“IT Forensics for System Administrators” – new for 2021 – virtual learning with experts

Programme overview

IT forensics has become a vital part of handling security incidents. While putting the evidence together is a job for specifically trained investigators, administrators are often left alone with detecting incidents, initiating an investigation and helping investigators collect the required evidence.
Unfortunately, many administrators have not been trained for their role in a forensic investigation and receive no guidance before they are thrown in at the deep end.

This module addresses these shortcomings with an introduction to the basic organisational steps of incident handling and forensics from the administrator’s perspective, as well as how to ascertain that all incidents have been detected and uncovered. Methods and tools for collecting the various forms of evidence are explained so that administrators are able to fulfil their role in a forensic investigation.

Eligibility

The training is open to all GÉANT members, their member organisations and the wider CERT community.

Who will benefit from attending this training programme?

  • System/network administrators at NRENs or NREN member organisations
  • System administrators at computing centres or NOCs
  • Management personnel tasked with security configuration and maintenance
  • Broader categories of professionals with an interest in these subjects

Pre-requisites

Basic administration knowledge of operating systems and networking is expected.

The programme consists of 8 sessions (delivered by GÉANT WP8 Task 1) – see the schedule below.

All sessions have been recorded and added to the existing playlist; to access the playlist please click here.

Session 1 – IT Forensics for System Admins – Organisation
Date/time – 23/11/2021, 11:00am CET
Presenter – Klaus Möller, DFN-CERT
Duration – 1 hour and 30 minutes

To access the session recording please click here.
To view the copy of the presentation please click here.

Dealing with the organisational aspects of incident handling and forensics may sound like dry paperwork, far away from the technical details of day-to-day sysadmin tasks. However, organisational preparation can help tremendously in the course of an investigation, for example by answering simple practical questions in advance: “who’s in charge?”, “what are we looking for?”, even “why are we doing this?”.
This module introduces the basic steps of incident handling and forensic investigations, and the principles that must be adhered to for an investigation to succeed.
Session 2 – IT Forensics for System Admins – From Suspicion to Detection I
Date/time – 30/11/2021, 11:00am CET
Presenter – Stefan Kelm, DFN-CERT
Duration – 1 hour

To access the session recording please click here.
To view the copy of the presentation please click here (please note that the file contains copies of the presentations for both part 1 and part 2).

So, you or someone in your organisation notices “unusual system behaviour” or “suspicious network traffic”, but you are not sure what to do about it. The first step in incident response is usually to ascertain whether or not the observed activity really is an incident. While there is no formal process or definition for doing so, there are many places to look for indicators that, taken together, may eventually add up to an incident. Participants will learn what first steps to take after a compromise has been detected.
Session 3 – IT Forensics for System Admins – From Suspicion to Detection II
Date/time – 02/12/2021, 11:00am CET
Presenter – Stefan Kelm, DFN-CERT
Duration – 1 hour

To access the session recording please click here.
To view the copy of the presentation please click here (please note that the file contains copies of the presentations for both part 1 and part 2).
Session 4 – IT Forensics for System Admins – Memory Acquisition I
Date/time – 09/12/21, 11:00am CET
Presenters – Klaus Möller, DFN-CERT and Stefan Kelm, DFN-CERT
Duration – 1 hour

To access the session recording please click here.
To view the copy of the presentation please click here.

Whatever malware is doing on a computer, the code that carries out its activity has to be in random access memory (RAM). And not only that: lots of other interesting material is present there too, such as the IP addresses of computers it has communicated with, data from attacks against other systems or even exfiltrated data. By reading the information directly from memory, compromised operating system components can be bypassed. No wonder that investigating transient memory has become a hot topic in IT forensics over the last decade.

Before memory contents can be scrutinised, they have to be acquired from the computer. This webinar covers the basic principles and techniques behind memory acquisition on the Linux, Windows and macOS operating systems.
Session 5 – IT Forensics for System Admins – Memory Acquisition II
Date/time – 14/12/21, 11:00am CET
Presenters – Klaus Möller, DFN-CERT and Stefan Kelm, DFN-CERT

To access the session recording please click here.
To view the copy of the presentation please click here.

Whatever malware is doing on a computer, the code that carries out its activity has to be in random access memory (RAM). No wonder that investigating transient memory has become a hot topic in IT forensics over the last decade.

The previous webinar covered the basic, OS-agnostic technique of acquiring memory through kernel drivers and copying tools.

However, that technique requires access to the operating system with root or administrator privileges. This webinar covers advanced techniques that relinquish some of these preconditions and are in some cases better suited to the job of memory acquisition.
Session 6 – IT Forensics for System Admins – Persistent Storage Acquisition I
Date/time – 18/01/22, 11:00am CET
Presenter – Tobias Dussa, DFN-CERT
Duration – 1 hour

To access the session recording please click here.
To view the copy of the presentation please click here.

If any data on a computer is to outlast a power switch or a reboot, it has to be written to persistent storage. Even cloud storage is just persistent storage on another computer. Investigating the contents of hard disks, SSDs and removable media has been a standard operating procedure of IT forensics since the ’90s and remains so today.

Before storage contents can be scrutinised, they have to be acquired from the suspect computer. This webinar covers the basic principles and techniques behind persistent storage acquisition on the Linux, Windows and macOS operating systems.
Session 7 – Forensics for Admins – Persistent Storage Acquisition II
Date/time – 20/01/22, 11:00am CET
Presenter – Tobias Dussa, DFN-CERT
Duration – 1 hour

To access the session recording please click here.
To view the copy of the presentation please click here.

If any data on a computer is to outlast a power switch or a reboot, it has to be written to persistent storage. Investigating the contents of hard disks, SSDs and removable media is a standard operating procedure of IT forensics.

The previous webinar covered the basic, OS-agnostic technique of acquiring persistent storage with raw device access and standard copying tools. However, that technique requires access to the operating system with root or administrator privileges. This webinar covers advanced techniques that do away with some of these preconditions and might be better suited to the job in some situations.
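The two basic acquisition techniques named in sessions 5 and 7 (memory via a kernel driver plus a copying tool, persistent storage via raw device access plus a standard copying tool) share the same bookkeeping an investigator will later ask for: a digest of the image, a sidecar hash file and a custody log. The script below is an added example and is not part of the GÉANT/DFN-CERT course material. It uses dd for the disk path and the LiME kernel module for the memory path; the device, module and mount paths are placeholders, the 1 MiB “disk” in the demo is a constructed temporary file, and the function names are the example’s own.

```shell
#!/bin/sh
# Added example, not from the course material. Assumes POSIX sh with dd, cmp,
# cut, date, uname, mktemp and sha256sum (coreutils) or shasum. Device,
# module and mount paths are placeholders.

sha256_of() {   # print the SHA-256 digest of the file $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

log_line() {    # append a UTC-timestamped line to the custody log in $LOG
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG"
}

record_image() {   # hash image $1, write a .sha256 sidecar, log and print the digest
    h=$(sha256_of "$1")
    printf '%s  %s\n' "$h" "$1" >"$1.sha256"
    log_line "sha256 image:  $h"
    printf '%s\n' "$h"
}

# image_device SOURCE IMAGE LOG [BLOCKSIZE]
# Copy a block device (or, for testing, a plain file) to IMAGE with dd, hash
# source and image, and return 0 only if the two digests are equal.
image_device() {
    src=$1; img=$2; LOG=$3; bs=${4:-512}
    log_line "host: $(uname -n) kernel: $(uname -sr) operator: ${USER:-unknown}"
    log_line "acquisition start: $src -> $img (bs=$bs)"
    # conv=noerror,sync: keep going past unreadable sectors and pad each short
    # read with zeros so offsets in the image still line up with the device.
    # The padding also lengthens the image when the source size is not a
    # multiple of bs, which the hash check below reports as MISMATCH; bs=512
    # (the sector size of nearly all devices) avoids that at the cost of speed.
    # dd's own messages, including read errors, are kept in the log.
    if ! dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>>"$LOG"; then
        log_line "RESULT: dd failed"; return 1
    fi
    src_hash=$(sha256_of "$src")
    log_line "sha256 source: $src_hash"
    img_hash=$(record_image "$img")
    if [ "$src_hash" = "$img_hash" ]; then
        log_line "RESULT: VERIFIED"; return 0
    fi
    log_line "RESULT: MISMATCH (check dd errors and block size above)"; return 1
}

# acquire_memory_lime LIME_KO IMAGE LOG
# Load the LiME kernel module so that it dumps physical memory to IMAGE, then
# unload it. RAM keeps changing, so there is no source digest to compare with;
# the image digest only documents what was captured. Needs root and a lime.ko
# built for the running kernel. Not exercised by the demo below.
acquire_memory_lime() {
    ko=$1; img=$2; LOG=$3
    log_line "host: $(uname -n) kernel: $(uname -sr) operator: ${USER:-unknown}"
    log_line "memory acquisition start: $ko -> $img"
    insmod "$ko" "path=$img" "format=lime" || { log_line "RESULT: insmod failed"; return 1; }
    rmmod lime
    record_image "$img" >/dev/null
    log_line "RESULT: captured (no source digest possible for volatile memory)"
}

# Demo on a constructed 1 MiB pseudo-device (a temp file; no real disk is read):
demo=$(mktemp -d)
dd if=/dev/urandom of="$demo/fake_disk" bs=512 count=2048 2>/dev/null
if image_device "$demo/fake_disk" "$demo/fake_disk.dd" "$demo/custody.log"; then
    echo "image verified; custody record:"
else
    echo "image NOT verified; custody record:"
fi
cat "$demo/custody.log"
# Real use, with /mnt/evidence on a clean external drive, never on the suspect disk:
#   image_device /dev/sdb /mnt/evidence/sdb.dd /mnt/evidence/custody.log
#   acquire_memory_lime /mnt/evidence/lime-$(uname -r).ko /mnt/evidence/ram.lime /mnt/evidence/custody.log
```

Both functions need root, which is exactly the precondition sessions 5 and 7 set out to relax; the custody log records who ran the acquisition, on which kernel, and whether the disk image could be verified against its source, while the memory image can only be documented as captured. Writing the image and log to a separate evidence volume rather than the suspect’s own disk avoids overwriting data you may later need to recover.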
Session 8 – IT Forensics for System Admins – Acquisition of Other Evidence
Date/time – 27/01/22, 11:00am CET
Presenters – Klaus Möller, DFN-CERT and Tobias Dussa, DFN-CERT
Duration – 1 hour

To access the session recording please click here.
To view the copy of the presentation please click here.

Are there more indicators of compromise than the contents of RAM and hard disks? Yes, of course. And it may be vital material that has either been lost on the suspect systems due to adversary activity or was never there to begin with. One example is crucial log messages that now exist only on a central loghost. Another is network traffic information from switches, firewalls or network IDS that may corroborate leads which would otherwise be vague or circumstantial.

This webinar introduces some of the more common forms of indicators not present on local systems and how or where to obtain them.

Meet the experts

The training programme is delivered by a team of experts in the field:

Klaus Möller, DFN-CERT – Klaus has been working with DFN-CERT since 1999 as an incident responder, advisory writer and security consultant. He has developed and delivered numerous trainings in network security.

Stefan Kelm, DFN-CERT – Stefan has been working in the field of computer security all his professional life, starting back in the early 1990s. He is currently involved in forensics, malware analysis, threat intelligence and log file analysis.

Tobias (Toby) Dussa, DFN-CERT – Toby has been involved with IT security throughout his entire career. After fifteen years at KIT, managing KIT-CERT and taking on IT security issues of all kinds, he joined DFN-CERT in 2020.

DFN-CERT is the security provider for the German National Research and Education Network, DFN.

We look forward to seeing you at the next round of training events. We will be in touch as soon as details are finalised.

In the meantime, stay safe and well.

If you have any queries about this or any other training programme please get in touch with glad@geant.org