Course: Host Forensics

Examine memory and disk artifacts to find forensic evidence of intrusion activity.


Finding malware activity, malicious actors, and insiders through computer evidence can be a challenge. Start with understanding data volatility and how to capture the most volatile data first, followed by less volatile data, then move into understanding that data. Along the way you will look at processes, open ports, network communication, registry artifacts, file system artifacts, data exfiltration, persistence mechanisms, loaded drivers, and more.

What to expect

The class contains demos that will be walked through and explained using one piece of evidence, followed by mini labs where you apply the same concepts from the demo to mock incident data, looking for items of interest. Classes follow the general Cyber Fire Foundry schedule: they start in the morning and end in the afternoon, with a morning break, a lunch break, and an afternoon break.

Who should attend?

  • Security operation center staff
  • Incident responders
  • Reverse engineers
  • Software engineers
  • System Administrators
  • Site Reliability Engineers

Is this the right class for me?

This class is geared toward anybody wishing to learn more about forensic artifacts from Windows systems, how Windows operates internally, and common file systems. This includes incident responders, security operations center staff, red teamers, penetration testers, computer technicians looking to start in forensics, and more.

Day 1

Topics                                                  Duration
  • Overview and introductions                          90m
  • Forensics and incident response process
  • Data collection and processes                       90m
  • Live response data
  • Memory collection
  • Windows process analysis                            90m
  • PowerShell and command prompt analysis
  • Windows service analysis
  • Loaded library analysis                             90m
  • Kernel module analysis
  • Network analysis

Day 2

Topics                                                  Duration
  • Registry overview                                   90m
  • Registry persistence
  • Registry user activity                              90m
  • Registry process execution
  • Windows service registry artifacts                  90m
  • Windows event logs
  • Intro to file systems                               90m
  • Disk artifacts in memory

Day 3

Topics                                                  Duration
  • SolarWinds supply-chain compromise                  120m
  • Operationalizing threat intelligence
  • Utilizing Sysmon for live response data             120m
  • Looking for exfiltration                            120m
  • Timeline analysis
  • OT/ICS forensics best practices

Laptop Configuration

  1. Install a hypervisor
    • We recommend VMware products such as Workstation Pro or Workstation Player for Windows and Linux, or VMware Fusion for OS X.
    • VirtualBox will work, but you may be limited in advanced virtual machine functionality.
  2. Download the CyberFire Host Forensics virtual machine .ova file
    • A link to the .ova file will be emailed before class, and the .ova will also be available on flash drives at the event.
  3. Import the .ova into your hypervisor
  4. Turn on the virtual machine to ensure that it imported properly
  5. Turn off the virtual machine
  6. Delete the CyberFire .ova file that was downloaded
    • Once the virtual machine has been imported there is no need to keep the original .ova.