Forensics 101: Windows vs. Malwares

Catalogue number: #7519 | Course length: 32 academic hours | Number of sessions: 4

The goal of computer forensics is to examine digital media in a forensically sound manner, with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
In this course, you will investigate compromised computers, build a timeline from the evidence found on the victim's host, and analyze the malware with a wide range of tools.



What you will learn:

  • Data acquisition from a suspect's computer
  • Data integrity as part of the forensics process
  • Forensics methodology and malware analysis methodology
  • Interesting Windows footprints
  • Analyzing malware with static tools
  • Malware hunting with dynamic tools
  • Malware analysis with sandboxes
  • Incident Response (IR) methodology
  • IR process – from incident to report

Target audience

  • Junior level in systems (Windows, Linux) and networking (TCP/IP)
  • SOC juniors who wish to advance to an IR team

Prerequisites

  • Good system skills (Linux or Windows, preferably both)
  • Good understanding of networking technologies (IP, TCP, DNS, HTTP, HTTPS)


Part 1: Forensics Methodology

  • Computer forensics in today’s world
  • Computer forensics investigation process
  • Investigation with Cyber Kill Chain
  • Malware footprints
  • Data Acquisition


Part 2: Digital Forensics

  • Building your own environment
  • Logging as part of investigation process
  • Creating a timeline
  • Windows Artifacts
  • Registry footprints
  • File hashing
  • Mail & attachments
  • Explorers


Part 3: Static Malware Analysis

  • Types of malware
  • Getting information from strings
  • Packers in general
  • Imported DLLs
  • PE structure


Part 4: Dynamic Malware Analysis

  • Identifying malicious processes
  • Malware persistence
  • Suspicious network connections
  • Monitoring the malware
  • Sandboxes


Part 5: Memory Forensics (Optional)

  • Memory structure
  • Acquiring RAM
  • Introduction to Volatility Framework
  • Investigating strange processes
  • Getting network connections
  • Building a timeline


Part 6: Putting it all together

  • Investigating a compromised host – from incident to report
  • Memory analysis (Optional)