This hands-on course is designed for investigators who want to learn more about network intrusions, the tools commonly used by attackers, and the forensic artifacts left behind. This course goes into not only the technical aspects of network intrusions, but also discusses the methodology commonly used by attackers. The course will begin with an overview of networking protocols and then quickly address topics such as session hijacking, capturing network traffic, and the importance of collecting volatile data (which can contain significant forensic artifacts).
The course combines forensic examinations with live response in a network environment. Students learn how to examine a compromised server or workstation in the field to obtain log files and forensic images of hard disk drives. Students examine server log files and forensic artifacts for evidence of the attacker's methods and activities.
This course covers several aspects of Trojan virus infection, as well as how investigators and examiners can combat the Trojan virus defense (“It wasn’t me!”).
Students will take part in real-world scenarios by performing several different types of attacks on a mock victim machine and then examining the victim computer using EnCase to identify the artifacts they left behind by the “attacker.” Many different types of tools and programs will be discussed and used during the course to familiarize the investigator with common tools and methods used to gain unauthorized access, and how those tools and methods can be readily identified during a forensic examination.
In addition to the various “hacker” tools, students will also utilize and discuss a variety of forensic tools, including the EnCase Enterprise Edition (network version) and network intrusion EnScripts® for live incident response and collection of volatile data important to network intrusion investigations. Students will also discuss the use of the EnCase Enterprise Edition for internal investigations over an organization's Local Area Network.
Delivery method: Group-Live. NASBA defined level: advanced.
The course will cover the following topics:
- Use of virtualized environments in investigations
- The hacker mind and security policy
- Collection of volatile data from live system
- Viruses
- Hiding and manipulating data
- Trojans and Malware
- Combating the Trojan virus defense
- Footprinting and vulnerability scanning
- Webserver attacks
- Wireless security and vulnerabilities
- Analyzing network traffic (sniffing)
- Netbios/FileSharing attacks
- Windows® rootkits
- Security and incident response policy
- IRC Bots
- Binary anlaysis
- IP and e-mail tracing
- DCOM vulnerabilities
- SQL database attacks
- FTP server compromises
- Hacking Linux
- Exploiting web applications
- Pre-built penetration testing tools
WHO SHOULD ATTEND
This course is intended for corporate and government/law enforcement investigators, legal professionals and network security personnel. Incident response supervisors and team members are encouraged to attend, as are individuals working in a penetration testing or network intrusion investigation role. An understanding of the concepts of computer forensics and familiarity with the EnCase forensic software is required. Knowledge of computer networking hardware, protocols, and concepts is helpful, but not required. Class curriculum is designed to provide a good overview of network security and intrusion investigation issues, both from a forensic and intruder perspective.
Course Syllabus
Tuition is $3,750.00 per student
Government training rate is $2,498.00 per student