Online Training Summer Special: Get a 12.9" iPad Pro, Surface Pro, or $350 Off with OnDemand or vLive

RSA Conference 2013

San Francisco, CA | Sun, Feb 24 - Mon, Feb 25, 2013
This event is over,
but there are more training opportunities.

Lethal Digital Forensics

Sun, February 24 - Mon, February 25, 2013

  • 12 CPEs

Over the past two years, we have seen a dramatic increase in sophisticated attacks against nearly every type of organization. Economic espionage in the form of cyber-attacks, also known as the Advanced Persistent Threat (APT), has proven difficult to suppress. Attackers from Eastern Europe and Russia continue to steal credit card and financial data resulting in millions of dollars of losses. Hackivist groups attacking government and Fortune 500 companies are becoming bolder and more frequent.

Sophisticated hackers can advance rapidly through your network using advances in spear phishing, web application attacks, and custom malware. Incident Responders and Digital Forensic Investigators must master a variety of operating systems, investigative techniques, incident response tactics, and even legal issues in order to combat challenging intrusion cases across the enterprise.

Attackers will use anti-forensic techniques to hide their tracks. They use rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware to hide in plain sight and avoid detection by standard host-based security measures. Every action that adversaries make leaves a trace; you merely need to know where to look.

Our adversaries are good and getting better. Are we learning how to counter them? Yes we are. Learn how.

Lethal Digital Forensic Techniques and Memory Analysis will give you the tools and techniques necessary to master advanced incident response, investigate data breach intrusions, find tech-savvy rogue employees, counter the Advanced Persistent Threat, and conduct complex digital forensic cases.

This course uses the popular SIFT Workstation to teach investigators how to investigate sophisticated crimes. SIFT contains hundreds of free and open source tools, easily matching any modern forensic tool suite. It demonstrates that advanced investigations and incident response can be accomplished using frequently updated, cutting-edge open source tools.


Course Syllabus


Timeline analysis will change the way you approach digital forensics... forever.

Learn advanced analysis techniques uncovered via timeline analysis directly from the analysts that pioneered timeline analysis tradecraft. Temporal data is located everywhere on a computer system. Filesystem modified/access/creation/change times, log files, network data, registry data, and, Internet history files all contain time data that can be correlated into critical analysis to successfully solve cases. Pioneered by Rob Lee in 2001, timeline analysis has become a critical investigative technique to solve complex cases. New timeline analysis frameworks provide the means to conduct simultaneous examinations of a multitude of time-based artifacts. Analysis that once took days now takes hours.

Over the past 3 years, a renaissance has occurred in tool development for timeline analysis. SANS has spearheaded research and development by sponsoring some of the newly created tools such as log2timeline. As a result of recent developments, many professionals now turn to timeline analysis as one of their core tools and capabilities. This section will step you through the two primary methods of creating and analyzing timelines created during advanced cases. Exercises will not only show each analyst how to create a timeline, but introduce key methods to use them effectively in their cases.

CPE/CMU Credits: 6


Timeline analysis overview

  • Timeline benefits
  • Prerequisite knowledge
  • The Pivot Point
  • Timeline context clues
  • Timeline analysis process

Filesystem timeline creation and analysis

  • MACB meaning by file system (NTFS vs. FAT)
  • Rules of Windows timestamps for $STDINFO and $Filename
  • Windows time rules (file copy vs. file move)
  • File system timeline creation using Sleuthkit and fls
  • Bodyfile analysis and filtering using the mactime tool

Super timeline creation and analysis

  • Super timeline artifact rules
  • Program execution, file knowledge, file opening, file deletion
  • Timeline creation with log2timeline
  • log2timeline input modules
  • log2timeline output modules
  • Filtering the super timeline using l2t_process
  • Targeted super timeline creation
  • Automated super timeline creation
  • Super timeline analysis


Memory forensics has come a long way in just a few years. It can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware. While traditionally the sole domain of Windows internals experts, recent tools now make memory analysis feasible for anyone. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. This section will introduce some of the newest free tools available and give you a solid foundation in adding core and advanced memory forensic skills to your security armory.


place holder

CPE/CMU Credits: 6


Memory acquisition

  • Acquisition of system memory for both Windows 32/64 bit systems
  • Hibernation and pagefile examination

Memory analysis

  • Memory analysis techniques with Redline
  • Identify rogue processes
  • Analyze process DLLs and handles
  • Review network artifacts
  • Look for evidence of code injection
  • Check for signs of a Rootkit
  • Acquire suspicious processes and drivers
  • Live memory forensics
  • Advanced memory analysis with volatility
  • Memory registry examinations
  • Memory Timelining
  • Memory event log parsing