Linux Forensics (4d)

    If the scheduled dates above don't suit or if there are no available dates currently listed, but you are interested in the class, kindly fill in your details below to be added to our Register of Interest.


    A member of our training team will contact you with alternative arrangements.


    Linux Forensics

    By Hal Pomeranz

    Linux is everywhere– running in the cloud, on cell phones, and in embedded devices that make up the “Internet of Things”. Often neglected by their owners, vulnerable Linux systems are low-hanging fruit for attackers wishing to create powerful botnets or mine cryptocurrencies. Ransomware type attacks may target Linux-based database systems and other important infrastructure.

    As attacks against Linux become more and more common, there is an increasing demand for skilled Linux investigators. But even experienced forensics professionals may lack sufficient background to properly conduct Linux investigations. Linux is its own particular religion and requires dedicated study and practice to become comfortable.

    This four-day, hands-on course is a quick start into the world of Linux forensics. Learn how to use memory forensics to rapidly triage systems and spot attacker malware and rootkits. Learn where the most critical on-disk artifacts live and how they can help further an investigation. Rapidly process Linux logs and build a clearer picture of what happened on the system.



    • High speed Internet access
    • A BitTorrent client for downloading course materials (e.g., Transmission
    • A computer with at least 150GB of free space and capable of running a 64-bit VMware virtual machine using 4GB of RAM

    Day One – Memory Forensics

    MOD 1: Memory Forensics – Acquisition
    • Why memory forensics?
    • Acquisition tools and scenarios
    • Building memory analysis profiles
    • Automation

    LAB: Memory Capture and Volatility Profile Creation

    MOD 2: Memory Forensics – Analysis
    • Kernel messages
    • Processes
    • Networking
    • Command history
    • File system
    LAB: What’s In Memory?
    MOD 3: Memory Forensics – Case Study
    • Spotting the rootkit module in memory
    • Looking for hooks
    • Using indicators of compromise
    LAB: Rootkit Investigation
    MOD 4: Memory Forensics – Case Study
    • Spotting the rootkit module in memory
    • Looking for hooks
    • Using indicators of compromise
    LAB: Rootkit Investigation

    Day Two – Linux Live Capture


    MOD 1: Live Capture with UAC
    • Memory forensics is great but…
    • Configuring and running UAC
    • Deployment options

    LAB: Collecting data with UAC


    MOD 2: Live Analysis and Triage – File System
    • Standard directory layout, ownerships, and permissions
    • Spotting malicious executables
    • Deeper dives with /proc

    LAB: Too much evil!

    MOD 3:Live Analysis and Triage – Processes
    • The process hierarchy
    • Typical process ownership
    • Suspicious process anti-patterns

    LAB: Even more evil!

    MOD 4: Live Analysis and Triage – Users and Groups
    • Superuser, application users, and regular users
    • Processes and users anti-patterns
    • User back doors

    LAB: Find the back door(s)


    Day Three – Linux Disk Analysis


    MOD 1 :Disk Acquisition and Access
    • Acquisition scenarios and tools
    • Complex disk geometries
    • Setup and teardown walk-throughs

    LAB: Disk Image Mounting Challenge


    MOD 2 : Rapid Disk Triage
    • Critical system directories
    • System profiling
    • Common back doors
    • Persistent malware
    • Finding recently modified files

    LAB: Disk Triage


    MOD 3: Timeline Analysis
    • Why timeline analysis?
    • Unix timestamps
    • Generating timeline

    LAB: Timeline Analysis

    MOD 4 : Linux Log Basics
    • User access (wtmp, btmp, lastlog)
    • Understanding where logs live via syslog.conf
    • Linux Syslog log format
    • Which logs are most useful?

    LAB: Using Logs to Enhance Timeline Analysis


    MOD 5: Digging Deeper Into Logs
    • Web server logs
    • Kernel logging with auditd
    • Searching kernel audit logs
    • Keystroke logging

    LAB: Web Server Compromise Logs


    Day Four – Digging Deeper


    MOD 1: User Artifacts:
    • bash_history
    • SSH artifacts, inbound and outbound
    • Editing history
    • Recently opened file history
    • Web history

    LAB: Post-Exploitation Activity


    MOD 2 :EXT File System Analysis:
    • Key data structures and layout
    • Tools for examining EXT
    • Reverse-engineering EXT case study

    LAB: Recover Deleted Exploit


    MOD 3 : XFS File System Analysis:
    • Key data structures and layout
    • Tools for examining XFS
    • Data recovery methods

    LAB: XFS file system walkthrough


    MOD 4: Web Compromise – Case Study
    • Spotting patterns of activity
    • Separating multiple actors
    • Matching logs to system activity
    • Pivoting to find further information

    LAB: Choose your own adventure(s)