IT-Forensics for System Administrators – Part 2

IT forensics have become a vital part in handling security incidents, with system administrators often left alone with detection of incidents, initiating an investigation and aiding investigators in the collection of required evidence. Furthermore, many administrators are not trained in their role of forensic investigation and do not receive the necessary guidance before they are thrown in at the deep end.

The first module showed system administrators the basic organisational steps to forensic incident handling and introduced methods and tools to collect the various forms of evidence data.

The upcoming second module will focus on the analysis part of the forensic process, using open-source to dissect obfuscated or encoded bits of information, search disk and memory images for indicators of compromise (IOCs), and create super-timelines.


The training is open to all GÉANT members and their member organisations and wider CERT community.

Who will benefit from attending this training programme?

  • System/network administrators at NRENs or NREN member organisations
  • System administrators at computing centres or NOCs
  • Management personnel tasked with security configuration and maintenance
  • Broader categories of professionals with the interest in these subjects


Basic administration knowledge about operating systems and networking should be present.

Session 1: CyberChef

Date: Wednesday 27th of April, 11 am CEST
Speaker: Stefan Kelm

Since its first release in 2017 CyberChef – described as “The Cyber Swiss Army Knife” – has quickly become one of the go-to tools for many IT security practitioners. CyberChef is a free, browser-based, open-source tool, that supports hundreds of different “cyber operations” such as encoding, encrypting, compressing, converting, analysing data, etc. It is especially useful for malware analysts as well as forensic investigators. This webinar/live demo will demonstrate many of CyberChef’s powerful capabilities as well as some of the less well-known operations.

Session 2: Memory Analysis Basics – First Steps

Date: Wednesday 04th of May, 11 am CEST
Speaker: Klaus Möller

Having obtained an image of the memory of a compromised system, what to do with it? This part of the forensic process is called analysis, and this webinar will go through the first steps of analysing a memory image, looking into processes, network and temporary filesystems as well as some operating system specific artefacts, such as the Windows registry of the Linux Bash history.

Session 3: Advanced Memory Analysis – Dealing with Malicious Code

Date: Thursday 12th of May, 11 am CEST
Speaker: Klaus Möller

Malware that is other compressed and encrypted on disk is usually unpacked and in cleartext in memory. Likewise, rootkits that conceal adversary activities can be found with relative ease in the memory image of a compromised system. This webinar will show some techniques to obtain malware that works along common ways, such as DLL injection, malicious kernel modules, or system call table manipulation. Concluding the module, ways to extract suspicious code segments for further analysis are also shown.

Session 4: Persistent Storage Forensics I – Basics and First Steps

Date: Wednesday 25th of May, 11 am CEST
Speaker: Tobias Dussa

In this session, we will discuss the basic concepts of persistent storage forensics. Furthermore, some approaches with easy-to-use basic tools will be presented and demonstrated.

Session 5: Persistent Storage Forensics II – Advanced Approaches

Date: Monday 30th of May, 11 am CEST
Speaker: Tobias Dussa

In this session, more advanced analysis methods and tools will be discussed. Furthermore, these methods and tools will be demonstrated in practice with select case samples.

Meet the experts

The training programme is delivered by a team of experts in the field:

Klaus Möller, DFN-CERT – Klaus has been working with DFN-CERT since 1999 as an incident responder, advisory writer, and security consultant. He has developed and carried out numerous trainings in  network security.

Stefan Kelm, DFN-CERT – Stefan has been working in the field of computer security all his professional life, starting back in the early 1990s. He currently is involved in forensics, malware analysis, threat intelligence, and log file analysis.

Tobias (Toby) Dussa, DFN-CERT – Toby has been involved with IT security during his whole entire career.  After fifteen years at KIT, managing KIT-CERT and taking on IT security issues of all kinds, he has joined DFN-CERT in 2020.

The DFN-CERT is the security provider for the German National Research and Education Network, DFN

To register click here

Slides and recordings

Slides and recordings available here