Understanding the interworks of Linux OS is a crucial step for forensic investigators these days, as many enterprises rely on Linux systems for servers, attack and defense machines, etc. This course will introduce participants to the Linux OS and guide them on how to perform forensic analysis on Linux systems. Participants will study the investigation process on Linux and learn about tools used for forensics purposes. They will be able to analyze the system, locate and capture data, make images of media, analyze filesystems, and more.

The course targets participants with basic knowledge in IT or networking, who wish to have a deeper understanding of cyber investigations and the forensic process. Primarily:

  • Law enforcement officers & intelligence corps
  • Incident responders
  • Computer investigators
  • IT/network administrators
  • IT security personnel
    • Basic knowledge in IT and networking
    • Participants should be familiar with the following concepts:
      • Computer components
      • Operating Systems
      • OSI model
    • CS001 provides a solid foundation of preliminary knowledge required for this course.

    40 Hours

    Cyber Security


    Certificate: No

    Price: contact us for more details

    Leave your details

    Course Outline


    • Getting to know Linux OS and its specifications for performing forensics analysis.
    • Mastering the key practices of investigating on Linux systems, including: collecting data through the network, analyzing data and carving files.
    • Understanding USB forensics.
    • Tracking unusual activity on the web to deduct information.
    • Learning to work with advanced tools for different forensics tasks.


    Course Outline

    Module 1: Introduction to Linux OS – 8 hours

    In this module, participants will become familiar with Linux OS, its structure, basic commands and primary differences from the more widely used Windows OS. Linux is known as a relatively flexile operating system, and is consequently more exposed to vulnerabilities which are the primary source of breaches. Students will get to know the points of exposure and how they can be manipulated by hackers. They will construct a lab environment to be used throughout the course to perform investigations.

    • The Linux foundation
    • System architecture
    • Package management
    • Text editors
    • Local security principles
      • Linux services
      • Services configurations
      • Local port scanning
    • Bash scripting
      • Command-line operators
      • Grep
      • Awk
      • Sed
    • Delving deeper into Linux file system
      • Superblocks
      • Directory entries
      • Linux main processes
      • Inodes
      • Undeleting files
      • Unallocated data
    • Permissions
      • Managing users on Linux
      • User
      • Group
      • Other
      • Special permissions
    • Building your Linux lab
      • Configuring the system
      • Installing tools with APT


    Module 2: The Investigation Process on Linux – 20 hours

    During this module, participants will be absorbed in all processes of data collection from the hard-disk, from logs and from volatile memory, to enable them to complete the investigation process properly. They will also learn how to identify concealed or encrypted information, hiding behind supposedly “innocent” files.

    • Collecting data
      • Date and time
      • Network interfaces
      • Network connections
      • Routing tables
      • Programs associated with ports
      • Running processes
      • Mounted file systems
      • Loaded Kernel modules
    • Collecting data through the network
      • Using Netcat
      • Writing scripts for automation
    • Imaging the hard disk
      • Dcfldd
      • Guymager
      • Autopsy
    • Dumping memory
      • fmem
      • LiME
      • Kcore
    • Timeline analysis
      • System installed, upgraded, booted, etc.
      • Newly created files
      • Changed files
      • Accessed files
      • MFTParser
    • Analyzing data
      • bstrings
      • Volatility
      • Parsing tools
      • Carving data
        • Foremost
        • Scalpel
        • Bulk extractor
      • Steganography
        • Hiding with Cat
        • Steghide
        • Image steganography
        • Audio steganography

    Module 3: USB Forensics – 4 hours

    In this module, participants will inspect the structure of the USB and understand how it communicates with the system when plugged in. They will understand what a USB device contains, and acquire the knowledge to identify any malicious content stored on it.

    • USB basics
      • USB hardware characteristics
      • Different types of USB
      • USB connection process
    • USB descriptors
      • Device
      • Configuration
      • Interface
      • Endpoint
      • String
    • Investigating USB data flow
      • Using Wireshark
      • Host communication with the USB port
      • BBB/USBMS
    • Creating images
      • Reading sectors
      • Duplicating USBs with Vinculum


    Module 4: Internet Forensics – 4 hours

    In order to complete a full analysis or collect data during an investigation, forensics specialists should have control over network-based processes that occur on the system. During this module, students will acquire knowledge in monitoring the network from the user’s side, and learn to detect suspected data coming from outside intruders.

    • Using file signatures
      • MD5
      • SHA-1
      • File signatures automation
    • Web browsing
      • Collecting information
      • Parsing for links
      • Cookies
      • Search history
      • Browser cache
    • Tracing unusual activity
      • Wireshark
      • NetworkMiner
      • TCPDump


    Module 5: Using Advanced Tools – 4 hours

    During this module, participants will be exposed to various techniques of identifying and handling suspicious activity using open-source tools, that will help them in advanced stages of the investigation. The tools covered in this section are highly significant for investigators in the world of Linux and network forensics.

    • Bro
    • Bro-Cut
    • Deft
    • Xplico
    • SIFT
    • Security Onion