The Cyber Defense Forensics Analyst course is designed to equip participants with the skills needed to perform digital forensics across a diverse range of technology sources. This course introduces the fundamentals of digital forensics, focusing on the analysis of digital evidence and the investigation of computer security incidents. Participants will acquire practical skills to extract and analyze data, crucial for enhancing security measures and safeguarding digital environments.

The course starts with foundational concepts of digital forensics, establishing a base for more specialized skills and knowledge. Participants will learn to perform detailed forensic investigations on Windows computers, mastering techniques to recover artifacts from various digital sources. This module emphasizes hands-on practice in retrieving and analyzing data to understand the nuances of digital forensics.

As the course progresses, participants will delve into advanced techniques such as processing memory dumps and analyzing network traffic captures. The curriculum also includes basic malware analysis to aid in determining the extent of system compromises. Each of these skills builds on the last, forming a comprehensive understanding of the tools and methodologies used in modern forensics.

The course integrates all learned skills, enabling effective analysis and correlation of evidence from diverse sources. This empowers participants to tackle complex security challenges in today's digital landscape. They will become proficient forensic analysts, fully equipped to enhance their organizations' security posture.

Upon completion of the MCDFA Certified Cyber Defense Forensics Analyst course, participants will be equipped with a diverse skill set enabling them to:

• Verify digital evidence integrity using forensic testing techniques.
• Analyze forensic images with specialized tools for investigative purposes.
• Conduct custom analyses of forensic images to meet specific investigation needs.
• Detect hidden or suspicious files on forensic images.
• Evaluate executable files (e.g., MSI, Java, Python, EXE) for security threats.
• Extract forensic artifacts from Windows systems, including event logs and volume shadow copies.
• Perform memory analysis using industry-standard tools to extract critical operational data.

MCSI is one of the most respected and trusted names in cyber security education and training. Our certifications teach critical skills, knowledge and abilities needed to advance a career in cyber security. Our courses are comprehensive and up-to-date, and our instructors are experienced professionals who are dedicated to helping students learn. MCSI provides the real-world skills and knowledge you need to protect any organization from cyber threats.

• Lab Setup and Virtualization
• Malware Analysis

  Malware analysis involves examining malicious software to understand its functionality, behavior, and impact on systems. It is important for cybersecurity professionals to conduct malware analysis to identify and mitigate potential threats, protect systems from infection, and improve incident response capabilities.

  Understanding malware allows for proactive measures such as developing effective detection signatures, updating security defenses, and devising appropriate mitigation strategies to defend against evolving threats.

  Analyzing and Extracting Malicious Shortcut Files

  This involves examining shortcut files for hidden malware payloads, which is crucial for identifying and neutralizing threats targeting system vulnerabilities.

  Analyzing and Extracting Malicious PDF Files

  Analyzing malicious PDF files helps identify embedded malware and potential exploit techniques, enabling effective mitigation and response strategies.

  Analyzing and Extracting Malicious Word Files

  Examining malicious Word files allows for the detection of embedded malware or macros, essential for understanding attack vectors and developing effective countermeasures.

  Decompiling Java, AutoIt, MSI Files

  Decompiling these types of files aids in understanding their inner workings and identifying malicious behaviors, which is essential for malware analysis and threat intelligence.

  Using Resource Hacker to Decompose Malware

  Resource Hacker is a tool used to dissect Windows executable files, which can reveal hidden or obfuscated malicious code, aiding in malware analysis.

  Monitoring Malware with Process Monitor

  This involves using Process Monitor to observe malware behavior on systems, providing insights into its activities and helping to detect and respond to threats.

  Using API Monitor on Malware

  API monitoring helps analyze how malware interacts with system functions and external resources, enabling detection and mitigation of malicious activities.

  Reverse Engineering Malicious Macros

  This process involves dissecting malicious macros to understand their functionality and potential impact, which is crucial for identifying and mitigating macro-based attacks.

• Windows Forensics

  Windows forensics is crucial for investigating security incidents and identifying malicious activities on Windows-based systems. It enables analysts to collect and analyze digital evidence from Windows devices, aiding in incident response, threat detection, and mitigation efforts.

  Capturing an Image from USB Drives

  Capturing an image from USB drives is important for cyber defense forensic analysts as it allows them to collect and preserve data from removable storage devices for forensic analysis, aiding in investigations and incident response.

  Recovering Concealed Data

  Recovering concealed data is essential in forensic investigations as it helps analysts uncover hidden information and artifacts that may be critical for understanding the scope and impact of security incidents.

  Analyzing Windows Prefetch Files

  Analyzing Windows Prefetch files is important for cyber defense forensic analysts to understand program execution patterns and identify suspicious or unauthorized activity on Windows systems.

  Analyzing Windows Hibernation Files

  Analyzing Windows hibernation files is critical for extracting memory snapshots and volatile data, providing insights into system activities and potentially uncovering evidence of malicious behavior.

  Recovering Windows Shadow Copies

  Recovering Windows shadow copies is important for restoring previous versions of files and recovering data that may have been deleted or modified, aiding in digital forensics investigations.

  Using AmCacheParser

  Using AmCacheParser is essential for cyber defense forensic analysts to parse and analyze application compatibility cache data, helping to identify artifacts related to executed programs and user activity on Windows systems.

  Analyzing SCRUM Dumps on Windows

  Analyzing SCRUM dumps on Windows is important for examining memory dumps and extracting valuable information about processes, network connections, and file system activities, aiding in incident response and malware analysis.

• Behavioural Analysis

  Behavioral analysis is essential for cyber defense forensic analysts as it involves studying patterns of behavior within systems and networks to detect abnormal or suspicious activities indicative of security threats. This approach helps identify potential threats that traditional signature-based methods may miss, enabling proactive threat detection and response.

  Analysing malware with sysmon

  Analysing malware with Sysmon involves using Sysinternals Sysmon to monitor and log system activity, providing valuable insights into the behavior of malware and potential indicators of compromise.

  Sandboxes

  Sandboxes are isolated environments used to execute suspicious files and URLs safely, enabling the analysis of malware behavior without compromising the host system.

  Dynamically analysing malware connections

  Dynamically analyzing malware connections involves monitoring network traffic generated by malware in real-time to identify communication patterns, potential command-and-control servers, and data exfiltration attempts.

• Memory Forensics

  Memory forensics is crucial for cyber defense forensic analysts because it enables the extraction of volatile data from active systems, providing insights into running processes, network connections, and system artifacts that may not be available through traditional disk-based forensics.

  Analyzing memory dumps can reveal important evidence of malware execution, persistence mechanisms, and attacker activities, aiding in incident response and threat mitigation efforts.

  Volatility Framework

  The Volatility Framework is a powerful tool used for memory forensics, allowing cyber defense forensic analysts to extract and analyze critical data from compromised machines' RAM. It aids in identifying malware, analyzing running processes, and uncovering artifacts crucial for incident response and threat hunting.

  Perform forensic analysis on compromised machines

  Performing forensic analysis on compromised machines involves extracting and examining evidence from systems that have been subject to security breaches. This process is essential for identifying the extent of compromise, understanding attacker tactics, and strengthening future defenses.

  Dump the RAM of a Windows machine

  Dumping the RAM of a Windows machine allows analysts to capture the volatile memory state, providing insights into active processes, network connections, and system artifacts. This data is critical for detecting malware, understanding attacker activities, and conducting thorough incident response investigations.

  Dumping the RAM of a Linux machine

  Dumping the RAM of a Linux machine enables analysts to capture volatile data from Linux systems, aiding in memory forensics investigations. This process helps identify malicious activities, uncover rootkits, and gather critical evidence for forensic analysis.

  Extracting malware from dumps

  Extracting malware from memory dumps allows analysts to isolate and analyze malicious code that resides in system memory. This activity is essential for understanding malware behavior, identifying indicators of compromise (IOCs), and strengthening defenses against similar threats.

This course teaches the specific Knowledge, Skills, Abilities, and Tasks (KSATs) aligned with the DoD Cyber Workforce Framework (DCWF) as outlined in DoD 8140. By focusing on these critical competencies, the course ensures that you develop the essential capabilities required for various cybersecurity roles within the Department of Defense. This alignment not only guarantees that the training is relevant and comprehensive but also that it prepares you to meet the specific operational needs and standards of the DoD cyber workforce.

• knowledge

  ID	Description
  22	Knowledge of computer networking concepts and protocols, and network security methodologies.
  24A	Knowledge of basic concepts and practices of processing digital forensic data.
  108	Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  302	Knowledge of investigative implications of hardware, Operating Systems, and network technologies.
  1086	Knowledge of data carving tools and techniques (e.g., Foremost).
  1089	Knowledge of reverse engineering concepts.
  1092	Knowledge of anti-forensics tactics, techniques, and procedures.
  1096	Knowledge of malware analysis tools (e.g., Oily Debug, Ida Pro).
  1158	Knowledge of cybersecurity principles.
  1159	Knowledge of cyber threats and vulnerabilities.
  6810	Knowledge of binary analysis.
  6900	Knowledge of specific operational impacts of cybersecurity lapses.
  6935	Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
  6938	Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.
  25	Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).
  29	Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.
  61	Knowledge of incident response and handling methodologies.
  90	Knowledge of operating systems.
  105	Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  113	Knowledge of server and client operating systems.
  114	Knowledge of server diagnostic tools and fault identification techniques.
  139	Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.
  264	Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
  287	Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).
  290	Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).
  294	Knowledge of hacking methodologies in Windows or Unix/Linux environment.
  310	Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).
  316	Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
  340	Knowledge of types and collection of persistent data.
  345	Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.
  346	Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.
  888	Knowledge of types of digital forensics data and how to recognize them.
  889	Knowledge of deployable forensics.
  923	Knowledge of security event correlation tools.
  1033	Knowledge of basic system administration, network, and operating system hardening techniques.
  1036	Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
  1072	Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
  1093	Knowledge of common forensics tool configuration and support applications (e.g., VMWare, WIRESHARK).
  1094	Knowledge of debugging procedures and tools.
  1095	Knowledge of how different file types can be used for anomalous behavior.
  1097	Knowledge of virtual machine aware malware, debugger aware malware, and packing.
  3513	Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.
  6210	Knowledge of cloud service models and possible limitations for an incident response.
  6820	Knowledge of network architecture concepts including topology, protocols, and components.

• skills

  ID	Description
  217	Skill in preserving evidence integrity according to standard operating procedures or national standards.
  350	Skill in analyzing memory dumps to extract information.
  381	Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).
  890	Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).
  1087	Skill in deep analysis of captured malicious code (e.g., malware forensics).
  1088	Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump).
  1098	Skill in analyzing anomalous code as malicious or benign.
  1099	Skill in analyzing volatile data.
  1100	Skill in identifying obfuscation techniques.
  1101	Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures.
  6850	Skill in analyzing malware.
  6860	Skill in conducting bit-level analysis.
  6870	Skill in processing digital evidence, to include protecting and making legally sound copies of evidence.
  193	Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.
  214A	Skill in performing packet-level analysis.
  360	Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
  364	Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
  369	Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
  374	Skill in setting up a forensic workstation.
  386	Skill in using virtual machines.
  389	Skill in physically disassembling PCs.
  1091	Skill in one way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).

• abilities

  ID	Description
  6890	Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments.
  908	Ability to decrypt digital data collections.

• tasks

  ID	Description
  438A	Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.
  447	Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion.
  463	Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis.
  541	Provide technical summary of findings in accordance with established reporting procedures.
  613	Examine recovered data for information of relevance to the issue at hand.
  752	Perform file signature analysis.
  1082	Perform file system forensic analysis.
  480	Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats.
  482	Decrypt seized data using technical means.
  573	Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence.
  636	Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.
  749	Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment.
  753	Perform hash comparison against established database.
  758	Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView).
  759	Perform timeline analysis.
  762	Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs).
  768	Perform static media analysis.
  771	Perform tier 1, 2, and 3 malware analysis.
  786	Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures).
  817	Provide technical assistance on digital evidence matters to appropriate personnel.
  825	Recognize and accurately report forensic artifacts indicative of a particular operating system.
  839A	Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information.
  868A	Use data carving techniques (e.g., FTK-Foremost) to extract data for further analysis.
  870	Capture and analyze network traffic associated with malicious activities using network monitoring tools.
  871	Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.
  882A	Write and publish cyber defense recommendations, reports, and white papers on incident findings to appropriate constituencies.
  944	Conduct cursory binary analysis.
  1031	Serve as technical expert and liaison to law enforcement personnel and explain incident details as required.
  1081	Perform virus scanning on digital media.
  1083	Perform static analysis to mount an “image” of a drive (without necessarily having the original drive).
  1084	Perform static malware analysis.
  1085	Utilize deployable forensics tool kit to support operations as necessary.
  2179	Coordinate with intelligence analysts to correlate threat assessment data.
  5690	Process image with appropriate tools depending on analyst’s goals.
  5700	Perform Windows registry analysis.
  5720	Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis.
  5730	Enter media information into tracking database (e.g. Product Tracker Tool) for digital media that has been acquired.
  5740	Correlate incident data and perform cyber defense reporting.
  5760	Maintain deployable cyber defense toolkit (e.g. specialized cyber defense software/hardware) to support IRT mission.