Detailed Course Outline
Module 1: Introduction to Windows Internals
- Introduction to Windows Internals
- Processes and Threads
- PID and TID
- Information Gathering from the Running Operating System
- Obtaining Volatile Data
- A Deep Dive into Autoruns
- Effective Permissions Auditing
- PowerShell Get NTFS Permissions
- Obtaining Permissions Information with AccessCheck
- Unnecessary and Malicious Services
- Detecting Unnecessary Services with PowerShell
Module 2: Securing Monitoring Operations & Threat Hunting
- Types of Hunting
- Defining Hunt Missions
- Malware Hiding Techniques
- Uncovering Internal Reconnaissance
- Uncovering Lateral Movement
- Uncovering Hidden Network Transmissions
Module 3: Handling Malicious Code Incidents
- Count of Malware Samples
- Virus, Worms, Trojans, and Spywares
- Incident Handling Preparation
- Incident Prevention
- Detection of Malicious Code
- Containment Strategy
- Evidence Gathering and Handling
- Eradication and Recovery
Module 4: Static Malware Analysis
- Static Malware Analysis Scenarios
- Types and goals of malware analysis
- Cloud-based malware analysis
- Incident prevention and response steps
- Containment and mitigation
- Executable analysis
- Static analysis tools
Module 5: Behavioural Malware Analysis and Threat Hunting
- Malware Detonation
- Sysinternals Suite
- Network Communication Analysis
- Monitoring System Events
- Memory Dump Analysis
- Simulating a Real Environment
Module 6: Network Forensics and Monitoring
- Types and Approaches to Network Monitoring
- Network Evidence Acquisition
- Network Protocols and Logs
- LAB: Detecting Data Thievery
- LAB: Detecting WebShells
- Gathering Data from Network Security Appliances
- Detecting Intrusion Patterns and Attack Indicators
- Data Correlation
- Hunting Malware in Network Traffic
- Encoding and Encryption
- Denial-of-Service Incidents
- Distributed Denial-of-Service Attack
- Detecting DoS Attack
- Incident Handling Preparation for DoS
- DoS Response and Preventing Strategies
Module 7: Memory: Dumping and Analysis
- Introduction to memory dumping and analysis
- Creating memory dump - Belkasoft RAM Capturer and DumpIt
- Utilizing Volatility to analyse Windows memory image
- Analysing Stuxnet memory dump with Volatility
- Automatic memory analysis with Volatile
Module 8: Memory: Indicators of compromise
- Yara rules language
- Malware detonation
- Introduction to reverse engineering
Module 9: Disk: Storage Acquisition and Analysis
- Introduction to Storage Acquisition and Analysis
- Drive Acquisition
- Mounting Forensic Disk Images
- Virtual Disk Images
- Signature vs. File Carving
- Introduction to NTFS File System
- Windows File System Analysis
- Autopsy with Other Filesystems
- External Device Usage Data Extraction (USB Usage, etc.)
- Reviving the Account Usage
- Extracting Data Related to Recent Use of Applications and Files
- Recovering Data After Deleting Partitions
- Extracting Deleted Files and File Related Information
- Extracting Data from File Artifacts like $STANDARD_INFORMATION, etc.
- Password Recovery
- Extracting Windows Indexing Service Data
- Deep-Dive into Automatic Destinations
- Detailed Analysis of Windows Prefetch
- Extracting Information About Program Execution (UserAssist, RecentApps, Shimcache, appcompatcache, etc.)
- Extracting Information About Browser Usage (Web Browsing History, Cache, Cookies, etc.)
- Communicator Apps Data Extraction
- Extracting Information About Network Activity
- Building Timelines
Module 10: Malicious Non-Exe Files
- Alternative Binaries
- PowerShell Scripts
- Office Documents
- JScript
- HTML Documents
- Living off the Land Binaries