Host Forensics

What to expect

The class contains demos that will be walked through and explained using one piece of evidence followed by mini labs where you will use the same concepts learned in the demo on mock incident data looking for items of interest. Classes follow the general Cyber Fire Foundry schedule, starting in the morning, ending in the afternoon with a break in the morning, a lunch break, and an afternoon break.
Technical Content advanced

Audience

  • Security operation center staff
  • Incident responders
  • Reverse engineers
  • Software engineers
  • System Administrators
  • Site Reliability Engineers

Applicability

This class is geared toward anybody wishing to learn more about forensic artifacts from Windows systems, how Windows operates internally, and common file systems. This includes incident responders, security operations center staff, red teamers, penetration testers, computer technicians looking to start in forensics, and more.

Objectives

  • Forensics and incident response process
  • Data collection and processes: memory, live response data, forensic images
  • Memory Forensics Analysis
  • Solarwinds Intro
  • Utilizing Sysmon
  • Operationalizing Threat Intel
  • Looking for exfiltration
  • Reporting and Presentation best practices
  • OT Host Forensics Considerations

Setup

  1. Install a Hypervisor that supports x64 Windows. We highly discourage the use of M1, M2, M3, etc. based Apple computers for this course because of virtual machine we use.
    • We recommend current VMWare products such as Workstation Pro or Workstation Player for Windows and Linux or VMWare Fusion for macOS.
    • VirtualBox may work, but you may be limited on advanced virtual machine functionality and may encounter issues
  2. Download CyberFire Host Forensics Virtual Machine .ova file
    • The .ova file linked will be emailed before class and the .ova will be avilable on flash drives at the event)
  3. Import into hypervisor
  4. Turn on virtual machine to ensure that it imported properly
  5. Turn off the virtual machine
  6. Delete the cyberfire ova file that was downloaded
    • Virtual machine has been imported and there is no need to keep the original ova