Linux Forensics
A practical course exploring the world of Linux-based systems.
40 Hours
Blue Team
40 Hours
Blue Team


According to Alexa Traffic Rank, 96.5% of the most popular websites and 92% of the machines in Amazon’s Cloud use Linux-based operating systems. If your organization has servers and services exposed to the Internet and/or running on Cloud infrastructure, the chances are they are running Linux. When enterprise servers come under attack, incident response and investigation teams must respond quickly and effectively. Their ability to react relies on their understanding of the Linux landscape. Skilled professionals can detect the nature of the incident, the severity of the infection, and the extent of the damage before collecting valuable information.

The course covers the following topics:


It’s important to improve the accordion’s behaviour

Digital forensics in rapid-changing space
  • Post-mortem (forensics) vs. real time (incident response)
  • What is host forensics?
  • The order of volatility and evidence types
  • The methodology of running an investigation
  • Open source: Yes we can!
  • Building your own examination platform
Disk and filesystem analysis
  • Media analysis concepts
  • The Sleuth Toolkit
  • Partitioning and disk layouts
  • Special containers
  • Hashing
  • File carving
  • Forensic RAW Imaging with dd
  • Converting virtual storage to RAW images
Generating filesystem timelines
  • Filesystem MACB timestamps
  • Generating body files from images and mounted media
  • Timeline generation and analysis with fls and autopsy
  • Indexing modifications, access, and creation with Linux shell
  • Timeline generation and analysis
Linux filesystem artifacts
  • Linux file systems (ext2, ext3)
  • Linux boot process and services
  • Linux system organization and artifacts
  • User accounts
  • Home directories
  • Bash history
  • System logs
  • Cron jobs
Server- and service-related artifacts
  • Linux syslog (Debian) and /var/log/messages (red-hat)
  • Linux auth.log (Debian) and /var/log/secure (red-hat)
  • Parsing bash history and adding timestamps to bash history
  • Other logs: /var/log/boot.log, /var/log/dmesg, /var/log/kern.log
  • Cron logs
  • Package managers log (apt, yum etc.)
  • Web server logs: Parsing and configuring apache/nginx logs
  • Database logs (example: mysqld.log and mysql.log)
  • Bonus: Customizing iptables to log every connection
Super timeline all the things
  • Super timelines: What and why
  • Getting started with Plaso
  • Creating timelines
  • Using collection filters
  • Event filters
  • Analysis plugins
  • Analyzing Plaso output with Elasticsearch and Kibana
Linux memory forensics
  • Linux memory acquisition
  • Generating Linux profiles for volatility
  • Processes and process memory
  • Networking artifacts
  • Kernel memory artifacts
  • Filesystem in memory
  • Userland rootkits
  • Kernel-mode rootkits
  • Parsing “free-memory” with volatility strings
The Linux forensic challenge
  • Linux Web server Breach CTF
  • Multi-step “targeted” attack
  • Challenge walkthrough and investigative conclusions
  • Workshop summary
Don't touch this tab

SOTERIA Global is a global leader in cyber-security training solutions and services.

The cyber world is now a part of our everyday life. New technology emerges daily, and as opportunities increase, so do cyber risks. Threats constantly evolve, and we must protect our valuable assets.

A successful cyber defense has many factors, but they all have one thing in common: dedicated, skilled individuals.

SOTERIA Global experts develop our solutions and rely on the best technological assets in the market. Our impressive global presence expands over four continents, giving us access to the best cybersecurity professionals.

Our solutions range from customized training programs to developing cyber-oriented facilities, ensuring that individuals and organizations are ready to face real-world threats. Over the years, we have worked with various organizations across many sectors, giving us the skillset to shape and adapt our solutions to meet our client’s needs.

    • Analysts
    • Security researchers
    • Forensics researchers
    • IT specialists
    • Incident response teams
    • Advanced knowledge of Linux operating systems
    • Familiarity with TCP/IP protocols
    • Familiarity with cyberwarfare methods is advantageous
    • Prior experience working with Linux and bash is advantageous
    • Perform disk level forensics investigations
    • Perform filesystem forensics investigations
    • Perform service level forensics investigations
    • Perform Memory forensics investigations
    • Perform well managed forensic investigations on Linux based systems