Description
why Investigating Linux Forensics is important
Why do we need to learn Linux Forensics? Well, nowadays when you look at the number of tools available on different penetration testing systems running Linux, you should stop and ask yourself a basic question "are these tools and systems, always gonna be used for ethical purposes?".
The answer is definitely, NO! Another reason to consider Linux forensics, is you arrive to the crime scene and you find out that your suspect’s desktop is a Linux operating system! If you don’t have the proper skillset, you will be shocked and start to question your knowledge, ability, and skillset. What should I do?
Do I have the skills required to collect data from this system? Where should I look for data and artifacts? What do these artifacts even look like? How can we identify and track user activity? etc.
Training Delivery Details
Instructor Led Training
Live Training: Instructor ( Two Days - 10 hours ) | Certification of Attendance
The course material includes full access to our
INVESTIGATING LINUX SYSTEMS - On-Demand Course
Sessions starts from 9 AM to 2 PM (Eastern Time) or scheduled upon a mutual agreement
Pricing Options
Please make sure you select the enrollment schedule that works best for you. If none of these work and you are still interested in our training, please contact us.
Syllabus
At the completion of this two day live training, you will possess the necessary know-how to effectively and efficiently investigate a compromised Linux system, learn where to find system and application artifacts, and recover deleted data.
- Introduction to Linux Forensics
- Understanding the Linux FHS
- Understanding and Investigating Core Linux Components
- Linux Boot Process
- Linux System and Service Managers
- Acquisition
- Searching and Navigation Linux Systems
- Searching and Navigation Linux Systems
- Network Services & Network Connections
- Searching Devices & Volumes
- Variables, Shells, Profiles, Cronjobs, etc
- Users & Groups
- Processes & Applications
Introduction to Linux
Essential Tools and Techniques
System Analysis
- Intro. to Linux EXT4 File System
- Analysis Using The Sleuth Kit (TSK)
- Analysis Using DebugFS
- Analyzing Linux Logs
- The ProcFS & TmpFS File Systems
File Systems and Log Analysis
- Investigating Linux GUI
- Investingating Linux Desktop Environments
- Linux USB Forensics
GUI & USB Forensics
- What Is The Forensics Report?
- The Importance of Forensics Report
- Forensics Report Sections
- Reporting Standards And Guidelines
- Conclusions And Recommendation
- Case #1 - Investigating a Compromised Web Server
- Case #2 - Investigating Suspicious Processes
- Case #3 - Investigating a Kali Linux Systems
- Case #4 - Investigating a Compromised Cluster
- Case #5 - Traffic Acquisition and Analysis
- Case #6 - Investigating Linux Desktop Environments
- Case #7 - Investigating a Compromised Web Server #2
- Case #8 - Timeline Analysis
Writing Forensics Reports
Hands-on Labs
Instructor
Ali Hadi is a highly accomplished and experienced Senior Cybersecurity Specialist with 14+ years of professional experience in Information Technology. He is currently working as a full-time professor and researcher at the Computer and Digital Forensics and Cybersecurity Departments of Champlain College, USA. Ali is a Co-Founder and the Chief Technology Officer of Cyber 5W. He holds a PhD and MSc degree in Computer Information Systems, as well as a BSc degree in Computer Science. Throughout his professional career, Ali has earned more than 20 professional certifications. Ali is a sought-after consultant in the field of cybersecurity, offering expertise in areas such as digital forensics, incident response, adversary simulation, offensive security, and malware analysis. He is also an established author, speaker, and freelance instructor, having provided technical training to government and private firms as well as other organizations. Ali continues to be an influential figure in the digital forensics community and is dedicated to promoting forensics education and research. More details could be found here or contact him directly through twitter here.
Learning Objectives
After completing this training, will be capable of:
-
Searching through the FHS
-
Working with volumes and mounting forensic case images
-
Search in log files
-
Using TSK to list forensic image info and work with EXT4 file systems
-
Use debugfs and EXT4 journals to recover deleted files
-
Tracking running processes
-
Using the ProcFS to the benefit of your IR
-
Extracting processes from memory
-
Generating and filtering a super timeline
Prerequisites
what should you know before taking the course
This course assumes a basic understanding of Linux operating systems, and prior knowledge in digital forensics is highly recommended.
If you have no previous Linux experience, we recommend you check our FREE course found here (Tsurugi) or here (Ubuntu).
Important: Learners must have experience installing software and running virtual machines within a hypervisor. Please ensure you are comfortable setting up and managing virtual machines independently.
Who is this Training For?
why should you take this training
Anyone who wants to perform Linux investigations, SOC team members, incident response handlers, red team members, malware analysts, and anyone who is curious to know about Linux digital forensics and wants to learn something new.
System Requirements:
what you need to for the course
- Computer or laptop with a Linux (Tsurugi Linux is recommended) and a Windows or Mac Operating System
- Capability of running virtualization software such as VMWare or VirtualBox
- More than 100 GB of disk space for the Virtual Machines and Forensic Images used
- Eric Zimmerman's Timeline Explorer
Cancellation Policy:
Info you need to know to get a refund
Full refunds will be provided up to 14 days before the course start date. You are allowed to change the course schedule up to 10 days before the course starts.