“IT Forensics for System Administrators” – new for 2021 – virtual learning with experts

Programme overview

IT forensics have become a vital part in handling security incidents, and while putting the evidence together is a job for specifically trained investigators, administrators will often be left alone with detection of incidents, initiating an investigation and aiding investigators in the collection of required evidence.
Unfortunately, many administrators are not trained in their role in a forensic investigation and didn’t receive the necessary guidance before they are thrown in at the deep end.

This module addresses these shortcomings with an introduction into the basic organisational steps of incident handling and forensics from the administrator’s perspective as well has how to ascertain that all incidents have been detected and uncovered. Methods and tools to collect the various forms of evidence data are explained so that administrators are enabled to fulfil their role in a forensic investigations.

Eligibility

The training is open to all GÉANT members and their member organisations and wider CERT community.

Who will benefit from attending this training programme?

  • System/network administrators at NRENs or NREN member organisations
  • System administrators at computing centres or NOCs
  • Management personnel tasked with security configuration and maintenance
  • Broader categories of professionals with the interest in these subjects

Pre-requisites

Basic administration knowledge about operating systems and networking should be present.

The programme consists of 8 sessions (delivered by GÉANT WP8 Task 1)- see the schedule below.

To register to attend all or selected sessions in this module please click here.

All sessions are recorded and will be added to the existing playlist; to access the playlist please click here.

Session titleDate/timePresenter
IT Forensics for System Admins – Organisation


Duration – 1 hour and 30 minutes

Dealing with the organisational aspects of incident handling and forensics may sound like dry paperwork far away from the technical details of day-to-day sysadmins tasks. However, organisational preparation can help tremendously in the course of an investigation. For example answering simple practical questions like “who’s in charge?” or “what are we looking for?”, even “why are we doing this?”.
This module introduces the basic steps of incident handling and forensic investigations and introduces attendees to the principles of forensic investigations that should be adhered to for an investigation to succeed.
23/11/2021 11:00am CETKlaus Möller, DFN-CERT
Session 2 ” IT Forensics for System Admins – From Suspicion to Detection I

Duration – 1 hour

So, you or someone in your organisation notices “unusual system behaviour” or “suspicious network traffic” but you are not sure what to do about it. The first step in incident response usually is to ascertain whether or not the activity observed really is an incident. While there is no formal process or definition for doing so, there is a large number of locations for possible indicators to look for that may eventually make an incident. Participants will learn what first steps to take after a compromise has been detected.
30/11/2021
11:00am CET
Stefan Kelm, DFN-CERT
Session 3 “IT Forensics for system Admins – From Suspicion to Detection II

Duration – 1 hour


02/12/2021 11:00am CETStefan Kelm, DFN-CERT
Session 4 IT Forensics for System Admins – Memory Acquisition I

Duration – 1 hour

Whatever malware is doing on a computer, the code to carry out its activity has to be in the random access memory (RAM). And not only this, lots of other interesting stuff is present there too: IP-addresses of computers it has communicated with, data from attacks against other systems or even exfiltrated data. By getting information directly from the storage, compromised operating system components can be bypassed. No wonder that investigating transient memory has become a hot topic in IT forensics over the last decade.

Before memory contents can be scrutinized, they will have to be acquired from the computer. This webinar covers the basic principles and techniques behind memory acquisition on Linux, Windows and MacOS operating system.
09/12/21
11:00am CET
Klaus Möller, DFN-CERT and
Stefan Kelm, DFN-CERT
Session 5IT Forensics for System Admins – Memory Acquisition II

Whatever malware is doing on a computer, the code to carry out its activity has to be in the random access memory (RAM).  No wonder that investigating transient memory has become a hot topic in IT forensics over the last decade.

The previous webinar covered the basic, agnostic technique of acquiring memory through the use of kernel drivers and copying tools.

However, it  required access to the operating system with root or administrator privileges. This webinar covers advanced techniques that will relinquish some of these preconditions and are in some cases be better suited for doing the job of memory acquisition.
14/12/21
11:00am CET
Klaus Möller, DFN-CERT and
Stefan Kelm, DFN-CERT
Session 6 IT Forensics for System Admins – Persistent Storage Acquisition I

Duration 1 hour

If any data on a computer shall outlast a power switch or a reboot, it has to be written to persistent storage. Even cloud storage is only persistent storage on another computer. Investigating the contents of harddisks, SSDs, and transportable media has been a standard operating procedure of IT forensics since the ’90s and remains to be so.

Before storage contents can be scrutinised, they will have to be acquired from the suspect computer. This webinar covers the basic principles and techniques behind persistent storage acquisition on Linux, Windows and MacOS operating systems.
18/01/22
11:00am CET
Tobias Dussa,
DFN-CERT
Session 7 “Forensics for Admins – Persistent Storage Acquisition II

Duration 1 hour

If any data on a computer shall outlast a power switch or a reboot, it has to be written to persistent storage.  Investigating the contents of harddisks, SSDs, and transportable media is a standard operating procedure of IT forensics.

The previous webinar covered the basic, agnostic technique of acquiring persistent storage with raw device access and standard copying tools. However, it required access to the operating system with root or administrator privileges. This webinar covers advanced techniques that will do away with some of this preconditions and might be better suited for the job in some situations.
20/01/22
11:00am CET
Tobias Dussa,
DFN-CERT
Session 8 “IT Forensics for System Admins – Acquisition of Other Evidence

Duration 1 hour

Are there more indicators of compromise than the contents of RAM and harddisks? Yes, of course. And it may be vital stuff that it either lost on the suspect systems due to adversary activity or wasn’t there to begin with. One example is represented by crucial log messages that are now only present on a central loghost. Another example would be network traffic information from switches, firewalls or network IDS that may corroborate leads that would otherwise be vague or circumstantial.

This webinar introduces some of the more common forms of indicators not present on local systems and how or where to obtain it.
27/01/22
11:00am CET
Klaus Möller, DFN-CERT and
Tobias Dussa,
DFN-CERT

Meet the experts

The training programme is delivered by a team of experts in the field:

Klaus Möller, DFN-CERT – Klaus has been working with DFN-CERT since 1999 as an incident responder, advisory writer, and security consultant. He has developed and carried out numerous trainings in  network security.

Stefan Kelm, DFN-CERT – Stefan has been working in the field of computer security all his professional life, starting back in the early 1990s. He currently is involved in forensics, malware analysis, threat intelligence, and log file analysis.

Tobias (Toby) Dussa, DFN-CERT – Toby has been involved with IT security during his whole entire career.  After fifteen years at KIT, managing KIT-CERT and taking on IT security issues of all kinds, he has joined DFN-CERT in 2020.

The DFN-CERT is the security provider for the German National Research and Education Network, DFN

If you have any queries about the programme and/or registration please get in touch with glad@geant.org

Look forward to seeing you soon!