Capture The Flag Forensics


 

Creator:     Jim Irving


License:    Creative Commons: Attribution, Share-Alike

(http://creativecommons.org/licenses/by-sa/3.0/)


Lab requirements:

-Linux machine with access to the internet (it must be acceptable to capture network traffic on this machine!)

-Windows machine with Netwitness Investigator Free installed and registered

-SANS SIFT 2.0 virtual machine


Class Textbook: None


Recommended class duration: 1 day


Creator Available to Teach In-Person Classes: Yes


Author comments:

This class deals with preparing students to participate in a CTF, specifically focusing on host-based and network-based forensic capabilities. The material details the preparation of a virtual machine to be used for the CTF and the configuration of several tools. Additionally, there are several exercises meant to familiarize students with the tools described.

Labs:

-Using Netwitness Investigator Free to analyze a PCAP file.

-Using Snort to write packet filters.

-Using PTK to carve files from disk images and to create file-modification timelines of those images.

-Using various disk imaging tools to create forensic images of disks and physical memory.

-Analyzing physical memory images with Volatility.





CTFForensics.pptx



Revision History:


06-14-2011 - Initial class content upload


If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.