INCIDENT RESPONSE TRAINING (AccessData Incident Response)

This beginner Incident Response Training course provides the knowledge and skills necessary to use AccessData and other industry standard tools to conduct fundamental Incident Response actions on Microsoft Windows systems.

Participants will learn the entire Incident Response lifecycle, from Preparation through Lessons Learned. Participants will also learn how to capture volatile and non-volatile data to properly analyze an incident.

During this three-day theory and hands-on course, participants perform the following tasks on systems running the Windows operating system:

  • Use clean static binaries.
  • View network connections.
  • Open a list of running processes.
  • Identify DLLs used by programs.
  • Show a system’s hostname.
  • Determine what programs are scheduled to automatically start.
  • View all programs and services scheduled to execute at startup.
  • Identify listening ports connected to running processes.
  • Export and analyze target registry hives with Registry Viewer.
  • Locate malware not identified by antivirus signatures.
  • Manipulate Windows Event Logs, including:
    - Extracting them from a running system.
    - Repairing corrupted event logs.
    - Analyzing logs in relation to an incident.
  • Use FTK Imager® to perform the following functions:
    - Preview evidence.
    - Export data.
    - Hash data.
    - Acquire a live image of evidence data.
  • View command line arguments used by malicious programs.
  • Accurately identify various intrusion vectors.

Participants will also explore the following areas of incident response program development and the incident response lifecycle:
  • The incident response plan
  • Equipment and resource requirements
  • Legal advice resources
  • Incident types and priorities
  • Incident identification
  • Containment strategies
  • Host- and network-based analysis strategies
  • Intruder motivations
  • Evidence collection, handling, and preservation
  • Volatile and non-volatile data sources
  • Damage assessments
  • Proper documentation