Host Forensics
Examine memory and disk forensic artifacts to find forensic artifacts.
What to expect

The class contains demos that will be walked through and explained using one piece of evidence followed by mini labs where you will use the same concepts learned in the demo on mock incident data looking for items of interest. Classes follow the general Cyber Fire Foundry schedule, starting in the morning, ending in the afternoon with a break in the morning, a lunch break, and an afternoon break.

Audience
  • Security operation center staff
  • Incident responders
  • Reverse engineers
  • Software engineers
  • System Administrators
  • Site Reliability Engineers
Applicability

This class is geared toward anybody wishing to learn more about forensic artifacts from Windows systems, how Windows operates internally, and common file systems. This includes incident responders, security operations center staff, red teamers, penetration testers, computer technicians looking to start in forensics, and more.

Setup
  1. Install a Hypervisor
  • We recommend VMWare products such as Workstation Pro or Workstation Player for Windows and Linux or VMWare Fusion for OSX.
  • VirtualBox will work, but you may be limited on advanced virtual machine functionality
  1. Download CyberFire Host Forensics Virtual Machine .ova file
  • The .ova file linked will be emailed before class and the .ova will be avilable on flash drives at the event)
  1. Import into hypervisor
  1. Turn on virtual machine to ensure that it imported properly
  2. Turn off the virtual machine
  3. Delete the cyberfire ova file that was downloaded
  • Virtual machine has been imported and there is no need to keep the original ova