EnCase® v6 Network Intrusion Investigations I
Course Length:4 days
Course Price:$3,700.00 plus $370.00 GST = $4,070.00 inc. GST
Availability: Please call DDLS on 1800 U LEARN (1800 853 276) or register your interest online.
Overview:
This hands-on course is designed for investigators who want to learn more about network intrusions, the tools commonly used by attackers and the forensic artifacts left behind.

This course goes into the technical aspects of network intrusions, as well as the methodology commonly used by attackers.

The course will begin with an overview of networking protocols and then quickly address topics such as session hijacking, capturing network traffic and the importance of collecting volatile data (which can contain significant forensic artifacts).

The course combines forensic examinations with live response in a network environment. Students learn how to examine a compromised server or workstation in the field to obtain log files and forensic images of hard disk drives.

Students examine server log files and forensic artifacts for evidence of the attacker's methods and activities.

This course covers several aspects of Trojan virus infection, as well as how investigators and examiners can combat the Trojan virus defense ("It wasn’t me!").

Students will take part in real-world scenarios by performing several different types of attacks on a mock victim machine and then examining the victim computer using EnCase to identify the artifacts left behind by the "attacker." Many different types of tools and programs will be discussed and used during the course to familiarise the investigator with common tools and methods used to gain unauthorized access, and how those tools and methods can be readily identified during a forensic examination.

In addition to the various "hacker" tools, students will also utilize and discuss a variety of forensic tools, including the EnCase Enterprise Edition (network version) and network intrusion EnScripts® for live incident response and collection of volatile data important to network intrusion investigations.

Students will also discuss the use of the EnCase Enterprise Edition for internal investigations over an organisation's Local Area Network.

Key Topics:
Day 1
Network intrusion begins with a hacker, and so instruction on day one of this course starts with an introduction to attacker methodology and motivations. The basics of incident response and the importance of a good security policy are discussed. Networking basics such as hardware and communications protocols are explored, and students will use their acquired knowledge to conduct footprinting and scanning against “victim” computers. The day’s studies conclude with the examination of how Windows® file sharing and the functionality of its underlying protocols are important to the understanding of NETBIOS attacks.

The activities of day one include:
• Understanding the hacker mind and methodology
• Expanding common tool knowledge and hash sets
• Incident response techniques and considerations
- Understanding and processing volatile data
• Networking 101
- Identifying network-based attacks
- Understanding network hardware devices
- The role of firewalls
- An overview of TCP/IP protocol
- Understanding core protocols and layering
• Host enumeration and port and vulnerability scanning
• Windows file sharing and vulnerabilities
- NETBIOS-file sharing basics
- IPC$ share

Day 2
Day two continues the study of Windows files sharing and allows the students to conduct a practical exercise of NETBIOS and file sharing attacks in a manner consistent with a “real-world” intrusion. The students can then view the resulting forensic artifacts. Attendees will apply data obfuscation and manipulation techniques and forensically identify such techniques. Students will collect and analyse network traffic and conduct and identify a “man-in-the-middle” attack.

The instruction covered during day two includes:
• A practical exercise focused on Windows file sharing and vulnerabilities
• Hiding and manipulating data – Changing file names and extensions
- Directory hide-and-seek
- Attribute manipulation
- Alternate data streams
- Steganography
- Slack space
- Time and date manipulation
- Packers and compressors
• Identifying web server attacks – Understanding Microsoft® Internet Information Services (IIS) and how its popularity may play a role in vulnerability

Day 3
Day three begins with a practical exercise that allows the students to demonstrate the skills they have learned about IIS exploits and associated forensic evidence to find suspicious artifacts. Next the students will learn about some of the most powerful and well-known Trojan viruses, and they will use this knowledge to locate evidence of a suspected compromise by examining a suspect evidence file. Students will learn about IRC bots, how they are used in attacks, and how to identify evidence of an infestation. The day will conclude with the start of a lesson on rootkits.

The activities of day three include:

• Examining suspect evidence files and locating evidence of a suspected compromise involving an IIS exploit
• Understanding remote access Trojans – How Optix Pro can be used to compromise a system
- Forensically examining open ports, autostart programs, and packers
- Using virus scan to identify viral artifacts
• Understanding Internet Relay Chat (IRC) bots – Good bots vs. bad bots
- Dynamic DNS service
- Self-replicating bots
- Registry locations
- Services
• Understanding Windows rootkits – What rootkits are
- Using Hacker Defender rootkit
- Forensically analysing rootkits

Day 4
Day four’s activities continue the examination of Windows rootkits. The students will participate in a hands-on exercise allowing them to demonstrate the skills learned to configure and execute the Hacker Defender rootkit to hide files, ports and processes on a computer, as well as to identify and explain artifacts left by the Hacker Defender rootkit on an examined computer. Instruction will continue with the subject of buffer overflow vulnerabilities, followed by a practical exercise to find suspicious artifacts. The Metasploit Project makes it child’s play to compromise remote systems, so students will become familiar with some basic tools that are freely available to the public. Likewise, because investigators familiar with the structure and operation of SQL databases stand a better chance of bringing a case involving SQL exploitation to a positive resolution, students will be taught how to examine a suspect evidence file and locate evidence of a suspected compromise involving a SQL database. The course concludes with discussions on how attackers use binary tools. A final exercise will be administered, allowing the students to utilise the skills learned throughout the course.

The instruction covered during day four includes:
• Identifying suspicious artifacts in evidence files left behind by Windows rootkits
• Understanding buffer overflow exploits such as DCOM vulnerabilities
• How the Metasploit framework can be used to compromise a system
• Understanding the vulnerabilities of SQL databases
• Analysing how binary tools are used

Target Audience: This course is intended for corporate and government/law enforcement investigators, legal professionals and network security personnel. Incident response supervisors and team members are encouraged to attend, as are individuals working in a penetration testing or network intrusion investigation role. An understanding of the concepts of computer forensics and familiarity with the EnCase forensic software is required. Knowledge of computer networking hardware, protocols and concepts is helpful, but not required.

Class curriculum is designed to provide a good overview of network security and intrusion investigation issues, both from a forensic and intruder perspective.

Prerequisites: The EnCase® Computer Forensics II course or EnCE Certification is a prerequisite for this course. Students should have a good understanding of network topology and TCP/IP. Advance preparation for this course is not required.


Copyright 2011 DDLS All Rights Reserved.