Incident Analysis

This practical 3-days incident analysis workshop puts one’s mind on the analysis of Windows systems including a bit of network traffic and contains several hands-on exercises. The training serves as an introduction to many areas which are relevant for an incident. Topics like incident handling and the incident response process are not part of the course.

During the course participants will learn a lot about windows/ malware internals, and how to:

• identify indicators of compromise
• analyze network traffic abnormalities
• analyze hard disks and core images forensically
• distinguish malware from harmless software
• analyze malware (behavior)
• correlate log data with a special Incident

Day 1:

• Conceptual basis
• Analysis of network traffic: Connection oriented

• Correlation of several log sources for an accurate analysis of a certain event
• Windows Analysis Basics: Windows architecture

Day 2:

• File system analysis using the example of NTFS: Investigating and restoring deleted files

• Extracting files from Disk Dump
• Malware analysis – part 1: Tools and techniques of static analysis

Day 3:

• Malware analysis – Part 2: Shellcode basics

• Memory analysis with Volatility: Operating system data in RAM

• Members of a CERT
• IT-Security Officers
• Interested parties on this topic

• Network and programming experience and knowledge about popular hacking methods are of advantage. 
• For practical exercises, Virtual Box should be already preinstalled on the laptop.
• Course participant should have administrative rights on the host computer for potential configurations. 
• As the majority of the exercises will take place on the Linux command line, experience in this respect is helpful, but not necessary.