Training Digital Forensics with Open Source Tools

From BruCON 2017

Revision as of 09:21, 4 September 2014 by Treyka (Digital Forensics with Open Source Tools by Frédéric Baguelin)

Digital Forensics with Open Source Tools by Frédéric Baguelin

Course Description

This training covers performing digital forensics with open source tools on Windows and Linux. It starts with an introduction to digital forensics concepts and methodologies. After the theory, we practise by acquiring hard drives and volatile memory. Then we dive into common file-system structures and their interesting metadata. Every step relies on several open source tools, from acquisition to analysis. Finally, we will see how to develop our own Python scripts using DFF's API.

Course Objectives

  • Digital Forensics with Open Source Tools is a training which aims to present only open source tools used at each step of an investigation, from acquisition to analysis of a Windows workstation. During the course, attendees will:
    • create their tool arsenal to deal with digital forensics
    • discover tools usable either in command line or through graphical interface
    • become familiar with some anti-forensics techniques
    • become a ninja with open source digital forensics tools and especially with Digital Forensics Framework

Course Outline

  • Overview concerning digital forensics and associated process
  • How to acquire a hard drive from the console (server) and through a GUI
    • raw acquisition, forensics container, split files, hashing
  • Analysis of volumes (DOS / GPT)
    • presentation of data structures
    • classical and unallocated area, where to hide information
  • Analysis of FAT Filesystem
    • data structures
    • differences between FAT12 / FAT16 / FAT32
    • Cluster walking
    • deleted items
    • MAC time
  • Analysis of NTFS filesystem
    • data structures
    • MFT internals
    • deleted items
    • MAC times (all of them)
  • How to mount volumes of an acquisition (ewf, split dd, ...)
  • How to look for files and folders based on their metadata
  • How to look for files and folders based on their content
  • Windows system analysis
    • user / group accounts
    • connected devices
    • system information (install date, shutdown, ...)
    • login attempts
    • launched executables
  • User analysis
    • recent documents
    • browser analysis
    • skype analysis
  • How to acquire volatile memory
  • How to analyze volatile memory
    • Memory management overview (segmentation / paging)
    • Windows kernel structures
    • Process management
    • Opened files
    • Loaded drivers

Course Prerequisites

Technical requirements for the training:

  • Laptop with at least 3 GB RAM
  • Kali Linux (or a Debian-based distro) installed in VirtualBox with Windows / Linux / Mac as the host, or even better, Kali installed as the default host
  • Admin / Root on the laptop so you can install software
  • Minimal GNU/Linux knowledge

Course Contents

Students should have a Linux background and Python scripting knowledge.

Trainer Biography

Frédéric Baguelin is a core developer of the Open Source project Digital Forensics Framework ( Directly after finishing his studies in computer science, he decided with three smart dudes to create ArxSys. His everyday life consists of reading hex, writing Python and C++, and developing trainings around forensics and open source tools. He is convinced that free and Open Source software culture is a chance to innovate rapidly and helps spread knowledge to future generations. He is also always available to troll while drinking good beers.

Mon. 22 - Tue. 23 September 2014 (09:00 - 17:00)