42 - IT-S Information Technology - Security and Audit
IT-S 129B - Digital Forensic and Incident Response (DFIR) (10 Days)
Code | Start Date | Duration | Venue | Registration
---|---|---|---|---
IT-S 129B | 09 December 2024 | 10 Days | Istanbul | Registration Form Link
IT-S 129B | 06 January 2025 | 10 Days | Istanbul | Registration Form Link
IT-S 129B | 10 February 2025 | 10 Days | Istanbul | Registration Form Link
IT-S 129B | 07 April 2025 | 10 Days | Istanbul | Registration Form Link
IT-S 129B | 16 June 2025 | 10 Days | Istanbul | Registration Form Link
IT-S 129B | 28 July 2025 | 10 Days | Istanbul | Registration Form Link
IT-S 129B | 22 September 2025 | 10 Days | Istanbul | Registration Form Link
IT-S 129B | 17 November 2025 | 10 Days | Istanbul | Registration Form Link
IT-S 129B | 22 December 2025 | 10 Days | Istanbul | Registration Form Link
Course Description
Training is delivered by experienced professionals in their field, and the course content is continuously updated to reflect developing technologies and perspectives. The course is prepared according to current, internationally accepted standards, and is engaging, with high-quality content that keeps participants interactive. Participants who complete the training can immediately apply the knowledge and skills they have learned.
In addition to the theoretical material, comprehensive practical exercises are performed during the training to reinforce the material and give participants hands-on experience. The main purpose of the training is not merely to operate software and try to understand the results by pressing certain buttons, but to develop the ability to interpret and analyze raw data, both theoretically and practically.
Course Objectives
- Understanding Incident Response (IR)
- Managing Cyber Incidents, Incident Scene Management
- Examining a Sample Case with Autopsy and Belkasoft Evidence Center
- Recovering Files from Forensic Images, File Carving, Data Recovery
Who Should Attend?
- Police and other law enforcement personnel
- Defense and military personnel
- E-Business security professionals
- Systems administrators
- Legal professionals
Course Details/Schedule
Day 1
- Understanding Incident Response (IR)
- IR Process
- IR Framework
- IR Plan
- IR Playbook/Handbook
- Testing IR Framework
- Methodology of Digital Forensics, Digital Evidence Concept
- Code Of Criminal Procedure, Penal Code
- Law and Regulations
- Legal Authority
- Evaluation of Data as Digital Evidence
- Rules of Evidence
- Incident Response (IR)
Day 2
- Managing Cyber Incidents, Incident Scene Management
- CSIRT Models
- SOAR
- Communication in Crisis
- Preparation Phase for Incident Response (IR)
- Identification, Scoping, and Initial Event Analysis
- Choosing Investigation Methodology
- Creating an Investigator Software Toolkit
- Choosing and Creating an Investigator Hardware Toolkit (Cameras, HDD/SSD Adapters, Cables, Screwdriver Sets, etc.)
- Search And Seizure Phase for Incident Response (IR)
- Digital Evidence Collection
- Write Protection Concept, Forensic Image Acquisition
- Write Blockers
- Hardware Imagers
- Software Imagers
- Understanding Forensic Imaging
- HPA and DCO
- Image Acquisition
- Raw DD Format, E01, and Other Image Files
Day 3
- Live Forensics Concept and Applications
- Order of Volatility
- First Controls
- Checking Disk Encryptions
- Acquisition of Volatile Data and RAM
- RAM Imagers, PsTools, Command Line Tools, Port Scanners, Autoruns, System Explorer, etc.
- Acquisition of Non-Volatile Data
- Triage Tools and How to Use
- Logical vs Physical Image
- Pagefile.sys and Hiberfil.sys
- Analyzing System Memory
- Volatility, Redline
- Unorthodox Image Acquisition Methods, Cloud Data, Remote Image Acquisition, Multi-Drive Storage Devices, and Network Image Acquisition
Day 4
- Processing of Acquired Image File
- Data Types
- Process Types
- Examining a Sample Case with Autopsy and Belkasoft Evidence Center
- Hash Concept and Usage
- Hash Types
- Hashing a File
- Running Hash Analysis
- File Signature Analysis, File Analysis
- Windows File System
- FAT, exFAT, and NTFS
- Filename, Metadata, and Data Layers
- Sectors and Clusters
- Data Allocation and Slack Area
- MBR and GPT
- $MFT
- Zone.Identifier
- Volume Shadow Copy
Day 5
- Recovering Files from Forensic Images, File Carving, Data Recovery
- Timestamps and Timelines
- Timeline Analysis
- Internet History Analysis
- GREP Search, YARA and SIGMA
- Malware Analysis for IR
- How to use GREP Search
- How to use YARA for Malware Analysis
- How to use SIGMA for Event Log Analysis
- Reporting
- What to Document
- Executive Summary
- IR Report / Forensic Report
Day 6
- Special procedures (Mobile Devices, Cloud Data, Portable Computers, Portable Storage Media, GPS Devices, Digital Cameras, Servers, IoT Devices, Game Consoles, Smart Home Devices, Security Cameras, Virtual Wallets, Vehicles)
- Forensic Image Mount for Scanning
- OSFMount and Malware Scanning
- Recycle Bin Examination
- Artifacts Examination
- Meta Data
- Meta Data vs File System Data
- EXIF Info
- Prefetch Files, Shortcuts (.lnk), Jump Lists, Thumbnail Caches
- Encrypted Files
- Finding Encrypted Files
- Basic Password Recovery Techniques
Day 7
- Adding Forensic Acquisitions/Images to Virtual Machines
- Web Browser Forensics
- Chrome, Firefox, Edge and Other Browser Artifacts
- E-mail and E-mail Header Analysis
- Structure and Protocols
- Header Examination
- Sender’s Geolocation and Time Zone
- HEX
- Decimal, Hexadecimal, Binary Concepts and Calculations
Day 8
- Mobile Devices
- Mobile Operating Systems (Android, iOS)
- Android File Hierarchy
- HFS Plus and APFS Filesystems
- Mobile Device Acquisition and Data Analytics
- Challenges in Mobile Forensics
- The Make, Model, and Identifying Information for the Device
- Preparation And Isolation Phase
- Manual Extraction, Logical Analysis, Hex Dump, Chip-Off
- Physical Acquisition
- Logical Acquisition
- Android and iOS Screen Lock Bypassing Techniques
- Mobile Apps & Data Examination
- Device Info, SMS, Chat Messages, etc.
- Android Malware
- Extracting An APK File from an Android Device
- Android Apps Reverse Engineering Techniques
- Plist and SQLite Databases
- Extracting a DB File from the Device
- DB Examination
Day 9
- Deep Dive into Windows Registry Analysis (Part 1)
- Windows Registry Structure
- Registry Essentials
- User/Group Information Analysis (Name, RID, Login, Group, Password Policy)
- Windows User Passwords
- System Configuration Analysis
- User Activity Analysis
- SAM, SECURITY, SYSTEM, SOFTWARE
- Backup Hives
- User Registry Hives
- ShellBag
- Last Write Time, MRU
- Deleted Registry Keys/Values
- Registry Explorer
- Deep Dive into Windows Registry Analysis (Part 2)
- System Configuration
- Windows Time Decoding Structure
- CurrentControlSet
- Computer Name
- Time Zone Information and ActiveTimeBias
- Last Access Time
- Network Interfaces
- Historical Networks
- Network Profile Key
- Shares and Offline Caching
- System Boot Autostart Programs
- Shutdown Information
- User Search History
- Typed Paths
- Office RecentDocs
- LastVisitedMRU
- OpenSaveMRU
- Last Commands Executed
- UserAssist Key
Day 10
- Ransomware Preparation, Response and Investigation
- Ransomware Types
- Ransomware Initial Access and Execution
- Credential Access and Theft
- Command and Control
- Threat Intelligence and Hunting
- Sandbox Types
- YARA
- ClamAV
- Threat Intelligence Types
- Sourcing Threat Intelligence
- Maltego
- MITRE ATT&CK Framework
- Velociraptor
- Digital Forensic Techniques for Hunting