Advanced Forensic Response and Analysis

The CERT Advanced Forensic Response and Analysis course is designed for computer forensic professionals who want to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations. Its goal is to advance students' collection and processing skills by outlining a structured process, or flow, for an incident response and intrusion investigation. Students will learn the pros and cons of common evidence collection measures and forensic analysis steps, methods for organizing analysis to identify relevant evidentiary data, and common areas containing items of evidentiary value that can further their investigations.

Who should attend?

The course is an advanced forensic training course designed for forensic analysts in the public or private sector who want to build on their current forensic knowledge. Students should be active computer forensic professionals with an understanding of core forensic and information technology principles. Students who currently conduct incident response and/or intrusion investigations should find the course helpful for extending their knowledge base. Students who currently conduct other types of computer forensic investigations will find that it opens the door to new collection and analysis techniques. The course is designed to be fast-paced. Students should have more than a basic understanding of common forensic principles, including evidence collection and analysis, and should actively conduct computer forensic investigations as part of their current position.

Topics

  • Incident Preparation
  • Incident Response
  • Evidence Collection from Live Systems
  • Malicious Software Identification
  • Malicious Software Runtime Analysis
  • Timeline Generation and Analysis
  • Analysis of Windows System Artifacts

Objectives

At the completion of this course students will have the ability to better perform the following tasks:

  • Prepare for an intrusion investigation, including performing reconnaissance and developing a known toolset
  • Apply best practices for responding to an incident and methods for collecting the data most relevant to their investigations
  • Perform analysis of victim and perpetrator systems: identify malicious applications, correlate system events with file activity, perform runtime analysis of malicious applications, and identify the artifacts that remain on a system after the intrusion

Prerequisites

This is an advanced course. Students should have a solid understanding of Windows operating systems and Windows artifacts, such as prefetch files, restore points, registry files and event logs. Students should also have a good understanding of Linux operating systems, including how to run applications from the terminal. Students should be familiar with developing a known or trusted toolset and with evidence collection. Students should also be familiar with malicious software files. Knowledge of VMware and virtual machine environments is required. Previous use of forensic software applications such as EnCase, FTK and/or The Sleuth Kit is required.

Materials

Participants will receive a course notebook and a CD containing the course material.

Schedule

This three-day course meets at the following times:
Days 1-3: 9:00 a.m.-5:00 p.m.

Course Details

Course Fees [USD]

U.S. Industry: $2400
U.S. Government/Academic: $1900
International: $3500
Lab Fee: $300 per person


Dates

November 4 - 6, 2014 (SEI, Arlington, VA)
June 9 - 11, 2015 (SEI, Arlington, VA)

This course may be offered by special arrangement at customer sites.

For More Information

E-mail: course-info@sei.cmu.edu
Phone: 412-268-7622
