Enterprise Forensics and Response with Gerard Johansen

The focus of the lecture portion of the course work is understanding the incident investigation process, objective oriented analysis and response, intrusion analysis and an exploration of attacker Tactics and Techniques.

The technical portion of the course will focus on how to conduct incident investigations at enterprise scale using the remote evidence acquisition and analysis tool Velociraptor along with other free and open-source tools. The focus of the technical portion will be on extracting usable Indicators of Compromise (IOCs) related to specific MITRE ATT&CK tactics. For example, students will be instructed on extracting and analyzing evidence related to the Execution TA0002 of malicious code or LOLBAS. From here, they will be tasked with addressing containment and eradication measures.

This course will combine technical elements along with lecture that provides students with both an investigative construct and techniques that allows them to analyze evidence and provide stakeholders with data necessary to limit the damage of modern cyber-attacks.

Blue Team Summit (Aug 28th – Aug 29th, 2025)

• August 28th – 9:00 AM to 6:00 PM EDT
• August 29th – 9:00 AM to 6:00 PM EDT

Key Takeaways

At the conclusion of the course, students will be able to apply an investigative construct and digital forensic techniques that allow them to respond and investigate incidents so that key data points are located and acted on in a timely manner. It is also anticipated that students will be able to incorporate the tools explored in the course into their own environment to aid in incident investigations.

Who Should Take This Course

This course is geared towards incident response personnel, digital forensic professionals or Security Operations practitioners who may have to conduct incident investigations. Additionally, those new to the blue team or security analysis will also benefit greatly from both the lecture and technical material.

Audience Skill Level

Basic. Students do not need a good degree of technical skill or experience but should be familiar with digital forensic concepts, how to work within a Linux or Windows command line, and understand Windows system internals processes such as Amcahce or Link file usage.

Student Requirements

Students should be comfortable with the Windows and Linux command line and PowerShell. Some familiarity with open-source tools such as Atomic Red Team and Caldera would be helpful, but all labs will be comprehensively documented and instructed so that those that have had no exposure will be able to follow along.

Students should have some exposure to incident response and digital forensic concepts and common adversary TTPs found within the MITRE ATT&CK Framework.

Students may want to be familiar with Eric Zimmerman’s suite of tools and the corresponding evidence sources that are analyzed with those tools. Students will also be better prepared if they are familiar with adversary TTPs through such sites as thedfirreport.com and the MITRE ATT&CK Framework.

What Each Student Should Bring

Students will be provided a Windows virtual machine that contains all the necessary tools. Students will be required to have some form of virtualization software such as VMWare or VirtualBox.

What Each Student Will Be Provided With

Students will be provided a Windows virtual system that contains Atomic Red Team, Eric Zimmerman’s suite of tools, the Velociraptor executable and Wireshark. Additionally, the VM will contain a text document with all command line instructions written out.

Students will be provided PDF copies of the entire lecture set and detailed instructions for all labs. The intent is that students will be able to replicate the entire course later if they would like to.