On August 6th, 1999, Dan Farmer and Wietse Venema (IBM T.J. Watson Research Center) presented a full-day free class on UNIX computer forensics analysis, sponsored by IBM. The class was attended by an audience of over 200 and was given at the IBM T.J. Watson Research Center near Yorktown Heights (NY).
At the end of the class, official gold Internet Detective badges were handed out to attendees, courtesy of Earthlink Network.
cat file.ps | ghostview -landscape -
This material amounts to 215 pages, so you can save a tree by printing double sided - or, better yet, print out the six-to-a-page version created by Dave Dittrich which compacts them by a considerable amount, and remains very easy to read.
A gzip'd tar file containing all the ps files, six to a page - recommended!
A gzip'd tar file containing all the ps & pdf files
Gzip'd tar file containing all the pdf files
Gzip'd tar file containing all the ps files
Individual Files and Summaries
Dan gives a look ahead to the rest of the day, what the class will and won't cover, and discusses basic principles.
Wietse presents a first case, and discusses limitations of computer forensics analysis, the triangle of trust, and the reverse Turing test.
Dan explains what one needs to be aware of when capturing information after an intrusion, what techniques to use, and what mistakes to avoid. Central elements are the Heisenberg principle of computer forensics and the order of volatility.
Wietse reconstructs the course of events from logfiles and from other time-related information. This section is illustrated with a short post-mortem intrusion analysis that Wietse wrote up a couple of years ago - PS version, PDF version.
Dan has the floor. This section is illustrated with two hand-outs: what the intruder sees (PS version, PDF version) and what file system time stamps (PS version, PDF version) the intruder leaves behind.
Wietse figures out the purpose of an unknown program that runs on the system, without disturbing it, and without giving it a chance to inflict damage on the system it runs on.
In the middle of the graveyard shift, Wietse figures out the purpose of a program file without actually running it. In this session, Tsutomu Shimomura said: "adb is your friend". Dan replied: "no, adb is your friend!"
Dan discusses what information is left behind in the network in the wake of an incident. It is impossible to erase all traces, but it can be hard to obtain that data from providers, telcos, etc.
Wietse goes into the gory details of collecting information about removed files, discusses how to hide information in and between files and file systems, and how to erase traces from UNIX file systems.
Dan presents a novel tool that makes sense out of thrashed files: how it works, why it works, and what its limitations are.
Dan ends the day with a summary of best practices: what you need at the very least in order to be prepared for an incident.