{"id":1853,"date":"2019-06-10T21:00:34","date_gmt":"2019-06-10T19:00:34","guid":{"rendered":"https:\/\/archive.brucon.org\/2019\/?page_id=1853"},"modified":"2021-11-12T09:10:29","modified_gmt":"2021-11-12T07:10:29","slug":"live-forensics-training","status":"publish","type":"page","link":"https:\/\/archive.brucon.org\/2019\/brucon-2019-training\/live-forensics-training\/","title":{"rendered":"Live Forensics Training"},"content":{"rendered":"

[vc_row][vc_column][vc_column_text]UNFORTUNATELY THIS TRAINING HAS BEEN CANCELLED. WE APOLOGISE FOR ANY INCONVENIENCE\u00a0<\/strong><\/p>\n

Course Description<\/h2>\n

The live forensic training will teach how to acquire and analyse data of a running machine (Windows, Linux and macOS) that would be lost upon shutdown. The training mainly focuses on memory (RAM), but also considers other data sources that have to be safeguarded carefully, such as active browser sessions and temporarily unlocked encryption. The training will teach you how to find evidence of malicious user activity as well as advanced malware in memory.<\/p>\n

The theory of the training will be put into practise by analysing memory images of a Windows, Linux and Mac computer that were involved in a scenario that was specifically created for this training. The scenario involves a hacking, criminal user activity, anti-forensic techniques and more. By analysing the artefacts and correlating the findings, you will unravel the complete story. All detailed course material (theory and step-by-step exercise solutions) will be yours to keep after the training. This will serve as excellent reference material during your investigations.[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n

Course contents<\/h2>\n

Scouting<\/strong><\/p>\n

Learn how to identify the state of a live system and discover possible anti-forensic techniques in order to counter them. The theory is followed by scouting a hacker\u2019s Linux machine.<\/p>\n

Memory internals<\/strong><\/p>\n

Introduction to how the RAM is utilised by the OS and hardware.<\/p>\n

Memory acquisition<\/strong><\/p>\n

Learn how to acquire the memory of a Windows, Linux, Mac and Virtual Machine system.<\/p>\n

Memory analysis Windows<\/strong><\/p>\n

Learn how to find user activity and (hidden) malware on a Windows machine with Volatility. The theory is followed by the analysis of memory of three machines: (i) a machine infected with basic malware, (ii) a machine infected with advanced malware and (iii) a machine that is victim of a hacking in the fictional scenario.<\/p>\n

Memory analysis Linux<\/strong><\/p>\n

Learn how to create a Linux Volatility profile and analyse Linux memory in order to find malware and malicious user activity. The theory is followed by the analysis of a Kali Linux machine of a hacker in the fictional scenario.<\/p>\n

Memory analysis of Mac<\/strong><\/p>\n

Learn how to find user activity and (hidden) malware on a macOS machine with Volatility. The theory is followed by analysis of a macOS machine that was utilised for criminal activity and at the same time victim of cyber-espionage.<\/p>\n

Carving from memory<\/strong><\/p>\n

Learn how to carve files and other forensically relevant artefacts from memory.<\/p>\n

Defeating encryption<\/strong><\/p>\n

Learn how to defeat TrueCrypt containers and macOS Keychains using memory analysis.<\/p>\n

Target Audience<\/strong><\/h3>\n