Channel: Ottawa Chapter – HTCIA

Linux Forensics Training


2015/02/12 – 2015/02/12

141 Catherine St.


Description:

The Ottawa Chapter of the High Tech Crime Investigation Association (HTCIA) is presenting a full-day, hands-on Linux Forensics training session on February 12, 2015. This session brings together three subject matter experts to give you a complete primer on using Linux and other open source tools to perform forensic examinations.

What You Will Learn:

Attendees will learn how to use command line Linux to carry out some fundamental computer forensic tasks. Using the SANS SIFT Workstation for hands-on exercises, attendees will learn how to use the Linux mount command to mount an image or a physical device (e.g. hard drive, thumb drive) in a read-only manner. They will also learn how to use dd to make a complete forensic image of a physical device, how to use the MD5 hashing function to verify an image, and then how to use commands such as find, grep, and scalpel to search for data and carve files. Attendees will be provided with a list of additional resources they can pursue to further their knowledge in this field, as well as a USB flash drive with all the course materials preloaded.

Instructors:

JACQUES BOUCHER, a recently retired member of the Royal Canadian Mounted Police. He spent the last 12 years of his service with the RCMP working in the field of computer forensics. This included a 3-year rotation at the Canadian Police College where, among other things, he was one of two on-staff instructors who delivered a two-week Linux forensic investigator course to law enforcement forensic investigators across Canada and abroad. In 2007 he also delivered a beginner-to-intermediate hands-on session on Linux BASH scripting to members of OCLUG – the Ottawa Canada Linux Users Group. He is now employed with Canada Revenue Agency as a Computer Search and Evidence Recovery (CSER) investigator.

S/SGT STÉPHANE DENIS, a 29-year member of the Royal Canadian Mounted Police with 18 years of computer forensics experience. He was an analyst for 7 years and managed the Network Intrusion and Operations Team for 2 years and the Technological Crime Learning Institute for 1 year. He has been an instructor for 9 years and is currently a Senior Computer Forensic Instructor at the Canadian Police College, where he developed the first Linux Forensic Techniques course in 2003.

ERIC ROWE, a project leader in the Forensics and Informatics Section of the Criminal Investigations Division at Canada Revenue Agency. Before joining Canada Revenue Agency he spent seven years as Senior Computer Forensic Instructor at the Canadian Police College, a branch of the Royal Canadian Mounted Police. He has also worked as a finance advisor at Elections Canada, as a forensic and network support technician at the Canada Customs and Revenue Agency, as a system administrator at the University of British Columbia, and as a graduate fellow at Simon Fraser University.

Prerequisites and Requirements:

Attendees do not require in-depth experience with Linux, but they must be comfortable opening a terminal window, listing files, navigating the folder structure from the command line, and creating folders. A cheat sheet is available through SANS (and certainly elsewhere online) listing command equivalencies between Windows and Linux to help those new to Linux. You can use that and a copy of the SANS SIFT Workstation (freely available) to acquire the prerequisite knowledge for this course. There are other, more advanced resources to help you use the SANS SIFT Workstation (e.g. YouTube videos) should you wish to expand your knowledge beyond the basics before attending this session.

You can acquire some of the Linux expertise here

You are required to bring a computer capable of running VMware Player with 2GB available for the VM, the most recent version of the SANS SIFT Workstation (free) and VMware Player (free). Some familiarity with using a VM is certainly an asset. If you have never used a VM, you are encouraged to explore the SANS SIFT Workstation VM as part of your exposure to the world of VMs. Instructors will be using Windows-based computers. If you are using a different OS you should be fine.

Syllabus

By the end of this day you will know how to use Linux to acquire digital evidence, mount it to view its content, and search through it. This will be achieved through a combination of presentations, instructor demos, and hands-on activities using the SANS SIFT Workstation.

  1. Intro/overview of Linux forensics and Sift Workstation
  2. Acquiring digital evidence
    • In this session you will learn how to acquire devices, verify the integrity of an image file, clone a drive, and restore an image back to a drive.
  3. Mounting digital evidence
    • In this session you will learn how to mount physical devices, raw image files, and EnCase image files.  You will learn how to do this in a forensically sound manner and verify that the process was indeed forensically sound.
  4. Searching digital evidence
    • In this session you will learn how to search through a hierarchy of files for files matching specific patterns, how to search within files, how to search unallocated space, and how to carve files based on headers/footers.
  5. Where do I go from here?
    • We’ll wrap up the day with a quick overview of where you can go from here to continue developing your Linux forensics skills.
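The acquire-and-verify sequence from syllabus items 2 and 3, as an added example that is not part of the course materials or this page. It uses a constructed 1 MiB file of random bytes in place of a physical device, assumes GNU coreutils (dd, md5sum), and shows the read-only loop mount only as a function that needs root and is not run here.

```shell
#!/bin/sh
# Added example (not HTCIA course material): image a constructed stand-in
# "device" with dd, hash source and image with md5sum, and compare them.
set -eu

# Hash a file the way the course verifies images: print only the MD5 digest.
hash_of() {
    md5sum "$1" | cut -d ' ' -f 1
}

# Acquire a bit-for-bit image of SRC into DST. conv=noerror,sync keeps dd
# going past unreadable blocks and zero-pads them so offsets stay aligned.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Return 0 when the image digest matches the source digest, 1 otherwise.
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    echo "source: $src_hash"
    echo "image:  $img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Mount an image read-only through a loop device so examination cannot
# alter it (requires root; defined for reference, not executed here).
mount_ro() {
    mount -o ro,loop,noexec,noatime "$1" "$2"
}

WORK=$(mktemp -d)
DEVICE="$WORK/device.bin"   # constructed 1 MiB "drive" of random bytes
IMAGE="$WORK/device.dd"

dd if=/dev/urandom of="$DEVICE" bs=4096 count=256 2>/dev/null
acquire_image "$DEVICE" "$IMAGE"

if verify_image "$DEVICE" "$IMAGE"; then
    echo "image verified"
else
    echo "HASH MISMATCH: do not trust this image" >&2
fi
```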

Pricing:

The cost for a full day of training including breakfast, lunch and snacks is:

  • HTCIA members – $150
  • Non-members – $250
  • Students – $75

Note: The non-member fee includes, for eligible people, the opportunity to register for free HTCIA membership for one year.


IMPORTANT: Registration is limited to 30 so that everyone can gain the best value from the instructors, who will be circulating in the room. Register early to guarantee your spot. After the first 30 registrations we will start a waiting list in case of last minute cancellations. If registration is full and you would like to sign up for the waiting list, please send an email to membership <at> htcia <dash> ottawa <dot> org asking to be placed on the waiting list. You will be contacted in the order you signed up in the event a spot opens up.
