Capture The Flag Forensics
Creator: Jim Irving
License: Creative Commons: Attribution, Share-Alike
(http://creativecommons.org/licenses/by-sa/3.0/)
Lab requirements:
-Linux machine with access to the internet (must be ok for capturing data from!)
-Windows machine with Netwitness Investigator Free installed and registered
-SANS SIFT 2.0 virtual machine
Class Textbook: None
Recommended class duration: 1 day
Creator Available to Teach In-Person Classes: Yes
Author comments:
This class deals with preparing students to participate in a CTF, specifically focusing on host based and network based forensic capabilities. The material details the preparation of a virtual machine to be used for the CTF and the configuration of several tools. Additionally, there are several exercises meant to familiarize students with the tools described.
Labs:
-Using Netwitness Investigator Free to analyze a PCAP file.
-Using Snort to write packet filters.
-Using PTK to carve files from, and create file modification timelines of disk images.
-Using various disk imaging tools to create forensic images of disks and physical memory.
-Analyzing physical memory images with Volatility.
Revision History:
06-14-2011 - Initial class content upload
If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.
