Session 2 - Essentials
Reading: Book 1, pp. 1 - 65

In addition to the reading, please setup your VMWare environment that is described in the first few pages of Book 1, and let me know if you have any issues. Students have usually had the most issues with the networking configuration (Appendix D has guides for different OS’s). Please verify that you can communicate between the Linux Forensic Workstation and your host operating system. For assistance on setting up and configuring the supplied VM’s please refer to appendix B.

I also recommend that you setup your own VMWare image of Windows even if you are already running that as your host OS. It is easier to run many of the hands-on exercises if you don't have to worry about your anti-virus program, administrator privileges, and sensitive data. Just create a simple Windows XP image with a small disk (4-5 gig) and limited memory so that it is faster to acquire.

If you are new to Linux please review the Linux Mini-Workshop found in appendix C as it will be foundational for the entire course.

If you need a copy of VMWare Workstation for class, you can download an evaluation version that is good for 30 days (Evaluate VMWare Workstation for Windows). You will need at least version 6 of Workstation for the SANS images to work correctly.

We will also work through the exercise in Appendix A of Book 1 together in class. No advance preparation is required.

Session 3 - Filesystem Basics & IR Intro
Reading: Book 1, pp. 65 – 129, Book 2 1-19

During this class, We will jump right into File System Basics (ext3, FAT, NTFS). We will finish up class by reviewing the Incident Response and Volatile Evidence Collection material. During class, I will demonstrate live acquisition from your RedHat Hacked machine. It should be in a suspended state when you first load it into VMWare.

I also plan to demonstrate the live tools available on the Helix disc, so please bring your copy if you would like to follow along.

Session 4 - IR and Evidence Acquisition
Reading: Book 2 19-147

Most of this week in class will be spent doing demo’s (very few slides) We will work through several examples of forensics incident response tools such as the lsof and md5sum commands.

I'll also will show you how to do drive acquisitions using several different methods. If you would like to bring your hardware acquisition dongle to class, you can follow along with the demo. And if time allows will bring in some examples we didn’t get to this week.

Session 5 - Investigation and Media Analysis, and Automated Toolkits
Reading: Book 3-4, pp. 1- 172

There’s a lot to chew through this week. One of the most powerful tools available to a forensic analyst is the ability to create file system timelines. This ability is not available in commercial tools and will become a core part of you analysis. We will also review the Windows FAT File system Challenge (Exercise on p. 166 of Book 3-4).

Next we will review some of the most fundamental and critical analysis tools such as file, srch_strings, and grep. We will finish up class with a review of the Sleuthkit and its most popular graphical implementation, Autopsy.

Session 6 - Windows Analysis

Reading: Book 3-4, 173-276

This week we will be diving headlong into the interworking’s of Windows. We will be looking at forensic techniques applied to the Registry, Restore Points, recovering key Windows files and using the fabulous Super Timeline for in-depth analysis. We will look at the wealth of information that you can glean when you know where to look.

It will be a good idea to review Book 3-4 Appendix A –Forensic Essentials Quick Review

This week’s class we will be having a guest speaker John Ritchie. John is a Sr. Security Analyst with the State of Oregon Enterprise Security Office and the author of several forensic tools including the Oregon SIRT Tool Kit.

Session 7 – Volatile Evidence Analysis

Reading: Book 3-4, pp. 277 - 379

This week’s class we will be having a guest speaker John Ritchie. John is a Sr. Security Analyst with the State of Oregon Enterprise Security Office and the author of several forensic tools including the Oregon SIRT Tool Kit.

This week we will also look at the wealth of information found in memory. These techniques can be critical in malware analysis and can help find unknown malware on a system.

Session 8 - Computer Investigative Law

Reading: Book 5, pp. 1 - 70
This class will be a brief overview of the legal topics from Book 5, but obviously we can't cover everything in 2 hours. If you haven't listened to the MP3s yet, I highly recommend listening to the Day 5 recording before class. We will be reviewing the following topics from the book:

Who Can Investigate

Data Collection

Post-Collection Data Preservation

Data Analysis & Report Writing

Presentation of Acquired Data in Court


Session 9 - Advanced Forensics & Forensic Challenge

Reading: Book 6, pp. 1 - 54

We will be reviewing Application Footprinting and Fuzzy Hashing in class, and also starting to talk about the setup for the Forensic Challenge. I will also bring in some malware samples so we can do some live analysis in a virtual environment to demonstrate some of non-programmer malware analysis techniques.


Session 10 - Wrap Up & Forensic Challenge

Reading: Book 6

This is our last together, so we will spend class time going over the forensic challenge case. Come to class prepared to discuss your findings and methodology.