This Endpoint Live Forensics course teaches students how to identify abnormal activity and investigate a running system that may have been compromised. Students learn a sound methodology together with the most useful commands and tools for revealing significant indicators of infiltration during an investigation, as well as how to create a system baseline for use in future analysis. Both the Windows and Linux operating systems are covered.
Before taking this course, students should be familiar with the Windows command-line interface and have a basic knowledge of TCP/IP networking.
5 Days/Lecture & Lab
- Identify the core components of the operating system and ascertain their current state using built-in or other trusted tools
- Analyze a running system and detect abnormal behavior relating to operating system objects such as processes, handles, network connections, etc.
- Use event log analysis to verify and correlate the artifacts of anomalous behavior, and determine the scope of an intrusion
- Use PowerShell to interact with the operating system and build scripts to automate repetitive analytic tasks
- Create and use a system baseline to identify unexpected items such as rogue accounts or configuration changes
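As an added illustration of the last two objectives (scripting repetitive analytic tasks in PowerShell, and creating and diffing a system baseline), the script below is example code written for this page, not course material. It snapshots local accounts, Administrators membership, services, WMI-registered autoruns and listening TCP ports on a Windows host, saves them as JSON, and on a later run reports what was added or removed. The file path, the function names and the choice of object categories are assumptions; it relies on the built-in `Get-LocalUser`, `Get-LocalGroupMember`, `Get-Service`, `Get-CimInstance` and `Get-NetTCPConnection` cmdlets (Windows PowerShell 5.1 or later, run from an elevated prompt).

```powershell
# Example baseline/compare script (added illustration, not the course's own code).
# Usage:  .\Compare-Baseline.ps1 -Mode Baseline   # capture a known-good state
#         .\Compare-Baseline.ps1 -Mode Compare    # diff the live system against it
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Baseline',
    # Assumed storage location; keep the baseline somewhere the host cannot tamper
    # with it (e.g. copy it off-box) if it is meant to be trusted later.
    [string]$BaselinePath = "$env:ProgramData\endpoint-baseline.json"
)

function Get-SystemSnapshot {
    # Each object is reduced to a stable string key so Compare-Object can diff it
    # without caring about property order or live-only fields such as PIDs.
    [ordered]@{
        LocalUsers     = @(Get-LocalUser |
                           ForEach-Object { "$($_.Name)|Enabled=$($_.Enabled)" })
        LocalAdmins    = @(Get-LocalGroupMember -Group 'Administrators' |
                           ForEach-Object { "$($_.Name)|$($_.ObjectClass)" })
        Services       = @(Get-Service |
                           ForEach-Object { "$($_.Name)|$($_.StartType)" })
        Autoruns       = @(Get-CimInstance Win32_StartupCommand |
                           ForEach-Object { "$($_.Name)|$($_.Location)|$($_.Command)" })
        ListeningPorts = @(Get-NetTCPConnection -State Listen |
                           ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } |
                           Sort-Object -Unique)
    }
}

function Save-Baseline {
    $snapshot = Get-SystemSnapshot
    $snapshot['CapturedAt'] = (Get-Date).ToString('o')   # record when the baseline was taken
    $snapshot['Host']       = $env:COMPUTERNAME
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath"
}

function Compare-ToBaseline {
    if (-not (Test-Path $BaselinePath)) {
        throw "No baseline found at $BaselinePath; run with -Mode Baseline first."
    }
    $baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
    $current  = Get-SystemSnapshot

    foreach ($category in $current.Keys) {
        # @() guards against a single-item category that JSON round-trips as a scalar.
        $reference  = @($baseline.$category)
        $difference = @($current[$category])
        $diff = Compare-Object -ReferenceObject $reference -DifferenceObject $difference
        foreach ($d in $diff) {
            # '=>' means present now but absent in the baseline; '<=' the reverse.
            $change = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            [pscustomobject]@{
                Category = $category
                Change   = $change
                Item     = $d.InputObject
            }
        }
    }
}

switch ($Mode) {
    'Baseline' { Save-Baseline }
    'Compare'  {
        $findings = @(Compare-ToBaseline)
        if ($findings.Count -eq 0) {
            Write-Host "No differences from baseline captured $($(Get-Content -Raw $BaselinePath | ConvertFrom-Json).CapturedAt)"
        } else {
            # An ADDED LocalAdmins or Autoruns row is the kind of item worth pivoting
            # into event-log review (4720/4732 account and group changes, 7045 new service).
            $findings | Sort-Object Category, Change | Format-Table -AutoSize
        }
    }
}
```

The string keys deliberately exclude volatile fields (owning PID, service status) so that a reboot alone does not flood the diff; the categories are easy to extend with anything else the investigation cares about, such as scheduled tasks or `Run` registry keys, as long as each entry is rendered to a deterministic string.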