digital forensics

Computer forensics are of interest not only for law enforcement. There is a number of reasons for conducting forensic analyses at enterprise level. Nevertheless, its realisation may be complicated and may pose various problems for administrators. On the one hand, adequate proprietary software is very expensive. On the other hand, in many cases insider knowledge not documented publicly is required.

This training course relies on Linux's strong points. There is hardly an operating system more capable of analysing the multitude of existing file systems used by varied operating systems, of examining specific files' timeline or restoring deleted files. As virtualisation is becoming more important in this context, Virtualbox and KVM are major helpful tools.

In this training course, we will configure a Linux-based examination system and learn the forensic basics of file system analysis. The approaches featured in this training course are applicable to all current dektop operating systems and will be put into practice using the example of Windows.

Based on this training course, we are also offering an advanced training course Linux/BSD server analysis and forensics.

Trainer und Dozenten

Hans-Peter Merkel (Dipl. Ing.) has been training law enforcement officers in Germany and foreign countries for several years . He is assisting law enforcement authorities in searching procedures and is conducting subsequent forensic evaluations. His primary focus is analysis of Linux/BSD internet servers.

Inhalt

Introduction

  • Overview and installation of relevant software applications in forensics
  • Installation/configuration of virtualisation solutions with Virtualbox und KVM
  • Installation of relevant FUSE drivers

Data acquisition

  • First steps with Live CDs, DVDs and bootable USB sticks
  • Creation of forensic images in EWF and AFF

Examining images

  • Insights into partition information
  • Creation of file listings including MAC timestamps with Sleuthkit
  • Image conversion with xmount (ewf, aff, dd, qcow, vd, etc)
  • Logical evaluation of storage media
  • Handling of deleted files and unallocated space
  • Rekonstruction of deleted files
  • File/RAM Slack

File Carving

  • File reconstruction on damaged media using header analysis
  • Retrieval of email adresses, URL's, IP adresses or credit card numbers

Password cracking on Windows systems

  • Cracking LM/NTLM hashes with Ophcrack and Rainbow Tables

Virtualisation

  • Virtualisation of EWF images
  • Solving issues and booting of problematic Windows systems (Bluescreen, AntiWPA, Treiber)

Kurszeiten

Wer möchte, reist bis 22 Uhr am Vortag an und nutzt den Abend bereits zum Fachsimpeln am Kamin oder im Park.

An den Kurstagen dann von 9-18 Uhr (mit 2 Kaffee- und 1 Mittagspause) etwa 60% Schulungen und 40% Übungen. Selbstverständlich arbeitet jeder Teilnehmer am von uns gestellten Notebook oft parallel zum Referenten mit.

Anschließend Abendessen und Angebote für Fachsimpeln, Ausflüge uvm. Wir schaffen eine Atmosphäre, in der Fachleute sich ungezwungen austauschen. Wer das nicht will, wird zu nichts gezwungen und findet auch jederzeit Ruhe.