HBFITES Data Center, Collaboration, Security, Storage, Wireless, Telepresence Training +91-9886770046 info@hbfites.com

OSIA - Operating Systems Intrusion Analysis

Description

While the security industry and its professionals continue to seek a silver-bullet solution to the pitfalls of Intrusion Detection Systems, the reality is that no solution eliminates human decision making as part of the analysis process. Too many companies forget this, investing heavily in infrastructure without making a comparable investment in their analytical personnel. Even large companies make the mistake of relying on the machine rather than the analyst.

Discovering exactly how an intruder infiltrated a system is difficult without prior information about that system. This course teaches students how to correctly baseline an operating system and preserve that information so it can later be used to confirm whether or not an intrusion has taken place. It also teaches the fundamental commands and tools used to investigate the areas of a system that commonly reveal intrusions or lead to further analysis. Both the Windows and Linux operating systems are covered.

Objectives

Attending students will learn:

  • Proactive Auditing / Monitoring
  • Establishing a Baseline
  • Looking for Signs of Intrusions
  • Evidence of Rootkits
  • Examining Log Files
  • Examining User and Group Accounts
  • Auditing Services and Daemons
  • MD5, SHA1 Hashing
  • Digital Signature Verification

Prerequisites

You should possess knowledge of the following:

  • Microsoft Windows and Linux Command Line Experience
  • VMware or other virtualization software is recommended
  • The Operating Systems Fundamentals and Basic Malware Analysis courses are highly recommended

Who Should Attend

  • Incident Responders who need to quickly address a security breach
  • Forensic Investigators who need to identify malicious intrusions
  • Exploitation Analysts needing operating system knowledge
  • Malware Analysts requiring a thorough understanding of operating system intrusions

Outline

Windows Intrusion Analysis

  • Understanding Disk Drives
    • Track Sectors
    • Geometric Sectors
    • CHS Calculation
    • Sector Zoning
  • Microsoft File Structures
    • FAT and NTFS
    • Logical Partitions
    • Partition Tables
    • Disk Editors
    • Master Boot Record
    • NTFS Data Streams
    • NTFS Encrypting File System (EFS)
    • Understanding the Boot Sequence
  • Microsoft Windows Registry
    • Files associated with the registry
    • Registry Structure and Elements
    • Registry use in boot process
    • Registry Security
    • Using Reg.exe
  • Windows Intrusions
    • Baselining a Windows System
    • Finding Rootkits
    • Log File Reviews
    • User Account and Group Auditing
    • Unauthorized User Rights
    • Auto-Start Applications
    • Registry Startup Keys
    • Unauthorized Services
    • Windows Management Instrumentation (WMI)
    • Legacy Files
    • Hashing Files
    • Digital Signatures
    • Network Configuration Alteration
    • Unauthorized Shares
    • Unauthorized Scheduled Jobs & Processes
    • Hidden / Unusual Files
    • Altered Permissions on Files
  • Memory Forensics
    • Volatility Principle
    • Locard's Exchange Principle
    • Order of Volatility
    • Memory Analysis
    • Virtual Address Descriptor
    • VAD Tree
    • Parsing the VAD
    • Windows Memory Imaging Tools
      • MDD
      • WinDD
      • Windows Memory Forensics Toolkit
    • Linux Memory Imaging Tools
      • DD
      • Second Look
      • Idetect
    • Memory Analysis Tools
      • Volatility
      • Moonsols
      • FTK
  • Web Browser Forensics
    • Web Browsing History
    • Cookies
    • Temporary Internet Files
    • Open Source Tools
      • Pasco
      • Galleta
    • Index.dat Files
    • History Locations

Linux Intrusion Analysis

  • Linux O/S Fundamentals
    • Linux Evolution
    • Linux History
  • Linux Boot Sequence
    • BIOS
    • Boot Loader
    • Kernel Initialization
    • Init Program
    • Shell Startup
  • Disk Imaging
    • Using DD To Image Disks
  • File System Identification
    • Five Ways to Identify File Systems
      • mount Command
      • file Command
      • cat Command
      • fsck Command
      • df Command
  • Identifying Files and Contents
    • File Hashing
    • Identifying File Contents
    • Strings Command
    • Hexdump Command
  • Linux Baselining
    • Gathering O/S Information
    • Getting Physical Memory Dump
    • Taking Inventory of Loaded Kernel Modules
    • Taking Inventory of Active Processes
    • Examining Suspicious Processes
    • Verifying Accounts
    • Log File Analysis
    • Auditing System Resource Usage
    • SUID Binaries
    • File Size Auditing
    • Hidden Files
  • Day 4: Reserved for Student Lab Time
    • Instructor Demonstrations
    • Student Practical Labs
  • Day 5: Student Practical Demonstration:
      Students are given a multi-environment intrusion scenario to investigate using the knowledge, skills, and abilities taught from the 4 days of class. This scenario will have challenges in both Windows and Linux
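The baselining workflow the course description and the Linux Baselining topics describe (capture a known-good inventory of the system, keep it somewhere the intruder cannot reach, and diff it later to confirm or rule out an intrusion) in concrete form. This is an added example, not course material: the function names are my own, it assumes GNU or busybox coreutils (sha256sum, stat -c, find with -exec ... +), and the demo runs on a throwaway directory tree constructed inline rather than on a real host. The course outline lists MD5 and SHA-1 for file hashing; the example uses SHA-256, because an attacker who can craft both versions of a file can produce MD5 and SHA-1 collisions, which defeats an integrity check.

```shell
#!/bin/sh
# Added example, not course material: a minimal "baseline now, compare later"
# routine of the kind the course teaches for Linux. Function names are my own;
# assumes GNU or busybox coreutils (sha256sum, stat -c, find -exec ... +).

# capture_tree ROOT OUT
# Inventory ROOT into OUT/, recording what an analyst later checks for tampering:
#   files.meta    mode, size and path of every regular file
#   files.sha256  SHA-256 of every regular file
#   suid.txt      setuid/setgid files (a new one is a classic backdoor)
#   hidden.txt    dot-files and dot-directories
# Paths are stored relative to ROOT so a baseline taken on the live system can
# be compared with a disk image mounted read-only at some other path.
capture_tree() {
    local root="$1" out="$2"
    mkdir -p "$out"
    (cd "$root" && find . -type f -exec stat -c '%a %s %n' {} + | sort -k3) > "$out/files.meta"
    (cd "$root" && find . -type f -exec sha256sum {} + | sort -k2) > "$out/files.sha256"
    (cd "$root" && find . -type f \( -perm -4000 -o -perm -2000 \) | sort) > "$out/suid.txt"
    (cd "$root" && find . -name '.?*' | sort) > "$out/hidden.txt"
}

# capture_live OUT
# Volatile state: run this before the disk walk so the order of volatility is
# respected (kernel modules, processes and sockets change; files mostly do not).
capture_live() {
    local out="$1"
    mkdir -p "$out"
    [ -r /proc/modules ] && cp /proc/modules "$out/modules.txt"
    ps -eo pid,ppid,user,comm,args > "$out/ps.txt" 2>/dev/null || ps > "$out/ps.txt"
    [ -r /etc/passwd ] && cp /etc/passwd "$out/passwd.txt"
    [ -r /etc/group ] && cp /etc/group "$out/group.txt"
    { ss -ltunp 2>/dev/null || netstat -ltunp 2>/dev/null; } > "$out/listeners.txt"
    return 0
}

# compare_baseline OLD NEW
# Print every added, removed or changed entry; return 0 when the captures match
# and 1 when they differ, so the result can drive a script or a scheduled alert.
compare_baseline() {
    local old="$1" new="$2" rc=0 f
    for f in files.sha256 files.meta suid.txt hidden.txt; do
        if ! diff "$old/$f" "$new/$f" > /dev/null; then
            echo "== $f"
            diff "$old/$f" "$new/$f" | grep '^[<>]' | sed 's/^< /- baseline: /; s/^> /+ now:      /'
            rc=1
        fi
    done
    return $rc
}

# demo: build a throwaway tree, baseline it, simulate a compromise, compare.
demo() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/root/bin" "$work/root/home/user"
    printf 'real ls binary\n' > "$work/root/bin/ls"
    printf 'meeting notes\n' > "$work/root/home/user/notes.txt"
    capture_tree "$work/root" "$work/baseline"

    # Constructed compromise: a trojaned binary, a hidden setuid shell, and a
    # permission change that leaves the content (and therefore the hash) intact.
    printf 'trojaned ls\n' > "$work/root/bin/ls"
    printf '#!/bin/sh\nexec /bin/sh\n' > "$work/root/bin/.sh"
    chmod 4755 "$work/root/bin/.sh"
    chmod 666 "$work/root/home/user/notes.txt"
    capture_tree "$work/root" "$work/after"

    if compare_baseline "$work/baseline" "$work/after"; then
        echo "no differences"
    else
        echo "differences found: investigate before trusting this host"
    fi
    rm -rf "$work"
}

demo
```

Keep the baseline directory off the host (or sign it): a rootkit that can replace /bin/ls can just as easily rewrite a hash list stored beside it. When a rootkit is suspected, compare against an image mounted read-only rather than the running system, since a kernel-level rootkit can lie to find and stat on the live host; the relative paths in the captures are what make that comparison possible.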

Lab Outline

Day 1

  • Master File Table Lab
  • Diskview Lab
  • Alternate Data Streams Lab
  • Mining Registry Data From The Command Line

Day 2

  • Baselining a Windows System Lab
  • Windows Intrusion Lab #1
  • Windows Intrusion Lab #2
  • Windows Intrusion Lab #3
  • Windows Intrusion Lab #4

Day 3

  • Windows Memory Forensics Lab
  • Windows Memory Imaging Lab
  • Windows Intrusion Lab #5
  • Windows Intrusion Lab #6
  • Windows Intrusion Lab #7
  • Windows Intrusion Lab #8

Day 4

  • Baselining a Linux System Lab
  • Linux Intrusion Lab #1
  • Linux Intrusion Lab #2
  • Linux Intrusion Lab #3
  • Linux Intrusion Lab #4
  • Linux Intrusion Lab #5

Day 5

  • Student Practical Demonstration: Students are given a multi-environment intrusion scenario to investigate using the knowledge, skills, and abilities taught in the first 4 days of class. The scenario includes challenges in both Windows and Linux.