- This event has passed.
September 12 @ 9:00 am – 5:00 pm EDT
Instructor: Hal Pomeranz
Course Length: 4 days, 32 Hours
Includes: Twelve months of complimentary access to the Antisyphon Cyber Range, certificate of participation, six months access to class recordings.
Clicking on this button will take you to our registration form on Cvent.
Linux is everywhere– running in the cloud, on cell phones, and in embedded devices that make up the “Internet of Things”. Often neglected by their owners, vulnerable Linux systems are low-hanging fruit for attackers wishing to create powerful botnets or mine cryptocurrencies. Ransomware attacks target Linux-based database systems and other important infrastructure.
As attacks against Linux become more and more common, there is an increasing demand for skilled Linux investigators. But even experienced forensics professionals may lack sufficient background to properly conduct Linux investigations. Linux is its own particular religion and requires dedicated study and practice to become comfortable.
This four-day, hands-on course is a quick start into the world of Linux forensics. Learn how to rapidly triage systems and spot attacker malware and rootkits. Learn where the most critical on-disk artifacts live and how they can help further an investigation. Rapidly process Linux logs and build a clearer picture of what happened on the system. Look at the internals of common Linux file systems and learn how to recover deleted data.
- Linux live collection and analysis
- Linux memory forensic techniques
- Rapid triage for key Linux artifacts
- Accessing complex Linux disk geometries
- Linux log analysis
- File system internals and deleted data recovery
Who Should Take This Course
- Experienced forensic professionals wanting to expand their Linux knowledge
- SOC analysts needing a stronger grounding in Linux
- Administrators/developers defending Linux infrastructures
Audience Skill Level
This course is an introduction to Linux forensics, but not an introduction to forensics. The course assumes at least some knowledge of digital forensic methods, such as evidence acquisition. This course is heavily command-line driven, so basic familiarity with the Linux command-line is helpful.
- High speed Internet access
- A BitTorrent client for downloading course materials (e.g., Transmission https://transmissionbt.com/download/)
- A computer with at least 150GB of free space and capable of running a 64-bit VMware virtual machine using 16GB of RAM
What Each Student Should Bring
A properly configured computer and natural curiosity
What Students Will Be Provided With
Students will receive course slides and author notes in PDF form, lab exercises and virtual machine, and sample forensic images. This material can be downloaded via https://archive.org/download/HalLinuxForensics/HalLinuxForensics_archive.torrent
Day One – Linux Live Capture
Live Capture with UAC
- The case for live capture
- Configuring and running UAC
- Deployment options
LAB: Collecting data with UAC
Live Analysis and Triage – File System
- Standard directory layout, ownerships, and permissions
- Spotting malicious executables
- Deeper dives with /proc
LAB: Too much evil!
Live Analysis and Triage – Processes
- The process hierarchy
- Typical process ownership
- Suspicious process anti-patterns
LAB: Even more evil!
Live Analysis and Triage – Users and Groups
- Superuser, application users, and regular users
- Processes and users anti-patterns
- User back doors
LAB: Find the back door(s)
Day Two – Memory Forensics
Memory Forensics With bulk-extractor
- Running bulk-extractor
- Useful artifacts
- Examining extracted PCAPs
LAB: No profile? No problem!
Memory Forensics – Acquisition
- Why memory forensics?
- Linux Challenges
- Building memory analysis profiles
- Acquisition tools and scenarios
LAB: Memory Capture and Volatility Profile Creation
Memory Forensics – Analysis
- Kernel messages
- Command history
LAB: What’s In Memory?
Memory Forensics – Case Study
- Spotting the rootkit module in memory
- Looking for hooks
- Using indicators of compromise
LAB: Rootkit Investigation
Day Three – Linux Disk Analysis
Disk Acquisition and Access
- Acquisition scenarios and tools
- Complex disk geometries
- Setup and teardown walk-throughs
LAB: Disk Image Mounting Challenge
Rapid Disk Triage
- Critical system directories
- System profiling
- Common back doors
- Persistent malware
- Finding recently modified files
LAB: Disk Triage
- Why timeline analysis?
- Unix timestamps
- Generating timeline
LAB: Timeline Analysis
Linux Log Basics
- User access (wtmp, btmp, lastlog)
- Understanding where logs live via syslog.conf
- Linux Syslog log format
- Which logs are most useful?
LAB: Using Logs to Enhance Timeline Analysis
Digging Deeper Into Logs
- Web server logs
- Kernel logging with auditd
- Searching kernel audit logs
- Keystroke logging
LAB: Web Server Compromise Logs
Day Four – Digging Deeper
- SSH artifacts, inbound and outbound
- Editing history
- Recently opened file history
- Web history
LAB: Post-Exploitation Activity
EXT File System Analysis:
- Key data structures and layout
- Tools for examining EXT
- Reverse-engineering EXT case study
LAB: Recover Deleted Exploit
XFS File System Analysis:
- Key data structures and layout
- Tools for examining XFS
- Data recovery methods
LAB: XFS file system walkthrough
Web Compromise – Capstone Exercise
- Spotting patterns of activity
- Separating multiple actors
- Matching logs to system activity
- Pivoting to find further information
LAB: Choose your own adventure(s)
Trainer & Author
Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has spent more than thirty years providing pragmatic Information Technology and Security solutions for some of the world’s largest commercial, government, and academic institutions.