The course begins with an in-depth exploration of forensic image analysis. Participants will gain the skills to view data from a source computer as it existed at the time of imaging, helping to reconstruct past events. They will learn how to create and analyze timelines of files contained in these images, which is crucial for narrowing down the focus to pertinent files that warrant detailed examination.

Further training covers critical evidentiary locations within Windows operating systems, where significant digital artifacts can be retrieved. The curriculum includes the analysis of volatile data from computer RAM, enhancing understanding of system state at the time of incident. Participants will also delve into network traffic analysis to trace interactions between computers involved in suspicious activities, and scrutinize suspicious files and executables to reveal the extent of potential intrusions or breaches.

To bridge theory with real-world application, the course incorporates numerous case studies simulating complex forensic scenarios. Participants will be guided to create their own methodologies, integrating state-of-the-art practices to proficiently manage and solve forensic challenges. This hands-on approach ensures they are well-prepared to tackle actual forensic tasks in the field.

Upon completing this course, participants will emerge with advanced capabilities in:

• Ensuring digital evidence integrity through established forensic verification methods.
• Utilizing advanced tools for detailed forensic image analysis tailored to specific investigative needs.
• Identifying hidden or anomalous files in forensic images, including steganography detection and OS functionality exploration.
• Assessing security implications of executable files (MSI, Java, Python, EXE) to identify potential threats.
• Retrieving critical forensic data from Windows systems, including event logs, Amcache hive, shadow copies, and prefetch files.
• Conducting comprehensive static and dynamic analyses on suspect files to evaluate behavior and risk.
• Investigating network intrusions and track threat actors using packet analysis tools like Wireshark.

MCSI is one of the most respected and trusted names in cyber security education and training. Our certifications teach critical skills, knowledge and abilities needed to advance a career in cyber security. Our courses are comprehensive and up-to-date, and our instructors are experienced professionals who are dedicated to helping students learn. MCSI provides the real-world skills and knowledge you need to protect any organization from cyber threats.

• Lab Setup and Virtualization
• File and Disk Forensics

  File and disk forensics are critical for forensics analysts as they involve the examination and recovery of digital evidence from storage devices, enabling the analysis of file metadata, deleted data, and file system artifacts to reconstruct events and identify potential security breaches or criminal activities.

  Understanding file and disk forensics is essential for uncovering crucial information such as file timestamps, user interactions, and file access patterns, which are fundamental for investigations, incident response, and legal proceedings in digital forensics.

  Analysing Shortcut Files

  Understanding shortcut files is crucial for forensics analysts as they often contain valuable metadata and references to files or locations, aiding in reconstructing user activities and identifying potentially malicious actions.

  Analysing RTF Files

  Analyzing RTF files is important for uncovering embedded objects, macros, and potential exploits, providing insights into document-based attacks and malicious payloads.

  Retrieving IOC from Files

  Extracting Indicators of Compromise (IOCs) from files helps forensics analysts identify specific threat signatures and patterns, facilitating threat detection and incident response efforts.

  Decompiling Executables

  Decompiling executables like Java, C#, or Python scripts helps forensics analysts analyze code logic, identify embedded threats, and understand program behavior, aiding in malware analysis and reverse engineering.

  Analysis of Forensic Images

  Analyzing forensic images provides valuable insights into the contents of a disk, enabling investigators to uncover a wealth of information. This includes identifying recently modified or deleted files, uncovering concealed data that may have been intentionally hidden, and detecting the potential presence of malicious files or suspicious activity.

• Windows Forensics

  Windows forensics is crucial for forensics analysts due to the widespread use of Windows operating systems in both corporate and personal environments, making it a primary target for cyber attacks and investigations.

  Understanding Windows forensics allows analysts to extract valuable artifacts, analyze system activity, and reconstruct events to uncover evidence of malicious activities or security breaches, supporting incident response, legal proceedings, and overall digital investigations.

  Analysing Numerous Types of Windows Files (Prefetch Files, Event Logs, etc.)

  Analyzing various types of Windows files like prefetch files and event logs is critical for forensics analysts to gather system usage patterns, user activities, and timestamps, aiding in reconstructing events and identifying potential evidence of malicious activities.

  Retrieving Hidden Deleted Files

  Recovering hidden and deleted files is important in Windows forensics to access valuable evidence that may have been intentionally or unintentionally concealed, providing insights into user actions and potential data remnants critical for investigations.

  Analysing the Amcache Hive

  Examining the Amcache hive is essential for forensics analysts to retrieve information about application usage and executions on Windows systems, enabling the reconstruction of software activities and identifying potential indicators of compromise or unauthorized software usage.

• Behavioral and Memory Analysis

  Behavioral and memory analysis are crucial for forensics analysts because they provide insights into the runtime behavior of systems and processes, allowing the identification of anomalous activities, malicious behaviors, and hidden artifacts that may evade traditional static analysis techniques.

  Understanding behavioral and memory analysis enables analysts to uncover sophisticated threats, investigate advanced malware, and reconstruct the sequence of events during a security incident, supporting comprehensive digital investigations and effective incident response strategies.

  Dynamically Analysing Malware with Sysmon, CAPE, etc.

  Conducting dynamic malware analysis using tools like Sysmon and CAPE is essential for forensics analysts to observe malware behavior in real-time, capture system events, and identify malicious activities to better understand and mitigate threats.

  Dynamically Analysing Malicious Network Connections

  Analyzing malicious network connections in real-time helps forensics analysts identify suspicious traffic patterns, detect command-and-control communications, and trace network-based activities associated with malware infections or security breaches.

  Dumping Windows RAM

  Extracting memory dumps from Windows systems is important for forensics analysts to capture volatile data such as running processes, network connections, and system artifacts, aiding in the investigation of active threats and incident response.

  Dumping Linux RAM

  Dumping RAM on Linux systems enables forensics analysts to retrieve volatile data and artifacts unique to Linux environments, providing insights into running processes, open files, and system configurations for forensic analysis and incident response.

  Dumping Android RAM

  Capturing RAM dumps from Android devices allows forensics analysts to access volatile data including running apps, cached information, and system state, aiding in the investigation of mobile device intrusions and data breaches.

  Retrieving Various Types of Concealed Data from Dumped Images

  Extracting concealed data from memory dumps and forensic images is critical for forensics analysts to uncover hidden artifacts, encrypted content, and obscured information that may contain evidence of malicious activities or security incidents.

  Utilizing Volatility Framework

  Using the Volatility framework is essential for forensics analysts to perform memory forensics, analyze memory dumps, and extract valuable artifacts and forensic indicators from volatile memory, supporting investigations of malware, intrusions, and system compromise.

• Malware Analysis

  Malware analysis is crucial for forensic analysts because it allows them to dissect and understand malicious software to uncover its behavior, functionality, and impact on systems, aiding in the identification of threats and the development of effective mitigation strategies.

  By analyzing malware, forensic analysts can gather intelligence on attacker tactics, techniques, and procedures (TTPs), enabling proactive defense measures, incident response, and threat intelligence for better overall cybersecurity posture.

  Extracting Malware from Word and PDF Files

  Extracting malware from Word and PDF files is important for forensic analysts to analyze embedded malicious scripts or payloads, enabling the identification of malware delivery methods and evasion techniques used by threat actors.

  Monitoring Malware using APIMonitor

  Using APIMonitor to monitor malware behavior in runtime provides valuable insights into API calls, system interactions, and runtime activities, aiding forensic analysts in understanding malware functionality and impact on compromised systems.

  Utilizing Resource Hacker to Extract Embedded Malware

  Leveraging Resource Hacker to extract embedded malware from executables or binaries helps forensic analysts dissect malicious artifacts, analyze code snippets, and uncover hidden payloads, facilitating deeper malware analysis and threat intelligence gathering.

  Reverse Engineering Office Macros

  Reverse engineering Office macros is essential for forensic analysts to understand macro-based attacks, deobfuscate malicious scripts, and identify malicious behaviors triggered by macros in documents, enabling effective detection and mitigation of macro-based threats.

• Documentation

  Documentation is crucial for forensic analysts because it ensures that investigative processes, findings, and methodologies are clearly recorded and communicated, supporting transparency, repeatability, and integrity of forensic examinations.

  Well-documented procedures and reports enable effective collaboration with stakeholders, legal teams, and law enforcement, facilitating comprehensive and accurate analysis of digital evidence for successful investigations and legal proceedings.

  Writing DFIR Documents

  Writing DFIR (Digital Forensics and Incident Response) documents is essential for forensic analysts to document investigation processes, findings, and conclusions in a structured and comprehensive manner, ensuring the integrity and admissibility of digital evidence for legal and investigative purposes.

  Writing Memory Forensics Standard Operating Procedures

  Developing standard operating procedures (SOPs) for memory forensics is crucial for forensic analysts to establish consistent methodologies, guidelines, and best practices for conducting memory analysis, ensuring accurate and repeatable processes for extracting and analyzing volatile data from digital systems.

This course teaches the specific Knowledge, Skills, Abilities, and Tasks (KSATs) aligned with the DoD Cyber Workforce Framework (DCWF) as outlined in DoD 8140. By focusing on these critical competencies, the course ensures that you develop the essential capabilities required for various cybersecurity roles within the Department of Defense. This alignment not only guarantees that the training is relevant and comprehensive but also that it prepares you to meet the specific operational needs and standards of the DoD cyber workforce.

• knowledge

  ID	Description
  22	Knowledge of computer networking concepts and protocols, and network security methodologies.
  24	Knowledge of concepts and practices of processing digital forensic data.
  25A	Knowledge of encryption algorithms, stenography, and other forms of data concealment.
  61	Knowledge of incident response and handling methodologies.
  90	Knowledge of operating systems.
  108	Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  264	Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
  287	Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).
  302	Knowledge of investigative implications of hardware, Operating Systems, and network technologies.
  316	Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
  888	Knowledge of types of digital forensics data and how to recognize them.
  1086	Knowledge of data carving tools and techniques (e.g., Foremost).
  1092	Knowledge of anti-forensics tactics, techniques, and procedures.
  1093	Knowledge of common forensics tool configuration and support applications (e.g., VMWare, WIRESHARK).
  1158	Knowledge of cybersecurity principles.
  1159	Knowledge of cyber threats and vulnerabilities.
  6900	Knowledge of specific operational impacts of cybersecurity lapses.
  6935	Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
  6938	Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.
  29	Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.
  105	Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  113	Knowledge of server and client operating systems.
  114	Knowledge of server diagnostic tools and fault identification techniques.
  139	Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.
  290	Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).
  294	Knowledge of hacking methodologies in Windows or Unix/Linux environment.
  340	Knowledge of types and collection of persistent data.
  345	Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.
  346	Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.
  889	Knowledge of deployable forensics.
  923	Knowledge of security event correlation tools.
  1033	Knowledge of basic system administration, network, and operating system hardening techniques.
  1036	Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
  1072	Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
  1089	Knowledge of reverse engineering concepts.
  1094	Knowledge of debugging procedures and tools.
  1095	Knowledge of how different file types can be used for anomalous behavior.
  1096	Knowledge of malware analysis tools (e.g., Oily Debug, Ida Pro).
  1097	Knowledge of virtual machine aware malware, debugger aware malware, and packing.
  6210	Knowledge of cloud service models and possible limitations for an incident response.

• skills

  ID	Description
  217	Skill in preserving evidence integrity according to standard operating procedures or national standards.
  350	Skill in analyzing memory dumps to extract information.
  381	Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).
  890	Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).
  193	Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.
  214	Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
  360	Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
  364	Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
  369	Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
  374	Skill in setting up a forensic workstation.
  386	Skill in using virtual machines.
  1087	Skill in deep analysis of captured malicious code (e.g., malware forensics).
  1088	Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump).
  1091	Skill in one way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).
  1098	Skill in analyzing anomalous code as malicious or benign.
  1099	Skill in analyzing volatile data.
  1100	Skill in identifying obfuscation techniques.

• abilities

  ID	Description
  908	Ability to decrypt digital data collections.
  6918	Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.

• tasks

  ID	Description
  447	Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion.
  480	Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats.
  482A	Detect and analyze encrypted data, stenography, alternate data streams and other forms of concealed data.
  541	Provide technical summary of findings in accordance with established reporting procedures.
  564A	Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking).
  573	Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence.
  613	Examine recovered data for information of relevance to the issue at hand.
  636	Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.
  749	Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment.
  752	Perform file signature analysis.
  753	Perform hash comparison against established database.
  768	Perform static media analysis.
  786	Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures).
  817	Provide technical assistance on digital evidence matters to appropriate personnel.
  839A	Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information.
  871	Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.
  1081	Perform virus scanning on digital media.
  1082	Perform file system forensic analysis.
  1083	Perform static analysis to mount an “image” of a drive (without necessarily having the original drive).
  1085	Utilize deployable forensics tool kit to support operations as necessary.
  438A	Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.
  463	Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis.
  649	Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations.
  758	Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView).
  759	Perform timeline analysis.
  771	Perform tier 1, 2, and 3 malware analysis.
  792	Process crime scenes.
  825	Recognize and accurately report forensic artifacts indicative of a particular operating system.
  868	Extract data using data carving techniques (e.g., Forensic Tool Kit [FTK], Foremost).
  870	Capture and analyze network traffic associated with malicious activities using network monitoring tools.
  882	Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies.
  944	Conduct cursory binary analysis.
  1084	Perform static malware analysis.