Computer forensics is of interest not only to law enforcement. There are a number of reasons for conducting forensic analyses at enterprise level. Nevertheless, carrying them out may be complicated and may pose various problems for administrators. On the one hand, adequate proprietary software is very expensive. On the other hand, in many cases insider knowledge that is not publicly documented is required.
This training course relies on Linux's strong points. Hardly any other operating system is as capable of analysing the multitude of file systems used by various operating systems, examining the timeline of specific files or restoring deleted files. As virtualisation is becoming more important in this context, VirtualBox and KVM are major helpful tools.
In this training course, we will configure a Linux-based examination system and learn the forensic basics of file system analysis. The approaches featured in this training course are applicable to all current desktop operating systems and will be put into practice using the example of Windows.
Based on this training course, we also offer an advanced training course, "Linux/BSD server analysis and forensics".
Trainers and lecturers
Hans-Peter Merkel (Dipl. Ing.) has been training law enforcement officers in Germany and foreign countries for several years. He assists law enforcement authorities in search procedures and conducts the subsequent forensic evaluations. His primary focus is the analysis of Linux/BSD internet servers.
Contents
Introduction
- Overview and installation of relevant software applications in forensics
- Installation/configuration of virtualisation solutions with VirtualBox and KVM
- Installation of relevant FUSE drivers
Data acquisition
- First steps with Live CDs, DVDs and bootable USB sticks
- Creation of forensic images in EWF and AFF
Examining images
- Insights into partition information
- Creation of file listings including MAC timestamps with Sleuthkit
- Image conversion with xmount (ewf, aff, dd, qcow, vd, etc)
- Logical evaluation of storage media
- Handling of deleted files and unallocated space
- Reconstruction of deleted files
- File/RAM Slack
File Carving
- File reconstruction on damaged media using header analysis
- Retrieval of email addresses, URLs, IP addresses or credit card numbers
Password cracking on Windows systems
- Cracking LM/NTLM hashes with Ophcrack and Rainbow Tables
Virtualisation
- Virtualisation of EWF images
- Solving issues and booting of problematic Windows systems (bluescreen, AntiWPA, drivers)
Course times
Those who wish can arrive by 10 p.m. the day before and use the evening to talk shop by the fireplace or in the park.
On course days, breakfast is served from 8 a.m.
Our courses begin at 9 a.m. and end at 6 p.m.
In addition to short breaks, there is a one-hour lunch break with delicious food freshly prepared in our kitchen.
After the training, there is dinner, followed by opportunities for talking shop, excursions and much more. We create an atmosphere in which professionals can exchange ideas informally. Those who do not want to take part are not pressured into anything and can find peace and quiet at any time.