Overview
This is a core-level technical course for people looking to extend their digital forensic knowledge beyond conventional device analysis.
COURSE OVERVIEW
On this four-day practical course you will investigate forensic case studies, applying the principles, knowledge and techniques learnt during the course. It will help you protect your IT environment by showing you how to conduct malware analysis, from first principles all the way to investigating network activity stemming from malicious software infection that your AV software has failed to detect.
.
Prerequisites
Completion of the CFIP course is highly recommended. Otherwise you will need:
- Knowledge of the principles surrounding forensic investigation and an understanding of the preliminary forensic investigation case considerations
- Sound experience with the Microsoft Windows operating systems
- An understanding of how a web page is requested and delivered
- Ideally an understanding of Command Line Interface (CLI) and TCP/IP networking concepts
WHO SHOULD ATTEND
For those looking to develop their skills in malware identification and analysis, including:
- Digital forensic analysts
- Cyber incident investigators
- Law Enforcement Officers
- System administrators
Delegates will learn how to
THE SKILLS YOU WILL LEARN
Practical application of course content will be through the use of case scenarios in order to gain a practical understanding of modern malware beyond the often quoted traditional principles; mount forensic images for analysis; build virtual machines for analysis, and build a network environment to carry out network forensic analysis.
KEY BENEFITS
The course will give you:
- You will learn how to identify, analyse and interpret malicious software and associated forensic artefacts, including Trojan horses, viruses, worms, backdoors and rootkits
- How Trojan payloads can be used to bypass anti-virus software, personal and corporate firewalls
- You will practice malware investigations from mounted, booted and network perspectives, and undertake real-world exercises, including the conversion of E01 forensic images to bootable virtual machine disks
- The function, structure and operation of the Windows registry, and investigation of malicious software locations in the registry and file system
- The skills to analyse and interpret malicious software, and investigate network activity initiated by malicious software infection
- An understanding of how to simplify complex evidence, and collate and report results
- An industry-recognised qualification in malware investigation
Outline
Analysis Environments
- Identify and define the five analysis environments
- Identify situations in which each of the investigation environments could be used effectively
- Identify their respective levels of risk both to the original data as well as other systems
Malicious Software
- Define the term 'malicious software'
- Identify and define different types of malicious software
- Identify similarities and differences between different types of malicious software
Malware Investigation
- Identify the stages of malware investigation
- Critically assess the capabilities and limitations of anti-malware tools
- Identify the different means of running software at system start-up
Methods of Deception
- Identify mechanisms of malware delivery
- Identify mechanisms of disguise
- Identify client security circumvention
Mounted Analysis
- Mounting forensic images as logical drives
- Using malware scanners against the mounted image
- Documenting the results of malware scans
- Using online scanners for further clarification
Booted Analysis
- Identify approaches to creating a booted analysis environment
- Experiment with making a Virtual Machine
- Identifying password implications
- Identifying and explaining the potential differences between mounted and booted analysis results
Network Analysis
- Identify key reasons for network analysis
- Methods of building a network for analysis
- Explaining network communication protocols
- Using traffic analysis tools for network analysis
- External Port Analysis
- Identifying and explaining the potential differences between network and other analysis results
Virtualisation Malware
- Explain how hardware Hypervisor support allows for virtualisation malware
- Define Type I, Type II and Type III malware
Simplifying Complex Evidence
- Aiming the report at a subject knowledge level fitting the target audience
- Discuss a sample report outline
Frequently asked questions
How can I create an account on myQA.com?
There are a number of ways to create an account. If you are a self-funder, simply select the "Create account" option on the login page.
If you have been booked onto a course by your company, you will receive a confirmation email. From this email, select "Sign into myQA" and you will be taken to the "Create account" page. Complete all of the details and select "Create account".
If you have the booking number you can also go here and select the "I have a booking number" option. Enter the booking reference and your surname. If the details match, you will be taken to the "Create account" page from where you can enter your details and confirm your account.
Find more answers to frequently asked questions in our FAQs: Bookings & Cancellations page.
How do QA’s virtual classroom courses work?
Our virtual classroom courses allow you to access award-winning classroom training, without leaving your home or office. Our learning professionals are specially trained on how to interact with remote attendees and our remote labs ensure all participants can take part in hands-on exercises wherever they are.
We use the WebEx video conferencing platform by Cisco. Before you book, check that you meet the WebEx system requirements and run a test meeting (more details in the link below) to ensure the software is compatible with your firewall settings. If it doesn’t work, try adjusting your settings or contact your IT department about permitting the website.
How do QA’s online courses work?
QA online courses, also commonly known as distance learning courses or elearning courses, take the form of interactive software designed for individual learning, but you will also have access to full support from our subject-matter experts for the duration of your course. When you book a QA online learning course you will receive immediate access to it through our e-learning platform and you can start to learn straight away, from any compatible device. Access to the online learning platform is valid for one year from the booking date.
All courses are built around case studies and presented in an engaging format, which includes storytelling elements, video, audio and humour. Every case study is supported by sample documents and a collection of Knowledge Nuggets that provide more in-depth detail on the wider processes.
When will I receive my joining instructions?
Joining instructions for QA courses are sent two weeks prior to the course start date, or immediately if the booking is confirmed within this timeframe. For course bookings made via QA but delivered by a third-party supplier, joining instructions are sent to attendees prior to the training course, but timescales vary depending on each supplier’s terms. Read more FAQs.
When will I receive my certificate?
Certificates of Achievement are issued at the end the course, either as a hard copy or via email. Read more here.