From:"Dennis Portney" <>
Subject: 7/7 - Linux Data Forensics - Chicago July 26th, 27th 28th 2004 - Course Syllabus and Curriculum Vitae enclosed
Date: Tue, 6 Jul 2004 18:38:51 -0500

I thought this course may be of interest to you or one of the users in your Linux Users Group. If you could pass this course syllabus onto those you think may have an interest in attending this course, it would be very much appreciated.  


Enclosed is the syllabus and attached is the curriculum vitae for Andy Rosen, the foremost expert on Linux Data Forensics in the world. If you would like to speak with him, I can arrange this and please do not hesitate to request this, he has made it known that he is available to speak with anyone interested in speaking with him and has an interest in attending this course.


Please let me know if you have any questions.

Kind regards,



Andrew Rosen , considered by many to be the foremost expert on Linux Data Forensics in the world and who recently served as the lead forensic investigator on the Enron case, will be partnering with Security Forensics, Inc. to teach an intensive, Linux Data Forensics course (level II of III): Chicago, IL - July 26th , 27th &  28th 2004


Andy created Expert Witness and Expert Witness for Windows (now sold under the name Encase, by Guidance Software). He founded ASR Data and developed SMART for Linux, a revolutionary concept, captured in a simplistic, forensic application. Andy has traveled extensively, speaking, training and testifying on the procedures, processes and theories of forensic data acquisition (please review attached curriculum vitae).


Please Note: Linux Data Forensics is OS independent

There will be a maximum headcount of 20-students in the course


- Level II -  Linux Data Forensics: 3-Day Course: Chicago, IL: July 26th, 27th & 28th 2004


The student will start with learning the workings of a Linux Operating System, then proceeding to hands - on instruction, building a Linux OS and understanding the File System Hierarchy and the Virtual File System layers in Linux. The student then rapidly ascends to learning an array of open source tools they can use for forensic data acquisition. This will teach the student how to use and build a more complete Open Source forensic toolkit for performing audits and investigations. With these tools, the student will learn how to perform the practice of mounting images, processing evidence, and hands-on investigation protocol while preserving the forensic process. This course will teach the student a strong conceptual understanding of Linux and the practice of Linux Data Forensics. Students will walkway confident, knowing they are well prepared for an advanced level course. Linux Data Forensic is platform independent and can collect forensic data and perform analysis on all Windows, Linux, Macintosh and UNIX systems, and on many file systems and storage-devices (please review the included course Syllabus, below).


To learn more about the course and instructions on registering please go to:


 Day 1 - Level II - Linux Data Forensics

 Ø    Preliminaries

§ Welcome

§ Introductions ASR Data / Security Forensics’

§ Course Overview

§ Defining the terms that will be used in the course

§ The history of digital forensics

§ Next Generation and where the market is taking Digital Forensics

§ The holistic approach to Digital Forensics

§ Q and A


 Ø    Understanding Linux

§ Who is Linas Torvalds?

§ Why use Linux Forensics?

§ Linux Forensics and platform independence 

§ The Future of the Linux OS and Linux Forensics


 Ø    Linux and Data Forensics

§   Everything is a File

§   Filesystem Types Supported

§   Loopback Device

§   Redirection and Chaining

§   Monitoring and Logging


 Ø    Building and Installing a Linux OS

§ Hands on Installation

§ Procedures and Practices when installing the Linux OS

§ Kernel, Hardware, shell and available applications

§ Review of contemporary distributions

§ Selecting a distribution

§ Linux Components

§ Host device partitioning

§ Choosing a volume format

§ Selecting a bootloader (GRUB v. LILO)

§ Selecting the initial runlevel

§ Choosing a Desktop Environment


 Ø    Linux OS Environment

§ Hardware Abstractions

§ Virtual Terminals

§ Filesystem Hierarchy Standard (FHS)

§ Navigating Directories

§ Processes

§ Location of Key Files


 Ø    General Administration

§ Users and Groups

§ File Permissions

§ Timestamps

§ Log Files and Locations

§ Processes and Monitoring

§ Running as Root


 Ø    Assessing Devices

§ Device Nomenclature and Recognition

§ Help in Identifying Devices

§ Troubleshooting Device Issues


 Ø    Linux Filesystems

§ Virtual Filesystems (VFS) explained in detail

§ Procfs explained

§ Ext2 explained

§ Journalled filesystems (ext3, reiserfs, xfs, etc.)


 Ø    Building a Custom Kernel

§ Getting the required packages

§ Installing v. Upgrading

§ Patching the Kernel

§ Choosing options specific for Data Forensics

§ Building Modules

§ Troubleshooting errors


Day 2 - Review Day One

 Ø    Acquisition and Linux

§ Attaching Devices

§ Device Recognition

§ Compressing Image files

§ Chucking Image Files


 Ø    System Tools for Data Forensics

§ System tools that can be used in processing Data Forensics

§ Recursively Hashing

§ dd, md5sum, sha1, mount, fdisk, grep, find, file, stat, etc.

§ Installing programs

§ Red Hat Package Manager (RPM), tarballs, and compression

§ How to decompress and install programs

§ Overview of tools to assist in Data Forensics capture – Autopsy, TASK, Ide, TCT, TCTutils, SMART, partrimage –


 Ø    Mounting Image Files

§ Loopback device in detail

§ Mounting Logical Partitions

§ Dealing with Physical Images

§ Carving Partitions from Physical Images


 Ø    Processing Evidence

§ ‘file’, ‘find’               

§ ‘grep’, grepmail’, ‘zipgrep’

§ ‘hexdump’, ‘hexedit’, ‘ghex2’, ‘xxd’

§ ‘GQview’, ‘gThumb’, ‘flphoto’


 Ø    Basic Shell Scripting for Forensics

§ Requirements

§ Examples


 Ø    Preserving your forensic process

§ Logging Footsteps

§ Identifying Users

§ Capturing Process and Network Information

§ Dumping Memory


Day 3 - Review of Day 2

 Ø    Legal / Procedural Issues

§ Articulate Findings

§ Documenting and reporting tips

§ Articulating Methodology

§ Defending the methodology

§ Presenting and Supporting Opinions

§ Production v. Discovery

§ Responding to Challenges

§ Tips for Testifying Experts

§ Depositions and Cross Examinations


 Ø    Advanced Data Forensics and Scenarios Defined

§ Postmortem Analysis

§ Steps needed to preserve evidentiary integrity

§ Deeper understanding of disk- based files with a 3rd party digital capture

§ Network Files Systems

§ Enterprise Servers

§ Current and Future Challenges


 Ø    SMART for Linux

§ SMART Architecture

§ SMART Features

§ SMART and Linux

§ Installing and Running

§ Creating Users

§ Storage Devices

§ Device Information and Options

§ SMART Preferences

§ Cases and SMART

§ Creating a new case in SMART

§ Archiving a Case – Wiping Destination Media, Filesystems,  Segmentation, Compression, Authenticity

§ SMART Data Viewer – Active, Deleted, Slack and Unallocated

§ SMART Logging


 Ø    SMART Servers

§ SMART Processes

§ Server Technology

§ Configured Smart Server


 Ø    SMART Client

§ Requirements

§ Remote Client Software

§ Client to Server Communication

§ Configure SMART Client

§ Communication Technologies

§ Remote Administration Software

§ Securing the Data Transmission

 Ø    Importing Images, Authenticating Images and Creating Hashsets in SMART

§ Adding mixed images to a new case

§ Authenticating images

§ “Unencasing” an Encase Image

§ Importing a Ghost Image

§ Importing a dd image

§ Listing all files

§ Creating Hashsets – exporting and logging Raw Data

§ Recovering Deleted Files

§ Creating Key Word Dictionary

§ Composing Search Terms

§ Carving files and Data

§ Interpreting Forensic Data

§ Thumbnails of all Graphics

§ Generating a Report

§ Building a Report

§ Customizing a Report – Things to Include



§ Architecture and Overview

§ Configuring the X – Server

§ Conducting a “knock and talk”

§ Analysis

§ Included Utilities

§ Methodology


 Ø    SMART and RAID

§ Linux and RAID


§ Working with RAID

§ Initializing RAID

§ Acquiring RAID


 Ø    Class Participation - Practical

§ Sample Evidence Files, supplied to all Students to work on their analytical skill set. The Students will document their Step – by – Step process, extracting and presenting evidence including recovery of deleted files, interpretation of file system Meta – data in unallocated space, recognizing various data and file formats and self-paced investigation. Graded by your peers.


 Ø    Final Summary of the course / Q & A – 

 Ø    An Introduction of what to expect from Part 2 - The Advanced Course

 *To learn more about the course and instructions on registering please go to:




Dennis Y. Portney

Security Forensics, Inc.



Security Forensics, Inc. - Investigative Forensic Analysis, Performance Measurement, Corporate e-Mail Monitoring and Electronic Messaging Audits, Incident Response, Forensics Training, Data-Flow Visibility, Evidentiary Discovery, Litigation-Support, Regulatory Compliance and Acceptable Usage Policies.



*NOTE:This message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this in error, please notify us immediately and delete it from your computer. Thank you.