Group-IB and Belkasoft joint courses: what we will teach and who will attend

Algorithms and tactics for responding to information security incidents, trends in current cyber attacks, approaches to investigating data leaks in companies, examining browsers and mobile devices, analyzing encrypted files, extracting geolocation data and analyzing large volumes of data: all these and other topics can be studied in the new joint courses of Group-IB and Belkasoft. In August we announced the first Belkasoft Digital Forensics course, which starts on September 9, and, having received a large number of questions, we decided to describe in more detail what students will study and what knowledge, competencies and bonuses (!) those who reach the end will receive. Everything in order.

Two in one

The idea of holding joint training courses appeared after participants of the Group-IB courses began to ask about a tool that would help them investigate compromised computer systems and networks and combine the functionality of the various free utilities that we recommend using during incident response.

In our opinion, Belkasoft Evidence Center could be such a tool (we have already discussed it in Igor Mikhailov's article "Key to start: the best software and hardware for computer forensics"). Therefore, together with Belkasoft, we have developed two training courses: Belkasoft Digital Forensics and Belkasoft Incident Response Examination.

IMPORTANT: the courses are sequential and interconnected! Belkasoft Digital Forensics is dedicated to the Belkasoft Evidence Center program, and Belkasoft Incident Response Examination is dedicated to incident investigation using Belkasoft products. That is, before studying the Belkasoft Incident Response Examination course, we strongly recommend that you complete the Belkasoft Digital Forensics course. If you start right away with the incident investigation course, you may have annoying knowledge gaps in using the Belkasoft Evidence Center and in finding and examining forensic artifacts. As a result, during the Belkasoft Incident Response Examination course the student will either not have time to master the material or will slow down the rest of the group, since training time will be spent on the trainer explaining material from the Belkasoft Digital Forensics course.

Computer forensics with Belkasoft Evidence Center

The purpose of the Belkasoft Digital Forensics course is to introduce students to the Belkasoft Evidence Center program and teach them to use it to collect evidence from various sources (cloud storage, random access memory (RAM), mobile devices, and storage media such as hard drives and flash drives), to master basic forensic methods and techniques, and to learn methods for the forensic examination of Windows artifacts, mobile devices and memory dumps. You will also learn how to identify and document browser and instant messaging artifacts, create forensic copies of data from various sources, extract geolocation data and search for text sequences (keyword search), use hashes in examinations, analyze the Windows registry, examine unknown SQLite databases, and apply the basics of examining graphic and video files and the analytical techniques used in investigations.

The course will be useful for experts with specialization in the field of computer-technical expertise (computer expertise); technical specialists who determine the reasons for a successful intrusion, analyze the chain of events and the consequences of cyber attacks; technical specialists who identify and document data theft (leakage) by an insider (internal offender); e-Discovery specialists; SOC and CERT/CSIRT staff; information security officers; enthusiasts of computer forensics.

Course plan:

  • Belkasoft Evidence Center (BEC): first steps
  • Creating and processing cases in BEC
  • Collecting digital evidence in a forensic investigation with BEC
  • Use of filters
  • Reporting
  • Exploring instant messaging programs
  • Web browser research
  • Mobile device research
  • Extracting geolocation data
  • Search for text sequences in cases
  • Data extraction and analysis from cloud storages
  • Using bookmarks to highlight significant evidence found during research
  • Examining Windows system files
  • Windows registry analysis
  • SQLite database analysis
  • Data recovery methods
  • Techniques for examining RAM dumps
  • Use of the hash calculator and hash analysis in forensic investigations
  • Analysis of encrypted files
  • Methods for researching graphic and video files
  • The use of analytical techniques in forensic research
  • Automation of routine actions using the built-in Belkascripts programming language
  • Practical exercises

Course: Belkasoft Incident Response Examination

The purpose of the course is to learn the basics of forensic investigation of cyber attacks and how Belkasoft Evidence Center can be used in such investigations. You will learn about the main vectors of modern attacks on computer networks, how to classify attacks using the MITRE ATT&CK matrix, how to apply operating system examination algorithms to establish the fact of compromise and reconstruct the attackers' actions, where the artifacts are located that show which files were opened last, where the operating system stores information about the loading and execution of executable files, how the attackers moved through the network, and how to examine these artifacts with BEC. You will also learn which system log events are of interest for incident investigation and for establishing remote access, and how to investigate them with BEC.

The course will be useful for technical specialists who determine the reasons for a successful intrusion, analyze the chain of events and the consequences of cyber attacks; system administrators; SOC and CERT/CSIRT staff; information security personnel.

Course Overview

The Cyber Kill Chain describes the main stages of any technical attack on the victim's computers (or computer network) as follows:

[Figure: stages of the Cyber Kill Chain]

The actions of SOC employees (CERT, information security staff, etc.) are aimed at preventing intruders from accessing protected information resources.

If the intruders nevertheless penetrated the protected infrastructure, then the above persons should try to minimize the damage from the activities of the attackers, determine how the attack was carried out, reconstruct the events and sequence of actions of the attackers in the compromised information structure and take measures to prevent this type of attacks in the future.

In a compromised information infrastructure, the following types of traces can be found that indicate a network (computer) compromise:

[Figure: types of traces indicating a compromise]

All such traces can be found using Belkasoft Evidence Center.

BEC has an "Incident Investigation" module in which, when a storage medium is analyzed, information about artifacts that can help the examiner investigate incidents is collected.

[Screenshot: the BEC "Incident Investigation" module]

BEC supports the examination of the main types of Windows artifacts that indicate the launch of executable files on the system under investigation, including Amcache, UserAssist, Prefetch, BAM/DAM, the Windows 10 timeline, and system event analysis.

Information about traces containing information about user actions in a compromised system can be presented in the following form:

[Screenshot: traces of user actions as presented in BEC]

This information, among other things, includes information about the launch of executable files:

[Screenshot: information about running the file 'RDPWInst.exe']

Information about the attackers' persistence on compromised systems can be found in Windows registry autostart keys, services, scheduled tasks, logon scripts, WMI, and so on. Examples of detected persistence in a compromised system can be seen in the following screenshots:

[Screenshot: attacker persistence via the Task Scheduler, using a task that runs a PowerShell script]

[Screenshot: attacker persistence via Windows Management Instrumentation (WMI)]

[Screenshot: attacker persistence via a logon script]

The movement of attackers across a compromised computer network can be detected, for example, by analyzing Windows system logs (when the attackers use the RDP service).

[Screenshot: information about detected RDP connections]

[Screenshot: information about the movement of attackers through the network]
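The RDP-based lateral movement described above can be reconstructed from Security log logon events. As an added example (not the article's or Belkasoft's code), the following Python builds such a timeline from constructed event 4624 records in the XML form that `wevtutil qe Security /f:xml` exports; the event ID and field names are real Windows ones, while the hosts, accounts and addresses are made up.

```python
"""RDP lateral-movement timeline from Windows Security log records (added example).

Keeps only event 4624 (logon) records whose LogonType is 10 (RemoteInteractive),
i.e. logons made over RDP. A network logon (type 3) from the same source is
deliberately skipped so it is not mistaken for an RDP session.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RDP_LOGON_TYPE = "10"  # LogonType 10 = RemoteInteractive (RDP / Terminal Services)


def _record(time, computer, user, logon_type, ip):
    """Build one constructed 4624 record using the field names Windows actually emits."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')


# Constructed sample data: two RDP hops (out of order) plus one SMB-style network logon.
SAMPLE_EVENTS = "<Events>" + "".join([
    _record("2019-09-01T10:40:00Z", "SRV02.corp.example", "admin", "10", "10.0.0.21"),
    _record("2019-09-01T10:15:00Z", "WS01.corp.example", "jdoe", "10", "10.0.0.5"),
    _record("2019-09-01T10:16:00Z", "WS01.corp.example", "jdoe", "3", "10.0.0.5"),
]) + "</Events>"


def rdp_logons(xml_text):
    """Return (time, target host, account, source IP) for each RDP logon, oldest first."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("LogonType") != RDP_LOGON_TYPE:
            continue  # interactive/network/service logons are not RDP sessions
        rows.append((ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
                     ev.findtext("e:System/e:Computer", namespaces=NS),
                     f"{data.get('TargetDomainName')}\\{data.get('TargetUserName')}",
                     data.get("IpAddress")))
    return sorted(rows)  # ISO-8601 UTC timestamps sort chronologically as strings


def source_hosts(rows):
    """Map each source IP to the hosts it opened RDP sessions to (pivot view of the hops)."""
    hops = {}
    for _time, host, _account, ip in rows:
        hops.setdefault(ip, set()).add(host)
    return hops


if __name__ == "__main__":
    for row in rdp_logons(SAMPLE_EVENTS):
        print("%s  %-20s %-12s from %s" % row)
```

Feeding the real export of several hosts' Security logs into `rdp_logons` and then `source_hosts` gives the chain of machines an RDP session originated from, which is the "movement through the network" view shown in the screenshot above.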

Thus, Belkasoft Evidence Center is able to help examiners identify compromised computers in an attacked network, find traces of malware launches, of persistence on the system and of movement through the network, and other traces of attacker activity on compromised computers.

How to conduct such studies and detect the artifacts described above is described in the Belkasoft Incident Response Examination training course.

Course plan:

  • Trends in cyberattacks. Technologies, tools, goals of attackers
  • Using threat models to understand the tactics, techniques, and procedures of attackers
  • Cyber kill chain
  • Incident response algorithm: identification, localization, generation of indicators, search for new infected nodes
  • Analyzing Windows Systems with BEC
  • Identification of primary infection methods, network propagation, persistence, network activity of malware using BEC
  • Identification of infected systems and restoration of infection history using BEC
  • Practical exercises

FAQ

Where are the courses held?
Courses are held at the Group-IB headquarters or at an external site (a training center). The trainer can also travel to a corporate customer's premises.

Who conducts the classes?
Trainers at Group-IB are practitioners with many years of experience in forensic investigations, corporate investigations and information security incident response.

The qualification of trainers is confirmed by numerous international certificates: GCFA, MCFE, ACE, EnCE, etc.

Our trainers easily find a common language with the audience, explaining even the most complex topics in an accessible way. Students will learn a lot of relevant and interesting information about the investigation of computer incidents and methods for detecting and countering computer attacks, and will receive real practical knowledge that they can apply immediately after completing the course.

Will the courses provide useful skills that are not related to Belkasoft products, or will these skills be inapplicable without this software?
The skills acquired during the trainings will be useful even without using Belkasoft products.

What is included in the initial testing?

Primary testing is a test of knowledge of the basics of computer forensics. Testing for knowledge of Belkasoft and Group-IB products is not planned.

Where can I find information about the company's educational courses?

Within the framework of its educational courses, Group-IB trains specialists in incident response, malware research, cyber intelligence (Threat Intelligence), work in a Security Operation Center (SOC), proactive threat search (Threat Hunting), etc. A complete list of Group-IB's own courses is available here.

What bonuses do students who complete the joint courses of Group-IB and Belkasoft receive?
Those who completed the joint courses of Group-IB and Belkasoft will receive:

  1. course completion certificate;
  2. free monthly subscription to Belkasoft Evidence Center;
  3. 10% discount for purchasing Belkasoft Evidence Center.

We remind you that the first course starts on Monday, September 9. Do not miss the opportunity to gain unique knowledge in the field of information security, computer forensics and incident response! Registration for the course is here.

Sources

In preparing the article, Oleg Skulkin's presentation "Using host-based forensics to get indicators of compromise for successful intelligence-driven incident response" was used.

Source: habr.com