Description

The first module will cover different components of computer hardware. Participants will learn the main components of Storage-Disks, and the structure of the Linux OS.

Technical content

• Drives and Disks
  o The Anatomy of a Drive
  o Data Sizes
  ▪ Data Representation
  ▪ Hexadecimal
  ▪ ASCII
  ▪ Binary
  o Volumes & Partitions
  o Disk Partitioning and the Disk Management Tool
  ▪ MBR vs. GPT
  ▪ Understanding UEFI
  ▪ The HPA
  o Solid State Drive (SSD) Features
• Understanding Linux-OS Structure
  o Linux Directory Structure
  ▪ Bin
  ▪ Dev
  ▪ Etc
  ▪ Usr
  ▪ Proc
  o Services and systemd
  o Users and Groups
  o Understanding Shells

Description

This module will expose participants to the internal components of the Linux OS. Students will learn about tools that will help them with the forensics investigation process.

Technical content

• Understanding Hashes and Encodings
  o Hash as a Digital Signature
  o The Use of Hash for Forensics
  o Base Encodings
• Linux-OS Artifacts
  o User Activity Files
  Profile and Bashrc
  Shell History
  Analyzing Opened Files
  o Physically Accessing Running Process
  o Service Logging Using Journalctl
  o Logfile Analysis
  auth.log
  deamon.log
  syslog or messages
  o Cracking the Shadow and Passwd Files
  o Files in /dev
  o SUID/SGID files
• Data and Files structure
  o Hexadecimal Editing Tools
  Bvi
  Xxd
  Hexedit
  Hexyl
  o File Structure
  Headers and Trailer
  Magic Number
  o Embedded Metadata
  ExifTool
  Exiv2
  o Working with Clusters
  Slack Space
  Unallocated and Allocated Spaces

Description

During this module, participants will master techniques for collecting evidence, accessing and retrieving volatile and non-volatile information.

Technical content

• Forensic Data Carving
  o Using Bvi for Forensics Carving
  Carving files from an existing File
  o Automatic File Carving Tools
  Foremost
  Scalpel
  Bulk-Extractor
  o Files with Basic System-Info and Suspicious User-Info
• Collecting Information
  o Indenting Evidence of Program Execution
  o Detecting Hidden Files and Directories
  o Collecting Network Information
  Network Routing
  Using BMON and TCPTRACK
  Collecting Netstat Information
  o Investigating Server Logs
  Analyzing Webserver Logs
  Analyzing MySQL Logs
  Analyzing FTP and SSH Logs
  o Mounted Filesystems
  o Loaded Kernel Modules
• Drive Data Acquisition
  o Introduction to FTK-Imager CLI
  Exploring System Files
  Creating an Image
  dd and dcfldd as an Alternative Image Capture Tool
  o Capturing Volatile-Memory using LiME vs. using fmem
  Introduction to Memory Acquisition Basics
  Compiling LiME
  Dumping a Memory-File
  Understanding the /proc/kcore

Description

In this module, participants will understand how to uncover hidden information, detect tampered files, work with memory, and analyze the RAM.

Technical content

• Analyzing captured images
  o Features of FTK CLI
  ▪ Extracting Protected Files
  ▪ Mounting an Image as a drive
  ▪ Volatile Memory Capturing
  o Analyzing Inode Numbering
  o Building Timelines as a CSV
  o Extracting and Examining System Logs
• Advanced Linux-OS Analysis
  o Strace and Ltrace
  o Understanding Obfuscation
  o Working with Binaries
  ▪ Introduction to ELF Files
  ▪ Headers, Sections, and Strings
  ▪ Program headers and Program loading
  o Introduction to GDB
• Working with Volatile-Memory
  o Extracting Data from RAM
  o Identifying Network Connections
  o Dumping Processes from Memory

Description

Participants will study different forensics reports prepared by investigators following past incidents and learn how to write a professional summary, including which points to consider when addressing the documentation of findings of an event.

Technical content

• Introduction to Report Writing
  o Device Identification
  o Preservation of Data
  o Collecting Evidence
  o Examination and Analysis
  o Documentation
  o Evidence Presentation
  o Final Guidelines
• Tools for Correct Reporting
  o Autopsy
  o Dradis