Session 2 - Essentials
Reading: Book 1, pp. 1 - 65

In addition to the reading, please set up the VMware environment described in the first few pages of Book 1, and let me know if you have any issues. Students have usually had the most trouble with the networking configuration (Appendix D has guides for the different OSs). Please verify that you can communicate between the Linux Forensic Workstation and your host operating system. For help setting up and configuring the supplied VMs, refer to Appendix B.

I also recommend that you set up your own VMware image of Windows even if you are already running Windows as your host OS. Many of the hands-on exercises are easier to run when you don't have to worry about your anti-virus program, administrator privileges, or sensitive data. Just create a simple Windows XP image with a small disk (4-5 GB) and limited memory so that it is faster to acquire.

If you are new to Linux, please review the Linux Mini-Workshop in Appendix C; it is foundational for the entire course.

If you need a copy of VMware Workstation for class, you can download an evaluation version that is good for 30 days (Evaluate VMWare Workstation for Windows). You will need at least version 6 of Workstation for the SANS images to work correctly.

We will also work through the exercise in Appendix A of Book 1 together in class. No advance preparation is required.

Session 3 - Filesystem Basics & IR Intro
Reading: Book 1, pp. 65 - 129; Book 2, pp. 1 - 19

During this class we will jump right into file system basics (ext3, FAT, NTFS). We will finish by reviewing the Incident Response and Volatile Evidence Collection material. During class I will demonstrate live acquisition from your RedHat Hacked machine; it should be in a suspended state when you first load it into VMware. I also plan to demonstrate the live tools available on the Helix disc, so please bring your copy if you would like to follow along.
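The live-acquisition demo above and the drive-acquisition and md5sum walkthrough in Session 4 both come down to the same workflow: image the source with dd, hash the source and the image, and record both hashes in a log you can produce later. The POSIX shell script below is an added example of that workflow; it is not part of the course books or of any SANS tool. The function names, the log format, and the 32 KiB file of random bytes standing in for a disk device are my own assumptions.

```shell
#!/bin/sh
# Added example (not course material): raw acquisition with dd plus hash
# verification. A constructed file plays the part of /dev/sdX so the script
# runs anywhere; on a real device substitute the device node for SOURCE.
set -u

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE with dd, hashes both with md5sum, appends dd's record
# counts and both hashes to LOG, and returns 0 only when the hashes match.
acquire_image() {
    src=$1; img=$2; log=$3

    # conv=noerror,sync keeps dd going over unreadable sectors and pads them
    # with zeros so later offsets in the image still line up with the source.
    # bs must equal the device's sector size for that to hold; 512 is the
    # classic default. On a live system the same dd stream is usually piped
    # over the network (for example to nc on the workstation) rather than
    # written to the suspect machine's own disk.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 2

    # On a real device, hash the source before and after imaging to show it
    # was not altered by the acquisition; one pass is enough for this demo.
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    {
        echo "date:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src  md5=$src_md5"
        echo "image:  $img  md5=$img_md5"
    } >>"$log"

    [ "$src_md5" = "$img_md5" ]
}

# verify_image IMAGE EXPECTED_MD5
# Re-hash an image before analysis (or after copying it to another drive) and
# compare against the hash recorded at acquisition time.
verify_image() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Self-contained demonstration on a constructed 32 KiB "device": a file of
# random bytes whose size is a whole number of 512-byte sectors, as a real
# device's would be. If the size were not sector-aligned, conv=sync would pad
# the image and the two hashes would legitimately differ.
demo_acquire() {
    work=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$work/fake_sdb" bs=512 count=64 2>/dev/null
    acquire_image "$work/fake_sdb" "$work/fake_sdb.dd" "$work/acquisition.log"
    status=$?
    cat "$work/acquisition.log"
    rm -rf "$work"
    return $status
}

demo_acquire
```

The only thing the demo proves is that the copy is bit-for-bit identical to what dd read; it says nothing about whether the source changed underneath you, which is why the hardware write blocker (the "acquisition dongle" mentioned in Session 4) matters for dead-box acquisitions.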
Session 4 - IR and Evidence Acquisition
Reading: Book 2, pp. 19 - 147

Most of this week's class will be spent on demos (very few slides). We will work through several examples of incident response forensic tools such as the lsof and md5sum commands. I will also show you how to do drive acquisitions using several different methods; if you would like to bring your hardware acquisition dongle to class, you can follow along with the demo. If time allows, I will also bring in some examples we didn't get to earlier.

Session 5 - Investigation and Media Analysis, and Automated Toolkits
Reading: Book 3-4, pp. 1 - 172

There is a lot to chew through this week. One of the most powerful tools available to a forensic analyst is the ability to create file system timelines. This capability is not available in commercial tools and will become a core part of your analysis. We will also review the Windows FAT File System Challenge (exercise on p. 166 of Book 3-4). Next we will review some of the most fundamental and critical analysis tools such as file, srch_strings, and grep. We will finish class with a review of the Sleuthkit and its most popular graphical front end, Autopsy.

Session 6 - Windows Analysis
Reading: Book 3-4, pp. 173 - 276

This week we will dive headlong into the inner workings of Windows. We will look at forensic techniques applied to the Registry and Restore Points, at recovering key Windows files, and at using the fabulous Super Timeline for in-depth analysis. We will look at the wealth of information you can glean when you know where to look. It will be a good idea to review Book 3-4 Appendix A, Forensic Essentials Quick Review.

Session 7 - Volatile Evidence Analysis
Reading: Book 3-4, pp. 277 - 379

This week we will have a guest speaker, John Ritchie. John is a Sr. Security Analyst with the State of Oregon Enterprise Security Office and the author of several forensic tools, including the Oregon SIRT Tool Kit. We will also look at the wealth of information found in memory. These techniques can be critical in malware analysis and can help find unknown malware on a system.

Session 8 - Computer Investigative Law
Reading: Book 5, pp. 1 - 70

Topics:
Who Can Investigate
Data Collection
Post-Collection Data Preservation
Data Analysis & Report Writing
Presentation of Acquired Data in Court
Session 9 - Advanced Forensics & Forensic Challenge
Reading: Book 6, pp. 1 - 54

Session 10 - Wrap Up & Forensic Challenge
Reading: Book 6