Master proven and reliable skills to solve incidents and save the day

MCSI Certification

MDFIR - Certified DFIR Specialist

There are a few key skills required for cyber incident response and digital forensics. The first is a strong understanding of computer systems and networks. This includes an understanding of how systems work and how to troubleshoot issues. Incident responders also need to be able to quickly understand the data that is being analyzed, as well as any potential threats.

The second key skill is the ability to communicate effectively. Incident responders need to be able to effectively communicate with other members of their team as well as with clients or customers. They also need to be able to communicate clearly and concisely in writing.

The final key skill is the ability to stay organized. Incident responders often have to manage a large number of tasks simultaneously and need to be able to keep track of all of the data. They also need to be able to stay organized when working under pressure.

If you want to learn how to respond to computer incidents and conduct digital forensics investigations, the MCSI MDFIR course is the gold standard. Offered by the global leader in information security training, this course provides in-depth instruction on how to protect your organization from cyber attacks and respond to incidents when they occur.

MDFIR Professionals have the skills and abilities to excel in the digital forensics and incident response field. Earning MDFIR Certification from MCSI is your assurance that you have the competencies the industry is seeking. Our certification program has been developed with input from leading experts in the field, so you can be confident you are getting the most up-to-date and relevant training available. When it comes to finding a job in digital forensics and incident response, MDFIR Certification from MCSI can make all the difference.

$699
Intermediate Level MCSI Certification
Certification
600+ hours
$595
No Expiry, No Renewals

Course Overview

This course will teach you tried-and-true techniques and tactics for handling major cyber breaches. After completing your certification, you will be fully capable of conducting digital forensics investigations and dealing with cyber incidents.

"Digital forensics and incident response are the bedrock of modern cybersecurity operations. Without these capabilities, an organization is blind to attacks and unable to defend itself."

Incident response is the process of investigating and mitigating a security incident. This may include the identification of malicious activity, the collection and analysis of evidence, and the implementation of corrective actions.

Digital forensics is the process of collecting, analyzing and preserving evidence from a digital device. This evidence can be used in the criminal justice system to identify and prosecute criminals. Digital forensics is used to recover data from phones, computers and other digital devices. This data can be used to identify the people involved in a crime, as well as the methods and tools used to commit the crime.

The digital world is constantly changing, and with that comes new and innovative ways for criminals to commit crimes. As a result, the demand for digital forensics and incident response personnel is growing. This is great news if you are looking for a career opportunity in this field!

The MCSI Digital Forensics and Incident Response (MDFIR) certification will equip you with the skillset necessary to carry out the following tasks:

  • Perform digital forensics investigations on Windows systems
  • Use memory forensics to identify and analyze modern APT samples
  • Perform network forensics on PCAP files to investigate intrusions
  • Analyze files, executables and malware samples
  • Identify and track adversary infrastructure based on IOCs generated from an investigation

Cyber incident responders can earn a six-figure salary, and the demand for them is high. As businesses become increasingly reliant on technology, the need for qualified incident responders grows. Those with the necessary skills and experience can expect to be in high demand and can command a high salary.

Knowledge, Skills and Abilities You Will Acquire

MCSI is one of the most respected and trusted names in cyber security education and training. Our certifications teach critical skills, knowledge and abilities needed to advance a career in cyber security. Our courses are comprehensive and up-to-date, and our instructors are experienced professionals who are dedicated to helping students learn. MCSI provides the real-world skills and knowledge you need to protect any organization from cyber threats.

  • File Analysis

    File analysis is the process of inspecting a file for information that can be used to understand the file's contents and structure. This information can be used to recreate the file, or to extract data from the file. File analysis is often used in reverse engineering, where the goal is to understand the inner workings of a program or system.

    One way malware analysts examine malware is to analyze the files it creates and uses. Malware authors often leave evidence of their activity in the files they create. This evidence can include strings containing text that reveals the purpose of the malware and file names that suggest the type of malicious activity the malware is engaged in.

    Some of the file types you will learn to analyse:

    • .exe
    • .msi
    • .a3x
    • .pdf
    • .doc
    • .lnk
    • .rtf

  • Windows Forensics

    Windows Forensics is the process of gathering, examining, and reporting on evidence found on a Microsoft Windows computer system. This type of digital evidence can include user activity logs, system files, and deleted files. Windows Forensics is used in many types of investigations, including civil, criminal, and internal corporate investigations.

    Windows Registry

    One of the most important aspects of Windows forensics is being able to properly analyze the Windows Registry. The Registry is a database that stores configuration information and settings for the operating system, applications, and users.

    The Registry can be used to answer questions about how a system was configured at the time of the forensic examination, as well as questions about how the system has been used and changed over time. The Registry can also be used to find evidence of user activity, software installations, and system changes.

    Windows Event Logs

    Windows Event Logs are a system of logs that Windows maintains to record significant events on the system. These logs can include login attempts, application crashes, and other system events. They can be used to help troubleshoot problems on the system, or to track down malicious activity.

    • Account Usage
    • Application Crashes
    • Networking Information
    • Program Execution

    Windows Prefetch

    Windows Prefetch is a file system feature that was introduced in Windows XP. The Prefetch file is a database that stores information about the files that are used on the system. The information includes the file name, the path to the file, and the time that the file was last used. When a user opens a file, Windows will look in the Prefetch file to see if the file was previously opened. If it was, Windows will open the file from the cache instead of opening it from the disk. This can improve performance by reducing the amount of time that it takes to open a file.

    Windows ShimCache, AppCompatCache and AmCache

    The Windows Application Compatibility Database is a valuable artefact for forensic investigators. By default, the feature is enabled on all Windows systems and preserves information about recently executed programs. This information can be used to help determine which programs were run on a system and when they were run.

  • Memory Forensics

    Memory forensics is a process of collecting digital evidence from a computer's RAM. This type of evidence is often used in investigations to determine what actions a user has taken on a computer, as well as to find out information about other users who have access to the computer. The evidence collected from memory can also be used to identify malware and other security threats.

    Volatility Framework

    Volatility is a framework for memory forensics. It is open source and allows for the examination of volatile memory images in order to extract information about the running system. Volatility can be used to detect malicious code, investigate system crashes and user activity, and recover deleted files.

    This is the memory forensics tool you will learn how to use in this course.

    Topics Covered

    • Retrieving and analyzing artefacts from the Windows Registry
    • Listing running processes and loaded DLLs to identify malicious programs
    • Retrieving the memory sections of a process to recover malicious code
    • Identifying and listing kernel objects to manually investigate a compromised system
    • Recovering networking information and discovering suspicious network connections
    • Listing GUI information to identify open desktop programs
    • Discovering code injection attacks
    • Developing and running YARA rules on memory dumps

  • Application Forensics

    User application forensics is the process of examining user applications and the data they create in order to extract evidence for use in investigations. This type of digital evidence can be used to help determine what actions a user took on their device, what files they accessed, and who they communicated with. This information can be used to support or disprove alibis, identify potential suspects, and build criminal cases.

    Browser Forensics

    Browser Forensics is the process of collecting digital evidence from a web browser. This evidence can be used in investigations to determine how a person interacted with a website, what they clicked on, and what data they entered.

    Email Forensics

    Email Forensics is the process of extracting evidence from email communications. This evidence can be used in investigations to help identify suspects, gather evidence, and prove or disprove alibis. Email Forensics can extract information such as the sender and recipient of an email, the date and time it was sent, and the contents of the email. This information can be used to help identify individuals involved in criminal activity, or to prove that an email was not sent as claimed.

    Microsoft Office Forensics

    Microsoft Office Forensics is the practice of collecting, examining, and preserving digital evidence from Microsoft Office files. The type of evidence collected can include metadata, user interactions, and document content. Microsoft Office Forensics can be used in investigations to determine how a document was created and modified, who authored it, and what it contains.

    Web Server Logs Analysis

    Logs are the bread and butter of a web server forensics investigation. By analyzing the logs, investigators can gain a clear understanding of how the server was used and abused. The logs can provide information on user activity, system performance, file access, and more. This information can be used to help identify the perpetrators of an attack, and to prove or disprove hypotheses about an incident.

    Database Logs Analysis

    Database logs can be used to investigate data breaches. In order to do this, the database administrator must first ensure that the logs are properly configured and maintained. The logs can then be used to track user activity and identify any unauthorized access or changes to data. This information can be used to help trace the source of the data breach and to determine the extent of the damage.

  • Network Forensics

    Network forensics is the practice of collecting and analyzing data that passes through a computer network. Network forensics tools can be used to track the activities of users on a network and to investigate cyber crimes.

    PCAP Files Analysis

    PCAP files are a type of digital evidence that can be used in digital forensics investigations. They are collected by network sniffers and can contain a record of all network traffic that passes through a particular network interface. This can include email, chat logs, website visits, and more. PCAP files can be used to help identify the source of a cyberattack, or to reconstruct activity that has taken place on a network.

    Netflow Files Analysis

    Netflow files are a type of digital evidence that can be used in digital forensics investigations. They are generated by network devices such as routers and switches, and collect information about network traffic including IP addresses, ports, and packet sizes. This information can be used to help identify network congestion and security issues, as well as track user activity and investigate cybercrime.

    Detecting DGA Algorithms

    Domain Generation Algorithms (DGA) are a type of algorithm used by malware to generate a large number of possible domains for use in communication with a C&C server. This allows the malware to evade detection by security products that rely on blacklisting known malicious domains. Malware can also use DGAs to create a pool of decoy domains that can be used to distract and mislead investigators.

    Detecting DNS Tunnelling

    DNS tunnelling is a technique used by malware to disguise its communications as DNS traffic. This allows it to bypass security measures that are in place to block malicious traffic. DNS tunnelling can also be used to send data to and from infected computers without being detected.

    Detecting Domain Fronting

    Domain fronting is a technique that allows malware to communicate with a command and control (C&C) server while appearing as if it is communicating with a legitimate website. This is accomplished by using a domain that is hosted on a different domain name server than the C&C server. By doing this, the malware can disguise its communications and avoid detection.

    Detecting Pass-the-hash Attacks

    A pass-the-hash (PTH) attack is a technique that allows an attacker to use a stolen password hash to sign in to a target account. Password hashes are created by hashing a password with a cryptographic algorithm. When a user logs in, the login process converts the user's input into a hash and compares it to the hash stored in the database. If the hashes match, the user is authenticated.

    Threat actors use PTH attacks because they are quick and easy to execute. They can also be successful even if the target user has a strong password. PTH attacks work because of a Windows feature.

    Detecting Remote Code Execution Attacks

    Remote code execution (RCE) is a type of software vulnerability that allows an attacker to execute code on a remote system, without needing any authentication credentials. This can be done by exploiting a flaw in the system's software, or by taking advantage of a flaw in the way that the system is configured.

    Detecting RCE vulnerabilities can be difficult, as they can often be hidden inside complex code. However, by using network forensics tools, it is possible to identify abnormal activity that may indicate an RCE exploit is being used. Examples of such activity may include large amounts of network traffic from a single source, or signs of shellcode in network packets, or packets that are being sent to unusual destinations.

  • Malware Analysis

    Malware analysis is the study of malware, which is any type of software that can be used to harm or disable computers. This might include viruses, ransomware, spyware, adware, and other types of malicious software. Malware analysis is used to determine how a particular piece of malware works and how it can be neutralized. It also helps to identify the individuals or organizations behind the malware.

    Binary classification

    Binary classification is the process of classifying a sample as either malicious or benign. This is done by examining the sample's code and behavior and comparing it to known malicious and benign samples.

    Malicious and benign samples can be distinguished by their code, behavior, and other characteristics. For example, malicious samples often contain code that exploits vulnerabilities in the operating system or other software, while benign samples do not.

    Behavioural analysis

    Behavioural analysis is a technique used in malware analysis to identify and characterize the behaviour of malware. This involves studying the behaviour of the malware in a controlled environment, such as a virtual machine, and identifying any patterns in its behaviour. This can help to identify any malicious activity that the malware is carrying out, as well as any changes in its behaviour that may indicate that it has been modified or updated.

    Static Analysis

    Static Analysis is the process of analyzing a program or malicious code without executing it. This can be done through a variety of methods such as decompiling the code, disassembling it, or simply viewing the code in a text editor. Static Analysis allows analysts to understand how the code works and look for potential malicious behavior. It can also be used to identify potential vulnerabilities in the code that could be exploited by malware.

    Indicators of Compromise (IOCs) Extraction

    One of the most important steps in analyzing malware is extracting indicators of compromise (IOCs). These are specific pieces of data that can help you identify and track infections. They may include file names, registry keys, IP addresses, or other pieces of information. Extracting IOCs can help you quickly determine how widespread an infection is and how to best address it.

    Developing YARA Rules

    The purpose of YARA is to allow analysts to create descriptions of malware samples that are both useful and concise. These rules can then be used to quickly identify similar malware samples.

  • Enterprise Investigations

    An enterprise investigation in digital forensics and incident response is a process in which a team of experts works together to identify and resolve a security incident within a large organization. The team typically includes members from the information security, legal, and human resources departments, as well as outside experts from the forensic investigations and computer security industries. The goal of the investigation is to identify the cause of the security incident, contain the damage, and prevent future incidents from occurring.

    Capturing and Indexing Forensics Artefacts

    The first and most important step in any forensic investigation is the collection of all relevant evidence. In order to do this effectively, it is necessary to have a process in place for capturing and indexing forensic artefacts. This allows investigators to quickly and easily locate any relevant evidence, which can be crucial in solving a case.

    Baselining the Enterprise Network

    Baselining the network is important in digital forensics and incident response because it can help you to better understand how the network is supposed to look and function. This information can be helpful when investigating incidents or trying to determine how an attacker may have compromised the network. Additionally, baselining the network can help you to quickly identify any changes that may have occurred since the last baseline was created, which could indicate an incident or attack.

    Performing Memory Forensics at Scale

    When it comes to performing memory forensics on a large scale in an enterprise setting, there are several reasons why it's important. Memory forensics can provide a great deal of information about what happened on a system in the past. By analyzing the contents of system memory, investigators can often get a clear picture of what programs were running, what files were accessed, and even what passwords were typed. This information can be crucial in helping to determine the cause of an incident.

    Data Science with Python Pandas

    The Python pandas library is often used in enterprise digital forensics and incident response investigations for data analysis. Pandas can be used to read in data from a variety of sources, including files, databases, and web scraping. Pandas can also be used to clean, process, and transform the data for analysis. Additionally, pandas provides a number of functions for statistical analysis and data visualization. This makes pandas an essential tool for data-driven investigations.

  • Threat Intelligence

    Digital forensics and incident response (DFIR) teams use their findings to produce threat intelligence. Threat intelligence is a critical part of any organization's security strategy, as it allows organizations to understand the threats they face and take steps to mitigate those threats. Threat intelligence is also used to help organizations respond to attacks and incidents.

    DFIR teams gather information about threats in several ways. They may collect data from open sources, such as the internet or social media. They may also collect data from closed sources, such as live breaches!

    Pivot Analysis

    Pivot analysis is a technique that is used in incident response to help identify and track malicious activity. Pivot analysis allows investigators to move laterally from the initial compromised system to other systems on the network in order to gather more information about the incident. This technique can be used to identify additional systems that have been compromised, to determine the scope of the breach, and to identify the perpetrators of the attack.

    Open-Source Intelligence Collection

    Open-source intelligence (OSINT) is a method of gathering intelligence from publicly available sources. OSINT collectors can use a variety of methods to gather this information, including social media, search engines, and public databases.

    OSINT is often used in incident response. Incident responders can use OSINT to gather information about the incident, including the type of attack and the attacker's identity.

  • Write professional malware analysis reports

    Executive Summary

    An executive summary might briefly describe the findings of a malware analysis report. The executive summary might describe what type of malware was found, how it works, and what impact it could have on a system. The executive summary might also include recommendations for mitigating the threat.

    Tags and Keywords

    The tags and keywords section of a malware analysis report is used to categorize the malware and its capabilities. This section is important for identifying the purpose of the malware and its potential for harm. The tags and keywords also help to determine how the malware should be handled and mitigated.

    Sensitivity Classification

    A malware analysis report's Sensitivity Classification section designates the confidentiality, integrity, and availability (CIA) impact of the malware. For each CIA category, the section describes how the malware could potentially exploit the system to cause harm. For instance, a piece of malware might be able to delete critical files, resulting in a loss of availability. Alternatively, it might be able to eavesdrop on sensitive communications, violating the confidentiality of the system. Finally, it might be able to tamper with data, jeopardizing the integrity of the system. By understanding the CIA impact of malware, analysts can better assess the risks posed by a given piece of malware and take steps to mitigate those risks.

    Hashes

    The hashes section of a malware analysis report includes the MD5, SHA-1, and CRC32 hashes of the malware sample. These hashes can be used to identify the sample and determine if it is the same as a sample that has been previously analyzed. The hashes can also be used to check for malicious content in files that have been downloaded from the Internet.

    Methodology

    A malware analysis report's methodology section is critical for ensuring that the study is completed correctly and completely. This part should include a full account of how the analysis was carried out, including the tools utilized and the procedures used to reach the final results. This part should be presented in a clear and straightforward manner so that readers can easily follow along and comprehend the procedure.

    Limitations

    A malware analysis report's limitations section is used to identify any areas where the study's scope was constrained. Time constraints, restricted access to resources, or a lack of expertise with the infection can all contribute to this. It's critical to be open about any constraints in order to verify that the analysis's results are correct.

    Identification and Classification of Sample(s)

    Identify the type of malware that was discovered and provide information about its classification. This section includes a description of the sample, its unique identification number, and the date and time it was collected. It also includes information about the source of the sample and how it was classified.

    Features

    A malware analysis report should have a section that explains the features of the malware that was analyzed. This section should describe what the malware does, how it works, and what it is designed to do. This information is important for understanding how the malware works and what it is capable of doing.

    Dependencies

    The dependencies section of a malware analysis report lists all of the files that the malware depends on in order to run. This includes any libraries that the malware uses, as well as any other files that it needs in order to function. This information is important for understanding how the malware works, and what it would take to disable it.

    Conclusions of Code Analysis and Observed Behavior

    The conclusion section of a malware analysis report should provide a brief summary of your findings and recommendations. It should also state whether the malware is still active and, if so, how to remove it.

  • Write digital forensics and incident response reports and briefings

    Timeline

    The timeline section of digital forensics and incident response reports is important in order to understand the order of events that occurred during an incident. This information can be used to help determine the cause of the incident and who is responsible.

    Incident Statements

    An incident statement is a short, clear summary of an incident that occurred. It should include who was involved, what happened, when it happened, and where it happened. Incident statements are often used in digital forensics and incident response reports to help readers understand the events that took place.

    Hypothesis generation and testing

    The hypothesis generation and testing section of digital forensics and incident response reports is used to generate possible explanations for an observed event and to test those explanations against the evidence. This process is important in order to rule out false positives and to ensure that the most likely explanation is supported by the evidence.

    The first step in hypothesis generation is to examine the evidence and identify any patterns or anomalies. Once these have been identified, possible explanations for them can be generated. These explanations are then tested against the evidence to see if they are supported. If they are not, they are rejected and new explanations are generated. This process is repeated until a satisfactory explanation is found.

    Key assumptions check

    The "key assumptions check" section is an important part of digital forensics and incident response reports. This section is used to verify that the digital evidence and incident response findings are accurate and complete. The key assumptions check ensures that the report is based on valid and reliable information.

  • Disk and filesystem forensics
  • Develop standard operating procedures and templates

Career Outcomes

This certification thoroughly prepares you for the following roles:

  • Digital Forensics Analyst
  • Incident Responder
  • Security Operations Centre (SOC) Analyst

Certification Detail

MCSI certifications are highly respected, showcasing your expertise and commitment to excellence. With cutting-edge, hands-on content, our exercises teach in-demand skills for immediate application. Certifications are valid for life, with no renewal fees or time limits.

Syllabus

Training Modules

This course provides you with multiple training modules, each of which is designed to teach you practical skills that can help you solve important cyber problems. Each module offers exercises that will help you build your skills and capabilities.

  • MDFIR-QS-001: Quickstarter: Lab Setup - 3 exercises
  • MDFIR-QS-002: Quickstarter: Digital Forensics - 9 exercises
  • MDFIR-001: Lab setup - 4 exercises
  • MDFIR-002: Fundamental Capabilities - 7 exercises
  • MDFIR-003: Pandas Fundamentals - 9 exercises
  • MDFIR-101: File Analysis - 5 exercises
  • MDFIR-102: Disk and Filesystem Forensics - 4 exercises
  • MDFIR-103: Executable Analysis - 8 exercises
  • MDFIR-201: Windows Forensics - 8 exercises
  • MDFIR-202: Windows 10 Forensics - 2 exercises
  • MDFIR-301: Memory Forensics - 9 exercises
  • MDFIR-302: Malware Analysis - 11 exercises
  • MDFIR-303: Enterprise Investigations - 6 exercises
  • MDFIR-304: Threat Intelligence - 4 exercises
  • MDFIR-401: Incident Response Challenges - 9 exercises
  • MDFIR-402: Network Forensics Challenges - 6 exercises
  • MDFIR-403: Memory Forensics Challenges - 3 exercises
  • MDFIR-404: Incident Response Playbooks - 5 exercises
  • MDFIR-501: Documentation and Procedures - 4 exercises

Scenarios

Cyber professionals must be ready for everything. The typical security training strategy, which focuses on individual skills and tools, is insufficient. You must be able to operate as part of a team, see the big picture, and respond swiftly and effectively to unforeseen circumstances. That's why, as part of our training, we use replays of whole cyber missions. Our scenarios help you prepare for the demands of the job and give you confidence in your ability to work professionally.

  • MDFIR-SC-01: Business Email Compromise Investigation - 10 exercises
  • MDFIR-SC-02: Ransomware Investigation - 7 exercises
  • MDFIR-SC-03: Android Mobile Forensics Investigation - 10 exercises

Enroll now with lifetime access for $595

Certifications

MCSI Industry Certifications are important for you to earn because they signify that you have the skills required to work in cybersecurity. Certificates of Completion are also important to earn because they signify that you have completed an exercise. Earning Certificates of Completion and Industry Certifications demonstrates that you are willing to put in the extra work to be successful.

1. Learn in-demand practical skills
2. Receive tailored feedback
3. Earn 5 certificates & build a portfolio
4. Unlock career opportunities

MCSI's MDFIR certification provides you with the required skills and knowledge aligned to the Australian Signals Directorate's Cyber Skills Framework. Upon reaching each level, you will earn a certificate of achievement.

| Certificate | Level | Curriculum Completion Requirement | Scenarios Completion Requirement |
|---|---|---|---|
| MCSI DFIR Learner | Level 1 | 0% | 0% |
| MCSI Novice DFIR Practitioner | Level 2 | 20% | 0% |
| MCSI DFIR Practitioner | Level 3 | 50% | 25% |
| MCSI Senior DFIR Practitioner | Level 4 | 70% | 50% |
| MCSI Certified Principal DFIR Practitioner | Level 5 | 80% | 75% |
| MCSI Certified Expert DFIR Practitioner | Level 6 | 95% | 100% |

In a single course, MCSI offers multiple industry certifications. You will save time and money with us because you will receive several accredited levels of competencies with a single purchase rather than having to buy multiple courses. Our goal is to provide you with a course that will take you from beginner to expert.

Sample Exercises

Dump The RAM Of A Windows Machine (Novice)

Analyse Malware From A Memory Dump Using The Volatility Framework (Advanced Beginner)

Perform Memory Forensics Of A Machine Compromised With Poweliks (Competent)

Help and Support

Unmatched Mentorship: Accelerate Your Growth

At MCSI, mentorship is built to unlock your full potential. Receive personalized insights from multiple experts, tackle real-world challenges, and get the guidance you need to grow rapidly and excel in your cybersecurity career.

  • Personalized feedback with an average instructor response time of 1 business day
  • Direct access to instructors and peers via a 24/7 Discord server
  • Progress tracking and milestone assessments to keep you on course toward success
  • 95% of MCSI graduates land cybersecurity jobs with expert mentoring and feedback

24/7/365 Discord Community:

If you're looking for additional support during your studies, consider joining our Discord server. Our community of fellow students and instructors is always available to provide help and answer any questions you may have.

Personalized Support:

Your submissions will be reviewed by MCSI instructors, who will provide you with personalized feedback. This input is critical since it can assist you in identifying the areas where you need to enhance your skills. The instructor's feedback will also tell you how well you did an exercise and what you can do to improve your performance even further.

Click here to see an example of personalized feedback.

Our personalized support will take your skills to the next level.

Quick Questions:

If you have any questions or need clarification on any of the exercises, MCSI offers a Quick Questions section on each exercise where you can ask for help. This is a great resource to use if you need assistance. This feature is only available for paid courses.

Prerequisites

Training Laptop Requirement

This course can be completed on a standard training laptop. To ensure you have the necessary hardware to complete the course, your machine should meet the following specifications:

  • 64-bit Intel i5/i7 2.0+ GHz processor or equivalent
  • 8GB of RAM
  • Ability to run at least one (1) virtual machine using VirtualBox or equivalent virtualization software
  • Windows 10 or later, macOS 10 or later, or Linux
  • Local administrator privileges

Do you support older operating systems?

Yes. Many of the exercises can be completed on older OS versions. A few of our students are successfully using older equipment to learn cyber security.

Proficiency in the English language

You must be able to comfortably read and understand IT documentation written in English. Ideally, you have an IELTS score of 6.5 with no band less than 6 (or equivalent).

Note: You can register for this course without having undertaken an English test.

Prerequisite Skills

  • Using command line utilities and tools
  • Operating virtual machines
  • Troubleshooting and resolving software errors
  • Scripting in Python and PowerShell

Required Knowledge

  • Knowledge of cyber threats and vulnerabilities
  • Knowledge of server and client operating systems
  • Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files
  • Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored)
  • Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks)
  • Knowledge of the common networking and routing protocols (e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications

Lab Environment

This course teaches you how to set up and configure your own cybersecurity lab.

  • Save thousands by avoiding the costs of pre-built labs
  • Customize your lab with the hardware and software you prefer
  • Gain practical skills in networking, system administration, and technical troubleshooting
  • Build confidence by practicing tasks you'll need to perform in real-world jobs
  • Manage and maintain your own tools—just as employers expect in the workplace

Aptitude Test (Optional)

This is an intermediate course. It includes exercises for novices but assumes that they have competent IT skills and a strong understanding of cybersecurity concepts.

Aptitude Test:

If you're not sure if you'll be able to fully enjoy this course, then contact us via email to organize a free aptitude test. This test will determine whether you meet the course's basic baseline criteria. If you've never studied with us before, it will also introduce you to the MCSI Method™.

Easier Courses:

If you are convinced that this course is too difficult for you, then you should start with something easier. We recommend checking out the following courses:

You won't need to complete all of these easier courses in their entirety. Most likely, you already have adequate skills and only need to fine-tune them before taking an intermediate course like this one. Choose a route, follow it, enhance your skills, and then return to this course in a few months!

Free Study Materials

We place a major emphasis on teaching practical skills. Our students learn best when they can put what they've learned into practice. In addition, we believe that many significant thoughts and ideas should be publicly accessible to anyone. We believe that knowledge that is already available in the public domain should not be subject to price.

Purchasing a course is a significant investment. It's critical to know what the course entails and what you intend to get out of it. If you're on the fence about whether or not to buy this course, you might want to check out our library for more information. Concepts, terminology, and essential principles are all taught in our library. This will give you more details about the topics that will be addressed in the course.

🔥 Click here to read more articles from our online library.

MCSI MDFIR vs. SANS FOR508

MCSI equips you with the practical expertise that creates the defining moments of an extraordinary career

| | SANS FOR508 Course | MCSI MDFIR Course | Return on your investment |
|---|---|---|---|
| Cost: | $8525 + Exam Fees + Renewal Fees | $595, Everything Included | Save $7930 (93% cost savings) |
| Total Training Hours: | 54 hours | 600+ hours | 11 times more training hours |
| Access Duration: | 4 Months (on-demand) | Lifetime Access, Updates included | Career Investment Protection |
| Learning Style: | Step-by-step instructions | Critical thinking and problem-solving | Join the elite 10% |

Enrollment and Fees

Fees

Your next breakthrough starts with bold action—take it today with MCSI, buy now:

$699

What You Receive

MCSI delivers unmatched benefits, expertly combined to give you a competitive edge:

  • Lifetime access with no renewal fees or hidden costs
  • All updates free, with regularly refreshed content
  • 5 certifications in one purchase
  • Personalized feedback and direct access to instructors for continuous support
  • Join a community of 35,000+ users to network, collaborate, and grow

Click here to read student testimonials to see firsthand accounts of their experiences with MCSI training.

Time to Value

After just 5 exercises, 66% of users report stronger problem-solving skills as a direct result of their MCSI training.

Put in the effort, and we guarantee you'll see measurable improvements in your skills within weeks. Depending on your starting point, the MCSI Method will help you become a competent professional within the specific cyber domain taught in this course in just a few months.

Actively Maintained Course

This course is actively maintained, regularly tested, and updated with industry support to ensure accuracy, quality, and the most up-to-date skills—setting it apart as one of the best in the market.

Terms and Conditions

Cooling-Off Policy

Receive a full refund if you change your mind about a purchase within 24 hours. No questions asked. Read the full details here.

Don't Buy This Course

Don't buy this course if you believe cybersecurity is simple, can be mastered in hours, or that passive consumption of videos and books is enough.

Our competitors deceive you with promises that video courses and open-book certificates are sufficient. Cybersecurity demands hundreds of hours facing real challenges, with experts guiding you to strengthen your weaknesses. Only when you embrace this will you grasp the value of the MCSI Method™ and the transformation it offers.

By purchasing, you commit to our 100% practical MCSI Method™—no solutions, no walkthroughs, only critical thinking, problem-solving and research like in the real-world. Unsure? Try the free version first.

How does MCSI Compare?

MCSI is 95% more cost-effective with 20x more practical training hours:

| | Traditional Vendors | Conference Workshop | Cybersecurity Bootcamps | MCSI Certifications | Return on Your Investment |
|---|---|---|---|---|---|
| Cost: | $5,000+ | $4,000+ | $10,000+ | $595 | Save between $3,500 to $9,500 |
| Hours of Practical Training: | 30 | 20 | 150 | 600+ hours | 20x more practical training hours |
| Number of Certifications: | 1 | 0 | 1 | 5 | Certified beginner to expert in one purchase |
| Travel Expenses: | $8,000+ | $4,000+ | $6,000+ | $0 (online) | Save between $4,000 to $6,000 |

Bloom's Taxonomy

Employers seek problem-solvers who deliver real value. With MCSI, you'll develop practical, in-demand skills applicable across diverse cyber roles.

Our proven training method elevates cyber operators to the top 10% of the industry—the results speak for themselves.

We empower both beginners and experts to accelerate their careers and reach new heights

  • 95% of users completing our Remote Internship or an intermediate course landed cybersecurity jobs
  • 84% reported an increased confidence in their real-world cybersecurity abilities
  • 76% said MCSI training opened new career opportunities
  • 71% said managers recognized their skills improvement

We elevate our users to elite levels through the most realistic cyber training on the planet

  • With just 600 hours of MCSI training, users transform from beginners to expert practitioners—creating tools, presenting at conferences, and being recognized as top talent in their organizations
  • 88% of users reported that MCSI transformed their work approach—enabling greater autonomy, fostering creativity, enhancing problem-solving skills, and improving their ability to meet work expectations
  • 44% of our top users are directly involved in protecting critical infrastructure and national security

Our training transforms lives, empowering users to achieve their personal goals

  • Many of our users have secured roles in tier-1 cybersecurity teams and contributed to high-profile projects featured in global news, thanks in part to our courses
  • Some users received visa sponsorships, enabling them to move from developing countries to the UK, United States, and Australia to work for top firms
  • Several users overcame financial challenges by securing remote freelance or contract roles, rising to the top 5% of IT earners in their countries

We certify cyber practitioners weekly, with results independently verifiable. Our users produce artifacts that employers can audit to confirm their skills—an unmatched capability for those who need to hire top talent.

Frequently Asked Questions

  • Are solutions disclosed and available?
    • No. Our method of teaching cyber security consists of challenging you with real-world problem statements that you're expected to solve by doing your own research. This is how you'll be expected to work in the field. When you fail an exercise, we provide you with constructive feedback so you can improve and try again.
  • Do exercises, training content, or certificates ever expire? Am I expected to buy again in the future?
    • Upon purchase, all the materials are permanently unlocked with no recurring or ongoing fees.
  • Do I need to buy the training and the certification separately?
    • No. The price provided covers both. You only pay once.
  • Do you offer any special offers and discounts?
    • We understand that many of our customers may be looking for discounts, and we would love to be able to offer them. However, we do not provide discounts because we believe that our prices are fair and reasonable. We work hard to keep our prices low, and we feel that discounts would be unfair to our other customers. We hope you understand.
  • If I can't solve the exercise, where do I go for help?
  • Who reviews and marks exercises?
    • Trained cyber security instructors that work for Mossé Cyber Security Institute.
    • MCSI instructors are highly qualified and experienced professionals who are able to teach a variety of topics related to information security. They have the ability to tailor their teaching methods to meet the needs of each student, regardless of their experience level. In addition, they are always up-to-date on the latest trends and developments in information security, which enables them to provide students with the most relevant and current information.
  • We can't pay via credit card. Can you raise an invoice for wire payment instead?
    • Yes. Send us the list of bundles and certifications you want to purchase at [email protected]
  • Can I access a trial/demo of the certification programmes prior to enrolling?
    • We provide a free curriculum with 100+ hours of practical exercises you can try.
    • The Free Curriculum teaches Security Tools, Penetration Testing, Red Teaming, Threat Hunting, Cyber Defence, GRC and Windows Internals.
    • Try the Free Curriculum
  • Do you provide Continuing Professional Education (CPE) credits?
    • Yes. Every single exercise offers CPE credits. The number of credits earned depends on the difficulty of the exercise completed. Below are the CPE credits achieved for an exercise at each difficulty level:
    • Novice exercises = 1 CPE credit
    • Advanced Beginner exercises = 2 CPE credits
    • Competent exercises = 5 CPE credits
  • Do I need to complete an exam to receive MCSI Certification?
    • No. MCSI Certifications are completed by solving practical cybersecurity exercises.
  • Do I need to purchase cybersecurity tools or subscriptions?
    • No. Only free or trial versions are used in our exercises. You do not need to make any purchases.
