AX310 Axiom Incident Response Examinations
AX310 is an expert-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to expand their knowledge base on advanced forensics and incident response techniques and want to improve computer investigations. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.
Description
AX310 will give participants the knowledge and skills they need to track incidents where unauthorized computer access and file usage has taken place on a computer system. This course utilizes Magnet Axiom, Axiom Cyber, Axiom Ignite (Cloud investigation tool), Magnet Response and third-party tools to explore the evidence in greater depth by learning about volatile data will be created to capture volatile data in class that students can take with them for use in applications beyond the classroom.
In this course, a deeper understanding of investigating incidents involving malware and network intrusions into Windows computers will be provided. Students will conduct a static analysis of malware and learn about sandbox malware.
After the static analysis of the malware, students will activate the malware in the virtual environment and conduct a dynamic analysis. They will also capture packets during the malware activation to capture information from the malware regarding its command and control server. An analysis of the captured information from the network communication will then be conducted to determine what the malware is designed to do, such as spread laterally on the network, escalate user privileges, create new users, search for PII or send collected data back to the command and control server.
By searching through artifacts like Windows Prefetch, SRUM, AMCACHE, Jumplists, LNK files, SHIMCACHE, MUICACHE, UserAssist, Windows Event logs, and the $Logfile, participants will determine the initial attack vector of the malware and the chain of events that took place thereafter.
What to expect
When it comes to incident response, it’s important to know which questions to ask and when. Hear from Magnet Forensics Trainer, Nick Bria, about Axiom Incident Response Examinations (AX310) and how it can help student learn advanced forensics and incident response techniques and improve their computer investigations.
Course prerequisites
Because AX310 is an expert-level course, it is recommended that students first complete Magnet Axiom Examinations (AX200). AX200 will provide a thorough understanding of Axiom that will help students focus on the Incident Response part of investigations in AX310. Click Here to find out more about AX200.
Course modules
Module 1: Course introduction
- Students will be introduced to each other, to the instructor(s) and to Magnet Axiom.
Module 2: Course overview
- An overview of the course will be presented to students along with the learning objectives and expected outcomes for the four-day training event.
Module 3: Mitre attack navigator and NIST controls
- This module focuses on how you can map and plot an adversary in your network, understand the goals a threat tries to obtain and what techniques that are available under each attack goal. The participant will also see how the NIST controls can be used to help organization prepare policies and help identify areas in your policies or procedures that may need to be updated. Also, this module will show the Cyber Kill Chain and PRESENT mitigation steps used against attacker.
Module 4: Malware overview
- A high-level overview of the different types of malwares seen and what they can do. Showing how the threat actors will utilize tools that come on a Windows computer by default, like PowerShell or Schedule tasks so they can keep persistence and other tools.
Module 5: Where do we start?
- The student will examine the information provided by the initial incident reporter and then look and understand if the information can be corroborated or not, the investigator will also check to see if the time frame needs to be widened thereby increasing the scope of the investigation.
Module 6: Packet captures (PCAP)
- Network traffic is sometimes key to understanding how malware arrived at the network and how the malware allows nefarious actors to travel through the network. This module focuses on capturing, filtering, and analyzing network traffic to track down network intrusions and perform network forensics.
Module 7: IRTK & Magnet Response
- During this module, students will learn the necessity of collecting volatile data from a suspect computer. They will use the output to determine a starting point for the examination while the forensic images are being processed by Axiom.
Module 8: RAM
- Participants will parse RAM from a computer involved in a malware incident and determine what programs were running and from what location. Students will also investigate the malware to determine what computer user was associated with it.
Module 9: Axiom Cyber investigator
- Using the Axiom Cyber license the participant will understand the benefits of having a tools that can connect to a remote computer and grab volatile data, make full disk images and get important files and folders. They will learn how to create a Cyber agent, configure it for the remote, deploy it and pull the data back to the investigating computer in real time.
Module 10: Static analysis of malware
- Participants will set up and learn how mark their tools if used to conduct investigations thereby identifying rouge tools. Using third party tools to examine potential malware files without them being detonated and pulling strings from within the suspicious file.
Module 11: Pattern matching & searching with YARA
- This module will use the information obtained from the previous module and use that data to create a pattern matching rule using YARA. The participant will understand the makeup of a YARA rule and how to correctly security mark the rule using the TLP protocol. Once the rule is created use that to search our data set for hits.
Module 12: Online analysis of malware
- In this module, students will online sandbox environments to monitor the activity of the malware. They will learn of some of the pit falls of using online sandboxes.
Module 13: Log files and why they are important
- Students will understand an important step of the investigation is to gather log files. Where they can be found, and the different types of logs or other areas that can provide information what the computer was doing like, Prefetch, SRUM, AMCACHE, JUMPLIST, LNK, USERASSIST.
Module 14: Bringing our investigation to a close
- During the module, students will learn how to put all the pieces of the investigation together through the correlation of all the data they have collected during the preceding modules.
Module 15: Another type of incident response investigation?
- To further reinforce the instructional goals of the course, students are presented with a final scenario, which represents a cumulative review of the exercises conducted in each of the previous modules.
Additional information
Who should attend: Participants who are unfamiliar with the principles of digital forensics
Advanced preparation: None
Program level: Advanced-level
Field of study: Computer software & applications
Delivery method: Group internet based & group live
Refunds and cancellations: Training Course(s) can be rescheduled to a later date or cancelled by either Magnet Forensics or you without charge or penalty if written notice is received twenty-one (21) days or more prior to the date of the Training Course. No rescheduling shall be permitted on less than twenty-one (21) days written notice, which shall constitute a cancellation without a refund. Your written rescheduling or cancellation notice must be emailed to training@magnetforensics.com or contact 202.984.3417. If Magnet Forensics cancels a Training Course due to insufficient attendance, you will have the option to register in a different scheduled Training Course or receive a full refund. Please do not book travel until you have confirmed that the Training Course will be running.
Magnet Forensics is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website:www.nasbaregistry.org.