Course: Host Forensics

Examine memory and disk forensic artifacts to find forensic artifacts.


Finding malware activity, malicious actors, and insiders through computer evidence can be a challenge. Start with understanding data volatility, how to capture the most volatile data, and less volatile data, then move into understanding that data. Looking at processes, open ports, network communication, registry artifacts, file system artifacts, data exfiltration, persistence mechanisms, loaded drivers, and more.

What to expect

The class contains demos that will be walked through and explained using one piece of evidence followed by mini labs where you will use the same concepts learned in the demo on mock incident data looking for items of interest. Classes follow the general Cyber Fire Foundry schedule, starting in the morning, ending in the afternoon with a break in the morning, a lunch break, and an afternoon break.

Who should attend?

  • Security operation center staff
  • Incident responders
  • Reverse engineers
  • Software engineers
  • System Administrators
  • Site Reliability Engineers

Is this the right class for me?

This class is geared toward anybody wishing to learn more about forensic artifacts from Windows systems, how Windows operates internally, and common file systems. This includes incident responders, security operations center staff, red teamers, penetration testers, computer technicians looking to start in forensics, and more.

Day 1

Topics Duration
  • Overview and Introductions
  • Forensics and Incident Response Process
 90m
  • Data Collection and Processes
  • Memory
  • Live Response Data
  • Forensics Images
 90m
  • Memory Forensics Analysis
 90m
  • Network Connections
  • Processes
 90m

Day 2

Topics Duration
  • Disk Forensics Overview
  • Registry Persistence
 90m
  • Registry User Activity
  • Registry Process Execution
 90m
  • Looking for Exfiltration
 90m
  • Reporting and Presentation Best Practices
  • Timeline Analysis
 90m

Day 3

Topics Duration
  • Solarwinds Supply-Chain Compromise
  • Utilizing threat intelligence
  • Using sysmon to analyze systems
 7h

Laptop Configuration

  1. Install a Hypervisor
    • We recommend VMWare products such as Workstation Pro or Workstation Player for Windows and Linux or VMWare Fusion for OSX.
    • VirtualBox will work, but you may be limited on advanced virtual machine functionality
  2. Download CyberFire Host Forensics Virtual Machine .ova file
    • The .ova file linked will be emailed before class and the .ova will be avilable on flash drives at the event)
  3. Import into hypervisor
  4. Turn on virtual machine to ensure that it imported properly
  5. Turn off the virtual machine
  6. Delete the cyberfire ova file that was downloaded
    • Virtual machine has been imported and there is no need to keep the original ova