This is an expert-level, four-day training course designed for participants who are already familiar with the principles of digital forensics and who want to expand their knowledge of advanced forensics and incident response techniques. The course uses Magnet AXIOM, Magnet RAM Capture, Magnet Process Capture, and third-party tools to improve computer investigations conducted as part of incident response.
Magnet AXIOM Incident Response Examinations (AX310) gives participants the knowledge and skills they need to track incidents in which unauthorized computer access and file usage have taken place on a computer system. The course uses Magnet AXIOM and third-party tools to explore the evidence in greater depth, starting with volatile data collection. Students will build an incident response toolkit in class to capture volatile data, and can take it with them for use beyond the classroom.
In this course, a deeper understanding of investigating incidents involving malware and network intrusions into Windows computers will be provided. Students will conduct a static analysis of malware by building a virtual environment and use Kali Linux in that environment to sandbox malware.
After the static analysis, students will detonate the malware in the virtual environment and conduct a dynamic analysis. They will capture packets while the malware runs to record its attempts to reach its command and control server. The captured network communication will then be analyzed to determine what the malware is designed to do, such as spread laterally across the network, escalate privileges, create new users, search for PII, or send collected data back to the command and control server.
By examining artifacts such as Windows Prefetch, SRUM, Amcache, Jump Lists, LNK files, Shimcache, MUICache, UserAssist, Windows event logs, and the NTFS $LogFile, participants will determine the initial attack vector of the malware and the chain of events that followed.
Objectives of Magnet AXIOM Incident Response Examinations
This course follows an actual intrusion into a computer network. During this course, Packet Capture (PCAP) files will be examined from the sniffer running on the network during the incident. This course also walks each student through creating their own Incident Response Toolkit that will collect volatile data from a running computer as well as RAM and Process Memory. Good forensic practices will be discussed around the collection of volatile data as well as RAM and Process captures.
Starting in AXIOM 2.0, integration with the Volatility framework was added to improve the parsing of RAM captures. Volatility works by first establishing the profile (the exact operating system build, such as Windows 10 64-bit version 1709, which tells the framework the layout of the kernel structures in memory) and then running plugins that recover information such as the process list. During this course, instructors and students will conduct the static analysis of malware recovered from the suspect system in a virtual machine using VirtualBox and Kali Linux.
Students will also perform a dynamic analysis of the malware by executing it in the Windows environment it was designed to infect and recording the changes it makes to the infected system. Students will also build a virtual computer on the same closed network as the infected machine to act as a packet sniffer, watching for traffic generated when the malware tries to reach its command and control server or issues DNS requests to resolve the domain name embedded in the malware to an IP address. Towards the end of the course, students will start putting together all the pieces they have learned: the Incident Response Toolkit, virtual machines, RAM, volatile data, file system data, and Registry information.
In the final chapter of this course, students will examine a second machine infected with malware using the tactics, techniques, and procedures learned during the first three and a half days of the course.
Training Class Schedule
Format | Location | Dates
Classroom Instructor-Led | Herndon, VA | December 4-7
Classroom Instructor-Led | Herndon, VA | February 19-22, 2019
Virtual Instructor-Led | Online | March 19-22, 2019
Classroom Instructor-Led | Anaheim, CA | April 30-May 3
Virtual Instructor-Led | Herndon, VA | May 14-17, 2019
Classroom Instructor-Led | Anaheim, CA | May 21-24
Classroom Instructor-Led | Princes Risborough, UK | June 18-21
AXIOM Incident Response Examinations Module Descriptions
Module 1: Introduction and Installation of Magnet AXIOM
Students will be introduced to each other, to the instructor(s), and to Magnet AXIOM. The functionality of the tool will be discussed, and the module will conclude with hands-on exercises in which participants install Magnet AXIOM and learn about its two components, AXIOM Process and AXIOM Examine.
Module 2: Course Overview
An overview of the course will be presented to students, along with the learning objectives and expected outcomes for the four-day training event. Students will be introduced to the evidence files and to the scenario the course follows, including the two main players in that scenario, who may or may not have been complicit in introducing the malware.
Module 3: Malware Overview
This module focuses on malware: the footprints it leaves behind, its common behavior, and what Windows does to stop it. Malware is constantly evolving, and with each new version of Windows, malware authors have to change their techniques as well.
Module 4: Packet Captures (PCAP)
Network traffic is often key to understanding how malware entered the network and how it lets attackers move through it. This module focuses on capturing, filtering, and analyzing network traffic to track down intrusions and perform network forensics. Participants will also learn about Wireshark and understand what a packet sniffer and a protocol analyzer are.
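Both the dynamic analysis described in the course summary and this module turn on one question: which name did the malware try to resolve, and from which host? The Python below is an added example, not course material and not Magnet's code. It is a minimal walker over a classic pcap byte stream (Ethernet, IPv4, UDP, DNS) that lists every DNS question a host sent. The capture is constructed inline and the domain is a made-up name under the reserved .invalid TLD; on a real capture you would read the file bytes and pass them to extract_dns_queries, or ask Wireshark the same question with the display filter dns.flags.response == 0.

```python
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DNS_PORT = 53


def parse_dns_name(msg, offset):
    """Decode a DNS name at `offset`, following 0xC0 compression pointers.
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack_from('!H', msg, offset)[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode('ascii', 'replace'))
        offset += length
    return '.'.join(labels), (end if jumped else offset)


def dns_questions(msg):
    """Return [(qname, qtype), ...] from the question section of a DNS message."""
    if len(msg) < 12:
        return []
    qdcount = struct.unpack_from('!H', msg, 4)[0]
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = parse_dns_name(msg, offset)
        qtype, _qclass = struct.unpack_from('!HH', msg, offset)
        offset += 4
        questions.append((name, qtype))
    return questions


def udp_datagrams(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for each IPv4/UDP frame
    in a classic (non-pcapng) capture with an Ethernet link type."""
    endian = {0xA1B2C3D4: '<', 0xD4C3B2A1: '>'}.get(struct.unpack('<I', pcap[:4])[0])
    if endian is None:
        raise ValueError('not a classic pcap file')
    if struct.unpack(endian + 'I', pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError('only Ethernet captures are handled here')
    pos = 24                                   # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + 'IIII', pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from('!H', frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != IPPROTO_UDP:
            continue
        ihl = (ip[0] & 0x0F) * 4               # IPv4 header length in bytes
        src = '.'.join(str(b) for b in ip[12:16])
        dst = '.'.join(str(b) for b in ip[16:20])
        sport, dport, ulen = struct.unpack_from('!HHH', ip, ihl)
        yield src, dst, sport, dport, ip[ihl + 8:ihl + ulen]


def extract_dns_queries(pcap):
    """Return [(src_ip, qname, qtype), ...] for every question sent to UDP/53."""
    found = []
    for src, _dst, _sport, dport, payload in udp_datagrams(pcap):
        if dport == DNS_PORT:
            found.extend((src, name, qtype) for name, qtype in dns_questions(payload))
    return found


# --- constructed sample capture (not real traffic) ---------------------------
def _dns_query(txid, name, qtype=1):
    qname = b''.join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split('.')) + b'\x00'
    return struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack('!HH', qtype, 1)


def _frame(src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(o) for o in src_ip.split('.')),
                     bytes(int(o) for o in dst_ip.split('.'))) + udp
    return b'\x00\x0c\x29\x00\x00\x01' + b'\x00\x0c\x29\x00\x00\x02' + struct.pack('!H', ETHERTYPE_IPV4) + ip


def _pcap(*frames):
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1543935600 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap(
    _frame('10.0.0.5', '10.0.0.2', 49152, 123, b'\x1b' + b'\x00' * 47),  # NTP, ignored
    _frame('10.0.0.5', '10.0.0.2', 53211, DNS_PORT, _dns_query(0xBEEF, 'updates.example-c2.invalid')),
)

if __name__ == '__main__':
    for src, name, qtype in extract_dns_queries(SAMPLE_PCAP):
        print(f'{src} asked for {name} (qtype {qtype})')
```

Only queries are listed because a query is the one packet the malware must send even when the C2 server is down; the parser still follows compression pointers so the same name decoder works on responses if you extend it to the answer section.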
Module 5: Incident Response Toolkit
Volatile data collection from a running computer consists of more than just capturing RAM. In this module, students will learn why volatile data must be collected from a suspect computer, and will use the output to pick a starting point for the examination while the forensic images are still being processed by AXIOM. Students will also learn to compare the volatile data collected from the running computer against the forensic image to locate rootkits and hidden malware: a process, connection, or file that is visible in one view but missing from the other is a strong indicator that something is hiding.
Module 6: RAM
In this module, participants will parse RAM from a computer involved in a malware incident to determine which programs were running and from what location on disk. Students will also investigate the malware to determine which user account it was associated with. From RAM, students will recover whether there were network connections or listening ports through which the malware could communicate. Participants will also learn how packet data persists in RAM, how to carve it out as a PCAP file, and how to process PCAP files carved from RAM to assist the forensic examination.
Module 7: Static Analysis of Malware
Participants will set up and learn to use virtual machine technology and Kali Linux, following sound forensic practice and intrusion detection methodology, to infect a computer and examine the resulting behavior of the malware. Participants will also learn how to configure the virtual network so the malware cannot escape into the wild or spread laterally. Students will also learn the practice of examining malware built for one operating system from within a different operating system, so that it cannot activate during analysis.
Module 8: Dynamic Analysis of Malware
In this module, students will set up a Windows computer similar to the suspect computer's OS, activate the extracted malware in a controlled environment (sandbox), and monitor its activity. Detonating the malware extracted from the forensic image of the hard drive lets the examiner safely determine which remote hosts the malware wants to communicate with and what other actions it takes on the computer. Using the methodologies learned earlier, participants will capture the malware's traffic live in its environment and use that information to further the investigation.
Module 9: Wrapping up the Investigation
Students will put all the pieces of this malware puzzle together in preparation for reporting the findings of their investigation. Using AXIOM's artifact-first approach, students will examine Prefetch, SRUM, Amcache, Jump Lists, LNK files, recent files and folders, Shimcache, MUICache, UserAssist, and Windows event logs to help tell the malware story.
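Of the artifacts listed here and in the course summary above, UserAssist is the one most often misread by hand: its value names are ROT13-encoded and its run count and last-execution time sit inside a binary blob. The Python below is an added example, not part of the course and not AXIOM's code. It decodes the 72-byte Windows 7 and later layout and the 16-byte Windows XP layout, maps a few Known Folder GUIDs back to readable paths, and flags executables launched from user-writable locations. The registry values are constructed inline; the Known Folder table and the suspicious-directory list are small, assumed subsets chosen for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Known Folder IDs that Windows substitutes into UserAssist paths (assumed subset).
KNOWN_FOLDERS = {
    '{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}': '%ProgramFiles(x86)%',
    '{6D809377-6AF0-444B-8957-A3773F02200E}': '%ProgramFiles%',
    '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}': '%SystemRoot%\\System32',
    '{F38BF404-1D43-42F2-9305-67DE0B28FC23}': '%SystemRoot%',
}
# Heuristic (assumption): user-writable directories legitimate software rarely runs from.
SUSPICIOUS_DIRS = ('\\appdata\\local\\temp\\', '\\downloads\\', '\\users\\public\\', '$recycle.bin\\')
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done in integer arithmetic to stay exact."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist(value_name, data):
    """Decode one UserAssist value (ROT13 name, binary data).
    Supports the 72-byte Windows 7+ layout and the 16-byte XP layout;
    returns None for any other size."""
    path = codecs.decode(value_name, 'rot_13')
    for guid, folder in KNOWN_FOLDERS.items():
        if path.upper().startswith(guid):
            path = folder + path[len(guid):]
    if len(data) == 72:            # Win7+: session, run count, focus count, focus ms,
        run_count, focus_count, focus_ms = struct.unpack_from('<III', data, 4)
        filetime = struct.unpack_from('<Q', data, 60)[0]   # ... ten floats, FILETIME @60
    elif len(data) == 16:          # XP: session, count (stored as count + 5), FILETIME
        _session, raw_count, filetime = struct.unpack('<IIQ', data)
        run_count, focus_count, focus_ms = max(raw_count - 5, 0), None, None
    else:
        return None
    lowered = path.lower()
    return {
        'path': path,
        'run_count': run_count,
        'focus_count': focus_count,
        'focus_ms': focus_ms,
        'last_run': filetime_to_datetime(filetime) if filetime else None,
        'suspicious': any(d in lowered for d in SUSPICIOUS_DIRS),
    }


def triage(values, since=None):
    """Decode every (name, data) pair, keep entries with a timestamp (and not older
    than `since` if given), and return them newest first."""
    rows = [r for r in (decode_userassist(n, d) for n, d in values.items()) if r and r['last_run']]
    if since is not None:
        rows = [r for r in rows if r['last_run'] >= since]
    return sorted(rows, key=lambda r: r['last_run'], reverse=True)


# --- constructed sample registry values (not from a real NTUSER.DAT) ---------
def _win7_value(run_count, last_run, focus_count=1, focus_ms=0):
    return (struct.pack('<IIII', 0, run_count, focus_count, focus_ms)
            + b'\x00' * 40 + b'\x00' * 4
            + struct.pack('<Q', datetime_to_filetime(last_run)) + b'\x00' * 4)


UTC = timezone.utc
SAMPLE_VALUES = {   # names are stored ROT13-encoded, exactly as the shell writes them
    codecs.encode('{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Internet Explorer\\iexplore.exe', 'rot_13'):
        _win7_value(12, datetime(2018, 12, 4, 9, 2, tzinfo=UTC)),
    codecs.encode('{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe', 'rot_13'):
        _win7_value(3, datetime(2018, 12, 4, 14, 10, tzinfo=UTC)),
    codecs.encode('C:\\Users\\jsmith\\AppData\\Local\\Temp\\invoice_view.exe', 'rot_13'):
        _win7_value(1, datetime(2018, 12, 4, 15, 30, tzinfo=UTC)),
}
SAMPLE_XP_VALUE = (codecs.encode('UEME_RUNPATH:C:\\tool.exe', 'rot_13'), struct.pack('<IIQ', 1, 8, 0))

if __name__ == '__main__':
    for row in triage(SAMPLE_VALUES):
        flag = '!!' if row['suspicious'] else '  '
        print(f"{flag} {row['last_run']:%Y-%m-%d %H:%M} x{row['run_count']:<3} {row['path']}")
```

In a real case the (name, data) pairs come from the user's NTUSER.DAT under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. Corroborate the run count and timestamp against Prefetch and Amcache, since UserAssist only records launches that went through the Explorer shell.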
Module 10: Finalizing the Investigation
In this module, students will learn to put all the pieces of the investigation together by correlating the data collected in the preceding modules. Students will correlate the volatile data recovered with the incident response toolkit against the artifacts recovered from the evidence files of the computers in question and against the PCAP files recovered from RAM and from the network monitoring tools. Participants will also extract the Windows Firewall configuration to determine whether a rule was added that allows the malware to communicate. Using the NTFS $LogFile, students will be able to determine whether the malware files were renamed, moved, or deleted, and if so, when.
Module 11: Cumulative Review Exercise
Throughout the four-day training event, instructor-led and student practical exercises are used to reinforce the learning objectives and provide the participants with the knowledge and skills necessary to successfully utilize the material taught and Magnet AXIOM in their investigative workflow. To further reinforce the instructional goals of the course, students are presented with a final scenario-based practical exercise which represents a cumulative review of the exercises conducted in each of the previous modules.