Level II - Linux Data Forensics:
3-Day Combined Course: Chicago, IL
Cost:
$2,550
Location: 1 East Jackson (State and Jackson)
The student will start with learning a strong understanding of
the workings of a Linux Operating System, then proceeding to hands–on instruction, building a Linux OS, learning the File
System Hierarchy and the Virtual File System layers in Linux.
From here, the student rapidly ascends to learning an array of
open source tools they can use for forensic data acquisition.
This will teach the student how to use and build a more complete
Open Source forensic toolkit for performing audits and investigations.
With these tools, the student will learn how to perform the practice
of mounting images, processing evidence, and hands-on investigation
protocol while preserving the forensic process. This course will
teach the student a strong conceptual understanding of Linux and
the practice of Linux Data Forensics. Students will walk away confident,
knowing they are well prepared for an advanced level course. Linux
Data Forensic is platform independent, can collect forensic
data and perform analysis on all Windows, Linux, Macintosh and
UNIX systems, along with many file systems and storage-devices.
*Please note
the maximum headcount of this class is 20 students.
DAY 1 - Linux Data Forensics
Preliminaries
| - |
Welcome |
| - |
Introductions ASR Data / Security Forensics' |
| - |
Course Overview |
| - |
Defining the terms that will be used in the course |
| - |
The history of Digital Forensics |
| - |
Next Generation and where the market is taking Digital Forensics |
| - |
The holistic approach to Digital Forensics |
| - |
Q and A |
Understanding Linux
| - |
Who is Linas Torvalds |
| - |
Why use Linux Forensics |
| - |
Linux Forensics and platform independence |
| - |
The Future of the Linux OS and Linux Forensics |
Linux and Data Forensics
| - |
Everything is a File |
| - |
Filesystem Types Supported |
| - |
Loopback Device |
| - |
Redirection and Chaining |
| - |
Monitoring and Logging |
Building and Installing a Linux OS
| - |
Hands on Installation |
| - |
Procedures and Practices when installing the Linux OS |
| - |
Kernel, Hardware, shell and available applications |
| - |
Review of contemporary distributions |
| - |
Selecting a distribution |
| - |
Linux Components |
| - |
Host device partitioning |
| - |
Choosing a volume format |
| - |
Selecting a bootloader (GRUB v. LILO) |
| - |
Selecting the initial runlevel |
| - |
Choosing a Desktop Environment |
Linux OS Environment
| - |
Hardware Abstractions |
| - |
Virtual Terminals |
| - |
Filesystem Hierarchy Standards (FHS) |
| - |
Navigating Directories |
| - |
Processes |
| - |
Location of Key Files |
General Administration
| - |
Users and Groups |
| - |
File Permissions |
| - |
Timestamps |
| - |
Log Files and Locations |
| - |
Processes and Monitoring |
| - |
Running as Root |
Assessing Devices
| - |
Device Nomenclature and Recognition |
| - |
Help in Identifying Devices |
| - |
Troubleshooting Device Issues |
Linux Filesystems
| - |
Virtual Filesystems (VFS) explained in detail |
| - |
Procfs explained |
| - |
Ext2 Explained |
| - |
Journalled filesystems (ext3, reiserfs, xfs, etc.) |
Building a Custom Kernel
| - |
Getting the required packages |
| - |
Installing v. Upgrading |
| - |
Patching the Kernel |
| - |
Choosing options specific for Data Forensics |
| - |
Building Modules |
| - |
Troubleshooting Errors |
DAY 2 - Review Day One
Acquisition and Linux
| - |
Attaching Devices |
| - |
Device Recognition |
| - |
Compressing Image Files |
| - |
Chunking Image Files |
System Tools for Data Forensics
| - |
System tools that can be used in processing Data Forensics |
| - |
Recursively Hashing |
| - |
dd, md5sum, sha1, mount, fdisk, grep, find, file, stat,
etc. |
| - |
Installing programs |
| - |
Red Hat Package Manager (RPM), tarballs, and compression |
| - |
How to decompress and install programs |
| - |
Overview of tools to assist in Data Forensics capture –
Autopsy, Sleuth, TASK, Ide, TCT, TCTutils, SMART, partrimage
- |
Mounting Image Files
| - |
Loopback device in detail |
| - |
Mounting Logical Partitions |
| - |
Dealing with Physical Images |
| - |
Carving Partitions from Physical Images |
Processing Evidence
| - |
'file', 'find'
|
| - |
‘grep’, grepmail’, ‘zipgrep’ |
| - |
‘hexdump’, ‘hexedit’, ‘ghex2’,
‘xxd’ |
| - |
‘GQview’, ‘gThumb’, ‘flphoto’ |
Basic Shell Scripting for Forensics
| - |
Requirements |
| - |
Examples |
Preserving your forensic process
| - |
Logging Footsteps |
| - |
Identifying Users |
| - |
Capturing Process and Network Information |
| - |
Dumping Memory |
DAY 3 - Review of Day 2
Legal / Procedural Issues
| - |
Articulate Findings |
| - |
Documenting and Reporting Tips |
| - |
Articulating Methodology |
| - |
Defending the Methodology |
| - |
Presenting and Supporting Opinions |
| - |
Production v. Discovery |
| - |
Responding to Challenges |
| - |
Tips for Testifying Experts |
| - |
Depositions and Cross Examinations |
Advanced Data Forensics and Scenarios Defined
| - |
Postmortem Analysis |
| - |
Steps needed to preserve evidentiary integrity |
| - |
Deeper understanding of disk- based files with a 3rd
party digital capture |
| - |
Network File Systems |
| - |
Enterprise Servers |
| - |
Current and Future Challenges |
Smart for Linux
| - |
SMART Architecture |
| - |
SMART Features |
| - |
SMART and Linux |
| - |
Installing and Running |
| - |
Creating Users |
| - |
Storage Devices |
| - |
Device information and options |
| - |
SMART Preferences |
| - |
Cases and SMART |
| - |
Creating a new case in SMART |
| - |
Archiving a Case – Wiping Destination Media, Filesystems,
Segmentation, Compression, Authenticity |
| - |
SMART Data Viewer - Active, Deleted, Slack and Unallocated |
| - |
SMART Logging |
SMART Servers
| - |
SMART Processes |
| - |
Server Technology |
| - |
Configured Smart Server |
SMART Client
| - |
Requirements |
| - |
Remote Client Software |
| - |
Client to Server Communication |
| - |
Configure SMART Client |
| - |
Communication Technologies |
| - |
Remote Administration Software |
| - |
Securing the Data Transmission |
Importing Images, Authenticating Images and Creating
Hashsets in SMART
| - |
Adding mixed images to a new case |
| - |
Authenticating images |
| - |
"Unencasing" and Encased Image |
| - |
Importing a Ghost Image |
| - |
Importing a DD Image |
| - |
Listing all files |
| - |
Creating Hashsets - Exporting and logging Raw Data |
| - |
Recovering Deleted Files |
| - |
Creating Key Work Dictionary |
| - |
Composing Search Terms |
| - |
Carving Files and Data |
| - |
Interpreting Forensic Data |
| - |
Thumbnails of all Graphics |
| - |
Generating a Report |
| - |
Building a Report |
| - |
Customizing a Report - Things to Include |
SMART Boot CD-ROM
| - |
Architecture and Overview |
| - |
Configuring the X-Server |
| - |
Conducting a "knock and talk" |
| - |
Analysis |
| - |
Included Utilities |
| - |
Methodology |
SMART and RAID
| - |
Linux and RAID |
| - |
RAID |
| - |
Working with RAID |
| - |
Initializing RAID |
| - |
Acquiring RAID |
Class Participation - Practical
| - |
Sample Evidence Files, supplied to all Students to work
on their analytical skill set. The Students will document
their Step – by – Step process, extracting and
presenting evidence including recovery of deleted files, interpretation
of file system Meta – data in unallocated space, recognizing
various data and file formats and self-paced investigation.
Graded by your peers. |
Final Summary of the course
| - |
Q and A |
| |
|
| - |
An Introduction of what to expect from Part 2 - The Advanced
Course |
Registration Form
|