ABOUT THE PROGRAM
The course covers the following topics:
DON'T TOUCH THIS TAB
It’s important to improve the accordion’s behaviour
Digital forensics in rapid-changing space
- Post-mortem (forensics) vs. real time (incident response)
- What is host forensics?
- The order of volatility and evidence types
- The methodology of running an investigation
- Open source: Yes we can!
- Building your own examination platform
Disk and filesystem analysis
- Media analysis concepts
- The Sleuth Toolkit
- Partitioning and disk layouts
- Special containers
- Hashing
- File carving
- Forensic RAW Imaging with dd
- Converting virtual storage to RAW images
Generating filesystem timelines
- Filesystem MACB timestamps
- Generating body files from images and mounted media
- Timeline generation and analysis with fls and autopsy
- Indexing modifications, access, and creation with Linux shell
- Timeline generation and analysis
Linux filesystem artifacts
- Linux file systems (ext2, ext3)
- Linux boot process and services
- Linux system organization and artifacts
- User accounts
- Home directories
- Bash history
- System logs
- Cron jobs
Server- and service-related artifacts
- Linux syslog (Debian) and /var/log/messages (red-hat)
- Linux auth.log (Debian) and /var/log/secure (red-hat)
- Parsing bash history and adding timestamps to bash history
- Other logs: /var/log/boot.log, /var/log/dmesg, /var/log/kern.log
- Cron logs
- Package managers log (apt, yum etc.)
- Web server logs: Parsing and configuring apache/nginx logs
- Database logs (example: mysqld.log and mysql.log)
- Bonus: Customizing iptables to log every connection
Super timeline all the things
- Super timelines: What and why
- Getting started with Plaso
- Creating timelines
- Using collection filters
- Event filters
- Analysis plugins
- Analyzing Plaso output with Elasticsearch and Kibana
Linux memory forensics
- Linux memory acquisition
- Generating Linux profiles for volatility
- Processes and process memory
- Networking artifacts
- Kernel memory artifacts
- Filesystem in memory
- Userland rootkits
- Kernel-mode rootkits
- Parsing “free-memory” with volatility strings
The Linux forensic challenge
- Linux Web server Breach CTF
- Multi-step “targeted” attack
- Challenge walkthrough and investigative conclusions
- Workshop summary
Don't touch this tab
ABOUT SOTERIA GLOBAL
SOTERIA Global is a global leader in cyber-security training solutions and services.
The cyber world is now a part of our everyday life. New technology emerges daily, and as opportunities increase, so do cyber risks. Threats constantly evolve, and we must protect our valuable assets.
A successful cyber defense has many factors, but they all have one thing in common: dedicated, skilled individuals.
SOTERIA Global experts develop our solutions and rely on the best technological assets in the market. Our impressive global presence expands over four continents, giving us access to the best cybersecurity professionals.
Our solutions range from customized training programs to developing cyber-oriented facilities, ensuring that individuals and organizations are ready to face real-world threats. Over the years, we have worked with various organizations across many sectors, giving us the skillset to shape and adapt our solutions to meet our client’s needs.
COURSE INFO
Target audience
- Analysts
- Security researchers
- Forensics researchers
- IT specialists
- Incident response teams
Prerequisites
- Advanced knowledge of Linux operating systems
- Familiarity with TCP/IP protocols
- Familiarity with cyberwarfare methods is advantageous
- Prior experience working with Linux and bash is advantageous
Skills Gained
- Perform disk level forensics investigations
- Perform filesystem forensics investigations
- Perform service level forensics investigations
- Perform Memory forensics investigations
- Perform well managed forensic investigations on Linux based systems