Introduction
An introduction to file-system post-mortem forensic analysis. This page links to the materials used during the forensic training sessions, including slides and links to the disk images.
Training Materials: Edition May 2020
- Slide Deck: Digital Forensics 1.0.1 - Introduction: Post-mortem Digital Forensics
- Slide Deck: Digital Forensics 1.0.2 - Introduction: File System Forensics and Data Recovery
- Slide Deck: Digital Forensics 1.0.3 - Introduction: Windows-, Memory- and File Forensics
- Disk Image: Exercises SHA1:0dff633fded030dd7ac58c871a928afe93d260e9
- Commands: Command Line Cheat Sheet v0.1
AUSCERT2024
- Slides: As We Are Many - The spooky USB stick
- Materials: All files incl. disk images SHA1:2f9667a83abec81066d40d425397c0c0a0ae0b63
Follow the instructions on the slides and the provided training materials to create your own spooky USB stick. Take care, as some of the parameters likely vary slightly on your own computer. Take care using dd with root rights. We are not responsible if you wipe your own disk by accident.
Forensics Challenge ZIP
- Slides: Incident Response and Forensics
Use low-level tools like ‘xxd’ and ‘dd’ to recover data out of broken ZIP archives.
cyberday.lu 2023
The Master File Table (MFT) is one of the most important metadata structures on an NTFS file system. It keeps track of all files and directories stored on the file system.
The metadata of each file is stored in at least one 1024-byte entry inside this table. Since most common files require only about 450 bytes of metadata, some unused space is left in the entry.
One feature of NTFS is that the data of small files are stored inside this free space of the MFT entry, if they fit. This is called resident data. When the file grows over time and its data need more space than is available there, the data are ‘outsourced’ into dedicated clusters.
For forensics it can be interesting to analyse what happens to the older version of the data of such files. Is content of the old version still kept inside the MFT entry? If yes, it is possible to recover old data from the original version of the file, from the time when it was still small.
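The check described above, as an added example that is not part of the training materials or the slides: a small parser for a 1024-byte MFT FILE record that undoes the sector fixups, walks the attribute list, decodes the data runs of a non-resident $DATA attribute and then returns the slack after the end marker, which is where remnants of a formerly resident $DATA may be found. The record it analyses is constructed in the script itself (a placeholder $STANDARD_INFORMATION, a made-up note as old resident content, made-up data runs and a made-up record number); it is not taken from the disk image of the exercise, and whether a real NTFS driver leaves such remnants is what the exercise on the slides lets you verify.

```python
import re
import struct

SECTOR, RECORD = 512, 1024                       # usual NTFS sector and MFT record sizes
ATTR_STD_INFO, ATTR_DATA, ATTR_END = 0x10, 0x80, 0xFFFFFFFF

def resident_attr(atype, content, attr_id=1):
    """Resident attribute: 24-byte header, then the content itself."""
    length = (0x18 + len(content) + 7) & ~7      # attribute records are 8-byte aligned
    a = bytearray(length)
    struct.pack_into("<IIBBHHH", a, 0, atype, length, 0, 0, 0x18, 0, attr_id)
    struct.pack_into("<IH", a, 0x10, len(content), 0x18)   # content size, content offset
    a[0x18:0x18 + len(content)] = content
    return a

def nonresident_attr(atype, runs, real_size, attr_id=1, cluster=4096):
    """Non-resident attribute: 64-byte header, then the data-run list."""
    alloc = -(-real_size // cluster) * cluster
    length = (0x40 + len(runs) + 7) & ~7
    a = bytearray(length)
    struct.pack_into("<IIBBHHH", a, 0, atype, length, 1, 0, 0x40, 0, attr_id)
    # start VCN, last VCN, run-list offset, compression unit, padding, allocated/real/initialised size
    struct.pack_into("<QQHHIQQQ", a, 0x10, 0, alloc // cluster - 1, 0x40, 0, 0, alloc, real_size, real_size)
    a[0x40:0x40 + len(runs)] = runs
    return a

def build_sample_record(old_content, new_size, runs, record_no=42):
    """CONSTRUCTED record (not from a real disk): $DATA was resident (old_content), then the
    file grew to new_size bytes and $DATA became non-resident. The shorter 'after' attribute
    list overwrites the head of the 'before' list; bytes beyond the new end marker stay as they were."""
    rec = bytearray(RECORD)
    std = resident_attr(ATTR_STD_INFO, bytes(48), attr_id=0)   # placeholder $STANDARD_INFORMATION
    end = struct.pack("<I", ATTR_END) + bytes(4)
    before = std + resident_attr(ATTR_DATA, old_content) + end
    after = std + nonresident_attr(ATTR_DATA, runs, new_size) + end
    rec[0x38:0x38 + len(before)] = before
    rec[0x38:0x38 + len(after)] = after
    rec[0:4] = b"FILE"   # USA at 0x30 with 3 entries, LSN 0, seq 1, 1 link, attrs at 0x38, in use
    struct.pack_into("<HHQHHHHII", rec, 4, 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(after), RECORD)
    struct.pack_into("<I", rec, 0x2C, record_no)
    usn = 0x0007         # fixups: the last 2 bytes of each sector are swapped with the USN
    struct.pack_into("<H", rec, 0x30, usn)
    for i in range(RECORD // SECTOR):
        tail = (i + 1) * SECTOR - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[tail:tail + 2]
        struct.pack_into("<H", rec, tail, usn)
    return bytes(rec)

def decode_runs(buf):
    """Decode a data-run list into (starting LCN, cluster count) pairs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        lsz, osz = buf[pos] & 0x0F, buf[pos] >> 4
        length = int.from_bytes(buf[pos + 1:pos + 1 + lsz], "little")
        lcn += int.from_bytes(buf[pos + 1 + lsz:pos + 1 + lsz + osz], "little", signed=True)
        runs.append((lcn, length))
        pos += 1 + lsz + osz
    return runs

def undo_fixups(raw):
    """Put the real sector tail bytes back; a mismatch means a torn or corrupt record."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_count - 1):
        tail = (i + 1) * SECTOR - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError("fixup mismatch in sector %d" % i)
        rec[tail:tail + 2] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return rec

def analyze_record(raw):
    """Walk the attribute list; return the attributes and the slack after the end marker."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = undo_fixups(raw)
    first_attr, flags, used, alloc = struct.unpack_from("<HHII", rec, 0x14)
    attrs, off = [], first_attr
    while off + 8 <= alloc:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            break
        if alen < 0x18 or off + alen > alloc:
            raise ValueError("corrupt attribute length at offset 0x%x" % off)
        if rec[off + 8]:                                            # non-resident
            runs_off, real_size = struct.unpack_from("<H14xQ", rec, off + 0x20)
            attrs.append({"type": atype, "resident": False, "size": real_size,
                          "runs": decode_runs(rec[off + runs_off:off + alen])})
        else:
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)
            attrs.append({"type": atype, "resident": True, "size": csize,
                          "content": bytes(rec[off + coff:off + coff + csize])})
        off += alen
    return {"record_no": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1),
            "attributes": attrs, "used": used, "slack": bytes(rec[used:alloc])}

def ascii_strings(buf, min_len=8):
    """Printable ASCII runs in a buffer, the same heuristic as the 'strings' tool."""
    return [m.decode() for m in re.findall(rb"[ -~]{%d,}" % min_len, buf)]

# constructed sample: 384 bytes of old resident content; the file later grew to 5000 bytes
OLD = b"CONSTRUCTED old resident $DATA: " + b"".join(b"item%03d=ok;" % i for i in range(32))
RUNS = b"\x21\x02\x34\x12\x00"   # one run: 2 clusters from LCN 0x1234, then the 0x00 terminator
REPORT = analyze_record(build_sample_record(OLD, 5000, RUNS))
```

Run the script and inspect `REPORT`: the $DATA attribute is reported as non-resident with size 5000 and one run of 2 clusters at LCN 0x1234, while `ascii_strings(REPORT["slack"])` returns the tail of the old note, because the non-resident $DATA header plus the new end marker are shorter than the old resident attribute and only its first 56 bytes were overwritten. On a real image the same walk is applied to each 1024-byte record of $MFT after the fixups have been undone; a fixup mismatch, which the parser reports as an error, is itself a finding, since it indicates a torn write or a damaged record.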
These slides contain in the first part a summary of the test. In the second part you will find all the commands to reproduce the exercise for self-study.
The training materials contain an empty disk image and the text files to reproduce the exercise.
- Training materials: 7z file SHA1:1461c8c77e5f092581a083df6a12ad019cd6405d
If you find any error or possible improvement, please notify us.
cyberday.lu 2022
- Slides: Recovering data from a wiped disk - A manual approach
- USB device: Disk image SHA1:2a70cb8c9fe22efb6041af8be34f3cb237640c74
With the image of the wiped disk, you should be able to replay the exercise.
cyberday.lu 2020
- Slides: Curiosities in Computer Forensics
- My name is Legion - Polyglot Boot Record: Disk image SHA1:fcdcc68d1e6ca5ea9e8c59715dabd96ce4d08cf2
- Lost in Hyperspace - EBR Loop: Disk image before manipulation SHA1:e549d373352037e871fd15bed0393f7b6b5bd85e
To replay an exercise, download and flash the related USB disk image over your own USB stick. Please take care: Do not accidentally overwrite your internal drive. We advise to use tools like ‘dd’ with root rights only on virtual machines or test PCs but not on production machines. We are not responsible if you destroy your computer's disk.
cyberday.lu 2019
- Slides: Incident Response and Forensics
- USB device: Disk image SHA1:90dc3a44b25e138bc50bbdf358d13c53f8aa953f
Download and dump the image of the USB device over your own USB stick to replay the exercises. Please take care to not accidentally overwrite your internal drive. We advise to use tools like ‘dd’ with root rights only on virtual machines or test PCs but not on production machines. We are not responsible if you destroy your computer's disk.
Updates
- 15th June 2018 - New training in Luxembourg
- 16th April 2018 - Initial release of slides version 1.0
- 29th August 2018 - Slides updated: Digital Forensics 1.0.1 and 1.0.2
- 20th December 2018 - Slides updated: Digital Forensics 1.0.1: Winter 2018/2019 edition
- 20th March 2019 - Slides updated: Digital Forensics 1.0.1: Edition May 2019
- 21st March 2019 - Disk Image updated
- 22nd May 2019 - Slides updated, Command Line Cheat Sheet v0.1 added
- October 2019 - cyberday.lu 2019 slides added
- November 2019 - 1.0.1 slides updates, Forensics Challenge ZIP added
- May 2020 - Complete revamp of the training materials, increased from 185 to 298 slides
- October 2020 - cyberday.lu 2020 materials added
- October 2022 - cyberday.lu 2022 materials added
- November 2023 - cyberday.lu 2023 materials added
- August 2024 - AUSCERT24 presentation added