Capture The Flag Forensics



Creator:     Jim Irving

License:    Creative Commons: Attribution, Share-Alike


Lab requirements:

-Linux machine with internet access (one on which capturing network traffic is permitted)

-Windows machine with Netwitness Investigator Free installed and registered

-SANS SIFT 2.0 virtual machine

Class Textbook: None

Recommended class duration: 1 day

Creator Available to Teach In-Person Classes: Yes

Author comments:

This class prepares students to participate in a CTF, focusing specifically on host-based and network-based forensic capabilities. The material details the preparation of a virtual machine to be used for the CTF and the configuration of several tools. Additionally, there are several exercises meant to familiarize students with the tools described:


-Using Netwitness Investigator Free to analyze a PCAP file.

-Using Snort to write packet filters.

-Using PTK to carve files from disk images and to create file-modification timelines.

-Using various disk imaging tools to create forensic images of disks and physical memory.

-Analyzing physical memory images with Volatility.


Revision History:

06-14-2011 - Initial class content upload

If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.