Linux Forensics with Hal Pomeranz

Linux is everywhere– running in the cloud, on cell phones, and in embedded devices that make up the “Internet of Things”. Often neglected by their owners, vulnerable Linux systems are low-hanging fruit for attackers wishing to create powerful botnets or mine cryptocurrencies. Ransomware type attacks may target Linux-based database systems and other important infrastructure.

As attacks against Linux become more and more common, there is an increasing demand for skilled Linux investigators. However, even experienced forensics professionals may lack sufficient background to properly conduct Linux investigations. Linux is its own particular religion and requires dedicated study and practice to become comfortable.

Learn where the most critical on-disk artifacts live and how they can help further an investigation. Rapidly process Linux logs and build a clearer picture of what happened on the system.

Key Takeaways

• Acquiring and analyzing Linux memory
• Accessing complex Linux disk geometries
• Rapid triage for key Linux artifacts
• Linux log analysis

Who Should Take This Course

• Experienced forensic professionals wanting to expand their Linux knowledge
• SOC analysts needing a stronger grounding in Linux
• Administrators/developers defending Linux infrastructures

Audience Skill Level

This course is an introduction to Linux forensics, but not an introduction to forensics. The course assumes at least some knowledge of digital forensic methods, such as evidence acquisition. This course is heavily command-line driven, so basic familiarity with the Linux command-line is helpful.

What Each Student Should Bring

A properly configured computer (see “System Requirements”) and natural curiosity!

• High-speed Internet access
• A BitTorrent client for downloading course materials (e.g., Transmission https://transmissionbt.com/download/)
• At least 150GB of free space and capable of running a 64-bit VMware virtual machine using 4GB of RAM