This event has passed.

Linux Forensics

September 15 @ 9:00 am – 5:00 pm EDT

Instructor: Hal Pomeranz
Course Length: 4 days, 32 Hours

Includes: Twelve months of complimentary access to the Antisyphon Cyber Range, certificate of participation, six months access to class recordings.

Pricing:

$1095 per person

Online

Clicking on this button will take you to our registration form on Cvent.

Course Description

Linux is everywhere– running in the cloud, on cell phones, and in embedded devices that make up the “Internet of Things”. Often neglected by their owners, vulnerable Linux systems are low-hanging fruit for attackers wishing to create powerful botnets or mine cryptocurrencies. Ransomware attacks target Linux-based database systems and other important infrastructure.

As attacks against Linux become more and more common, there is an increasing demand for skilled Linux investigators. But even experienced forensics professionals may lack sufficient background to properly conduct Linux investigations. Linux is its own particular religion and requires dedicated study and practice to become comfortable.

This four-day, hands-on course is a quick start into the world of Linux forensics. Learn how to rapidly triage systems and spot attacker malware and rootkits. Learn where the most critical on-disk artifacts live and how they can help further an investigation. Rapidly process Linux logs and build a clearer picture of what happened on the system. Look at the internals of common Linux file systems and learn how to recover deleted data.

Key Takeaways

Linux live collection and analysis
Linux memory forensic techniques
Rapid triage for key Linux artifacts
Accessing complex Linux disk geometries
Linux log analysis
File system internals and deleted data recovery

Who Should Take This Course

Experienced forensic professionals wanting to expand their Linux knowledge
SOC analysts needing a stronger grounding in Linux
Administrators/developers defending Linux infrastructures

Audience Skill Level

This course is an introduction to Linux forensics, but not an introduction to forensics. The course assumes at least some knowledge of digital forensic methods, such as evidence acquisition. This course is heavily command-line driven, so basic familiarity with the Linux command-line is helpful.

Student Requirements

High speed Internet access
A BitTorrent client for downloading course materials (e.g., Transmission https://transmissionbt.com/download/)
A computer with at least 150GB of free space and capable of running a 64-bit VMware virtual machine using 16GB of RAM

What Each Student Should Bring

A properly configured computer and natural curiosity

What Students Will Be Provided With

Students will receive course slides and author notes in PDF form, lab exercises and virtual machine, and sample forensic images. This material can be downloaded via https://archive.org/download/HalLinuxForensics/HalLinuxForensics_archive.torrent

Class Outline

Day One – Linux Live Capture

Live Capture with UAC

The case for live capture
Configuring and running UAC
Deployment options

LAB: Collecting data with UAC

Live Analysis and Triage – File System

Standard directory layout, ownerships, and permissions
Spotting malicious executables
Deeper dives with /proc

LAB: Too much evil!

Live Analysis and Triage – Processes

The process hierarchy
Typical process ownership
Suspicious process anti-patterns

LAB: Even more evil!

Live Analysis and Triage – Users and Groups

Superuser, application users, and regular users
Processes and users anti-patterns
User back doors

LAB: Find the back door(s)

Day Two – Memory Forensics

Memory Forensics With bulk-extractor

Running bulk-extractor
Useful artifacts
Examining extracted PCAPs

LAB: No profile? No problem!

Memory Forensics – Acquisition

Why memory forensics?
Linux Challenges
Building memory analysis profiles
Acquisition tools and scenarios

LAB: Memory Capture and Volatility Profile Creation

Memory Forensics – Analysis

Kernel messages
Processes
Networking
Command history

LAB: What’s In Memory?

Memory Forensics – Case Study

Spotting the rootkit module in memory
Looking for hooks
Using indicators of compromise

LAB: Rootkit Investigation

Day Three – Linux Disk Analysis

Disk Acquisition and Access

Acquisition scenarios and tools
Complex disk geometries
Setup and teardown walk-throughs

LAB: Disk Image Mounting Challenge

Rapid Disk Triage

Critical system directories
System profiling
Common back doors
Persistent malware
Finding recently modified files

LAB: Disk Triage

Timeline Analysis

Why timeline analysis?
Unix timestamps
Generating timeline

LAB: Timeline Analysis

Linux Log Basics

User access (wtmp, btmp, lastlog)
Understanding where logs live via syslog.conf
Linux Syslog log format
Which logs are most useful?

LAB: Using Logs to Enhance Timeline Analysis

Digging Deeper Into Logs

Web server logs
Kernel logging with auditd
Searching kernel audit logs
Keystroke logging

LAB: Web Server Compromise Logs

Day Four – Digging Deeper

User Artifacts:

bash_history
SSH artifacts, inbound and outbound
Editing history
Recently opened file history
Web history

LAB: Post-Exploitation Activity

EXT File System Analysis:

Key data structures and layout
Tools for examining EXT
Reverse-engineering EXT case study

LAB: Recover Deleted Exploit

XFS File System Analysis:

Key data structures and layout
Tools for examining XFS
Data recovery methods

LAB: XFS file system walkthrough

Web Compromise – Capstone Exercise

Spotting patterns of activity
Separating multiple actors
Matching logs to system activity
Pivoting to find further information

LAB: Choose your own adventure(s)

Trainer & Author

Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has spent more than thirty years providing pragmatic Information Technology and Security solutions for some of the world’s largest commercial, government, and academic institutions.

Linux Forensics