In this hands-on lab, we will cover approaches for analyzing various types of electronic evidence.
Attendees will develop an understanding of what evidence can be retrieved from a disk image, memory image and log data and how to recognize evidence related to unauthorized activity.
Memory analysis techniques will cover analyzing injected processes, creating IOCs from indicators found in memory, and building timelines from memory images. Disk analysis will cover techniques to identify when malware was created on the system and when it was executed, and to recognize signs of lateral movement and other internal reconnaissance activity. Log analysis techniques will help attendees identify the scope of external threat activity, what tools may have been deployed, and how they were used to access additional resources.
Attendees will learn how to analyze:
· Process lists
· Network connections
· Registry keys used for persistence
· Files used by malware
· Process injected binaries
· Configuration files used by malware