Linux Forensics

BT214

Table of Contents

Description

OS Forensics is the ART of extracting evidence and important artifacts from a digital crime scene that can help the investigator in reconstructing the chain of events. During this course, participants will learn the basics of computer hardware and the Linux-OS filesystem. The participants will learn to collect and analyze forensic evidence and write official reports.

How to make the most of this course?

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories
  • Self-work at home between lessons
  • Repetition of materials, self-learning, performing tasks, etc…

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
A personal computer suitable for running virtual machines, with an Internet connection
Transition of the scenarios in the Cyberium Arena.

Target audience

  • Law enforcement officers & intelligence corps
  • Incident responders
  • Computer investigators
  • IT/network administrators

Objectives

  • Accessing concealed files on the system and extracting relevant information
  • Mastering the steps of incident response
  • Analyzing relevant case studies

Pre-requisites

ThinkCyber Level-1 Courses

Syllabus

Description

The first module will cover different components of computer hardware. Participants will learn the main components of Storage-Disks, and the structure of the Linux OS.

Technical content

  • Drives and Disks
    o The Anatomy of a Drive
    o Data Sizes
    ▪ Data Representation
    ▪ Hexadecimal
    ▪ ASCII
    ▪ Binary
    o Volumes & Partitions
    o Disk Partitioning and the Disk Management Tool
    ▪ MBR vs. GPT
    ▪ Understanding UEFI
    ▪ The HPA
    o Solid State Drive (SSD) Features
  • Understanding Linux-OS Structure
    o Linux Directory Structure
    ▪ Bin
    ▪ Dev
    ▪ Etc
    ▪ Usr
    ▪ Proc
    o Services and systemd
    o Users and Groups
    o Understanding Shells

Description

This module will expose participants to the internal components of the Linux OS. Students will learn about tools that will help them with the forensics investigation process.

Technical content

  • Understanding Hashes and Encodings
    o Hash as a Digital Signature
    o The Use of Hash for Forensics
    o Base Encodings
  • Linux-OS Artifacts
    o User Activity Files
    ▪ Profile and Bashrc
    ▪ Shell History
    ▪ Analyzing Opened Files
    o Physically Accessing Running Process
    o Service Logging Using Journalctl
    o Logfile Analysis
    ▪ auth.log
    ▪ deamon.log
    ▪ syslog or messages
    o Cracking the Shadow and Passwd Files
    o Files in /dev
    o SUID/SGID files
  • Data and Files structure
    o Hexadecimal Editing Tools
    ▪ Bvi
    ▪ Xxd
    ▪ Hexedit
    ▪ Hexyl
    o File Structure
    ▪ Headers and Trailer
    ▪ Magic Number
    o Embedded Metadata
    ▪ ExifTool
    ▪ Exiv2
    o Working with Clusters
    ▪ Slack Space
    ▪ Unallocated and Allocated Spaces

Description

During this module, participants will master techniques for collecting evidence, accessing and retrieving volatile and non-volatile information.

Technical content

  • Forensic Data Carving
    o Using Bvi for Forensics Carving
    ▪ Carving files from an existing File
    o Automatic File Carving Tools
    ▪ Foremost
    ▪ Scalpel
    ▪ Bulk-Extractor
    o Files with Basic System-Info and Suspicious User-Info
  • Collecting Information
    o Indenting Evidence of Program Execution
    o Detecting Hidden Files and Directories
    o Collecting Network Information
    ▪ Network Routing
    ▪ Using BMON and TCPTRACK
    ▪ Collecting Netstat Information
    o Investigating Server Logs
    ▪ Analyzing Webserver Logs
    ▪ Analyzing MySQL Logs
    ▪ Analyzing FTP and SSH Logs
    o Mounted Filesystems
    o Loaded Kernel Modules
  • Drive Data Acquisition
    o Introduction to FTK-Imager CLI
    ▪ Exploring System Files
    ▪ Creating an Image
    ▪ dd and dcfldd as an Alternative Image Capture Tool
    o Capturing Volatile-Memory using LiME vs. using fmem
    ▪ Introduction to Memory Acquisition Basics
    ▪ Compiling LiME
    ▪ Dumping a Memory-File
    ▪ Understanding the /proc/kcore

Description

In this module, participants will understand how to uncover hidden information, detect tampered files, work with memory, and analyze the RAM.

Technical content

  • Analyzing captured images
    o Features of FTK CLI
    ▪ Extracting Protected Files
    ▪ Mounting an Image as a drive
    ▪ Volatile Memory Capturing
    o Analyzing Inode Numbering
    o Building Timelines as a CSV
    o Extracting and Examining System Logs
  • Advanced Linux-OS Analysis
    o Strace and Ltrace
    o Understanding Obfuscation
    o Working with Binaries
    ▪ Introduction to ELF Files
    ▪ Headers, Sections, and Strings
    ▪ Program headers and Program loading
    o Introduction to GDB
  • Working with Volatile-Memory
    o Extracting Data from RAM
    o Identifying Network Connections
    o Dumping Processes from Memory

Description

Participants will study different forensics reports prepared by investigators following past incidents and learn how to write a professional summary, including which points to consider when addressing the documentation of findings of an event.

Technical content

  • Introduction to Report Writing
    o Device Identification
    o Preservation of Data
    o Collecting Evidence
    o Examination and Analysis
    o Documentation
    o Evidence Presentation
    o Final Guidelines
  • Tools for Correct Reporting
    o Autopsy
    o Dradis

Labs

The following labs are part of the actual BT214 course:
  • Lab 1 OS Structure
  • Lab 2 Hashes and Encoding
  • Lab 3 Linux Artifacts
  • Lab 4 Data Structure
  • Lab 5 Data Carving
  • Lab 6 Data Acquisition
  • Lab 7 Linux Memory
  • Lab 8 Volatility
BT214

 Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
  • In situe classroom with proctored labs and scenarios executed in our Cyberium Arena

All sessions are recorded and attendees can replay them  during 30 days. All course material is electronically made available to the participant.

 Course Group:
Defense

LEVEL
0%
HOURS
1

 Hands-on / Theory MiX

The following course incorporates a high level of hands-on labs exercises, as well as real life case studies.

Hands-on
1 %
Labs
1
Case Studies
1

Certification

This course prepares the participant to the following certification:

  • CLFP (7safe)

Required EqUIPMENT

Network connection

As this course extensively uses a cloud based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As it is a very practical course, and in order for the participants to make the most of the course, they need a laptop with the following capabilities:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities ( supporting latest version of Virtualbox or similar virtual machine application)

And also a Good Headset with Mic

More Details

Subscribe