The CERT Advanced Forensic Response and Analysis security course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations.

The goal of this security course is to advance collection and processing skills of the students by outlining a structured process or flow to an incident response and intrusion investigation. Students will learn the pros and cons of common evidence collection measures and forensic analysis steps, methods for organizing analysis to identify relevant evidentiary data, and common areas containing items of evidentiary value to further their investigations.

The security course is an advanced forensic training course designed for forensic analysts in the public or private sector looking to build on their current forensic knowledge. Students should be active computer forensic professionals with an understanding of core forensic and information technology principles. Students who currently conduct incident response and/or intrusion investigations should find the course helpful to extend their knowledge base.
Students who currently conduct other types of computer forensic investigations will find it opens the door to new collection and analysis techniques. The course is designed to be fast-paced. Students should have more than a basic understanding of common forensic principles, including evidence collection and analysis, and should actively conduct computer forensic investigations as part of their current position.

Topics:

• Incident Preparation
• Incident Response
• Evidence Collection from Live Systems
• Malicious Software Identification
• Malicious Software Runtime Analysis
• Timeline Generation and Analysis
• Analysis of Windows System Artifacts

Objectives

At the completion of this course students will have the ability to better perform the following tasks:

• Prepare for an intrusion investigation, including performing reconnaissance and developing a known toolset.
  
  
• Best practices for responding to an incident and methods to collect the most relevant data to their investigations.
  
  
• Methods for performing analysis of victim and perpetrator systems. Students will be able to identify malicious applications, correlate system events with file activity, perform runtime analysis of malicious applications and identify resident artifacts subsequent to the intrusion.

Prerequisites

This is an advanced course. Students should have a solid understanding of Windows operating systems and windows artifacts, such as prefetch files, restore points, registry files and event logs. Students should also have a good understanding of Linux operating systems, including how to run applications from the terminal. Students should be familiar with developing a known or trusted toolset and evidence collection. Students should also be familiar with malicious software files. Knowledge of VMWare and virtual machine environments is required. Previous usage of forensic software applications such an EnCase, FTK and/or Sleuthkit is required.

Detailed information about Advanced Forensic Response and Analysis Security Course you can find at sei.cmu.edu