0845 450 6120

Certified Malware Investigator - Malware Investigation

This is a core-level technical course for people looking to extend their digital forensic knowledge beyond conventional device analysis.

COURSE OVERVIEW

On this 5 day practical course you will investigate forensic case studies, applying the principles, knowledge and techniques learnt during the course. It will help you protect your IT environment by showing you how to conduct malware analysis, from first principles all the way to investigating network activity stemming from malicious software infection that your AV software has failed to detect.

WHO SHOULD ATTEND

For those looking to develop their skills in malware identification and analysis, including:

  • Digital forensic analysts
  • Cyber incident investigators
  • Law Enforcement Officers
  • System administrators

Reset

Learning Objectives

THE SKILLS YOU WILL LEARN

  • You will learn how to identify, analyse and interpret malicious software and associated forensic artefacts, including Trojan horses, viruses, worms, backdoors and rootkits
  • How Trojan payloads can be used to bypass anti-virus software, personal and corporate firewalls
  • You will practice malware investigations from mounted, booted and network perspectives, and undertake real-world exercises, including the conversion of E01 forensic images to bootable virtual machine disks
  • The function, structure and operation of the Windows registry, and investigation of malicious software locations in the registry and file system

Practical application of course content will be through the use of case scenarios in order to gain a practical understanding of modern malware beyond the often quoted traditional principles; mount forensic images for analysis; build virtual machines for analysis,

and build a network environment to carry out network forensic analysis.

KEY BENEFITS

The course will give you:

  • The skills to analyse and interpret malicious software, and investigate network activity initiated by malicious software infection
  • An understanding of how to simplify complex evidence, and collate and report results
  • An industry-recognised qualification in malware investigation

Pre-Requisites

Completion of the CFIP course is highly recommended. Otherwise you will need:

  • Knowledge of the principles surrounding forensic investigation and an understanding of the preliminary forensic investigation case considerations
  • Sound experience with the Microsoft Windows operating systems
  • An understanding of how a web page is requested and delivered
  • Ideally an understanding of Command Line Interface (CLI) and TCP/IP networking concepts

Course Content

1. Analysis Environments

a. Identify and define the five analysis environments

b. Identify situations in which each of the investigation environments could be used effectively

c. Identify their respective levels of risk both to the original data as well as other systems

2. Malicious Software

a. Define the term “malicious software”

b. Identify and define different types of malicious software

c. Identify similarities and differences between different types of malicious software

3. Malware Investigation

a. Identify the stages of malware investigation

b. Critically assess the capabilities and limitations of antimalware tools

c. Identify the different means of running software at system start-up

4. Methods of Deception

a. Identify mechanisms of malware delivery

b. Identify mechanisms of disguise

c. Identify client security circumvention

5. Mounted Analysis

a. Mounting forensic images as logical drives

b. Using malware scanners against the mounted image

c. Documenting the results of malware scans

d. Using online scanners for further clarification

6. Booted Analysis

a. Identify approaches to creating a booted analysis environment

b. Experiment with making a Virtual Machine

c. Identifying password implications

d. Identifying and explaining the potential differences between mounted and booted analysis results

7. Network Analysis

a. Identify key reasons for network analysis

b. Methods of building a network for analysis

c. Explaining network communication protocols

d. Using traffic analysis tools for network analysis

e. External Port Analysis

f. Identifying and explaining the potential differences between network and other analysis results

8. Virtualisation Malware

a. Explain how hardware Hypervisor support allows for virtualisation malware

b. Define Type I, Type II and Type III malware

9. Simplifying Complex Evidence

a. Aiming the report at a subject knowledge level fitting the target audience

b. Discuss a sample report outline

Exams & Certification

ACCREDITATIONS

CMI is accredited by CREST and is ideal preparation for the CREST Registered Intrusion Analyst qualification.

CMI has been assessed and accredited by IISP at Level 1: C1, E1 and Level 1+: F2, F3, enabling you to build knowledge, competency and gain hands-on experience in the areas of the Institute’s Skills Framework.

Privacy Notice

In order to provide you with the service requested we will need to retain and use your contact information in accordance with our Privacy Notice. If you choose to provide us with this information you explicitly consent to us using the information as necessary to provide the request service to you. If you do not agree please do not proceed to request the service from us.

Marketing Permissions

Would you like to receive our newsletter and other information on products and services which we think will be of interest to you by email. We will always treat your information with care and in accordance with our Privacy Notice. You are free to withdraw this permission at any time.

 

Online Courses

You may prefer an online course if you are looking for a flexible and cost-effective solution. Online courses allow you to study at your own pace, at a time that suits you.

We have the following eLearning options available:

Our Customers Include