Focal Point - Endpoint Live Forensics Course Details:

While there is undoubtedly a need for deep forensic analysis in the investigation of malware and operating system intrusions, an investigator must first know that there has been an intrusion before that activity can begin. Many organizations rely on technology to perform this task for them but there is no substitute for a well-trained analyst when it comes to identifying and investigating abnormal behavior on a system.

Endpoint Live Forensics teaches students how to identify abnormal activity and investigate a running system that may have been compromised. In this course, students will learn sound methodology coupled with the most useful commands and tools that can be employed during investigation to reveal the significant indicators of infiltration, as well as how to create a system baseline to be used for future analysis. Both the Windows and Linux operating systems are covered in this course.

    No classes are currenty scheduled for this course.

    Call (919) 283-1653 to get a class scheduled online or in your area!

  1. OS Overview
  2. Windows OS Structures and Boot Process
  3. The Registry
  4. Processes
  5. DLLs
  6. Memory Management and Injection
  7. Services
  8. Logs and Timelining
  9. PowerShell
  10. Querying the OS with PowerShell
  11. Scripting with PowerShell
  12. Baselining with PowerShell
  13. Remote Investigation

Practical Scenario:

The practical assessment for this course is an investigation scenario that will require students to use all of the knowledge, skills and abilities acquired during class to analyze Windows and Linux systems in a virtual environment, identifying and investigating compromised machines

*Please Note: Course Outline is subject to change without notice. Exact course outline will be provided at time of registration.
  • Identify the core components of the operating system and ascertain their current state using built-in or other trusted tools
  • Analyze a running system and detect abnormal behavior relating to operating system objects such as processes, handles, network connections, etc.
  • Use event log analysis to verify and correlate the artifacts of anomalous behavior, and determine the scope of an intrusion
  • Use PowerShell to interact with the operating system and build scripts to automate repetitive analytic tasks
  • Create and use a system baseline to identify unexpected items such as rogue accounts or configuration changes
  1. OS Familiarization
  2. Registry Familiarization
  3. Registry Analysis
  4. TCPView and Netstat
  5. Process Scenario
  6. Process Injection
  7. Analyzing Services
  8. Event Log Analysis
  9. The PowerShell Help System
  10. Members and Sorting Part 1
  11. Members and Sorting Part 2
  12. Querying Processes and Services
  13. Querying Registry Keys
  14. PowerShell Scripting
  15. Creating a Baseline Script with PowerShell
  16. Baseline Scenario
  17. Linux File System
  18. Users, Groups, and Authentication
  19. Linux Services and Processes
  20. Linux Investigation
  • Familiarity with the use of desktop operating systems, including command-line experience in Windows and/or Linux
  • Working knowledge of TCP/IP networking
  • Incident Responders who need to quickly identify a security breach
  • Forensic Investigators needing to analyze the state of a running system
  • Malware Analysts requiring a thorough understanding of operating system intrusions

Ready to Jumpstart Your IT Career?