IT260, Forensics and Intrusions in a Windows Environment (FIWE)
Who Should Attend:
Training is available to DoD and federal law enforcement intrusion analysts.
Prerequisites:
TT110 (INCH), RT120 (CIRC), and FT210 (WFE-E) or applicable test-outs
Duration:
10 Days
Course Description:
FIWE is a scenario-based course that teaches students how
to conduct detailed Windows-based data analysis in a laboratory
environment. Students conduct forensic media and log file analysis
to determine the specifics of a Windows-based intrusion. Topics
also include the hacking methodologies that are key to
understanding an attack, as well as case preparation and management.
Objective:
Use tools and analysis techniques to analyze network traffic of
an intruder and correlate the findings with forensic evidence
found on a Windows victim machine.
Topics Covered:
Network Architecture and Information Assurance
- Network Architecture Basics, including LAN/WAN Topologies and Network Services
- Introduction to Wireshark and Creating Filters
- Network and Application Protocol Analysis
Identifying an Intrusion
- Computer Intrusions, Goals, Attacker Profiles and Intrusion Phases
- The Goals, Strategies and Techniques of Reconnaissance, Attack, Entrenchment and Abuse
Case Management and Investigative Methodology
- Investigating Using the Scientific Method
- Documentation
System Preparation and Forensic Analysis
- The Windows Operating System and fundamentals of Windows Artifact Analysis
- Forensic System Setup and Initial Case Processing
- Introduction to and installation of EnCase, Wireshark, jpcap, CoolMiner, Snort and Sawmill
- Analyzing First Responder Data
- File System Searching and Filtering
- Windows Registry, System Log, System Memory and Malicious Code Analysis
Network Device Analysis
- Fundamentals of Network Artifact Analysis
- Network Device Artifact Analysis
- Network Traffic Capture Analysis
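The course objective above asks students to tie an intruder's network traffic to the evidence left on the Windows victim. The script below is an added illustration of that correlation step and is not course material or code from the FIWE curriculum. It uses a constructed list of inbound TCP connections (the kind of table you would export from Wireshark after filtering on the victim address) and a constructed subset of Windows Security log records (Event ID 4624 network and RemoteInteractive logons, Event ID 4688 process creations). The victim address, the internal network range, the timing windows, and all sample records are assumptions chosen for the example.

```python
import ipaddress
from datetime import datetime, timedelta

VICTIM_IP = "10.0.0.5"                                 # assumption: Windows victim host
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # assumption: lab's internal range
TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample: inbound TCP connections to the victim, as exported from a
# capture (time of SYN, source IP, destination IP, destination port).
CONNECTIONS = [
    ("2024-03-01 09:14:02", "203.0.113.7", "10.0.0.5", 445),
    ("2024-03-01 09:14:05", "203.0.113.7", "10.0.0.5", 3389),
    ("2024-03-01 09:30:11", "10.0.0.9",    "10.0.0.5", 80),
]

# Constructed sample: fields pulled from the victim's Security log.
# 4624 = successful logon (type 3 network, type 10 RemoteInteractive),
# 4688 = new process created.
EVENTS = [
    {"time": "2024-03-01 09:14:03", "event_id": 4624, "logon_type": 3,
     "source_ip": "203.0.113.7", "account": "svc_backup"},
    {"time": "2024-03-01 09:14:09", "event_id": 4624, "logon_type": 10,
     "source_ip": "203.0.113.7", "account": "svc_backup"},
    {"time": "2024-03-01 09:14:40", "event_id": 4688,
     "process": r"C:\Windows\Temp\nc.exe", "account": "svc_backup"},
    {"time": "2024-03-01 09:30:12", "event_id": 4624, "logon_type": 3,
     "source_ip": "10.0.0.9", "account": "jsmith"},
]


def _t(s):
    return datetime.strptime(s, TS)


def _unique(items):
    """Preserve order while dropping duplicate event records."""
    out = []
    for it in items:
        if it not in out:
            out.append(it)
    return out


def correlate(connections, events, logon_window=30, proc_window=600):
    """For each connection to the victim, collect 4624 logons from the same
    source address within logon_window seconds after the SYN, then 4688
    process creations by the logged-on account within proc_window seconds
    after that logon.  Window sizes are assumptions for this example."""
    results = []
    for ts, src, dst, dport in connections:
        if dst != VICTIM_IP:
            continue
        t0 = _t(ts)
        logons = [e for e in events
                  if e["event_id"] == 4624 and e["source_ip"] == src
                  and t0 <= _t(e["time"]) <= t0 + timedelta(seconds=logon_window)]
        procs = []
        for lg in logons:
            t1 = _t(lg["time"])
            procs += [e for e in events
                      if e["event_id"] == 4688 and e["account"] == lg["account"]
                      and t1 <= _t(e["time"]) <= t1 + timedelta(seconds=proc_window)]
        results.append({
            "connection": (ts, src, dst, dport),
            # A source outside the assumed internal range is worth a closer look.
            "external_source": ipaddress.ip_address(src) not in INTERNAL_NET,
            "logons": logons,
            "processes": _unique(procs),
        })
    return results


def report(results):
    """Render one line per correlated connection for the case notes."""
    lines = []
    for r in results:
        ts, src, _, dport = r["connection"]
        accts = sorted({lg["account"] for lg in r["logons"]})
        procs = [p["process"] for p in r["processes"]]
        tag = "EXTERNAL" if r["external_source"] else "internal"
        lines.append(f"{ts} {src}->:{dport} [{tag}] logons={accts} procs={procs}")
    return lines


if __name__ == "__main__":
    for line in report(correlate(CONNECTIONS, EVENTS)):
        print(line)
```

Matching on source address and a short time window is deliberately loose: a single remote host that opens SMB and then RDP will legitimately match two logon records, and the analyst, not the script, decides which session produced the later process creation. The point is to move from "a connection happened" in the capture to "this account, from this address, ran this binary" on the host, which is the evidence chain a case file needs.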