Linux Digital Forensics: a theoretical and practical approach

Presented at BSidesLV 2023, Aug. 9, 2023, 10:30 a.m. (Unknown duration).

As hardening and monitoring of Windows systems is becoming more mature in corporate environments, cybercriminals and APTs increasingly turn to Linux hosts to conduct their campaigns. Whether you are new to incident response (IR), or a tailored responder looking to improve your Linux forensics skills, this workshop aims to provide you with the necessary knowledge and tools to investigate compromised Linux systems. This workshop will cover the different steps of Linux IR, from data acquisition to TTPs analysis, while introducing Linux malware analysis fundamentals. Participants will be able to practice their newly acquired abilities on a hands-on exercise, which consists of a triage collection and a disk image from a compromised system. Inspired by several IR engagements of the CERT-W, this challenge will give insight on real-life attacks of Linux systems.

Presenters:

  • Thomas Diot as Thomas DIOT
    Thomas is a senior analyst at CERT-W, leading IR engagements on small to large perimeters. He also works on security audits, with a specialty in network pentests and Red Teams. While not busy hunting threat actors, Thomas enjoys building offensive and IR security tools as well as practicing his skills by playing in CTFs.
  • Maxime Meignan
    Maxime Meignan (@th3m4ks) is a security consultant at Wavestone, based in Paris, since the middle of the last decade. Loving to reverse engineer binaries in both professional and CTF contexts, Maxime has an IDA sticker on the back of his smartphone. And writes this uninteresting fact in his bio. He is currently interested in various fields of security, related to EDR software, Windows internals and Virtualisation Based Security.
  • Axel Roc
    Axel Roc is a security consultant at Wavestone, an independent French consulting firm. His work involves a mix of penetration testing and incident response with Wavestone CERT-W. Axel enjoys challenging and improving his skills by participating in CTFs with the Wavestone team.

Links:

Similar Presentations: