About the course

Linux-based systems are an integral part of the infrastructure of many modern companies and they often become a target for attackers. The number of incidents involving Linux systems has been growing steadily in recent years. At the same time, companies are often unable to conduct a full-fledged investigation and properly respond to incidents where Linux systems are involved.

This two-day intensive course is designed to help companies handle incidents involving Linux systems and to give IS specialists an understanding of the three basic elements of Linux DFIR: acquisition methods, memory forensics, and host-based forensics for incident response.

Key topics covered:

  • Introduction to *nix systems forensics
  • BASH basics
  • File system structure
  • Overview of useful tools
  • Data collection
  • Host artifacts
  • Memory artifacts

Skills acquired:

  • Understanding data acquisition methods
  • Using memory forensics and host-based forensics for incident response needs
  • Creating and analyzing forensic images and memory dumps
  • Reconstructing TTPs used by attackers

Target participants:

  • Information security specialists
  • Technical specialists with experience in IS
  • Incident responders

Requirements:

  • Skills and experience in Linux administration
  • A basic understanding of file systems, cyberattack processes, and the principles of malware operation

Course program

Video, theory, demonstration


In this part, attendees are introduced to the theory needed for a successful practical session. We cover the basics and peculiarities of examining hosts running the Linux operating system. Participants also learn basic BASH commands and the structure of the file system.

Day 1

Theory
Demonstration
Practice

The first day is devoted to creating and analyzing forensic images. We discuss basic host artifacts and ways to analyze them, learn how to collect information about users, build timelines, and identify the most common tactics and techniques used by threat actors. At the end, participants are expected to analyze a real-world case on their own and identify the actions taken by attackers.

Day 2

Theory
Demonstration
Practice

On day two we become familiar with the peculiarities of creating and analyzing memory dumps on Linux. We cover techniques for obtaining information about users and their actions on the system and learn how to look for traces of malicious activity. At the end, attendees independently practice investigating the host involved in the incident, using all the knowledge and skills acquired earlier.