IT Forensics for System Administrators

Online (timezone: Europe/Amsterdam)
Description

IT forensics has become a vital part of handling security incidents, and while putting the evidence together is a job for specifically trained investigators, administrators are often left alone with detecting incidents, initiating an investigation and aiding investigators in collecting the required evidence.
Unfortunately, many administrators are not trained in their role in a forensic investigation and do not receive the necessary guidance before they are thrown in at the deep end.

This module addresses these shortcomings with an introduction to the basic organisational steps of incident handling and forensics from the administrator's perspective, as well as how to ascertain that all incidents have been detected and uncovered. Methods and tools to collect the various forms of evidence data are explained so that administrators are able to fulfil their role in a forensic investigation.

This training programme consists of 8 live online sessions. Please note that you need to register only once - this will allow you to attend all or selected training sessions.

Once registration is complete, we shall forward you (closer to the date) a calendar invitation with the link to join an online session.

The registration is now closed. If you would still like to register, please email glad@geant.org

All sessions will be recorded, so we advise you to complete registration even if you cannot attend all sessions - we shall notify you when session recordings become available.

For any enquiries please contact glad@geant.org

We wish you to stay safe and well in the New Year.

Thank you.

GLAD (GÉANT Learning and Development)
    • 11:00 - 12:30
      IT Forensics for System Admins - Organisation (1h 30m)

      Dealing with the organisational aspects of incident handling and forensics may sound like dry paperwork far away from the technical details of day-to-day sysadmin tasks. However, organisational preparation can help tremendously in the course of an investigation, for example by answering simple practical questions like "who's in charge?" or "what are we looking for?", or even "why are we doing this?".

      This module introduces the basic steps of incident handling and forensic investigations and familiarises attendees with the principles of forensic investigations that must be adhered to for an investigation to succeed.

      Speaker: Mr Klaus Möller (DFN-CERT)
    • 11:00 - 12:00
      IT Forensics for System Admins - From Suspicion to Detection I (1h)

      So you or someone in your organisation notices "unusual system behaviour" or "suspicious network traffic", but you are not sure what to do about it? The first step in incident response is usually to ascertain whether or not the observed activity really is an incident. While there is no formal process or definition for doing so, there are many locations where possible indicators can be found that may eventually add up to an incident. Participants will learn which first steps to take after a compromise has been detected.

      Speaker: Mr Stefan Kelm (DFN-CERT)
    • 11:00 - 12:00
      IT Forensics for System Admins - From Suspicion to Detection II (1h)
      Speaker: Mr Stefan Kelm (DFN-CERT)
    • 11:00 - 12:00
      IT Forensics for System Admins - Memory Acquisition I (1h)

      Whatever malware is doing on a computer, the code to carry out its activity has to be in random access memory (RAM). And not only that: lots of other interesting material is present there too, such as IP addresses of computers it has communicated with, data from attacks against other systems, or even exfiltrated data. By reading the information directly from memory, compromised operating system components can be bypassed. No wonder that investigating transient memory has become a hot topic in IT forensics over the last decade.

      But before memory contents can be scrutinized, they will have to be acquired from the computer. This webinar covers the basic principles and techniques behind memory acquisition on Linux, Windows and MacOS operating systems.

      Speakers: Mr Klaus Möller (DFN-CERT), Mr Stefan Kelm (DFN-CERT)
    • 11:00 - 12:00
      IT Forensics for System Admins - Memory Acquisition II (1h)

      Whatever malware is doing on a computer, the code to carry out its activity has to be in random access memory (RAM). No wonder that investigating transient memory has become a hot topic in IT forensics over the last decade.

      The previous webinar covered the basic, agnostic technique of acquiring memory through the use of kernel drivers and copying tools. However, it required access to the operating system with root or administrator privileges. This webinar covers advanced techniques that do away with some of these preconditions and are in some cases better suited to the job of memory acquisition.

      Speakers: Mr Klaus Möller (DFN-CERT), Mr Stefan Kelm (DFN-CERT)
    • 11:00 - 12:00
      IT Forensics for System Admins - Persistent Storage Acquisition I (1h)

      If any data on a computer is to outlast a power cycle or a reboot, it has to be written to persistent storage. Even cloud storage is only persistent storage on another computer. Investigating the contents of hard disks, SSDs and transportable media has been a standard operating procedure of IT forensics since the '90s and remains so.

      But before storage contents can be scrutinised, they have to be acquired from the suspect computer. This webinar covers the basic principles and techniques behind persistent storage acquisition on Linux, Windows and MacOS operating systems.

      Speaker: Mr Tobias Dussa (DFN-CERT)
    • 11:00 - 12:00
      Forensics for Admins - Persistent Storage Acquisition II (1h)

      If any data on a computer is to outlast a power cycle or a reboot, it has to be written to persistent storage. Investigating the contents of hard disks, SSDs and transportable media is a standard operating procedure of IT forensics.

      The previous webinar covered the basic, agnostic technique of acquiring persistent storage with raw device access and standard copying tools. However, it required access to the operating system with root or administrator privileges. This webinar covers advanced techniques that do away with some of these preconditions and might be better suited to the job in some situations.

      Speaker: Mr Tobias Dussa (DFN-CERT)
    • 11:00 - 12:30
      IT Forensics for System Admins - Acquisition of Other Evidence (1h 30m)

      Are there more indicators of compromise than the contents of RAM and hard disks? Yes, of course. And it may be vital evidence that is either lost on the suspect systems due to adversary activity or was never there to begin with. One example is crucial log messages that are now only present on a central loghost. Another example would be network traffic information from switches, firewalls or network IDS that may corroborate leads that would otherwise be vague or circumstantial.

      This webinar introduces some of the more common forms of indicators not present on local systems and how or where to obtain them.

      Speakers: Mr Klaus Möller (DFN-CERT), Mr Tobias Dussa (DFN-CERT)