A practical approach to network forensic, system forensic, memory forensic and data mining

Computer security incidents happen every day in small or large private or public organizations but also computer equipments used by citizen world wide. In case of incident, victims want to know what exactly happen to their systems, information to understand the impact on their organization or/and on their life. Security researchers need to analyse such compromised systems to better understand techniques, tactics and motivation of the attackers/adversaries.

The aim of the course is to provide a basic ground of all the techniques used in computer forensic and offer a toolbox to the student for their future activities in the computer security field.

The course includes a project to support or perform computer forensic to turn the theory into a practical session. The course requires a high involvement from the participants. The course will be based on various datasets provided to the student at each session. The datasets include network packet capture of a black-hole network until Today (which will be the core dataset for the sessions), a subset of potentially leaked information, a series of malware samples and threat-intel raw information.

With the respective datasets, student will learn the various techniques and tools used to process, analyze, review, classify and use them and finally benefit from those. The core objective is learn techniques that will support day-to-day activities of analysts or incident responders.

During the sessions, different programming techniques will be approach in order to support the analysis process of the datasets:

During the period of the course, there will be a specific project to realize. The project is fully integrated into the course sessions that means some topics covered will help to enhance or complete your work.

Project definition should be known for the 2017-02-05.

A project can be:

Project will be released under a free software license and using one of the following programming language: Python, Perl, Ruby, Go, Lua, Bash or Zsh. As the development of the project will be done on an operational system, the project along with its tools might evolve following the feedback received from the attackers themselves. The project can be an improvement to an existing free software security project including extensions, documentation, improvements or even bug fixes to computer forensic software. If you don’t have any ideas, I’m sure we can find something in a world surrounded by information security issues, insecure technologies and potential innovative technical solutions (also sometime insecure).

A project can be also an analysis of specific evidences collected in the field (e.g. malware discovered, malicious website, hard-disks found in a recycling center) where you explain what you did as a forensic investigator.

You must also create a GitHub account where all your project including its documentation will be available (publicly) and release under a free software license.

The major part of the work during the classes is a mixture of practical exercises, real-life experiments and sometime a kind of theory. The main requirement is that your workstation is an operational Unix-based system (e.g. a recent GNU/Linux distribution like Ubuntu 16.xx or a BSD flavor like OpenBSD or FreeBSD) with system administrator privileges.

Courses will be given in French with the technical support being in English. Your project will be in English as your code and documentation will be available to the Internet community at large.

The evaluation will be mainly based on your project. The evaluation is not an objective and the objective is to have fun while learning all together.

You may find that the subject very broad or even too complex. The objective is that you keep a focus on a specific aspect of computer forensic (network, system, malware analysis, data mining) to be used for your project. If you have any issue with the course (including the way I teach it), don’t hesitate to talk about as early as possible.