What to expect
The Host Forensics class focuses on understanding the incident response lifecycle and how forensic analysis fits into that process, from the collection of evidence to the analysis of that evidence, investigating whether a device is compromised and uncovering the details of the incident. The class contains a combination of lectures, hands-on lab exercises, challenges, and instructor-led demonstrations. Participants will learn how to forensically collect memory from a system and how to instrument endpoints for live collection of forensic artifacts. Participants will then analyze that data, learning topics such as the fundamentals of the Windows executive process, critical system processes, objects being accessed by running processes, loaded modules and DLLs, extraction of files out of memory, network communications, registry analysis, Windows services, persistence mechanisms, and other Windows artifacts useful for analysis. The class will also look at how the Solarwinds Orion compromise could have been detected and analyzed, how to operationalize threat intelligence, how to find evidence of exfiltrated data, and some fundamental considerations for working in operational technology environments. After this class, participants will be equipped with the essential skills to understand how the compromise occurred by reconstructing attacker activity, and to produce actionable information for responding to the incident by containing and eradicating the threat.
Audience
- Security Operations Center Staff
- Incident Responders
- Reverse Engineers
- Software Engineers
- System Administrators
- Site Reliability Engineers
Applicability
This class is geared toward anybody wishing to learn more about forensic
artifacts from Windows systems, how Windows operates internally, and common
file systems. This includes incident responders, security operations center
staff, red teamers, penetration testers, computer technicians looking to
start in forensics, and more.
Objectives
- Forensics and incident response process
- Data collection processes: memory, live response data, forensic images
- Memory Analysis
- Solarwinds Compromise
- Endpoint logging with Sysmon
- Operationalizing Threat Intel
- Identifying Exfiltration
- OT Forensics Considerations
Setup
- Install a hypervisor that supports x64 Windows. We highly discourage the use of M1, M2, M3, etc. based Apple computers for this course because of the virtual machine we use.
- We recommend VMware Workstation Pro, or VMware Fusion for macOS.
- VirtualBox or other hypervisors may work, but you may be limited on advanced virtual machine functionality and may encounter issues.
- Download CyberFire Host Forensics Virtual Machine .ova file
- The link to the .ova file will be emailed before class, and the .ova will also be available on flash drives at the event.
- Import the .ova into your hypervisor
- Turn on the virtual machine to ensure that it imported properly
- Turn off the virtual machine
- Take a snapshot of the VM if possible
- Delete the CyberFire .ova file which was downloaded
- Once the virtual machine has been imported, there is no need to keep the original .ova