Digital Forensics and Incident Response
(DIG-FORNSC-IR.AJ1)/ISBN:978-1-64459-471-1
Explore the complexities of digital forensics, mastering the techniques of investigating cyber incidents, scrutinizing digital evidence, and effectively responding to cybersecurity threats. From grasping the essentials of cybercrime investigations to navigating advanced forensic analysis and incident response strategies, this course provides a comprehensive skill set. Dive into practical learning with the latest tools, analyze real-life examples, and develop the skills needed to strengthen digital environments.
Lessons
20+ Lessons | 148+ Exercises | 60+ Quizzes | 94+ Flashcards | 94+ Glossary of terms
TestPrep
55+ Pre Assessment Questions | 55+ Post Assessment Questions
Hands-on Lab
29+ LiveLab | 29+ Video tutorials | 49+ Minutes
Here's what you will learn
Lessons 1: Preface
- Who this course is for
- What this course covers
- To get the most out of this course
Lessons 2: Understanding Incident Response
- The IR process
- The IR framework
- The IR plan
- The IR playbook/handbook
- Testing the IR framework
- Summary
- Further reading
Lessons 3: Managing Cyber Incidents
- Engaging the incident response team
- SOAR
- Incorporating crisis communications
- Incorporating containment strategies
- Getting back to normal – eradication, recovery, and post-incident activity
- Summary
- Further reading
Lessons 4: Fundamentals of Digital Forensics
- An overview of forensic science
- Locard’s exchange principle
- Legal issues in digital forensics
- Forensic procedures in incident response
- Summary
- Further reading
Lessons 5: Investigation Methodology
- An intrusion analysis case study: The Cuckoo’s Egg
- Types of incident investigation analysis
- Functional digital forensic investigation methodology
- The cyber kill chain
- The diamond model of intrusion analysis
- Summary
Lessons 6: Collecting Network Evidence
- An overview of network evidence
- Firewalls and proxy logs
- NetFlow
- Packet capture
- Wireshark
- Evidence collection
- Summary
- Further reading
Lessons 7: Acquiring Host-Based Evidence
- Preparation
- Order of volatility
- Evidence acquisition
- Acquiring volatile memory
- Acquiring non-volatile evidence
- Summary
- Further reading
Lessons 8: Remote Evidence Collection
- Enterprise incident response challenges
- Endpoint detection and response
- Velociraptor overview and deployment
- Velociraptor scenarios
- Summary
Lessons 9: Forensic Imaging
- Understanding forensic imaging
- Tools for imaging
- Preparing a staging drive
- Using write blockers
- Imaging techniques
- Summary
- Further reading
Lessons 10: Analyzing Network Evidence
- Network evidence overview
- Analyzing firewall and proxy logs
- Analyzing NetFlow
- Analyzing packet captures
- Summary
- Further reading
Lessons 11: Analyzing System Memory
- Memory analysis overview
- Memory analysis methodology
- Memory analysis tools
- Memory analysis with Strings
- Summary
- Further reading
Lessons 12: Analyzing System Storage
- Forensic platforms
- Autopsy
- Master File Table analysis
- Prefetch analysis
- Registry analysis
- Summary
- Further reading
Lessons 13: Analyzing Log Files
- Logs and log management
- Working with SIEMs
- Windows Logs
- Analyzing Windows Event Logs
- Summary
- Further reading
Lessons 14: Writing the Incident Report
- Documentation overview
- Executive summary
- Incident investigation report
- Forensic report
- Preparing the incident and forensic report
- Summary
- Further reading
Lessons 15: Ransomware Preparation and Response
- History of ransomware
- Conti ransomware case study
- Proper ransomware preparation
- Eradication and recovery
- Summary
- Further reading
Lessons 16: Ransomware Investigations
- Ransomware initial access and execution
- Discovering credential access and theft
- Investigating post-exploitation frameworks
- Command and Control
- Investigating lateral movement techniques
- Summary
- Further reading
Lessons 17: Malware Analysis for Incident Response
- Malware analysis overview
- Setting up a malware sandbox
- Static analysis
- Dynamic analysis
- ClamAV
- YARA
- Summary
- Further reading
Lessons 18: Leveraging Threat Intelligence
- Threat intelligence overview
- Sourcing threat intelligence
- The MITRE ATT&CK framework
- Working with IOCs and IOAs
- Threat intelligence and incident response
- Summary
- Further reading
Lessons 19: Threat Hunting
- Threat hunting overview
- Crafting a hypothesis
- Planning a hunt
- Digital forensic techniques for threat hunting
- EDR for threat hunting
- Summary
- Further reading
Appendix
Hands-on LAB Activities
Fundamentals of Digital Forensics
- Completing the Chain of Custody
Investigation Methodology
- Performing Reconnaissance on a Network
Collecting Network Evidence
- Installing a DHCP Server
- Performing a Proxy Server Operation
- Creating a Firewall Rule
- Capturing Packet Using RawCap
- Using tcpdump to Capture Packets
Acquiring Host-Based Evidence
- Using WinPmem for Memory Acquisition
- Using FTK Imager
- Using FTK Imager for Obtaining Protected Files
Remote Evidence Collection
- Using the Velociraptor Server
Forensic Imaging
- Preparing a Staging Drive
- Using EnCase Imager
Analyzing Network Evidence
- Working with NetworkMiner
- Capturing a Packet Using Wireshark
Analyzing System Memory
- Analyzing Malicious Activity in Memory Using Volatility
- Working with Strings in Linux
Analyzing System Storage
- Analyzing Forensic Case with Autopsy
- Viewing the Windows File Registry
Analyzing Log Files
- Creating an Event Log View
- Examining Windows Event Logs Using DeepBlueCLI
Ransomware Preparation and Response
- Understanding LPE
Ransomware Investigations
- Using Social Engineering Techniques to Plan an Attack
- Passing the Hash Using Mimikatz
Malware Analysis for Incident Response
- Analyzing Malware Using VirusTotal
- Using Process Explorer
- Handling Potential Malware Using ClamAV
Leveraging Threat Intelligence
- Examining MITRE ATT&CK
- Using Maltego to Gather Information