand and using tools such as Security Onion and Sguil. Both malware spreading methods and command and control operations will be explored. In addition, students will create web shell payloads of their own to see how they operate from the inside.
-
Introductory File System Forensics
Disk-based analysis is the cornerstone of cyber forensics, whether it be to track what a suspect was doing or simply to recover accidentally deleted files. This lab introduces students to the process of imaging and forensically analyzing disks, including finding artifacts such as deleted files. The free Autopsy® forensic browser will be used in addition to command-line programs from the open-source Sleuth Kit® tool set.
-
Live Forensics using GRR
GRR Rapid Response is an open source live forensics tool originally created by Google. GRR allows an investigator to collect data about running systems on a network, anywhere from one system to thousands. In this lab, students will perform live remote forensic investigations against running systems. Without having to take the systems offline for imaging, students will examine running processes and network connections, files and disk artifacts, and registry keys across multiple target machines in a forensically-sound manner.
-
Introduction to Memory Analysis with Volatility
Analyzing a suspect system “live”, before disconnecting it and imaging the disks, often yields valuable forensic evidence. Further, it can help you determine whether a crime has been committed at all, or whether the system contains evidence at all, thereby avoiding time-consuming examination of irrelevant machines. The Volatility® framework is the dominant open-source memory analysis framework, examining RAM snapshots from a large variety of operating systems in multiple formats. This lab introduces students to the process of capturing a live RAM image and analyzing it using Volatility. Students will learn about several Volatility plugins for analyzing a Windows memory image, then analyze actual RAM images, including one with active malware, and view the results.
-
Introduction to Memory Analysis with Rekall
Analyzing a suspect system “live”, before disconnecting it and imaging the disks, often yields valuable forensic evidence. Further, it can help you determine whether a crime has been committed at all, or whether the system contains evidence at all, thereby avoiding time-consuming examination of irrelevant machines. Rekall is an advanced, open-source memory capture and analysis framework that has expanded to include a variety of live incident response tools. This lab introduces students to the Rekall framework, both for extracting evidence from memory images and for analyzing the current live state of the system. Students will learn about several Rekall tools, both on the command line and via the interactive console, for analyzing memory images. Students will then analyze several images of Windows systems with in-memory malware.
-
Windows Forensics Artifacts
A security analyst will likely be asked some time in his or her career to conduct a forensic analysis of a Windows workstation or server. In this lab the student will learn about forensic artifacts commonly found on Windows computers. Forensic artifacts are traces of user activity left behind on a computer even after the user logs out or the computer is shut down.
In this lab, students will investigate a suspected data breach by an employee of an organization. They will be given a disk image of the employee’s Windows workstation. They will learn where to look for forensic artifacts and the use of tools such as Autopsy®, Registry Editor, RegRipper, LECmd, JumpList Explorer, RecentFileCacheParser, PECmd, and ShellBags Explorer to extract information from these artifacts.
-
Conduct a Data Leak Investigation
Get experience conducting an internal investigation on a realistic corporate network.
You are a security officer for a shipping company whose trucks have repeatedly been hijacked by a criminal organization. The criminals appear to have advance information on the routes of the trucks, despite the company changing routes frequently. Company executives suspect someone within the company is leaking truck route information to the criminals. Students will have to determine who is leaking the information, how, and to whom.