IT Forensics for System Administrators
Session 1: Organisation
Dealing with the organisational aspects of incident handling and forensics may sound like dry paperwork far removed from the technical details of day-to-day sysadmin tasks. However, organisational preparation can help tremendously in the course of an investigation, for example by answering simple practical questions such as “who’s in charge?”, “what are we looking for?” or even “why are we doing this?”. This module introduces the basic steps of incident handling and forensic investigations, and introduces attendees to the principles of forensic investigations that should be adhered to for an investigation to succeed.
Session 2: From Suspicion to Detection I
So, you or someone in your organisation notices “unusual system behaviour” or “suspicious network traffic”, but you are not sure what to do about it. The first step in incident response is usually to ascertain whether or not the observed activity really is an incident. While there is no formal process or definition for doing so, there is a large number of places where possible indicators can be looked for, and these indicators may eventually add up to an incident. Participants will learn what first steps to take after a compromise has been detected.
Session 3: From Suspicion to Detection II
Session 4: Memory Acquisition I
Whatever malware is doing on a computer, the code that carries out its activity has to be in the random access memory (RAM). And not only the code: lots of other interesting material is present there too, such as IP addresses of computers it has communicated with, data from attacks against other systems, or even exfiltrated data. By reading this information directly from memory, compromised operating system components can be bypassed. No wonder that investigating transient memory has become a hot topic in IT forensics over the last decade.
Before memory contents can be scrutinised, they have to be acquired from the computer. This webinar covers the basic principles and techniques behind memory acquisition on the Linux, Windows and MacOS operating systems.
Session 5: Memory Acquisition II
Whatever malware is doing on a computer, the code to carry out its activity has to be in the random access memory (RAM). No wonder that investigating transient memory has become a hot topic in IT forensics over the last decade.
The previous webinar covered the basic, operating-system-agnostic technique of acquiring memory through the use of kernel drivers and copying tools. However, it required access to the operating system with root or administrator privileges. This webinar covers advanced techniques that relax some of these preconditions and are in some cases better suited to the job of memory acquisition.
Session 6: Persistent Storage Acquisition I
If any data on a computer is to outlast a power-off or a reboot, it has to be written to persistent storage. Even cloud storage is only persistent storage on another computer. Investigating the contents of hard disks, SSDs and transportable media has been a standard operating procedure of IT forensics since the ’90s and remains so today. Before storage contents can be scrutinised, they have to be acquired from the suspect computer. This webinar covers the basic principles and techniques behind persistent storage acquisition on the Linux, Windows and MacOS operating systems.
Session 7: Persistent Storage Acquisition II
If any data on a computer is to outlast a power-off or a reboot, it has to be written to persistent storage. Investigating the contents of hard disks, SSDs and transportable media is a standard operating procedure of IT forensics. The previous webinar covered the basic, operating-system-agnostic technique of acquiring persistent storage through raw device access and standard copying tools. However, it required access to the operating system with root or administrator privileges. This webinar covers advanced techniques that do away with some of these preconditions and may be better suited to the job in some situations.
Session 8: Acquisition of Other Evidence
Are there more indicators of compromise than the contents of RAM and hard disks? Yes, of course. And it may be vital material that is either lost on the suspect systems due to adversary activity or was never there to begin with. One example is crucial log messages that are now only present on a central loghost. Another is network traffic information from switches, firewalls or network IDS that may corroborate leads which would otherwise be vague or circumstantial. This webinar introduces some of the more common forms of indicators not present on local systems, and how and where to obtain them.