The course aims to deepen the knowledge of the Ubuntu OS and reconstruct users’ activities by collecting of forensic artifacts produced during the work sessions in the Linux environment, such as recent documents, form history, web searches, bookmarks and downloads. We will focus not only on the analysis of Ubuntu systems, but also on the use of the Ubuntu OS as a forensic analysis tool. In fact, after an introduction to the Linux environment and the bash shell commands, the student will learn how to configure an Ubuntu workstation, optimizing it for the forensic analysis of Linux systems.
Consideration will be given to the main Linux forensics tools freely available, such as the Sleuth Kit, Bulk Extractor, Exiftool. Particular attention will be given to the most useful Linux commands in the forensic field such as dd, mount, grep, find. Finally, we will address the issue of encryption and decryption of the file system through the use of the popular and powerful tools eCryptfs and John the Ripper.
Why take this course now?
No matter what stage of your career you're at, the skills learned here will serve you well in the future. At the end of the course, you will be able to make a fully valid and thorough forensic expertise in a Linux environment through the use of only freeware tools. The very practical approach can be used both for understanding the principles behind Ubuntu OS and learning how to create scripts using the bash shell to solve custom tasks.
Who is this course for?
- The course is aimed at a potentially large audience that goes from the average Linux user to the computer forensics expert who wants to investigate the mechanisms in an environment other than Windows.
- The approach of the course, based on the use of free tools and manual analysis, allows not only to understand how an Ubuntu system works, but also to understand what are the mechanisms underlying the forensic analysis and the operation of SQLite databases, the latter used to organize data in a variety of areas ranging from web and mail browsers to mobile forensics.
- In particular, the principles underlying the Firefox analysis can be applied to the analysis of different web browsers regardless of the operating system.
What will you learn?
- Linux Forensics concepts
- The structure of the Ubuntu operating system
- The bash shell
- Knowing the most useful commands for computer forensics
- Firefox forensics
- Thunderbird Forensics
- How to encrypt and decrypt the file system of a Linux Workstation
What skills will you gain?
- Extracting useful information from the Ubuntu OS
- How to setup an Ubuntu workstation optimized for forensics analysis
- Choosing the right command according to the objective
- Create custom bash scripts to solve forensic tasks
- Encrypt and decrypt folders with eCryptfs
- Parsing Ubuntu Artifacts
What tools will you use?
- Sleuth Kit,
- Bulk Extractor,
- John the Ripper.
COURSE IS SELF-PACED, AVAILABLE ON DEMAND
DURATION: 18 hours
CPE POINTS: On completion you get a certificate granting you 18 CPE points.
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
- All videos captioned
What should you know before you join?
Basics of Digital Forensics:
- Basic concepts of Computer Forensics (mounting, hashing, metadata)
- Basic concepts of IT security (encryption, decryption, cracking)
What will you need?
- A workstation running Ubuntu
Your instructor: Luca Cadonici
Member of the Italian National Observatory for Computer Forensics (ONIF), International Information Systems Forensics Association (IISFA), Luca Cadonici graduated from the University of Pisa in 2010, moving closer to Computer Security and obtaining the European Qualification as an Expert in Service Management and Network Security - liv.4 EQF (European Qualification Framework). During his career, he has obtained several Computer Security and Computer forensics certifications (among others: CDFE, OSFCE, eNDP, eJPT, CompTIA Linux +, ITIL v3) and worked at the Intesa Sanpaolo Development and Security Office taking care of the activities related to the ISO27001 and PCI-DSS standards.
He’s the author of articles and courses for “eForensics Magazine” and “Il Giornale dell’Ingegnere” - official magazine of the CNI – Italian National Council of Engineers.
He’s the owner of the Digital Forensics laboratory Nova Era and works as a forensic consultant for prosecutors, law enforcement agencies and law firms.
Module 1: Ubuntu and Ubuntu Forensics
In this first module we’ll see how to get the most from Ubuntu in computer forensics. We’ll cover a selection of the most useful commands and the use of the popular collection of tools known as The Sleuth Kit for forensic images analysis.
Module 1 covered topics:
- Basic Linux commands
- Setting up an Ubuntu forensics workstation
- Useful commands in forensic activities
- Working on Ubuntu forensic images
- The Sleuth Kit
- Identify file extension and metadata
- File correlation
Module 1 exercises:
- Create files and metadata report
- Reconstruct a route using the GPS coordinates of the metadata
Module 2: Relevant data
In this section we will see how to collect data useful for reconstructing user activities and related to the configuration and use of the machine.
Module 2 covered topics:
- Collecting volatile data
- User information
- Workstation information
- Network information
- Boot Sequence Analysis
- Scheduled tasks
- Recent files
- An introduction to Nautilus
Module 2 exercises:
- Tracking a user’s activities
- Thumbnails Analysis
Module 3: Firefox and Thunderbird Forensics
In this section we will analyze the principles that underlie the analysis of the most used web browsers and mail clients in the Ubuntu environment: Firefox and Thunderbird.
Module 3 covered topics:
- The SQL query language
- Web browsing artifacts
- Mailbox analysis
- Collecting an account's password
Module 3 exercises:
- Firefox forensics
- Thunderbird forensics
Module 4: eCryptfs – Encrypting File System
In the final part of the course we show how to encrypt folders with the package of disk encryption eCryptfs and how to mount an encrypted folder. The popular cracking tool John the Ripper will be used to attempt the decryption of a previously encrypted folder.
Module 4 covered topics:
- An introduction to eCryptfs
- eCryptfs on Ubuntu
- How to encrypt folders and files
- How to mount an encrypted drive
- John the Ripper
Module 4 exercises:
- "Encrypt a folder with eCryptfs"
- Mounting an Encrypted File System"
The final exam will be a multiple-choice test.
If you have questions, feel free to contact our course coordinator Marta at [email protected]