vulncon
Surya Teja Masanam
Digital Forensic Investigator, CRED
Saksham Tushar
Head of Security Operations, CRED

Name of Training:

Windows Forensics Masterclass with Malware Analysis Essentials

A full description of the training:

In today's digital landscape, the significance of digital forensics cannot be overstated. This two-day, beginner-friendly, hands-on training walks you through the Digital Forensics Lifecycle: collecting digital evidence and analysing it with free and open-source tools. It gives comprehensive coverage of Windows forensics, on both disk and memory, backed by case studies. We address forensic tool validation, the basic malware analysis skills analysts often lack, rapid triage of ever-growing volumes of evidence, fast-forensics and report-writing techniques for forensic analysts, and the latest advancements in the field. A CTF at the end tests the skills learned and builds muscle memory.

Attendees receive the lab instructions and evidence files needed to perform the analysis hands-on, so that they leave confident and clear on how to apply what they have learned to real-world investigations.

KEY TAKEAWAYS:

  • A comprehensive understanding of the Digital Forensics Lifecycle, with practical Windows forensics skills covering evidence collection strategies, disk and memory analysis, and malware analysis fundamentals.
  • The art of turning forensic analysis into clear, actionable reports, and the self-sufficiency to build your own forensic toolkit from free and open-source tools.
  • Going the extra mile: insights on leveraging the cloud and automation for fast forensics and quick wins.

Outline of the Class

Evidence Acquisition & Preservation:

  • Core Principles
  • Collection Strategies & Terminology
  • Collection Toolkit
  • Live Acquisition
  • Dead Acquisition
  • Local vs Remote Acquisitions
  • Chain of Custody
  • Challenges

Investigation & Artifact Analysis

  • Forensic Workbench Setup (Cloud and On-Prem)
  • MFT and USN Journals
  • File carving and Deleted Data recovery
  • Recycle Bin Analysis
  • Magic numbers & Metadata Analysis
  • Internet History & Application Analysis
  • Prefetch Analysis
  • Registry Analysis - MRU, Persistence items etc.
  • User behaviour analysis
  • USB Forensics
  • Event Log Analysis (RDP and Malicious Logins)
  • Thumbcache
  • Lnk Files & Jump Lists
  • Volume Shadow Copies
  • Timeline Analysis
  • Anti-Forensics
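
Two of the topics above, magic numbers and file carving, come down to one check: trust the bytes, not the file name. The following is an added example written for this page, not code from the training. Its signature table is a deliberately small, illustrative subset, and SAMPLE_BLOB is constructed here to stand in for a slice of unallocated disk space.

```python
"""Magic-number identification, extension-mismatch check and header carving.

Added illustration of the "Magic numbers & Metadata Analysis" and
"File carving" topics in the outline; this is not code from the training.
SIGNATURES is a small illustrative table, and SAMPLE_BLOB is constructed
here to stand in for a slice of unallocated disk space.
"""
import re
from typing import List, Optional, Tuple

# Well-known file signatures at offset 0 (assumption: a deliberately small
# subset; a real toolkit carries hundreds, including footers and offsets).
SIGNATURES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",  # also docx/xlsx/pptx/jar, which are zip containers
    "exe": b"MZ",          # PE images: .exe, .dll, .sys, .scr
}

# Extensions that legitimately map onto another entry's signature.
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip",
                     "pptx": "zip", "jar": "zip", "dll": "exe", "sys": "exe"}


def identify(data: bytes) -> Optional[str]:
    """Return the format whose signature matches the start of data, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the claimed extension disagrees with the real magic number.

    Catches the common rename trick (a PE dropped as 'invoice.pdf'). Files
    whose signature is not in the table are not flagged, so unknown formats
    do not generate false positives.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXTENSION_ALIASES.get(ext, ext)
    actual = identify(data)
    return actual is not None and ext != actual


def carve_headers(blob: bytes) -> List[Tuple[int, str]]:
    """Find every known signature anywhere in an unstructured blob.

    Returns (offset, format) pairs sorted by offset. Header hits alone do
    not give file boundaries; recovering the file needs a footer or a
    parsed length field, so treat this as a triage list, not as files.
    """
    hits = []
    for name, magic in SIGNATURES.items():
        for m in re.finditer(re.escape(magic), blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: zero-filled slack with a PDF header, a PE stub and a
# PNG header scattered through it. Not a real disk image.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
    + b"\x00" * 8
    + b"MZ\x90\x00\x03\x00"
    + b"\x00" * 8
    + b"\x89PNG\r\n\x1a\n"
)

if __name__ == "__main__":
    print(identify(b"%PDF-1.7"))                         # pdf
    print(extension_mismatch("invoice.pdf", b"MZ\x90"))  # True
    print(carve_headers(SAMPLE_BLOB))                    # [(16, 'pdf'), (39, 'exe'), (53, 'png')]
```

The two-byte "MZ" signature is short enough to hit random data, which is why carving tools validate a candidate PE by parsing its DOS and NT headers before reporting it; the same validation step is what "How to validate a tool" in the Extra Mile section is about.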

Memory Forensics & Malware Essentials

  • RAM Dumps, pagefile.sys, hiberfil.sys
  • Data Carving
  • Regex Analysis - URLs, emails, etc.
  • Identifying Evil Processes & Network Connections
  • Hunting for RATs, Infostealers, Ransomware, etc.
  • Identifying and Dumping Evil Files via Volatility
  • Basic Malware Analysis - Both Static and Dynamic
  • Malware Sandbox Analysis
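
The data-carving and regex topics above share one practical caveat: Windows keeps most user-facing strings in memory as UTF-16LE, so an ASCII-only regex pass silently misses them. The following is an added example written for this page, not code from the training; it runs the same URL and e-mail patterns over both encodings. SAMPLE_IMAGE is constructed inline and is not a real memory dump.

```python
"""Regex sweep of a raw memory image for URLs and e-mail addresses.

Added illustration of the "Data Carving" and "Regex Analysis" topics in the
memory module; this is not code from the training. Windows keeps most
user-facing strings in memory as UTF-16LE, so an ASCII-only regex pass
silently misses them; this runs the same patterns over both encodings.
SAMPLE_IMAGE is constructed here and is not a real memory dump.
"""
import re
from typing import Dict, List, Tuple

# Runs of at least 6 printable characters, in 8-bit and in UTF-16LE form.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Indicator patterns applied to decoded text. Deliberately loose: triage
# output is meant to be reviewed, and a tight pattern that misses a C2
# URL costs more than a few extra hits.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")


def printable_strings(image: bytes, include_wide: bool = True) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in the image."""
    runs = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_RUN.finditer(image)]
    if include_wide:
        runs += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
                 for m in WIDE_RUN.finditer(image)]
    return sorted(runs)


def extract_indicators(image: bytes, include_wide: bool = True) -> Dict[str, List[str]]:
    """Collect unique URLs and e-mail addresses from the image's strings."""
    urls, emails = set(), set()
    for _, _, text in printable_strings(image, include_wide):
        urls.update(URL_RE.findall(text))
        emails.update(EMAIL_RE.findall(text))
    return {"urls": sorted(urls), "emails": sorted(emails)}


# Constructed sample: an HTTP request fragment in ASCII, a C2-style URL and
# a second address stored wide, and one ASCII e-mail address, separated by
# non-printable padding. Names use reserved example domains and a TEST-NET
# address.
SAMPLE_IMAGE = (
    b"\x00\x00\x17\x3a"
    + b"GET /login HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    + b"\xff" * 4
    + "https://c2.example.net:8443/beacon?id=7".encode("utf-16-le")
    + b"\x00\x00"
    + b"support@example.com"
    + b"\x01\x02"
    + "victim.user@example.org".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    print(extract_indicators(SAMPLE_IMAGE))
    # ASCII-only view: the C2 URL and the second address disappear.
    print(extract_indicators(SAMPLE_IMAGE, include_wide=False))
```

The include_wide=False path is there to make the failure mode visible: on this sample it returns no URL at all, which is exactly what an analyst sees when running a plain strings-and-grep pass over a Windows image without the wide-string option.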

The Extra Mile

  • Fast Forensics & Automation
  • Forensic Toolkit
  • How to validate a tool
  • Leveraging the Cloud for Lab Setup/Evidence Collection
  • Further practice resources

Capture The Flag

  • Participate in the CTF to test and validate the skills learned in the training and build muscle memory.

LAB REQUIREMENTS

  • Laptop with Windows 10 64-bit
  • Processor: Core i5 or equivalent processor
  • RAM: 8 GB minimum; more is recommended
  • Disk Space: 100 GB
  • Virtualisation Support enabled
  • Admin/install rights

PRE-REQUISITES

  • Familiarity with Windows Operating System.
  • Cybersecurity basics and terminology
  • Knowledge of handling virtual machines
  • Curiosity, willingness and, of course, the lab requirements above

Trainer

Surya Teja Masanam
Digital Forensic Investigator, CRED

Surya is a Digital Forensic Investigator and Malware Analyst with 7+ years of experience building and running DFIR programs from scratch, including SOPs and field manuals, at the organizations he has worked for. He currently leads the Digital Forensics & Incident Response charter at a fintech company, bringing several years of experience handling cases involving Windows, Linux, Mac and AWS in both corporate and government bodies. He is an engaging, understanding and knowledgeable technical trainer, with experience instructing both small and large groups across diverse industries. Surya believes in the power of community and has delivered training on Endpoint Forensics at conferences such as DEF CON Blue Team Village, BSides Singapore and Shellcon.

Saksham Tushar
Head of Security Operations, CRED

Saksham Tushar specializes in threat intelligence, detection, analytics and hunting. He has led teams and collaborated with organizations such as Informatica, Microsoft and IBM to establish multiple global Security Operations Centers. He is currently Head of Security Operations at CRED India. He has extensive expertise in developing, refining and transitioning Threat Management programs, including Advanced MDR Operations across the ASEAN and EMEA regions. He also creates threat detections and hunts and shares them with the community as analytical notebooks.