Digital Forensics Certified Malware Investigator (CMI)

Provided by

About the course

Digital Forensics
Certified Malware Investigator (CMI)
Core - level course

Book your training three months in advance of the course start date and get a 20% discount, as reflected in the pricing above.

This is a core-level technical course for people looking to extend their digital forensic knowledge beyond conventional device analysis. It will help you protect your IT environment by showing you how to conduct malware analysis, from first principles all the way to investigating network activity stemming from malicious software infection that your AV software has failed to detect.

How will I benefit?
The course will give you:

The skills to analyse and interpret malicious software, and investigate network activity initiated by malicious software infection
An understanding of how to simplify complex evidence, and collate and report results
An industry-recognised qualification in malware investigation
“Good practical exercises that could be used in real world matters."

Computer Forensics Senior Manager

Consilio

"I thought the course was well paced and the instructor explained technical things in a really easy way to understand."

CMI delegate
​West Midlands Police


What will I learn?

  • You will learn how to identify, analyse and interpret malicious software and associated forensic artefacts, including trojan horses, viruses and worms
  • You will practice malware investigations from mounted, booted and network perspectives, and undertake real-world exercises, including the conversion of E01 forensic images to bootable virtual machine disks


Who should attend?

  • Digital forensic analysts
  •  Law enforcement officers
  • Cyber incident investigators
  • System administrators looking to develop their skills in malware identification and analysis.

COURSE OVERVIEW

On this five-day practical course you will investigate forensic case studies, applying the principles, knowledge and techniques learnt during the course. It will help you protect your IT environment by showing you how to conduct malware analysis, from first principles all the way to investigating network activity stemming from malicious software
infection that your AV software has failed to detect.

THE SKILLS YOU WILL LEARN

  • You will learn how to identify, analyse and interpret malicious software and associated forensic artefacts, including:

Trojan horses, viruses, worms,
backdoors and rootkits

  • How Trojan payloads can be used to bypass anti-virus software, personal and corporate firewalls
  • You will practice malware investigations from mounted,booted and network perspectives, and undertake real-world exercises, including the conversion of E01forensic images to bootable virtual machine disks
  • The function, structure and operation of the Windows registry, and investigation of malicious software locations in the registry and file system

Practical application of course content will be through the use of case scenarios in order to gain a practical understanding of modern malware beyond the often quoted traditional principles; mount forensic images for analysis; build virtual machines for analysis, and build a network environment to carry out network forensic analysis.

KEY BENEFITS
The course will give you:

  • The skills to analyse and interpret malicious software, and investigate network activity initiated by malicious software infection
  • An understanding of how to simplify complex evidence, and collate and report results
  • An industry-recognised qualification in malware investigation

WHO SHOULD ATTEND
For those looking to develop their skills in malware identification and analysis, including:

  • Digital forensic analysts
  • Cyber incident investigators
  • Law Enforcement Officers
  • System administrators

PREREQUISITES
Completion of the 7Safe CFIP course is highly recommended. Otherwise you will need:

  • Knowledge of the principles surrounding forensic investigation and an understanding of the preliminary forensic investigation case considerations
  • Sound experience with the Microsoft Windows operating systems
  • An understanding of how a web page is requested and delivered
  • Ideally an understanding of Command Line Interface (CLI) and TCP/IP networking concepts

 

WHAT QUALIFICATION 
WILL I RECEIVE?

Those delegates successfully passing the exam at the end
of the course will be awarded 7Safe’s Certified Malware
Investigator (CMI) qualification.


SYLLABUS

1. Analysis Environments
a. Identify and define the five
analysis environments
b. Identify situations in which each
of the investigation environments
could be used effectively
c. Identify their respective levels of
risk both to the original data as
well as other systems

2. Malicious Software
a. Define the term “malicious
software”
b. Identify and define different types
of malicious software
c. Identify similarities and
differences between different
types of malicious software

3. Malware Investigation
a. Identify the stages of malware
investigation
b. Critically assess the capabilities and
limitations of anti-malware tools
c. Identify the different means of
running software at system start-up

4. Methods of Deception
a. Identify mechanisms of malware
delivery
b. Identify mechanisms of disguise
c. Identify client security
circumvention

5. Mounted Analysis
a. Mounting forensic images as
logical drives
b. Using malware scanners against
the mounted image
c. Documenting the results of
malware scans
d. Using online scanners for further
clarification

6. Booted Analysis
a. Identify approaches to creating
a booted analysis environment
b. Experiment with making a Virtual
Machine
c. Identifying password implications
d. Identifying and explaining the
potential differences between
mounted and booted analysis
results

7. Network Analysis
a. Identify key reasons for network
analysis
b. Methods of building a network
for analysis
c. Explaining network
communication protocols
d. Using traffic analysis tools for
network analysis
e. External Port Analysis
f. Identifying and explaining the
potential differences between
network and other analysis results

8. Virtualisation Malware
a. Explain how hardware Hypervisor
support allows for virtualisation
malware
b. Define Type I, Type II and Type III
malware

9. Simplifying Complex Evidence
a. Aiming the report at a subject
knowledge level fitting the target
audience
b. Discuss a sample report outline

Related article

Is the online Cyber Security MSc from the University of Liverpool the right path for you? If you are looking to take the next step in your IT caree...