Difference between revisions of "Training Digital Forensics with Open Source Tools"
From BruCON 2017
Latest revision as of 09:59, 8 September 2014
Digital Forensics with Open Source Tools by Frédéric Baguelin
Course Description
This training deals with performing digital forensics with open source tools on Windows and Linux. It starts with an introduction to digital forensics concepts and methodologies. After the theory, we practice by performing hard drive and volatile memory acquisition. Then we dive into common file-system structures and their interesting metadata. Every step relies on several open source tools, from acquisition to analysis. Finally, we will see how to develop our own Python scripts using DFF's API.
Course Objectives
- Digital Forensics with Open Source Tools is a training which aims to present only open source tools, used at each step of an investigation from acquisition to analysis of a Windows workstation. During the course, attendees will:
  - create their tool arsenal to deal with digital forensics
  - discover tools usable either from the command line or through a graphical interface
  - become familiar with some anti-forensics techniques
  - become a ninja with open source digital forensics tools, and especially with Digital Forensics Framework
Course Outline
- Overview of digital forensics and the associated process
- How to acquire a hard drive from the console (server) and through a GUI
  - raw acquisition, forensic containers, split files, hashing
- Analysis of volumes (DOS / GPT)
  - presentation of data structures
  - classical and unallocated areas, where to hide information
- Analysis of the FAT filesystem
  - data structures
  - differences between FAT12 / FAT16 / FAT32
  - cluster walking
  - deleted items
  - MAC times
- Analysis of the NTFS filesystem
  - data structures
  - MFT internals
  - deleted items
  - MAC times (all of them)
- How to mount volumes of an acquisition (EWF, split dd, ...)
- How to look for files and folders based on their metadata
- How to look for files and folders based on their content
- Windows system analysis
  - user / group accounts
  - connected devices
  - system information (install date, shutdown, ...)
  - login attempts
  - launched executables
- User analysis
  - recent documents
  - browser analysis
  - Skype analysis
- How to acquire volatile memory
- How to analyze volatile memory
  - memory management overview (segmentation / paging)
  - Windows kernel structures
  - process management
  - open files
  - loaded drivers
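The FAT part of the outline (data structures, the 12/16/32 differences, cluster walking) is the kind of thing that is easiest to understand with a small parser in hand. The script below is an added example for this page; it is not course material and not DFF code, and it uses only the Python standard library. It parses the BIOS Parameter Block of a boot sector to determine the FAT variant from the cluster count (the variant is decided by that count, not by the text label in the boot sector), decodes FAT entries under the FAT12 packing scheme and the 16/28-bit schemes, and walks a cluster chain while refusing loops, bad-cluster markers and free entries, which are the situations an investigator meets on a damaged or tampered FAT. All boot sectors and FAT tables are constructed inside the script; the field offsets and thresholds are the ones from the FAT specification.

```python
import struct

# Reserved FAT entry values per variant (FAT32 entries use only the low 28 bits).
FAT_PARAMS = {
    12: {"eoc": 0xFF8, "bad": 0xFF7},
    16: {"eoc": 0xFFF8, "bad": 0xFFF7},
    32: {"eoc": 0x0FFFFFF8, "bad": 0x0FFFFFF7},
}


def parse_bpb(boot: bytes) -> dict:
    """Parse the BIOS Parameter Block and derive the FAT variant from the
    cluster count (< 4085 -> FAT12, < 65525 -> FAT16, otherwise FAT32)."""
    bps = struct.unpack_from("<H", boot, 0x0B)[0]       # bytes per sector
    spc = boot[0x0D]                                    # sectors per cluster
    reserved = struct.unpack_from("<H", boot, 0x0E)[0]  # reserved sectors
    nfats = boot[0x10]                                  # number of FAT copies
    root_entries = struct.unpack_from("<H", boot, 0x11)[0]
    total16 = struct.unpack_from("<H", boot, 0x13)[0]
    spf16 = struct.unpack_from("<H", boot, 0x16)[0]     # sectors per FAT (12/16)
    total32 = struct.unpack_from("<I", boot, 0x20)[0]
    spf32 = struct.unpack_from("<I", boot, 0x24)[0]     # sectors per FAT (32)
    total = total16 or total32
    spf = spf16 or spf32
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps   # 0 on FAT32
    data_start = reserved + nfats * spf + root_dir_sectors
    clusters = (total - data_start) // spc
    bits = 12 if clusters < 4085 else 16 if clusters < 65525 else 32
    return {"bps": bps, "spc": spc, "data_start_sector": data_start,
            "cluster_count": clusters, "bits": bits}


def cluster_offset(geom: dict, cluster: int) -> int:
    """Byte offset of a data cluster in the image; data clusters start at 2."""
    return (geom["data_start_sector"] + (cluster - 2) * geom["spc"]) * geom["bps"]


def fat_entry(fat: bytes, cluster: int, bits: int) -> int:
    """Read one FAT entry, handling the 12-bit packing of FAT12."""
    if bits == 12:
        # Two 12-bit entries share three bytes; entry n starts at byte n + n//2,
        # odd entries live in the high 12 bits of the 16-bit word read there.
        val = struct.unpack_from("<H", fat, cluster + cluster // 2)[0]
        return val >> 4 if cluster & 1 else val & 0x0FFF
    if bits == 16:
        return struct.unpack_from("<H", fat, cluster * 2)[0]
    if bits == 32:
        return struct.unpack_from("<I", fat, cluster * 4)[0] & 0x0FFFFFFF
    raise ValueError("bits must be 12, 16 or 32")


def walk_chain(fat: bytes, first: int, bits: int) -> list:
    """Follow a cluster chain from `first` until end-of-chain. A free, bad or
    reserved cluster, or a loop, aborts the walk: none occurs in a sound chain,
    so each is a sign of corruption or tampering worth flagging."""
    p = FAT_PARAMS[bits]
    chain, cur = [], first
    while True:
        if cur < 2:
            raise ValueError(f"cluster {cur} is reserved")
        if cur in chain:
            raise ValueError(f"chain loops back to cluster {cur}")
        chain.append(cur)
        nxt = fat_entry(fat, cur, bits)
        if nxt >= p["eoc"]:
            return chain
        if nxt == p["bad"]:
            raise ValueError(f"cluster {cur} points to the bad-cluster marker")
        if nxt == 0:
            raise ValueError(f"cluster {cur} points to a free cluster")
        cur = nxt


# --- constructed samples (not real images) ---------------------------------

def make_boot_sector(bps, spc, reserved, nfats, root_entries, total, spf):
    """Build a 512-byte boot sector with only the BPB fields filled in."""
    b = bytearray(512)
    struct.pack_into("<H", b, 0x0B, bps)
    b[0x0D] = spc
    struct.pack_into("<H", b, 0x0E, reserved)
    b[0x10] = nfats
    struct.pack_into("<H", b, 0x11, root_entries)
    struct.pack_into("<H" if total < 0x10000 else "<I", b,
                     0x13 if total < 0x10000 else 0x20, total)
    # FAT32 has no fixed root directory (root_entries == 0) and uses the 32-bit field.
    struct.pack_into("<H" if root_entries else "<I", b,
                     0x16 if root_entries else 0x24, spf)
    return bytes(b)


def pack_fat12(entries):
    """Pack 12-bit entries two per three bytes, the inverse of fat_entry()."""
    out = bytearray()
    for i in range(0, len(entries), 2):
        a = entries[i]
        b = entries[i + 1] if i + 1 < len(entries) else 0
        out += bytes([a & 0xFF, ((a >> 8) & 0x0F) | ((b & 0x0F) << 4), (b >> 4) & 0xFF])
    return bytes(out)


FLOPPY_BOOT = make_boot_sector(512, 1, 1, 2, 224, 2880, 9)      # 1.44 MB floppy layout
FAT16_BOOT = make_boot_sector(512, 4, 4, 2, 512, 100000, 100)
FAT32_BOOT = make_boot_sector(512, 8, 32, 2, 0, 2000000, 2000)

# Entry 0 = media byte, 1 = reserved; file A occupies 2 -> 3 -> 5 (EOC), 4 is free,
# 6 is marked bad, and 7 <-> 8 form a deliberate loop.
FAT12_TABLE = pack_fat12([0xFF0, 0xFFF, 3, 5, 0, 0xFFF, 0xFF7, 8, 7])
FAT16_TABLE = struct.pack("<5H", 0xFFF8, 0xFFFF, 3, 4, 0xFFFF)
# Top nibble set on entry 2 to show that FAT32 readers must mask it off.
FAT32_TABLE = struct.pack("<4I", 0x0FFFFFF8, 0xFFFFFFFF, 0x10000003, 0x0FFFFFFF)

if __name__ == "__main__":
    for name, boot in (("floppy", FLOPPY_BOOT), ("fat16", FAT16_BOOT), ("fat32", FAT32_BOOT)):
        print(name, parse_bpb(boot))
    print("FAT12 chain from cluster 2:", walk_chain(FAT12_TABLE, 2, 12))
    try:
        walk_chain(FAT12_TABLE, 7, 12)
    except ValueError as exc:
        print("FAT12 chain from cluster 7:", exc)
```

On a real image the same functions apply once the boot sector and the first FAT copy have been read at the volume offset; comparing the chain walk against the second FAT copy is the usual check for a table that has been altered in one place only.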
Course Prerequisites
Technical requirements for the training:
- Laptop with at least 3 GB RAM
- Kali Linux (or a Debian-based distro) installed in VirtualBox with Windows / Linux / Mac as the host, or even better, Kali installed as the default host
- Admin / Root on the laptop so you can install software
- Minimal GNU/Linux knowledge
- Python scripting knowledge
Trainer Biography
Frédéric Baguelin is a core developer of the open source project Digital Forensics Framework (www.digital-forensic.org). Directly after finishing his studies in computer science, he decided with three smart dudes to create ArxSys. His everyday life consists of reading hex, writing Python and C++, and developing trainings around forensics and open source tools. He is convinced that free and open source software culture is a chance to make rapid innovation and to help spread knowledge to future generations. He is also always available to troll while drinking good beers.
Mon. 22 - Tue. 23 September 2014 (09:00 - 17:00)