BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//CERN//INDICO//EN
BEGIN:VEVENT
SUMMARY:IT Forensics for System Admins - Memory Acquisition I
DTSTART:20211209T100000Z
DTEND:20211209T110000Z
DTSTAMP:20260505T054200Z
UID:indico-contribution-907@events.geant.org
DESCRIPTION:Speakers: Stefan Kelm (DFN-CERT)\, Klaus Möller (DFN-CERT)\n
 \nWhatever malware is doing on a computer\, the code to carry out its acti
 vity has to be in the random access memory (RAM). And not only this\, lots
  of other interesting stuff is present there too: IP-addresses of computer
 s it has communicated with\, data from attacks against other systems or ev
 en exfiltrated data. By getting information directly from the storage\, co
 mpromised operating system components can be bypassed. No wonder that inve
 stigating transient memory has become a hot topic in IT forensics over the
  last decade.\n\nBut before memory contents can be scrutinized\, they will
  have to be acquired from the computer. This webinar covers the basic prin
 ciples and techniques behind memory acquisition on Linux\, Windows and Mac
 OS operating systems.\n\nhttps://events.geant.org/event/1073/contributions
 /907/
URL:https://events.geant.org/event/1073/contributions/907/
END:VEVENT
BEGIN:VEVENT
SUMMARY:IT Forensics for System Admins - From Suspicion to Detection I
DTSTART:20211130T100000Z
DTEND:20211130T110000Z
DTSTAMP:20260505T054200Z
UID:indico-contribution-905@events.geant.org
DESCRIPTION:Speakers: Stefan Kelm (DFN-CERT)\n\nSo you or someone in your 
 organisation notices "unusual system behaviour" or "suspicious network tra
 ffic" but you are not sure what to do about it? The first step in incident
  response usually is to ascertain whether or not the activity observed rea
 lly is an incident. While there is no formal process or definition for doi
 ng so\, there's a large number of locations for possible indicators to loo
 k for that may eventually make an incident. Participants will learn what t
 he first steps to take after a compromise has been detected.\n\nhttps://ev
 ents.geant.org/event/1073/contributions/905/
URL:https://events.geant.org/event/1073/contributions/905/
END:VEVENT
BEGIN:VEVENT
SUMMARY:IT Forensics for System Admins - From Suspicion to Detection II
DTSTART:20211202T100000Z
DTEND:20211202T110000Z
DTSTAMP:20260505T054200Z
UID:indico-contribution-906@events.geant.org
DESCRIPTION:Speakers: Stefan Kelm (DFN-CERT)\n\nhttps://events.geant.
 org/event/1073/contributions/906/
URL:https://events.geant.org/event/1073/contributions/906/
END:VEVENT
BEGIN:VEVENT
SUMMARY:IT Forensics for System Admins - Memory Acquisition II
DTSTART:20211214T100000Z
DTEND:20211214T110000Z
DTSTAMP:20260505T054200Z
UID:indico-contribution-908@events.geant.org
DESCRIPTION:Speakers: Klaus Möller (DFN-CERT)\, Stefan Kelm (DFN-CERT)\
 n\nWhatever malware is doing on a computer\, the code to carry out its act
 ivity has to be in the random access memory (RAM). No wonder that investi
 gating transient memory has become a hot topic in IT forensics over the la
 st decade.\n\nThe previous webinar covered the basic\, agnostic technique 
 of acquiring memory through the use of kernel drivers and copying tools. H
 owever\, it required access to the operating system with root or administ
 rator privileges. This webinar covers advanced techniques that will relinq
 uish some of these preconditions and are in some cases better suited fo
 r doing the job of memory acquisition.\n\nhttps://events.geant.org/event/1
 073/contributions/908/
URL:https://events.geant.org/event/1073/contributions/908/
END:VEVENT
BEGIN:VEVENT
SUMMARY:IT Forensics for System Admins - Persistent Storage Acquisition I
DTSTART:20220118T100000Z
DTEND:20220118T110000Z
DTSTAMP:20260505T054200Z
UID:indico-contribution-909@events.geant.org
DESCRIPTION:Speakers: Tobias Dussa (DFN-CERT)\n\nIf any data on a compute
 r shall outlast a power switch or a reboot\, it has to be written to persi
 stent storage. Even cloud storage is only persistent storage on another co
 mputer. Investigating the contents of harddisks\, SSDs\, and transportable
  media has been a standard operating procedure of IT forensics since the '
 90s and remains to be so.\n\nBut before storage contents can be scrutinise
 d\, they will have to be acquired from the suspect computer. This webinar 
 covers the basic principles and techniques behind persistent storage acqui
 sition on Linux\, Windows and MacOS operating systems.\n\nhttps://events.g
 eant.org/event/1073/contributions/909/
URL:https://events.geant.org/event/1073/contributions/909/
END:VEVENT
BEGIN:VEVENT
SUMMARY:Forensics for Admins - Persistent Storage Acquisition II
DTSTART:20220120T100000Z
DTEND:20220120T110000Z
DTSTAMP:20260505T054200Z
UID:indico-contribution-910@events.geant.org
DESCRIPTION:Speakers: Tobias Dussa (DFN-CERT)\n\nIf any data on a compute
 r shall outlast a power switch or a reboot\, it has to be written to persi
 stent storage. Investigating the contents of harddisks\, SSDs\, and trans
 portable media is a standard operating procedure of IT forensics.\n\nThe p
 revious webinar covered the basic\, agnostic technique of acquiring persis
 tent storage with raw device access and standard copying tools. However\, 
 it required access to the operating system with root or administrator priv
 ileges. This webinar covers advanced techniques that will do away with som
 e of these preconditions and might be better suited for the job in some si
 tuations.\n\nhttps://events.geant.org/event/1073/contributions/910/
URL:https://events.geant.org/event/1073/contributions/910/
END:VEVENT
BEGIN:VEVENT
SUMMARY:IT Forensics for System Admins - Acquisition of Other Evidence
DTSTART:20220127T100000Z
DTEND:20220127T113000Z
DTSTAMP:20260505T054200Z
UID:indico-contribution-911@events.geant.org
DESCRIPTION:Speakers: Klaus Möller (DFN-CERT)\, Tobias Dussa (DFN-CER
 T)\n\nAre there more indicators of compromise than the contents of RAM and
  harddisks? Yes\, of course. And it may be vital stuff that is either lost
  on the suspect systems due to adversary activity or wasn't there to begin
  with. One example is represented by crucial log messages that are now onl
 y present on a central loghost. Another example would be network traffic i
 nformation from switches\, firewalls or network IDS that may corroborate l
 eads that would otherwise be vague or circumstantial.\n\nThis webinar intr
 oduces some of the more common forms of indicators not present on local sy
 stems and how or where to obtain them.\n\nhttps://events.geant.org/event/1
 073/contributions/911/
URL:https://events.geant.org/event/1073/contributions/911/
END:VEVENT
BEGIN:VEVENT
SUMMARY:IT Forensics for System Admins - Organisation
DTSTART:20211123T100000Z
DTEND:20211123T113000Z
DTSTAMP:20260505T054200Z
UID:indico-contribution-904@events.geant.org
DESCRIPTION:Speakers: Klaus Möller (DFN-CERT)\n\nDealing with the organi
 sational aspects of incident handling and forensics may sound like dry pap
 erwork far away from the technical details of day-to-day sysadmin tasks. H
 owever\, organisational preparation can help tremendously in the course o
 f an investigation. For example answering simple practical questions like 
 "who's in charge?" or "what are we looking for?"\, even "why are we doing 
 this?".\n\nThis module introduces the basic steps of incident handling and
  forensic investigations and introduces attendees to the principles of for
 ensic investigations that should be adhered to for an investigation to suc
 ceed.\n\nhttps://events.geant.org/event/1073/contributions/904/
URL:https://events.geant.org/event/1073/contributions/904/
END:VEVENT
END:VCALENDAR
