ENISA Incident Handling Training Workshop

Incident Handling Training Workshop

The workshop is full. Subscriptions are closed.

CERT.be is organizing an incident handling workshop together with ENISA. Originally intended for new CERT.be analysts, we invite other interested participants to join the workshop.

Also see the PDF : CERT.be / ENISA ENISA Incident Handling Training Workshop

For whom?

The training is intended for people who are new to an Incident Response Team and need training on the basics of incident handling. The training can also be useful for experienced ICT experts who need to become acquainted with the security topics broached in the training.


The workshop will take place in Brussels on the 19th and 20th of January 2016.

The subscription is free but the number of available seats is limited. CERT reserves the right to decline your participation. If the workshop is full, you will be put on a waitinglist, if any participant cancels, we will notify you. If there is a lot of interest, we can also contact you for possible future trainings.


Day 1 : 19th January 2016
12:30 Welcome introduction CERT.be, Christian Van Heurck
12:45 Training introduction ENISA, Lauri Palkmets
13:00 Triage and Basic Incident Handling ENISA, Yonas Leguesse
15:00 Coffee break  
15:15 Malware analysis and memory forensics ENISA, Lauri Palkmets
16:45 Wrap up discussion; Q/A ENISA, Yonas Leguesse
17:00 End of the training day  

Day 2 : 20th January 2016
09:00 Incident handling 2.0 ENISA, Yonas Leguesse
11:00 Coffee break  
11:15 Artifact Analysis ENISA, Lauri Palkmets
12:30 Lunch break  
13:30 Artifact Analysis ENISA, Lauri Palkmets
15:00 Coffee break  
15:15 Artifact Analysis ENISA, Lauri Palkmets
16:45 Wrap up discussion; Q/A ENISA, Lauri Palkmets
17:00 End of the training day  

How to subscribe?

The workshop is full. Subscriptions are closed.

Send an e-mail to cert @cert.be and state :

  • Description of your organization
  • Your name and responsibilities
  • Your computer security experience / role
  • 4 to 8 lines with your motivation why you want to participate and what you expect to learn

Note that the final subscription deadline is 15-December 2015.


The participants are expected to have:

  • good understanding of operating system fundamentals (Linux, Windows)
  • good understanding of computer networks
  • basic understanding of malware analysis
  • basic research and analysis skills

Participants need to bring their own laptop. You can not participate if you do not bring a laptop. The laptop should be able to run virtual images (either VirtualBox or a similar application). The laptop should preferably have at least 4 GB of RAM, capable processor (i5 or i7), and at least 20 GB of free HD space. You should be able to install applications and use USB memory sticks on your computer (preferably USB 3.0). More info can be found in the Virtual Image HowTo by ENISA.


The training takes places on the 19th and 20th of January 2016 in Belgium Louizalaan 231, 1050 Brussels. See the website of Belnet for transport details.

CERT.be foresees lunch (sandwiches) for the second day. Coffee and other beverages will be foreseen during the two days. There's no "official" social event but CERT.be will have a restaurant reservation the evening of the first day for the participants. You have to pay for your own food and drinks.

ENISA foresees a certificate and evaluation forms.


Memory Forensics

The course of Memory Forensics is based on ENISA training material

and will introduce concepts, tools and techniques used for Memory Forensics.

At the beginning, the trainer will introduce the basic concepts of memory forensics, such as acquisition of memory and its analysis. In the first part the participants will learn how to acquire memory images from Windows and Linux operating systems. During the second and third part, the participants will perform basic analysis tasks while working with Windows and Linux memory dumps. Following the analysis tasks, the participants are confronted with advanced analysis techniques, such as identifying and isolating a malware sample from a given memory image. Using the provided virtual machine, the participants will be able to follow a hands-on tutorial.

Training objectives:

  • Familiarize with memory capture techniques and forensics
  • Familiarisation with tools used for memory forensics
  • Using memory captures to extract unpacked artefacts
  • Perform malware analysis using memory dump

Expected audience: Incident handlers’ with a good understanding of:

  • Fundamentals of operating systems (Linux, Windows)
  • Basic analysis skills
  • Basic understanding of malware analysis

Artifact Analysis

The course of Artifact Analysis is based on ENISA training material and will give the participants an overview of the most common tools and methodologies used to perform malware analysis on artifacts, such as binary or documents, found on Windows systems. At the end of the session, participants will learn how to configure an artifact analysis environment, store and process artifacts in order to extract host and network-based indicators from a malicious program using dynamic and static analysis techniques.

During the training participants will be presented on behavioural analysis concepts and how these can be used to analyse a sample’s interaction with its environment. The training will provide use cases on when such techniques should be used and their limitations. The goal is to train analysts on the basic rules of safe malware analysis and extraction of useful evidence, as part of a forensics investigation.

Training objectives:

  • Configure and prepare an artifact analysis environment
  • Understand how static properties of suspicious programs can be used to detect malicious samples
  • Perform behavioural analysis of malicious Windows executables using a sandboxed environment
  • Extract actionable information out of a sample
  • Understand the limitations of these techniques

Expected audience : Incident handlers’ with a good understanding of:

  • Operating System Concepts
  • Fundamentals of networking
  • Basic research skills