Linux Disk Forensics w/ Hal Pomeranz
June 20 @ 9:00 am – June 21 @ 6:00 pm EDT
Instructor: Hal Pomeranz
Course Length: 16 Hours
Includes: Twelve months of complimentary access to the Antisyphon Cyber Range, certificate of participation, six months access to class recordings.
| Class Dates | Class Times |
|---|---|
| Thursday, June 20, 2024 | 9:00 AM-6:00 PM* |
| Friday, June 21, 2024 | 10:00 AM-6:00 PM |
This class is part of the Incident Response Summit. Registration for any Incident Response Summit class includes registration for the summit and all of its presentations, talks, and streams.
Course Description
Linux is everywhere: running in the cloud, on cell phones, and in the embedded devices that make up the “Internet of Things”. Often neglected by their owners, vulnerable Linux systems are low-hanging fruit for attackers wishing to create powerful botnets or mine cryptocurrencies. Ransomware-type attacks may target Linux-based database systems and other important infrastructure.
As attacks against Linux become more and more common, there is an increasing demand for skilled Linux investigators. But even experienced forensics professionals may lack sufficient background to properly conduct Linux investigations. Linux is its own particular religion and requires dedicated study and practice to become comfortable.
This 16-hour, hands-on course is a quick start into the world of Linux forensics. Learn how to use memory forensics to rapidly triage systems and spot attacker malware and rootkits. Learn where the most critical on-disk artifacts live and how they can help further an investigation. Rapidly process Linux logs and build a clearer picture of what happened on the system.
KEY TAKEAWAYS:
- Linux live collection and analysis
- Linux memory forensic techniques
- Rapid triage for key Linux artifacts
- Accessing complex Linux disk geometries
- Linux log analysis
- File system internals and deleted data recovery
WHO SHOULD TAKE THIS COURSE:
- Experienced forensic professionals wanting to expand their Linux knowledge
- SOC analysts needing a stronger grounding in Linux
- Administrators/developers defending Linux infrastructures
AUDIENCE SKILL LEVEL:
This course is an introduction to Linux forensics, but not an introduction to forensics. The course assumes at least some knowledge of digital forensic methods, such as evidence acquisition. This course is heavily command-line driven, so basic familiarity with the Linux command-line is helpful.
STUDENT REQUIREMENTS:
- High speed Internet access
- A BitTorrent client for downloading course materials (e.g., Transmission https://transmissionbt.com/download/)
- A computer with at least 150GB of free space and capable of running a 64-bit VMware virtual machine using 16GB of RAM
WHAT A STUDENT SHOULD BRING:
A properly configured computer and natural curiosity
WHAT STUDENTS WILL BE PROVIDED WITH:
Students will receive course slides and author notes in PDF form, lab exercises and virtual machine, and sample forensic images. This material can be downloaded via https://archive.org/download/HalLinuxForensics/HalLinuxForensics_archive.torrent
Day Three – Linux Disk Analysis
Disk Acquisition and Access
- Acquisition scenarios and tools
- Complex disk geometries
- Setup and teardown walk-throughs
LAB: Disk Image Mounting Challenge
Rapid Disk Triage
- Critical system directories
- System profiling
- Common back doors
- Persistent malware
- Finding recently modified files
LAB: Disk Triage
Timeline Analysis
- Why timeline analysis?
- Unix timestamps
- Generating timelines
LAB: Timeline Analysis
Linux Log Basics
- User access (wtmp, btmp, lastlog)
- Understanding where logs live via syslog.conf
- Linux Syslog log format
- Which logs are most useful?
LAB: Using Logs to Enhance Timeline Analysis
Digging Deeper Into Logs
- Web server logs
- Kernel logging with auditd
- Searching kernel audit logs
- Keystroke logging
LAB: Web Server Compromise Logs
Day Four – Digging Deeper
User Artifacts:
- bash_history
- SSH artifacts, inbound and outbound
- Editing history
- Recently opened file history
- Web history
LAB: Post-Exploitation Activity
EXT File System Analysis:
- Key data structures and layout
- Tools for examining EXT
- Reverse-engineering EXT case study
LAB: Recover Deleted Exploit
XFS File System Analysis:
- Key data structures and layout
- Tools for examining XFS
- Data recovery methods
LAB: XFS file system walkthrough
Web Compromise – Capstone Exercise
- Spotting patterns of activity
- Separating multiple actors
- Matching logs to system activity
- Pivoting to find further information
Trainer & Author
Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has spent more than thirty years providing pragmatic Information Technology and Security solutions for some of the world’s largest commercial, government, and academic institutions.