Specialisation in Forensic Analysis

• Identify the differences between forensic expert reports and forensic technical reports.
• The structure of expert reports and technical reports.
• The importance of ISO27037 for expert reports
• The role of the expert report and the expert.
• The ethics and impartiality of experts.
• The importance of digital evidence
• Fundamental rights in investigations
• Phases of forensic expertise
• The chain of custody

The starting point in any forensic investigation is the collection of evidence. The digital evidence used in this type of forensic investigation is data, which can be found in a wide range of formats and locations.

In the first instance, it is necessary to identify the data that may be required, establish where it is housed, and finally develop a strategy and procedures for its collection. This unit will cover digital acquisition and data processing, the skills required to respond appropriately, identify, collect and retain data from a wide range of storage devices ensuring that the integrity of the evidence is beyond reproach.

• Rapid collection of incident response artefacts to move forward
• quickly in the investigation without waiting for the completion of a forensic image.
• Remote and enterprise-wide collection of digital evidence.
• Collection of artefacts from Windows operating systems.
• Compilation of memory.
• Acquisition of volume snapshots.
• Understanding of advanced storage containers such as RAID and JBOD.
• Analysis of file systems and how they store data.
• Advanced understanding of proper evidence collection and scene management.
• Identification of devices and data storage locations.
• Access to storage media by non-destructive methods.
• Access and collection of cloud-based storage containers.
• Methodologies for accessing and acquiring data from IoT devices.

This unit will teach you how to apply a dynamic approach to incident response. Using indicators of compromise, you will learn the steps to effectively respond to security breaches affecting Windows systems, Linux and cloud platforms. For forensic investigators, it is very important to know the tactics, techniques and procedures of attackers, in order to know what to investigate and above all, to communicate findings to incident managers.

• Apply a dynamic approach to incident response.
• Identify threats through host, network and log analysis.
• Best practices for effective incident response in the cloud.
• Cyber investigation processes using live analysis, network awareness and forensic memory analysis.
• How attackers are leveraging cloud systems against organisations.
• Attackers' techniques to circumvent endpoint detection tools.
• How attackers exploit complex vulnerabilities in the cloud.
• Attackers' steps for internal discovery and lateral movement after initial engagement.
• How attackers exploit publicly accessible systems, including Microsoft 365.

ThreatHunting tactics and procedures is one of the skills a forensic analyst with advanced capabilities must have. Incident response teams where forensic investigators work are the key to identifying and observing malware indicators and activity patterns in order to generate accurate threat intelligence that can be used to detect current and future intrusions.

This in-depth course on threat hunting on Windows systems provides advanced skills to hunt, identify, counter and recover from a wide range of threats within enterprise networks.

• Techniques and procedures necessary to effectively hunt, detect and contain a variety of adversaries, as well as to remediate incidents.
• Detect and hunt for live, latent and unknown custom malware in memory on Windows systems.
• Determine how the breach occurred by identifying the root cause.
• Identify life-on-earth techniques, including malicious use of PowerShell and WMI.
• A Identify advanced anti-forensic techniques of adversaries.
• Identify lateral movement techniques from a forensic point of view on Windows systems with all forensic artefacts.
• Understand how the attacker acquires legitimate credentials, including domain administrator rights.
• Timeline analysis.

Linux-based systems are widely deployed both in
cloud platforms as well as on-premises systems.

• The use of forensic artefact collection tools.
• Log analysis of the main daemons.
• File System Analysis.
• Identification of file and binary deletion.
• Identification of the process tree.
• Recovery with Bul Extractor.
• Memory analysis.
• Identification of backdoors and persistent malware.

Today, businesses have thousands of systems, from desktops to servers, from on-premises to the cloud. While geographic location and network size have not deterred attackers from breaching their victims, these factors pose unique challenges for organisations to successfully detect and respond to security incidents.

It is important for the forensic analyst to focus on the concepts: collecting, analysing and making decisions based on information from hundreds of machines. This requires the ability to automate and the ability to quickly focus on the right information for analysis. Using tools built to operate on an enterprise scale, students will learn the techniques to collect data specific to threat hunting.

Students will then delve deeper into analysis methodologies, learning multiple approaches to understanding the movement and activity of attackers on hosts with different functions and operating systems using chronological, graphical, structured and unstructured analysis techniques.

• Deploy mass forensic collaboration and analysis platforms that allow teams to work simultaneously in different rooms, states or countries.
• Collect host and cloud-based forensic data from large environments.
• Analyse best practices for responding to Azure, M365 and AWS cloud platforms.
• Analyse containerised microservices, such as Docker containers.
• Correlate and analyse data across multiple data types and machines using a myriad of analysis techniques.
• Perform analysis of structured and unstructured data to identify attacker behaviour.
• Enrich the data collected to identify additional indicators of engagement.
• Develop IOC signatures and analysis to expand search capabilities and enable rapid detection of similar incidents in the future.

• Selecting the most effective forensic tools, techniques and procedures to
• effectively analyse smartphone data for Android and iOS.
• Understanding how file systems store data on smartphones
  Android and IOS, how they differ and how the evidence will be stored in each
  device.
• Interpret the file systems on Android and IOS smartphones and locate the
  information to which users do not usually have access.
• Linking a user to a smartphone at a specific date/time and across multiple
  sites
• Detect Android and IOS compromised by malware and spyware using forensic methods.
• Decompile and analyse mobile malware using open source tools.
• Handling smartphone encryption and decrypting iOS backup files
  encrypted with iTunes.
• Analysing SQLite databases and raw data dumps from smartphones
  to recover deleted information.
• Apply advanced data analysis techniques on smartphones to validate the
  results and extract lost or deleted data.

Presentation of the final project before a panel of experts.