Host Forensics


Finding malware activity, malicious actors, and insiders through computer evidence can be a challenge. Start with understanding data volatility, how to capture the most volatile data, and less volatile data, then move into understanding that data. Looking at processes, open ports, network communication, registry artifacts, file system artifacts, data exfiltration, persistence mechanisms, loaded drivers, and more.

What to Expect

The class contains demos that will be walked through and explained using one piece of evidence followed by mini labs where you will use the same concepts learned in the demo on mock incident data looking for items of interest. Classes follow the general Cyber Fire Foundry schedule, starting in the morning, ending in the afternoon with a break in the morning, a lunch break, and an afternoon break.

Day One

  • Overview and Introductions
  • Forensics and Incident Response Process
  • Data Collection and Processes
    • Memory
    • Live Response Data
    • Forensics Images
  • Memory Forensics Analysis
    • Network Connections
    • Processes

Day Two

  • Registry Persistence
  • Registry User Activity
  • Registry Process Execution
  • Looking for Exfiltration
  • Reporting and Presentation Best Practices
  • Timeline Analysis

Who should Attend?

  • Security operation center staff
  • incident responders
  • reverse engineers
  • Software engineers
  • System Administrators
  • Site Reliability Engineers

Is this class right for me?

This class is geared toward anybody wishing to learn more about forensic artifacts from Windows systems, how Windows operates internally, and common file systems. This includes incident responders, security operations center staff, red teamers, penetration testers, computer technicians looking to start in forensics, and more.

What should I bring?

  • laptop computer; any operating system as long as it has a virtual machine hypervisor installed. VMWare Workstation Player(Free), VMWare Workstation Pro(Paid), or VMware Fusion(Paid, MacOS) is preferred, but VirtualBox will work.
    • Wireless networking enabled
    • 60GB of free space

Laptop Configuration

Laptop and software setup sessions usually happen the afternoon or evening before the first day of class. Please check the schedule for details and come early if you would like help making sure everything is ready to go for class.