ＨｉｄｅＺｅｒｏＯｎｅ

The Enterprise Forensics and Response course is designed to provide students with both an investigative construct and techniques that allow them to scale incident response activities in an enterprise environment. The focus of the lecture portion of the course work is understanding the incident investigation process, objective oriented analysis and response, intrusion analysis and an exploration of attacker Tactics and Techniques. The technical portion of the course will focus on how to conduct incident investigations at enterprise scale using the remote evidence acquisition and analysis tool Velociraptor along with other free and open-source tools. The focus of the technical portion will be on extracting usable Indicators of Compromise (IOCs) related to specific MITRE ATT&CK tactics. For example, students will be instructed on extracting and analyzing evidence related to the Execution TA0002 of malicious code or LOLBAS. From here, they will be tasked with addressing containment and eradication measures. This course will combine technical elements along with lecture that provides students with both an investigative construct and techniques that allows them to analyze evidence and provide stakeholders with data necessary to limit the damage of modern cyber-attacks.

Antisyphon: Enterprise Forensics and Response

EC-Council’s Hacking Forensic Investigator (C|HFI) is the only comprehensive ANSI accredited, lab-focused program on the market that gives organizations vendor-neutral training in digital forensics. C|HFI provides its attendees with a firm grasp of digital forensics, presenting a detailed and methodological approach to digital  forensics and evidence analysis that also pivots around the Dark Web, IoT, and Cloud Forensics. The tools and techniques covered in this program will prepare the learner for conducting digital investigations using ground-breaking digital forensics technologies.

Unlock the secrets of Windows forensic investigation with my new course! I took my years of experience creating videos on the 13Cubed YouTube channel and set out to develop affordable, comprehensive, and professional training. Whether you’re looking to get into the field, already work in the field but want to step up your game, or just have an interest in digital forensics, look no further. This course is for you!

Syllabus

Welcome and Introduction
Initial Setup
Windows Event Logs
The Registry
Evidence of Execution
Persistence, Privilege Escalation, and Lateral Movement
Anatomy of NTFS
File Deletion and Recovery
LNK Files and Jump Lists
Additional Content
Knowledge Assessment

Investigating Windows Endpoints

If you’ve taken Investigating Windows Endpoints (or already have the equivalent knowledge), this is a natural continuation of the content that deep dives into Windows memory forensics. Learn the foundations of how Windows memory is structured, how to acquire memory, how to analyze memory images using Volatility, MemProcFS, and WinDbg, and more! This is for you.

Syllabus

Welcome and Introduction
Initial Setup
Foundations of Memory Forensics
Acquiring Memory
Poor Man’s Memory Forensics
Memory Analysis with Volatility
Malware Memory Analysis with Volatility
Memory Analysis with MemProcFS
Malware Memory Analysis with MemProcFS
Introduction to WinDbg
Additional Content
Knowledge Assessment

Investigating Windows Memory

FOR528: Ransomware and Cyber Extortion provides the hands-on training required for those who may need to respond to ransomware and/or cyber extortion incidents. The term “Ransomware” no longer refers to a simple encryptor that locks down resources. The advent of Human-Operated Ransomware (HumOR) along with the evolution of Ransomware-as-a-Service (RaaS) have created an entire ecosystem that thrives on hands-on the keyboard, well-planned attack campaigns. Furthermore, some cyber extortion actors carry out the full attack lifecycle yet skip the encryption phase. How do you deal with these threats? Our course uses deftly devised, real-world attacks and their subsequent forensic artifacts to provide you, the analyst, with everything you need to respond when either threat becomes a reality. 13 labs + Final day CTF

FOR528.1: Ransomware Incident Response Fundamentals
FOR528.2: Ransomware Modus Operandi
FOR528.3: Advanced Ransomware Concepts
FOR528.4: Ransomware Incident Response Challenge

FOR528: Ransomware and Cyber Extortion