This course is designed to help forensic examiners understand Linux-based operating systems and their artifacts so they can conduct digital forensic investigations with confidence, bridging the gap between graphical tools and the raw power of the Linux command line.
Through theoretical and hands-on instruction, participants move past basic command-line navigation to a deep understanding of how Linux works: its filesystems, device handling, and how to analyze artifacts and logs. The curriculum extends into advanced topics, including customizing the shell for efficiency, automating tasks with scripts, and recovering LUKS volume keys from a memory capture in order to unlock encrypted storage.
The training concludes with a comprehensive, real-world simulation. Students will be tasked with an end-to-end investigation, starting from a compromised server and tracing the digital evidence through the network to identify the attacker’s workstation.
This course assumes some experience with Windows investigations but little or no experience using or analyzing Linux. The only prerequisite for the class is a willingness to type commands. By the end of the course, attendees will understand that there is another world: a vast, open-source landscape where the mouse is optional and the power lies in the prompt.