CNIT 152: Incident Response

Fall 2018 Sam Bowne


Textbook

Incident Response & Computer Forensics, Third Edition by Jason Luttgens, Matthew Pepe, and Kevin Mandia
Publisher: McGraw-Hill Education; 3rd edition (August 1, 2014)
Sold by: Amazon Digital Services, LLC
ASIN: B00JFG7152
Kindle edition: $36, Paper edition: $16 (prices I saw on 4-10-16 at Amazon)
Buy from Amazon ($15 - $40)

Catalog Description

When computer networks are breached, incident response (IR) is required to assess the damage, eject the attackers, and improve security measures so they cannot return. This class covers the IR tools and techniques required to defend modern corporate networks. This class is part of the Advanced Cybersecurity Certificate.

Schedule not ready yet

Lectures

Policy
Student Agreement
1 Real-World Incidents · KEY · PDF
2 IR Management Handbook · KEY · PDF
3 Pre-Incident Preparation · KEY · PDF
4 Getting the Investigation Started on the Right Foot & 5 Initial Development of Leads · KEY · PDF
6 Discovering the Scope of the Incident & 7 Live Data Collection · KEY · PDF
8 Forensic Duplication · KEY · PDF
9 Network Evidence · KEY · PDF
10 Enterprise Services · KEY · PDF
11 Analysis Methodology · KEY · PDF
12 Investigating Windows Systems (Part 1 of 3) · KEY · PDF
12 Investigating Windows Systems (Part 2 of 3) · KEY · PDF
12 Investigating Windows Systems (Part 3 of 3) · KEY · PDF
13 Investigating Mac OS X Systems · KEY · PDF
14 Investigating Applications · KEY · PDF
15 Malware Triage
16 Report Writing · KEY · PDF
17 Remediation Introduction (Part 1) · KEY · PDF
18 Remediation Case Study

Click a lecture name to see it on SlideShare.
If you want to use other formats, you may find this useful: Cloud Convert.

Projects (Being Revised)

Download VMware Player

Project 1: Preparing a Kali Virtual Machine (15 pts.)
Project 2: Windows 2016 Server Virtual Machine (20 Points)
Project 3: Capturing a RAM Image (15 Points)
Project 4: Analyzing a RAM Image with Bulk Extractor (15 Points)
Project 5: Analyzing a RAM Image with Volatility (15 Points)
Project 6: Data Carving with Foremost (15 Points)
Project 7: Capturing and Examining the Registry (15 pts.)

PROJECTS BELOW THIS LINE ARE UNDER REVISION

Downloading the Old Virtual Machines

Project 5: Prefetch (10 pts.)
Project 6: Recovering Deleted Photographs with PhotoRec (10 pts.)
     nps-2009-canon2-gen6.dd (Use right-click, "Save As...")
Project 7: Rebuilding an Image Header (10 pts.)
     badheader.jpg (Use right-click, "Save As...")
Project 8: NTFS Data Runs (25 pts.) (Rev. 10-5-16)
      FILE1.TXT · FILE2.TXT
Project 9: Fixing the Partition Table with TestDisk (20 pts.)
Project 10: Static Acquisition with DEFT (20 Points) (rev. 1-26-15)
      p10Evidence.zip
Project 14: Acquiring a Forensic Image of an Android Phone (25 pts.) (rev. 11-9-16)
Project 15: Live Response with Mandiant Redline (15 pts.)
Project 18: Shadow Copies and CCleaner (20 pts.) (Rev. 11-22-16)

      How to Increase the VMWare Boot Screen Delay

Extra Credit Projects

Project X0: Essential Linux (15 pts. extra credit)

Project X1: Identifying File Types (Up to 25 points) · text.7z
Project X2: Static Image (15 pts. extra credit) · Proj X2 Evidence File
Project X3: National Software Reference Library (10 pts.) (Updated 11-16-16)
Project X4: Acquiring an iPad image with iTunes (15 pts.) (rev. 5-6-15)
Project X5: Sleuthkit and Autopsy (15 pts. extra credit) (rev. 10-13-16)
Project X6: Analyzing an iTunes Backup with Magnet Forensics' Internet Evidence Finder (15 pts.) (rev. 11-29-16)
Project X7: Procdump (10 pts.)
Project X8: Thumbcache (10 pts.)

Independent Projects (points vary)

Links

osquery | Easily ask questions about your Linux, Windows, and macOS infrastructure
GitHub - Yelp/osxcollector: A forensic evidence collection & analysis toolkit for OS X
OS X Incident Response: Scripting and Analysis -- RECOMMENDED
GitHub - google/grr: GRR Rapid Response: remote live forensics for incident response
KnockKnock shows you what's persistently installed on your Mac! -- RECOMMENDED
GitHub - Yelp/amira: AMIRA: Automated Malware Incident Response & Analysis
Cyphort: Anti-SIEM reduces SIEM cost, noise, complexity, and wasted time
Collect NTFS forensic information with osquery

Last Updated: 5-19-18 8 pm