2011 Tutorials


June 13, 2011


Tutorial: Time line creation and analysis using Log2Timeline


Instructor: Mark Hallman (slides)
Schedule: 8:30am-noon, with two 15-minute breaks (registration from 8:00am; lunch provided at noon)
Cost: $100

This workshop will cover the hands-on creation of system activity timelines using open source tools. The workshop will use tools including The Sleuth Kit, log2timeline, timescanner, and standard Linux utilities. The timelines will be analyzed to find events, such as system clock manipulation and theft of intellectual property by copying to a USB thumb drive or web-based email.


What to Bring

This workshop will include a pre-configured Live-CD or thumb drive with Linux and tools installed. Sample data will be provided. Participants must bring their own laptop, as the class will be very hands-on. The instructor will provide disk images so that students get to try out the tools and commands. Optionally, if you are able to install VMware (either a paid or free version) on your laptop ahead of time, that will make the tutorial go more smoothly.

Making It Rain: Browser Forensics Hands-On


Instructor: Cory Altheide
Schedule: 1-4:30pm, with two 15-minute breaks (registration from 11:30am; lunch provided at noon)
Cost: $100

It can be argued that nothing demonstrates the concept of evidence dynamics better than Internet artifacts. On a modern end-user computer system, the bulk of the user’s interaction with the system will likely be related to Internet communication of some sort. Every click of a link, every bookmark, and every search query can leave telltale traces on the user’s system. In this workshop, participants will use open source tools to explore and analyze the artifacts generated by four major browsers – Microsoft’s Internet Explorer, Mozilla’s Firefox, Google’s Chrome, and Apple’s Safari.


What to Bring

Participants must bring their own laptop with VirtualBox installed and 20 GB of free hard drive space. A virtual machine with the required tools and data will be provided.

Tutorial Cancellation Policy

Registration for digital forensics tutorials may be cancelled for a full refund up to 3 business days in advance of the class date (by end of day June 8, 2011). No refund can be given for no-shows, or for class registrations cancelled less than 2 business days prior to a class date.