IT Forensics for System Administrators 2

(Timezone - Europe/Amsterdam)
Virtually Hosted

IT forensics has become a vital part of handling security incidents, and system administrators are often left alone with detecting incidents, initiating an investigation and aiding investigators in collecting the required evidence. Furthermore, many administrators are not trained for their role in a forensic investigation and do not receive the necessary guidance before being thrown in at the deep end.

The first module showed system administrators the basic organisational steps to forensic incident handling and introduced methods and tools to collect the various forms of evidence data.

The upcoming second module will focus on the analysis part of the forensic process, using open-source tools to dissect obfuscated or encoded pieces of information, search disk and memory images for indicators of compromise (IOCs), and create super-timelines.

This training programme consists of five live online sessions. Please note that you only need to register once in order to attend all or selected training sessions from this programme.

The Zoom link will be sent to participants the week before the first event.


Registrants will be notified when session recordings become available. You are advised to register even if you cannot attend all sessions so that you can watch recordings.

GLAD (GÉANT Learning and Development)
    • 11:00 - 12:00
      IT Forensics for System Admins - CyberChef 1h

      Since its first release in 2017, CyberChef, described as "The Cyber Swiss Army Knife", has quickly become one of the go-to tools for many IT security practitioners. CyberChef is a free, browser-based, open-source tool that supports hundreds of different "cyber operations" such as encoding, encrypting, compressing, converting and analysing data. It is especially useful for malware analysts as well as forensic investigators. This webinar/live demo will demonstrate many of CyberChef's powerful capabilities as well as some of its less well-known operations.

      Speaker: Mr Stefan Kelm (DFN-CERT)
    • 11:00 - 12:00
      IT Forensics - Memory Analysis Basics - First Steps 1h

      Having obtained an image of the memory of a compromised system, what do you do with it? This part of the forensic process is called analysis, and this webinar will go through the first steps of analysing a memory image: looking into processes, network connections and temporary filesystems, as well as some operating-system-specific artefacts such as the Windows registry or the Linux Bash history.

      Speaker: Mr Klaus Möller (DFN-CERT)
    • 11:00 - 12:00
      IT Forensics - Advanced Memory Analysis - Dealing with Malicious Code 1h

      Malware that is compressed or encrypted on disk is usually unpacked and in cleartext in memory. Likewise, rootkits that conceal adversary activity can be found with relative ease in the memory image of a compromised system. This webinar will show techniques for locating malware that uses common methods such as DLL injection, malicious kernel modules or system call table manipulation. To conclude the module, ways to extract suspicious code segments for further analysis are also shown.

      Speaker: Mr Klaus Möller (DFN-CERT)
    • 11:00 - 12:00
      IT Forensics - Persistent Storage Forensics I - Basics and First Steps 1h

      In this session, we will discuss the basic concepts of persistent storage forensics. Furthermore, some approaches with easy-to-use basic tools will be presented and demonstrated.

      Speaker: Mr Tobias Dussa (DFN-CERT)
    • 11:00 - 12:00
      IT Forensics - Persistent Storage Forensics II - Advanced Approaches 1h

      In this session, more advanced analysis methods and tools will be discussed. Furthermore, these methods and tools will be demonstrated in practice with selected case samples.

      Speaker: Mr Tobias Dussa (DFN-CERT)
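The CyberChef session above is about chaining "operations" to peel apart obfuscated data. The following script is an added example written for this page, not material from the session or the speaker: it builds a constructed blob (a URL in the 203.0.113.0/24 documentation range, zlib-compressed, XOR-ed with a single byte, base64-encoded; key and payload are assumptions) and then reverses the chain the way a CyberChef recipe "From Base64 -> XOR Brute Force -> Zlib Inflate" would, without knowing the key.

```python
import base64
import zlib

# Constructed sample (not a real IOC): a C2-style URL in the documentation
# address range, obfuscated the way a dropper might. Key and payload are
# assumptions for this example only.
SAMPLE_PLAINTEXT = b"http://203.0.113.10/update.bin\n"
SAMPLE_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (CyberChef's 'XOR' operation)."""
    return bytes(b ^ key for b in data)


def obfuscate(plaintext: bytes, key: int) -> str:
    """Build the obfuscated blob: Zlib Deflate -> XOR -> To Base64."""
    return base64.b64encode(xor_bytes(zlib.compress(plaintext), key)).decode("ascii")


def decode_chain(blob: str):
    """Reverse the recipe without knowing the key.

    From Base64 -> XOR brute force -> Zlib Inflate. A zlib stream with the
    default 32 KiB window starts with the CMF byte 0x78, so only the one key
    that produces that byte is worth inflating; a successful inflate confirms
    the guess. Returns (key, plaintext), or None if no key yields a stream.
    """
    raw = base64.b64decode(blob)
    if not raw:
        return None
    for key in range(256):
        candidate = xor_bytes(raw, key)
        if candidate[0] != 0x78:  # cheap magic-byte filter before inflating
            continue
        try:
            return key, zlib.decompress(candidate)
        except zlib.error:
            continue
    return None


SAMPLE_BLOB = obfuscate(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    result = decode_chain(SAMPLE_BLOB)
    print("blob   :", SAMPLE_BLOB)
    print("key    :", hex(result[0]))
    print("decoded:", result[1].decode())
```

The magic-byte filter is the same trick an analyst applies by eye in CyberChef: after each step, look at the first bytes of the output and ask whether they match a known format before adding the next operation.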
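The memory analysis sessions above cover searching a memory image for IOCs and extracting suspicious code segments for further analysis. The script below is an added example written for this page, not tool output or material from the sessions or the speakers: it scans a constructed "memory image" (a couple of zero pages, a log line containing a stray "MZ", and a hand-built minimal PE32+ image carrying a URL from the documentation address range) for PE headers, validates each hit against the PE/COFF header layout so that stray "MZ" byte pairs are skipped, carves the image by its SizeOfImage, and reports IOC string offsets. The sample image, the IOC and the header field values are assumptions made for the example.

```python
import struct

# Layout constants from the PE/COFF specification.
DOS_E_LFANEW = 0x3C          # offset of e_lfanew in the DOS header
COFF_HEADER_LEN = 20
OPT_SIZEOFIMAGE = 56         # offset of SizeOfImage within the optional header
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_header(image: bytes, pos: int, max_size: int = 64 * 1024 * 1024):
    """Validate an 'MZ' hit at pos and return header facts, or None if not a PE.

    Checks: e_lfanew in a plausible range, 'PE\\0\\0' signature, known optional
    header magic, and a non-zero, bounded SizeOfImage. Stray 'MZ' pairs in log
    text or random data fail one of these and are skipped.
    """
    if pos + DOS_E_LFANEW + 4 > len(image):
        return None
    e_lfanew = struct.unpack_from("<I", image, pos + DOS_E_LFANEW)[0]
    pe = pos + e_lfanew
    if not (0x40 <= e_lfanew <= 0x400):
        return None
    if pe + 4 + COFF_HEADER_LEN + OPT_SIZEOFIMAGE + 4 > len(image):
        return None
    if image[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, _, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 4 + COFF_HEADER_LEN
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    size_of_image = struct.unpack_from("<I", image, opt + OPT_SIZEOFIMAGE)[0]
    if size_of_image == 0 or size_of_image > max_size:
        return None
    return {"machine": machine, "sections": nsections, "e_lfanew": e_lfanew,
            "size_of_image": size_of_image, "pe32plus": magic == PE32PLUS_MAGIC}


def carve_pe_images(image: bytes):
    """Scan a raw memory image for PE headers and slice out each image.

    Returns a list of (offset, header, bytes). The slice is truncated at the
    end of the capture if SizeOfImage runs past it.
    """
    found = []
    pos = image.find(b"MZ")
    while pos != -1:
        hdr = parse_pe_header(image, pos)
        if hdr is not None:
            end = min(pos + hdr["size_of_image"], len(image))
            found.append((pos, hdr, image[pos:end]))
        pos = image.find(b"MZ", pos + 1)
    return found


def find_ioc_strings(image: bytes, iocs):
    """Return sorted (offset, ioc) pairs for every occurrence of each IOC."""
    hits = []
    for ioc in iocs:
        start = 0
        while (idx := image.find(ioc, start)) != -1:
            hits.append((idx, ioc))
            start = idx + 1
    return sorted(hits)


# --- constructed sample memory image (not a real dump) ----------------------
SAMPLE_IOC = b"http://203.0.113.10/update.bin"   # documentation address range


def build_fake_pe(size_of_image: int, payload: bytes) -> bytes:
    """Minimal PE32+ image: DOS stub, PE signature, COFF + optional header, payload."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[DOS_E_LFANEW:DOS_E_LFANEW + 4] = struct.pack("<I", e_lfanew)
    opt_len = 240
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_len, 0x22)
    opt = bytearray(opt_len)
    opt[0:2] = struct.pack("<H", PE32PLUS_MAGIC)
    opt[OPT_SIZEOFIMAGE:OPT_SIZEOFIMAGE + 4] = struct.pack("<I", size_of_image)
    img = bytearray(dos + coff + opt) + payload
    return bytes(img) + b"\0" * (size_of_image - len(img))


def build_sample_image():
    """Zero pages, a log line with a decoy 'MZ', the fake PE, then slack space."""
    decoy = b"log: MZ string in text\0"
    prefix = b"\0" * 0x100 + decoy + b"\0" * 0x100
    return prefix + build_fake_pe(0x1000, SAMPLE_IOC) + b"\0" * 0x80, len(prefix)


SAMPLE_IMAGE, SAMPLE_PE_OFFSET = build_sample_image()

if __name__ == "__main__":
    for off, hdr, blob in carve_pe_images(SAMPLE_IMAGE):
        print(f"PE at 0x{off:x}: machine=0x{hdr['machine']:x} "
              f"size=0x{hdr['size_of_image']:x} carved={len(blob)} bytes")
    for off, ioc in find_ioc_strings(SAMPLE_IMAGE, [SAMPLE_IOC]):
        print(f"IOC {ioc.decode()} at 0x{off:x}")
```

On a real capture, a carved image is memory-mapped rather than file-mapped (sections are expanded to their virtual addresses), so treat the output as a starting point for static analysis rather than a byte-for-byte copy of the file that was on disk.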