Become an Incident Handler

Students will use perform incident response on a compromised machine.

In this lab, students will install FTK Imager and use it to image a disk within Windows. Students will also use dd to image a system and perform a live image acquisition using Kali Linux.

In this lab, students will examine two disk image files and their hashes using MD5 and SHA-1. Students will also use a tool called hashtab to verify the files have not been altered.

In this lab, you will get an opportunity to examine a system that was and is still actively compromised by an attacker. You have likely read articles in the news or heard from your professors about some of the various high-profile attacks where large companies had systems compromised. It is important to be able to look at a system and know how to examine it in order to determine if the system has been compromised. There are utilities that are built into the operating system as well as third-party utilities that can be utilized to help you determine if a system is compromised. Some of the common tasks that be performed to check for a system compromise include examining network connections, file time stamps, viewing the registry, and dumping and examining the RAM of the system. This lab will help you learn about the possible indications of a compromised system.

In this lab, students will enable auditing of Host machines and also review security logs in Event Viewer. Students will learn to identify artifacts that are generated on Windows systems.

This lab is part of a series of lab exercises intended to support courseware for Forensics training. The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. In this lab, students will enumerate hosts on the network using various tools. This lab includes the following tasks: Examining Windows Event Logs Examining Windows IIS Logs Examining Linux Log Files

When defending networked digital systems, attention must be paid to the logging mechanisms set in place to detect suspicious behavior. In this lab, students will work with Splunk to help correlate server logs, system logs, and application logs in order to determine if an attacker was successful, and if so what happened and how they got in.

Take on the role of the lead incident responder on a sysadmin team, and use incident response methodologies to: determine what happened, identify any malicious files found on the system, take the appropriate steps to resolve any discovered issues, and investigate critical system modifications to determine if a virus was installed on the machine.

In this lab, you will learn how to search through a forensic disk image in dd format to find artifacts related to an intrusion on a Linux Server. Some of the relevant forensic artifacts from a Linux system include apache log files, the history file, and the secure or auth.log file, which includes valuable information such as SSH connections or user account activity. You will find that forensic analysis of a Linux system is far different than forensics in Windows.

In this lab, you will learn how to search through a forensic disk image in dd format to find artifacts related to an intrusion on a Windows client machine. Windows’ client machines tend to be a large target for hackers because end users, who may lack knowledge of computer security, can download malicious files or open malicious attachments. Some of the relevant forensic artifacts from a Windows server include Windows event log files, event viewer files, and registry entries.

In this lab, you will learn how to search through a forensic disk image in dd format to find artifacts related to an intrusion on a Windows Server. A hacker’s dream is to compromise a Windows Server, especially a domain controller, because they can leverage the Domain administrator account to control most of the other systems within in the network. The relevant forensic artifacts from a Windows Server include log files, event viewer files, and registry entries.

This lab is part of a series of lab exercises designed through a grant initiative by the Center for Systems Security and Information Assurance (CSSIA) and the Network Development Group (NDG) and funded by the National Science Foundation’s (NSF) Advanced Technological Education (ATE) program Department of Undergraduate Education (DUE) Award No. 0702872 and 1002746. By the end of this lab, students will utilize various methods to determine if an attacker attempted a breach or successfully compromised a system. Some information about the attacker, such as his IP Address, may be lost if the machine is shutdown. For this reason, an investigator collects volatile data before shutting down a system. This lab includes the following tasks: Task 1 – Obtaining a dump of physical memory using DumpIt Task 2 – Attacking the victim system with Armitage Task 3 – Using volatility to determine remote connections

In this lab, students will perform static and dynamic malware analysis. Analyzing malware is important for many reasons. Malware analysis in general is taking steps to find out more information about things like who crafted a malware payload or what types of actions the malware is trying to perform. Static analysis is where you look at the file contents and look at the strings and don’t execute the file. With dynamic malware analysis, you run the file (likely in a virtual environment not connected to a real network) to see the types of network and process actions that happen to the system.

The Open Source Collection lab is designed to familiarize students with the advanced functionality of Google, default webpages used for web-servers, and the specifics of Google Hacking database. This allows the students to understand how open source information can be used for exploitation purposes.

Students will utilize Nmap, a network discovery and mapping tool, to identify the systems on a network of responsibility. Using the tool, students will identify other devices on the laboratory network, to include computers and network infrastructure devices, such as routers.

Students will use Zenmap to scan a network segment in order to create an updated network map and detail findings on the systems discovered. They will use the material they generated to help them discover if there have been any changes to the network after they compare it to a previously generated network map/scan.

Students will leverage Nmap, a network discovery and mapping tool, to identify the systems on a network of responsibility. Students will utilize non-traditional scans to attempt avoiding an Intrusion Detection System (IDS).

In this lab you will analyze a capture file of a web application attack in order to identify the attack vector and deduce the vulnerability the attack exploited.

In this lab, students will analyze the index.dat file of Internet Explorer and the browser cache files. Students will also analyze data in Google Chrome.

This lab is part of a series of lab exercises intended to support courseware for Forensics training. The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. In this lab, students will enumerate hosts on the network using various tools. This lab includes the following tasks: Using file hashing tools to verify integrity Mounting a partition with deleted files and folders Using Foremost to carve files Using a HEX editor

Students will participate in attack analysis/incident response, including root cause determination, to identify vulnerabilities exploited, vector/source and methods used (e.g., malware, denial of service).