back to overview
Incident Analysis

Delivery: classroom // Duration: 3 days

This course is a practical Incident Analysis workshop, that puts one’s mind on the analysis of Windows systems including a bit of network traffic and that contains several hands-on exercises. It is a course that serves as an introduction to many areas which are relevant for an Incident. Topics like Incident Handling and the Incident Response Process are not part of the course.


Learning Objectives

During this course, you will learn a lot about windows/ malware internals, and how to

  • Identify Indicators of Compromise

  • Analyze network traffic abnormalities

  • Analyze hard disks and core images forensically

  • Distinguish malware from harmless software

  • Analyze malware (behavior)

  • Correlate log data with a special Incident


Course Content

Day one

  • Conceptual basis

  • Analysis of network traffic: Connection oriented

    • Based on Pattern

    • Manual

  • Correlation of several log sources for an accurate analysis of a certain event.

  • Windows Analysis Basics: Windows architecture

    • Analysis of relevant Event Logs

    • Registry Analysis

    • Malware Persistence techniques

Day two

  • File system analysis using the example of NTFS: Investigating and restoring deleted files

    • Creation of a timeline of file system activities

  • Extracting files from Disk Dump

  • Malware analysis – Part 1: Tools and techniques of static analysis

    • Analysis and practical implementation of DLL Injections

    • Analysis of defective PDF- and Word-Documents

    • Dynamic analysis of JavaScript

Day three

  • Malware analysis – Part 2: Shellcode basics

    • Tools and techniques of dynamic analysis

    • Dynamic analysis through Cuckoo

  • Memory analysis with Volatility: Operating system data in RAM

    • Malware Hide techniques

    • Analysis of selected assault techniques 


Target Audience

  • Members of a CERT

  • IT-Security Officers

  • Interested parties on this topic


Pre-requisite for Course Registration

Network and programming experience as well as knowledge about popular hacking methods are of advantage. For practical exercises, Virtual Box should be already preinstalled on the laptop. Furthermore, the participant should have administrative rights on the host computer for potential configurations. As the majority of the exercises will take place on the Linux command line, experience in this respect is helpful, but not necessary.


How to get to the ISH Campus?

Address: Südallee 1 85326 Munich, Germany
Phone: +49 (0)89 975 32275

By car - from the A92 / Munich

Leaving the motorway A92 you will find yourself at the "Zentralallee". When reaching the first bridge, turn right and leave the "Zentralallee" following the sign with direction "Cargo/FOC".  When reaching the second bridge turn right again following "FOC". Continue to follow the street  until the end - for approx. 1,5 km -  and turn left. On your right you will reach the “Luftpostleitstelle” where the ISH is located. 

By S-Bahn / airplane

Take the S-Bahn line S8 or S1 and drive to the “Besucherpark”. Exit the S-Bahn station towards the Flight Operations Center (FOC / Lufthansa) and at the bottom of the stairs, turn left and follow the road for approx. 1,5 km, leaving the "Frachtgebäude/Cargo" at your right hand side. At its end turn left and you will reach the "Luftpostleitstelle" where the ISH is located. 

Are events and trainings in English or in German?

Since we want to provide the best trainings and events for “Securing the Global future” we offer our programs in both English and German. You can tell which language the training or event is in by which flag icon is listed next to the title. A British flag for English or the German flag for Deutsch.

How can I book an open class or company training?

For our "CDC Handling" open class trainings please register via our online registration form. If you plan a company training please arrange a date with our training department, as we offer these trainings on demand.

Which hotels are in the area?

While there are a wide range of hotels around the airport we have personally stay at both the Hilton and Hotel Novotel, and find them to be very nice and accommodating.

Hilton Munich Airport

Address: Terminalstraße Mitte 20, 85356 München-Flughafen
Phone: +49 (0)89 97820

Hotel Novotel

Address: Nordallee 29, 85356 München

Phone: +49 (0)89 9705130