What to expect
The Host Forensics class focuses on understanding the incident response lifecycle and how forensic analysis fits into that process, from the collection of evidence to the analysis of that evidence by investigating whether a device is compromised and uncovering details of the incident. The class contains a combination of lecture, hands-on lab exercises, challenges, and instructor-led demonstrations. Participants will learn how to forensically collect memory from a system and how to instrument endpoints for live collection of forensic artifacts. Participants will then analyze that data, learning topics such as fundamentals of the Windows executive process, critical system processes, objects being accessed by running processes, loaded modules and DLLs, extraction of files out of memory, network communications, registry analysis, Windows services, persistence mechanisms, and other Windows artifacts useful for analysis. Participants will also explore detecting process injection and rootkits. After this class, participants will be equipped with the essential skills to understand how the compromise occurred by reconstructing attacker activity and to produce actionable information to respond to an incident by containing and eradicating the threat.
Audience
- Security Operations Center Staff
- Incident Responders
- Reverse Engineers
- Software Engineers
- System Administrators
- Site Reliability Engineers
Applicability
This class is geared toward anybody wishing to learn more about forensic
artifacts from Windows systems, how Windows operates internally, and common
file systems. This includes incident responders, security operations center
staff, red teamers, penetration testers, computer technicians looking to
start in forensics, and more.
Objectives
- Forensics and incident response process
- Data collection processes: memory and live response data
- Memory Analysis
- Endpoint logging with Sysmon
- Analyzing Windows event logs, registry, and services
- Explore process injection and rootkits on Windows
- Utilize YARA and Sigma rules with forensic tooling
Setup
- Install a hypervisor that supports x64 Windows. We highly discourage the use of M1, M2, M3, etc. based Apple computers for this course because of the virtual machine we use.
  - We recommend VMware Workstation Pro or VMware Fusion for macOS.
  - VirtualBox or other hypervisors may work, but you may be limited on advanced virtual machine functionality and may encounter issues.
- Download the CyberFire Host Forensics Virtual Machine .ova file.
  - The .ova file link will be emailed before class and will be available at the event.
- Import the .ova file into the hypervisor.
- Turn on the virtual machine to ensure that it imported properly.
- Turn off the virtual machine.
- Take a snapshot of the VM if possible.
- Delete the CyberFire .ova file that was downloaded.
  - Once the virtual machine has been imported, there is no need to keep the original .ova file.