Introduction to file-system post-mortem forensic analysis

Bio

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to gather, review, report and respond to computer security threats and incidents. CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg. CIRCL provides a reliable and trusted point of contact for any users, companies and organizations based in Luxembourg, for the handling of attacks and incidents. Its team of experts acts like a fire brigade, with the ability to react promptly and efficiently whenever threats are suspected, detected or incidents occur. CIRCL’s aim is to gather, review, report and respond to cyber threats in a systematic and prompt manner. CIRCL is operated by SECURITYMADEIN.LU, which is also the host organization for CASES and C3.

Date: Wednesday, 05. September 2018 09:00 until Wednesday, 05. September 2018 17:00
Room: EternalBlue
Language: EN
Service Details:

IT or operational security teams

1 day

Knowledge of operating systems and IT security is required

Training info

Forensic Analysis is based on the assumption that everything leaves a trace behind. A trace in an information system can be any data that helps to identify space and time actions. Post mortem analysis is a key tool to discover and analyse security incidents. This course will teach the participant how to find answers to what has happened by analysing different layers from the physical medium to the file system up to the application level.

Objectives

Perform disk acquisition the right way
Introduce to file system analysis (NTFS/FAT)
Analyse operating system artifacts (MS Windows)
Find evidences in communication applications (e.g. browser or chat history)
Forensic correlation with threat intelligence platform like MISP

Forensic Analysis is based on the assumption that everything leaves a trace behind. A trace in an information system can be any data that helps to identify space and time actions. Post mortem analysis is a key tool to discover and analyse security incidents. This course will teach the participant on how to find answers to what has happened by analysing different layer from the physical medium to the file system up to the application level.

Perform disk acquisition the right way
Introduce to file system analysis (NTFS/FAT)
Analyse operating system artifacts (MS Windows)
Find evidences in communication applications (e.g. browser or chat history)
Forensic correlation with threat intelligence platform like MISP

Prerequisites

We encourage you to bring a laptop running Linux, either natively or in a virtual machine. An installation of Kali Linux is perfect. Please also download the material from https://www.circl.lu/services/forensic-training-materials/

Who benefits most from this training

Employees of the IT department
Local Incident Response Team
IT security/DFIR interested

Requirement

Knowledge of operating systems and IT security is required

Duration

This is an 8 hours training.

What is included

Training material
Beverages
Light lunch

Overview of the room/facility

EternalBlue

Organiser(s) / Sponsor(s)

Request more information : info@circl.lu