Forensics 558 Course Content

摘要

On the first morning, we'll investigate a rogue system administrator. His colleagues suspect he may be abusing his privileges. There doesn't seem to be any web surfing activity at all associated with his computers. What could he be up to? To solve the case, we embark together on an extensive analysis of DHCP logs, wireless traffic captures, tcpdump using BPF filters, Wireshark,and the DNS protocol. Along the way, we'll learn about DNS tunneling using iodine, methods of passive evidence acquisition, network taps, hubs, switches, and port mirroring. We'll also use tools, such as ngrep, tcpxtract, and hex editors, to extract the data we need. Underlying all of our forensic procedures is a solid forensic methodology, which includes verification, acquisition, timeline creation, evidence recovery,and reconstruction.