This course is an expert-level four-day training course, designed for participants who are familiar with the principles of digital forensics and are seeking to expand their knowledge on advanced forensics and incident response techniques as well as improve computer investigations in relation to incident response.
Because AX310 is an expert-level course, it is recommended that students first complete Magnet AXIOM Examinations (AX200). AX200 will provide a thorough understanding of AXIOM that will help students focus on the Incident Response part of investigations in AX310.  Click Here to find out more about AX200.
Hear directly from Hoyt Harness, Forensic Trainer at Magnet Forensics, about why you should take our Magnet AXIOM Incident Response Examinations (AX310) course, what you can expect when you take it, and what type of real-life experience he brings to the classroom.
Course Prerequisites
MODULE 1: INTRODUCTION AND INSTALLATION OF MAGNET AXIOM
Students will be introduced to each other, to the instructor(s) and to Magnet Axiom.
MODULE 2: COURSE OVERVIEW
An overview of the course will be presented to students along with the learning objectives and expected outcomes for the four-day training event.
MODULE 3: MITRE ATT&CK NAVIGATOR AND NIST CONTROLS
This module focuses on how you can map and plot an adversary in your network, understand the goals a threat tries to obtain and what techniques that are available under each attack goal. The participant will also see how the NIST controls can be used to help organization prepare policies and help identify areas in your policies or procedures that may need to be updated. Also, this module will show the Cyber Kill Chain and PRESENT mitigation steps used against attacker.
MODULE 4: MALWARE OVERVIEW
A high-level overview of the different types of malwares seen and what they can do. Showing how the threat actors will utilize tools that come on a Windows computer by default, like PowerShell or Schedule tasks so they can keep persistence and other tools.
MODULE 5: WHERE DO WE START?
The student will examine the information provided by the initial incident reporter and then look and understand if the information can be corroborated or not, the investigator will also check to see if the time frame needs to be widened thereby increasing the scope of the investigation.
MODULE 6: PACKET CAPTURES (PCAP)
Network traffic is sometimes key to understanding how malware arrived at the network and how the malware allows nefarious actors to travel through the network. This module focuses on capturing, filtering, and analyzing network traffic to track down network intrusions and perform network forensics.
MODULE 7: IRTK & MAGNET RESPONSE
During this module, students will learn the necessity of collecting volatile data from a suspect computer. They will use the output to determine a starting point for the examination while the forensic images are being processed by Axiom.
MODULE 8: RAM
Participants will parse RAM from a computer involved in a malware incident and determine what programs were running and from what location. Students will also investigate the malware to determine what computer user was associated with it.
MODULE 9: AXIOM CYBER INVESTIGATOR
Using the Axiom Cyber license the participant will understand the benefits of having a tools that can connect to a remote computer and grab volatile data, make full disk images and get important files and folders. They will learn how to create a Cyber agent, configure it for the remote, deploy it and pull the data back to the investigating computer in real time.
MODULE 10: STATIC ANALYSIS OF MALWARE
Participants will set up and learn how mark their tools if used to conduct investigations thereby identifying rouge tools. Using third party tools to examine potential malware files without them being detonated and pulling strings from within the suspicious file.
MODULE 11: PATTERN MATCHING & SEARCH WITH YARA
This module will use the information obtained from the previous module and use that data to create a pattern matching rule using YARA. The participant will understand the makeup of a YARA rule and how to correctly security mark the rule using the TLP protocol. Once the rule is created use that to search our data set for hits.
MODULE 12: ONLINE ANALYSIS OF MALWARE
In this module, students will online sandbox environments to monitor the activity of the malware. They will learn of some of the pit falls of using online sandboxes.
MODULE 13: LOG FILES AND WHY THEY ARE IMPORTANT
Students will understand an important step of the investigation is to gather log files. Where they can be found, and the different types of logs or other areas that can provide information what the computer was doing like, Prefetch, SRUM, AMCACHE, JUMPLIST, LNK, USERASSIST.
MODULE 14: BRINGING OUR INVESTIGATION TO A CLOSE
During the module, students will learn how to put all the pieces of the investigation together through the correlation of all the data they have collected during the preceding modules.
MODULE 15: ANOTHER TYPE OF INCIDENT RESPONSE INVESTIGATION?
To further reinforce the instructional goals of the course, students are presented with a final scenario, which represents a cumulative review of the exercises conducted in each of the previous modules.
Additional Information
Who Should Attend:
Participants who are unfamiliar (or somehow familiar) with the principles of digital forensics
Advanced Preparation:Â
AX200 or similar training course is recommended
Program Level:
Advanced-level
Field of Study:
Computer Software & Applications
Delivery Method:
Group Internet Based & Group Live