KUDO - POST MORTEM FORENSIC ANALYSIS WITH FLOSS TOOLS - 2.0
Brushing bits, data mining, seeking for evidence and Artifacts

Course length: 2 hours

Abstract:

Computers are increasingly used for illicit activities. In this scenario, responding to security incidents requires the use of Computer Forensics best practices, even when no formal criminal investigation takes place. This course is about post mortem forensics of media, especially hard disks. Several tests and evaluations can be performed at each layer of abstraction in order to recover data of sufficient quality to identify evidence. This evidence can be a block of data or even a file related to the security incident under investigation; from here on it is referred to as an artifact. Performing a forensic analysis demands both a methodology and appropriate tools. For the methodology, the Five Layers Analysis methodology proposes a treatment at each layer of abstraction, allowing the identification of every piece of data that may be relevant to the analysis of the incident. For the tools, FOSS tools are an interesting alternative, since the number of computer forensic projects developed by that community is significant and their quality is sufficient to carry out the whole computational forensic process.

Synopsis:

This proposal is a hands-on tutorial on Post Mortem Forensic analysis with specific forensic FLOSS tools. The analysis of media such as hard disks, pen drives and other devices such as digital cameras is a very important task for a Computer Forensic expert: besides the possibility of identifying important information, it is also necessary to cross-reference it with the information raised during Live Forensics and Network Forensics. This tutorial aims to give an overview of the whole process of a Post Mortem Analysis using FOSS (Free and Open Source Software) tools.
Keywords: forensic, postmortem, file carving, malware, linux, windows

Prerequisites: It is strongly recommended that each participant already has knowledge of security systems, operating system concepts, TCP/IP and Linux prior to taking this tutorial.

This talk gives a short introduction to digital forensics and an overview of currently freely available FOSS forensics tools. The main focus is on Linux/Unix based post-mortem disk forensic tools such as The Sleuth Kit, foremost, etc. Various forensic methods are explained using these tools.

Main topics will be:

- Post Mortem Forensic process concepts;
- Advanced Investigative Strategy;
- Evidence Acquisition / Analysis / Preservation;
- Computer Forensics Methodology;
- Live Forensic versus Post Mortem;
- Kinds of Image File;
- Tools for conversion of Images (E01, Raw, AFF);
- Five Layers Analysis concepts;
- Physical Layer
  - Evidence Integrity;
  - Device info for the Chain of Custody;
- Data Layer
  - Data mining and/or retrieval of partition info;
  - Slackspace info from partitions;
- File System Layer
  - File System Essentials;
  - Linux/Unix File System Examination;
  - Methodology and tools for mounting images for analysis;
  - Disk layout and partition tables' analysis;
  - Deleted partition recovery tools;
  - File system analysis and recovery of unallocated blocks and deleted files;
- Metadata Layer
  - Concepts about carving techniques;
  - Concepts about carving techniques for unstructured data files;
  - Data mining and/or retrieval of metadata info;
  - Linux Internal File Metadata;
  - File System Timeline Analysis for event reconstruction;
  - Super Timeline;
  - Other kinds of Timeline info;
- Files Layer
  - Data mining and/or retrieval of slackspace info from files;
  - Data mining and/or retrieval of file info;
  - File Sorting - searching and filtering databases;
  - File Carving - essential techniques and tools;
  - Data mining and/or retrieval of files from unallocated areas;
  - Hash Comparisons using NSRL;
  - Artifacts Identification;
  - Artifacts Dynamic Analysis;
  - Automated GUI Based Forensic Toolkits;
  - Introduction to OS and application artifacts.

Who Should Attend?

- Law enforcement officers, federal agents, or detectives who want to master computer forensics and expand their investigative skillset to include data breach investigations, intrusion cases, and tech-savvy cases;
- Students of computing with an interest in learning the methodology of a digital investigation and how to acquire, analyze and preserve evidence using forensic techniques;
- Security professionals working in Incident Response and Security;
- Incident response team members who are responding to complex security incidents/intrusions and need to utilize computer forensics to help solve their cases;
- Computer Security Professionals who aim to serve in and/or create a CSIRT (Computer Security Incident Response Team), since knowledge of Computer Forensics is fundamental in a CSIRT;
- Computer Forensic professionals who want to solidify and expand their understanding of file system forensics and incident response related topics;
- Information security professionals with some background in hacker exploits, penetration testing, and incident response;
- Information security managers who would like to master digital forensics in order to understand information security implications and potential litigation related issues, or to manage investigative teams;
- Anyone with a firm technical background who might be asked to investigate a data breach incident or intrusion case, or who investigates individuals considered technically savvy.

CLASS REQUIREMENTS for Tutorial:

Hardware Requirements:
* A working laptop (no Netbooks)
* Intel Core 2 Duo x86/x64 hardware (or superior) required
* 4GB RAM required at a minimum, 8GB preferred
* Wireless network card
* 40 GB free hard disk space
* Working USB port (should not be DLP disabled!)
Minimum Software to install:
* Linux / Windows / Mac OS X desktop operating system
* VirtualBox (MANDATORY)
* Administrator / root access (MANDATORY)

About the presenter:

Sandro Melo currently works at Bandtec College, and also with advanced training, pentesting, security incident response and computer forensics; he is a doctoral candidate in the TIDD program at PUC-SP. He was born in the beautiful city of Rio de Janeiro, Brazil, and moved to Sao Paulo, where he began his professional career in system security. Since 1996 he has worked mainly with Linux/FreeBSD and FLOSS (Free/Libre and Open Source Software) as a network administrator, and he is often a guest professor at universities all over Brazil. He is a Fedora Project Ambassador and an LPI and BSDA proctor. He takes great pride in everything he does, especially his work in forensics. He has years of hands-on experience with many of the core technologies and has written many books and articles on security and forensics. When not working or writing, he can be found experimenting with the latest Open Source solutions and installing new versions of Unix-like operating systems such as Linux, FreeBSD or Mac OS X.
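As an added example, not part of the tutorial materials or the presenter's own tools, the following Python script walks a small constructed disk image through three of the layers named in the topic list above: the Physical Layer (integrity hashes recorded for the chain of custody), the Data Layer (MBR partition table and the sectors no partition claims) and the Files Layer (header/footer carving from unallocated areas and NSRL-style elimination of known files by hash). The image, the signature table, the hash set and every function name are assumptions constructed here; in the class the same steps are done with the tools named in the syllabus (The Sleuth Kit, foremost) on an acquired image.

```python
import hashlib
import struct

SECTOR = 512

# Header/footer signatures used for carving (a constructed subset of common ones).
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def build_sample_image():
    """Constructed 64-sector image: an MBR with one Linux partition (LBA 8, 40 sectors)
    and a tiny PNG placed in the unallocated sectors after the partition, standing in
    for a deleted file whose blocks were never overwritten."""
    img = bytearray(SECTOR * 64)
    # MBR slot 0: bootable, type 0x83, start LBA 8, 40 sectors (CHS fields left zero).
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0", 8, 40)
    img[510:512] = b"\x55\xaa"
    png = SIGNATURES["png"][0] + b"\0\0\0\rIHDR" + b"\0" * 17 + SIGNATURES["png"][1]
    off = 50 * SECTOR
    img[off:off + len(png)] = png
    return bytes(img)


def evidence_hashes(img):
    """Physical layer: integrity hashes to record in the chain of custody before analysis."""
    return {"md5": hashlib.md5(img).hexdigest(), "sha256": hashlib.sha256(img).hexdigest()}


def parse_mbr(img):
    """Data layer: read the four MBR partition slots; returns the non-empty entries."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = img[446 + 16 * i: 462 + 16 * i]
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype != 0 and count:
            parts.append({"slot": i, "type": ptype, "start_lba": lba, "sectors": count})
    return parts


def unallocated_ranges(img, parts):
    """Byte ranges claimed by no partition (sector 0 is excluded as the MBR itself)."""
    total = len(img) // SECTOR
    claimed = [False] * total
    claimed[0] = True
    for p in parts:
        for s in range(p["start_lba"], min(total, p["start_lba"] + p["sectors"])):
            claimed[s] = True
    ranges, start = [], None
    for s in range(total + 1):
        free = s < total and not claimed[s]
        if free and start is None:
            start = s
        elif not free and start is not None:
            ranges.append((start * SECTOR, s * SECTOR))
            start = None
    return ranges


def carve(img, ranges, max_len=64 * 1024):
    """Files layer: header/footer carving restricted to the given byte ranges."""
    found = []
    for lo, hi in ranges:
        for kind, (head, tail) in SIGNATURES.items():
            pos = img.find(head, lo, hi)
            while pos != -1:
                end = img.find(tail, pos, min(hi, pos + max_len))
                if end == -1:                      # header without footer: keep scanning
                    pos = img.find(head, pos + 1, hi)
                    continue
                data = img[pos:end + len(tail)]
                found.append({"offset": pos, "type": kind, "data": data,
                              "sha256": hashlib.sha256(data).hexdigest()})
                pos = img.find(head, end + len(tail), hi)
    return sorted(found, key=lambda f: f["offset"])


def filter_known(carved, known_sha256):
    """NSRL-style elimination: drop carved files whose hash is in the known-file set."""
    return [c for c in carved if c["sha256"] not in known_sha256]


def analyse(img, known_sha256=frozenset()):
    """Run the three layers in order and return one report dict."""
    parts = parse_mbr(img)
    ranges = unallocated_ranges(img, parts)
    carved = filter_known(carve(img, ranges), known_sha256)
    return {"hashes": evidence_hashes(img), "partitions": parts,
            "unallocated": ranges, "carved": carved}


if __name__ == "__main__":
    report = analyse(build_sample_image())
    print("sha256:", report["hashes"]["sha256"])
    for p in report["partitions"]:
        print("partition", p)
    for c in report["carved"]:
        print(c["type"], "at", hex(c["offset"]), len(c["data"]), "bytes", c["sha256"])
```

Hashing comes first so that the values recorded for the chain of custody describe the image exactly as it was received; carving is restricted to the unallocated ranges so that files the file system still accounts for are not reported twice; and the hash filter shows why a known-file database matters, since everything it removes is work the examiner does not have to look at.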