What to bring:
Students must supply their own laptop with a Linux installation, including X windows. This installation can be either native, or in VMware. The Linux installation must have at least 300 mb of free space.
The laptop should have a DVD drive.
Development tools (e.g. gcc, make, etc.) must be installed on the laptop, however no development experience is required. All tools will be provide on DVD-ROM.
Who Should Take this Course:
- Corporate Security Officers
- System Administrators
- Law Enforcement Officers
Key Learning Objectives
- Gain an understanding of how forensic tools operate and function, allowing you to better utilize (and evade!) them
- Understand the forensic process
- Learn in-depth file system implementation details
- Conduct a successful digital forensic investigation
The continuing increase in digital crimes spurs the demand for effective digital forensic investigation skills. This course teaches how to conduct a successful digital forensic investigation, and builds a solid base of knowledge for further learning. Using a task-oriented approach, participants will learn digital forensic analysis techniques and methodologies which can be applied immediately. During the course, strong emphasis is placed on technical understanding and skills.
The core curriculum of the course revolves around multiple File System Intensive sessions, focusing on file systems used on both Windows and UNIX/Linux platforms such as NTFS and Ext2FS. These File System Intensives use a combination of lectures and task-oriented hands-on lab exercises to instruct and reinforce the deep, low-level, file system knowledge crucial for effective digital forensic analysis and investigations. The lab exercises will teach core skills, such as how to:
- seize and preserve digital media
- recover deleted files (both manually and with tools)
- uncover evidence of tampering
Each File System Intensive concludes with a sample investigation, reinforcing the skills developed within the course and building an understanding of how to successfully conduct a real investigation.
As well as using specific forensic tools, such as The Sleuthkit, the File System Intensives use standard file system tools to build familiarity with file system data structures. In addition, the Grugq's own forensic tool, PIZDATA, an interactive, programmable, file system analysis tool will be used extensively. PIZDATA allows forensic investigators to rapidly develop new tools, as well as share analysis scripts easily between investigators, and this course will teach how to develop PIZDATA based tools.
During the File System Intensive sessions, students will learn about the forensic analysis process, as well as the techniques and methodologies necessary for successful digital forensic investigations.
Students will be presented with the following materials to be used and referenced throughout the duration of the course:
- Open Source forensic software on DVD-ROM
- Case study file system images on DVD-ROM
Students should be comfortable using Linux as an operating environment. Students must supply their own laptop with a Linux installation, including X windows. This installation can be either native, or in VMware. The Linux installation must have at least 300 mb of free space. Development tools (e.g. gcc, make, etc.) must be installed on the laptop, however no development experience is required. All tools will be provide on DVD-ROM.
The Grugq has been at the forefront of forensic research for the last six years, during which he has been pioneering in the realm of anti-forensic research and development. During this time, he has also worked with leading IT security consultancies and a major financial institution. Most recently he has been involved with an innovative security software development start-up company. Currently the director of gxlabs, an information security company, the grugq continues his research on security, forensics and beer.