ABOUT NETCOM LEARNING
NetCom Learning is an award-winning global leader in managed learning services, training and talent development.
Founded: 1998 | Headquarters: New York City | Delivery Capability: Worldwide | CEO: Russel Sarder
• 100K+ Professionals trained
• 14K+ Corporate clients
• 3500 IT, Business & Soft Skills courses
• 96% of customers recommend us to others
• 8.6/9 Instructor evaluations
• 20+ Leading vendor recognitions
• Microsoft's Worldwide Training Partner of the Year
• 80% of the Fortune 100 trained
• Top 20 IT Training Company
Interested in training? Contact us! | www.netcomlearning.com | (888) 563-8266 | eccouncil@netcomlearning.com | © 1998-2022 NetCom Learning
AGENDA
• Overview of Multi-Stage Network Breaches
• Understanding Forensic Investigation
• 3 Key Tools and Techniques to Perform Forensic Analysis
• Q&A with Speaker
IMPORTANCE OF COMPUTER FORENSICS PROCESS
• The investigators must follow a forensic investigation process that complies with local laws and established precedents.
• As digital evidence is fragile, a proper investigation process that ensures the integrity of evidence is critical to prove a case in court.
• The investigators must follow repeatable and well-documented steps.
EVERY CRIME LEAVES A TRAIL OF EVIDENCE!
MULTI-STAGE ATTACKS ARE MAKING NETWORK DEFENSE DIFFICULT!
A multi-stage attack typically includes an initial dropper file, a main payload component of the malware, and additional modules delivered over a period of days, weeks, or more.
IT managers are inundated with cyberattacks coming from all directions and are struggling to keep up due to a lack of security expertise, budget and up-to-date technology, according to Sophos.
• Cybercriminals use multiple attack methods and payloads for maximum impact.
• Cybercriminals are evolving their attack methods and often use multiple payloads to maximize profits.
• Organizations that only patch externally facing high-risk servers are left vulnerable internally, and cybercriminals are taking advantage of this and other security lapses.
• Software exploits, unpatched vulnerabilities and/or zero-day threats are top security risks.
• Lack of security expertise, budget and up-to-date technology.
6 STAGES OF A NETWORK INTRUSION
• Reconnaissance
• Initial Exploitation
• Establish Persistence
• Install Tools
• Move Laterally
• Achieve Objective
COMPUTER FORENSICS
• Set of methodological procedures and techniques
• Finding evidence related to a digital crime, to find the culprits and initiate legal action against them.
Objectives:
• To gather evidence
• To track and prosecute cyber criminals
• To minimize losses to the organization
• To protect the organization from similar incidents in future
Intent of perpetrator:
• Cybercrime - Any illegal act involving a computer device, network or application
• Internal - Breach of trust by disgruntled employees
• External - Attackers
• A company becomes the target of intrusions every 15 minutes from an external source
TYPES OF FORENSICS
• Network forensics
• Email forensics
• Malware forensics
• Memory forensics
• Cell Phone forensics
• Database forensics
• Disk forensics
CYBER CRIME INVESTIGATION
• Collection of clues and forensic evidence
• There will be at least one electronic device found during the investigation.
• The electronic device found may be central to the investigation, as it could contain valuable evidence for solving the case.
• Therefore, the information contained in this device must be investigated in the proper manner.
• Processes such as the collection, processing and analysis of data differ based on the type of the case.
• Types:
  • Civil
  • Criminal
  • Administrative
RULES OF FORENSIC INVESTIGATION
• Limited access to and examination of the original evidence
• Record changes made to evidence files
• Create chain of custody
• Comply with standards
• Hire professionals for analysis
• Evidence should be strictly related to the incident
• Securely store evidence
• Use recognized tools for analysis
DIGITAL EVIDENCE
Digital Evidence: Any information of probative value that is either stored or transmitted in a digital form.
Locard's Exchange Principle - "Anyone entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave"
Types:
• Volatile
• Non-Volatile
SOURCES OF POTENTIAL EVIDENCE
• Hard Drive, Thumb Drive, Memory card
• Smart card, Biometric Scanner, Digital Camera
• Routers, Hubs, Switches
• Removable storage device
• Scanners, Fax Machines, GPS
FORENSIC READINESS
An organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs.
Benefits:
• Fast and efficient investigation
• Structured storage of evidence - reduces expense and time of investigation
• Easy identification of evidence
• Gives attackers less time to cover tracks
ROLES AND RESPONSIBILITIES OF FORENSIC INVESTIGATOR
• Determines the extent of damage
• Recovers data of investigative value
• Gathers evidence in a forensically sound manner
• Ensures that evidence is not damaged
• Creates an image of the original evidence without tampering, to maintain integrity
• Guides officials in carrying out the investigation
• Reconstructs damaged disks or other storage devices, and uncovers the information hidden on the computer
• Analyzes the evidence data found
• Prepares the analysis report
• Updates organizations about various attacks and recovery techniques
• Addresses issues in court
WHAT MAKES A GOOD COMPUTER FORENSIC INVESTIGATOR?
• Interviewing skills to gather as much information as possible about the case
• Researching skills to know the background activities
• Patience and willingness to work long hours
• Excellent writing skills to detail findings in the report
• Strong analytical skills to find evidence and link it to the suspect
• Excellent communication skills to explain findings
• Stays updated with new methods and forensic technology
• Well versed in more than one computer platform
• Knowledge of various technologies, hardware and software
• Honest, ethical and law abiding
PHASES IN THE COMPUTER FORENSICS INVESTIGATION PROCESS
• Pre-investigation Phase
• Investigation Phase
• Post-investigation Phase
COMPUTER FORENSIC INVESTIGATION METHODOLOGY
1. First Response
2. Search and Seizure
3. Collect evidence
4. Secure evidence
5. Data acquisition
6. Data analysis
7. Evidence assessment
8. Documentation & Reporting
9. Testifying as an expert witness
3 KEY TECHNIQUES TO PERFORM FORENSIC ANALYSIS
• Preparation/Extraction
  • Determine whether there is enough information to proceed; validate all hardware and software; duplicate the forensic data provided in the request and verify its integrity. If examiners receive original evidence, they need to make a working copy and guard the original's chain of custody. Select the tools.
• Identification
  • Examiners repeat the process of identification for each item on the Extracted Data List and check whether it is out of scope.
• Analysis
  • In the analysis phase, examiners connect all the dots and paint a complete picture for the requester, answering questions like who, what, when, where, and how.
3 KEY TECHNIQUES TO PERFORM FORENSIC ANALYSIS
• Autopsy/The Sleuth Kit
  • The Sleuth Kit is a command-line tool that performs forensic analysis of forensic images of hard drives and smartphones. Autopsy is a GUI-based system that uses The Sleuth Kit behind the scenes.
• EnCase
  • EnCase is an application that helps you recover evidence from hard drives. It allows you to conduct an in-depth analysis of files to collect proof such as documents, pictures, etc.
• FTK Imager
  • FTK Imager is a data preview and imaging tool used to acquire data (evidence) in a forensically sound manner by creating copies of data without making changes to the original evidence.
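The duplicate-and-verify step from the Preparation/Extraction phase (make a working copy, verify its integrity, guard the chain of custody) and the "copy without changing the original" property described for FTK Imager, shown as an added Python example that is not part of the deck and is not the code of FTK Imager, Autopsy or any other tool named here. The image bytes, file names, examiner id and custody log format are constructed placeholders.

```python
# Added example (not the deck's code): forensically sound duplication with a custody log.
import hashlib, json, tempfile, time
from pathlib import Path

BLOCK = 1024 * 1024  # stream in 1 MiB chunks so large images never sit in memory

def hash_file(path: Path) -> dict:
    """Return MD5 and SHA-256 hex digests (both are recorded by common imagers)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:  # read-only: the original is never opened for writing
        for chunk in iter(lambda: fh.read(BLOCK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def log_custody(log: Path, action: str, item: Path, hashes: dict, examiner: str) -> None:
    """Append one chain-of-custody line: who did what to which item, when, with its hashes."""
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "examiner": examiner,
             "action": action, "item": item.name, **hashes}
    with log.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")

def duplicate_and_verify(source: Path, copy: Path, log: Path, examiner: str) -> bool:
    """Hash the original, write a working copy, and confirm the copy hashes identically."""
    src_hashes = hash_file(source)
    log_custody(log, "hash-original", source, src_hashes, examiner)
    with source.open("rb") as src, copy.open("wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
    copy_hashes = hash_file(copy)
    verified = copy_hashes == src_hashes
    log_custody(log, "verify-copy-ok" if verified else "verify-copy-FAILED", copy, copy_hashes, examiner)
    return verified

def demo() -> dict:
    """Run the flow on a constructed stand-in image, then show a single changed byte is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        original = work / "disk01.dd"  # constructed sample bytes, not a real acquisition
        original.write_bytes(b"\x00" * 4094 + b"\x55\xaa")
        copy, log = work / "disk01_working.dd", work / "custody.jsonl"
        ok = duplicate_and_verify(original, copy, log, examiner="examiner-01")
        with copy.open("r+b") as fh:  # simulate accidental modification of the working copy
            fh.write(b"\xff")
        still_ok = hash_file(copy) == hash_file(original)
        return {"copy_verified": ok, "after_change_verified": still_ok,
                "custody_entries": len(log.read_text().splitlines())}
```

Analysis is then performed only on the working copy; re-hashing it against the logged original hashes at each hand-off is what lets the examiner demonstrate in court that the evidence was not altered.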
RELEVANT CERTIFICATION - CHFI
https://www.eccouncil.org/programs/computer-hacking-forensic-investigator-chfi/
RECOMMENDED COURSES
NetCom Learning offers a comprehensive portfolio for Security:
» EC-COUNCIL CHFI: COMPUTER HACKING FORENSIC INVESTIGATOR V10 – Class Scheduled on Oct 17
» EC-COUNCIL CND: CERTIFIED NETWORK DEFENDER V2 - Class Scheduled on Oct 24
» EC-COUNCIL CEH: CERTIFIED ETHICAL HACKER V12 - Class Scheduled on Oct 17
You can also access the below marketing assets:
» Free 1hr Training - Best Practices to Cybersecurity Vulnerability Assessment and Solutions Implementation
» Free On-Demand Training - Learn Cybersecurity Incident Handling & Response in Under 40 Minutes
» Blog - Top 5 Popular Cybersecurity Certifications for 2022
STAY DIGITAL SAFE - Assess and upskill your team against cyber threats now!
NetCom Learning's end-user Cybersecurity Awareness Training & Phishing Simulation Solution offers phishing simulations on email, voice, and text to organizations, and is bundled with 90+ interactive security awareness video courses for the end-users.
LEARNING PASSPORT - Flexible Team Training Package
Specifically designed to be customized for the number of learners you plan to train on top-notch technology providers, including Microsoft, AWS, Cisco, CompTIA, Adobe, Autodesk, PMI, EC-Council, and more.
• Redeemable over 4,000+ official courses
• Flexible fund validity of 12 months
Contact us now to schedule your appointment with our learning consultants. Toll-free Phone: 1-888-563-8266 | Email: info@netcomlearning.com
NETCOM INDIVIDUAL LEARNER SUBSCRIPTION
Get 24/7 access to unlimited virtual instructor-led and self-paced IT and business training for 12 months. NetCom+ includes over 250 e-Learning and 140 virtual instructor-led courses across various domains.
$2,999 per learner per year (additional discounts available for enterprises)
EXCLUSIVE GOVERNMENT SAVINGS SOLUTIONS FOR FY22
This fiscal year, take full advantage of your FY22 training budget and strengthen your workforce's skillset across 9 domains such as Cloud, Security, Networking, Project Management, and more, delivered by certified instructors equipped with security clearance and government and military training experience.
• Learning Passport - Experience up to a 100% increase in purchasing power and secure your yearly training
• Get Special Pricing - Get exclusive Special Pricing for Government and Military on courses up to $3,600
• NetCom+ Subscription - Save training dollars and get unlimited access to virtual instructor-led and on-demand courses
• Help teams earn and maintain certifications as per Department of Defense (DoD) directive 8140 (formerly known as DoD 8570)
NetCom Learning serves all Government agencies through our GSA schedule, 47QTCA22D004B. Our GSA Schedule provides more than 800 classroom training solutions available for delivery at one of our many training facilities, at your location or at an off-site that offers maximum convenience. NetCom Learning is also approved as a GSA Small Business for GSA Set Asides.
We accept GSA SmartPay and GCPC credit cards | We participate in GSA Advantage
CONTINUE YOUR CYBERSECURITY SKILLING JOURNEY WITH MICROSOFT SECURITY FUNDAMENTALS
You will get access to your free Microsoft Official Courseware on SC-900T00: Microsoft Security, Compliance, and Identity Fundamentals in the NetCom365 Learning Portal.
A BOOK FROM RUSSELL SARDER, CEO - NETCOM LEARNING
A framework to build a smarter workforce, adapt to change and drive growth.
Thank you