Log Analysis for Incident Response Intermediate • One-Day Instructor-Led Course
Artifacts left behind once an attack has been executed within a network environment can be found in many different places and can often seem random and arbitrary in nature. These artifacts take on greater meaning, and ultimately tell the entire story of the attack, if their events can be correlated and tied together by a common information source. Log files often provide the 'glue' that helps put all the artifact puzzle pieces together. This one-day course offers the student an introduction to the artifacts that can be found within log files and provides the information that gives incident responders the most complete view of an incident's events. During this one-day workshop, participants will review the following:

- Log Analysis Theory
- Log Sources
- Log Analysis Process
- Log Correlation
  o Multiple Log Sources
  o Event Timing
The class includes multiple hands-on labs that allow students to apply what they have learned in the workshop.

Prerequisites

To obtain the maximum benefit from this class, you should meet the following requirements:

- Read and understand the English language
- Basic knowledge of and experience using personal computers, including working with files and folders and basic navigation skills
- The skills gained from the Networking for Incident Response five-day class
- Basic understanding of Digital Attacks

Class Materials and Software

You will receive class-related information and materials as presented in class, as well as lab exercises.
For a complete listing of scheduled courses, visit http://www.accessdata.com/training/calendar-and-syllabi Some topics and items in this class syllabus are subject to change. This document is for information purposes only. AccessData makes no warranties, express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK, LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData Group, LLC. in the United States and/or other countries. Other trademarks referenced are property of their respective owners.
Module 1: Introduction

Topics:
- Introduction of Instructor and Students
- Class Objectives

Module 2: Log Analysis Theory

Objectives:
- Defining Log Data
- System Audit Policies
- Network Activity Logging
- Log Sources

Module 3: Log Analysis Process

Objectives:
- Starting Evidence Paths
  o Common Start Points
  o Scenario Driven Paths
- Log Analysis Tools
- Log Analysis Labs:
  o System Log Files
  o Network Device Log Files
  o Unknown Log Files

Module 4: Log Correlation

Objectives:
- Log Correlation
  o Theory
  o Process
  o Tools
- Log Manipulation
  o Multiple Log Sources
  o Event Timing