Linux Forensics
A practical course exploring the world of Linux-based systems.
40 Hours
Blue Team


According to Alexa Traffic Rank, 96.5% of the most popular websites and 92% of the machines in Amazon’s Cloud use Linux-based operating systems. If your organization has servers and services exposed to the Internet and/or running on Cloud infrastructure, the chances are they are running Linux. When enterprise servers come under attack, incident response and investigation teams must respond quickly and effectively. Their ability to react relies on their understanding of the Linux landscape. Skilled professionals can detect the nature of the incident, the severity of the infection, and the extent of the damage before collecting valuable information.

The course covers the following topics:



Digital forensics in a rapidly changing space
  • Post-mortem (forensics) vs. real time (incident response)
  • What is host forensics?
  • The order of volatility and evidence types
  • The methodology of running an investigation
  • Open source: Yes we can!
  • Building your own examination platform
Disk and filesystem analysis
  • Media analysis concepts
  • The Sleuth Toolkit
  • Partitioning and disk layouts
  • Special containers
  • Hashing
  • File carving
  • Forensic RAW Imaging with dd
  • Converting virtual storage to RAW images
Generating filesystem timelines
  • Filesystem MACB timestamps
  • Generating body files from images and mounted media
  • Timeline generation and analysis with fls and autopsy
  • Indexing modifications, access, and creation with Linux shell
  • Timeline generation and analysis
Linux filesystem artifacts
  • Linux file systems (ext2, ext3)
  • Linux boot process and services
  • Linux system organization and artifacts
  • User accounts
  • Home directories
  • Bash history
  • System logs
  • Cron jobs
Server- and service-related artifacts
  • Linux syslog (Debian) and /var/log/messages (Red Hat)
  • Linux auth.log (Debian) and /var/log/secure (Red Hat)
  • Parsing bash history and adding timestamps to bash history
  • Other logs: /var/log/boot.log, /var/log/dmesg, /var/log/kern.log
  • Cron logs
  • Package manager logs (apt, yum, etc.)
  • Web server logs: Parsing and configuring Apache/nginx logs
  • Database logs (example: mysqld.log and mysql.log)
  • Bonus: Customizing iptables to log every connection
Super timeline all the things
  • Super timelines: What and why
  • Getting started with Plaso
  • Creating timelines
  • Using collection filters
  • Event filters
  • Analysis plugins
  • Analyzing Plaso output with Elasticsearch and Kibana
Linux memory forensics
  • Linux memory acquisition
  • Generating Linux profiles for Volatility
  • Processes and process memory
  • Networking artifacts
  • Kernel memory artifacts
  • Filesystem in memory
  • Userland rootkits
  • Kernel-mode rootkits
  • Parsing “free-memory” with Volatility strings
The Linux forensic challenge
  • Linux Web server Breach CTF
  • Multi-step “targeted” attack
  • Challenge walkthrough and investigative conclusions
  • Workshop summary

About

CYBERPRO was founded in cooperation with international information security and instruction authorities who bring to Israel world-leading cyber training technologies and a learning experience of the highest standard available today.

The partners include the IITC group which has been training graduates for the high tech industry for over 20 years, and was selected as the training center for the Cisco Company in Israel.

CYBERPRO’s advanced, sought-after training courses in the areas of infrastructures, information security and cyber are world famous. These training courses were developed by some of the best cyber experts in the world, for international security organizations that emphasize the high training capabilities, the professional learning methods and the unique training and practice technologies. Our connection with international groups allows our students to be exposed to unique employment opportunities in Israel and abroad.

The training and learning tracks are all based on extensive hands-on practice and preparation for industry and professional requirements, so they include technological labs and practice sessions using one of the most advanced simulators in the world.

    • Analysts
    • Security researchers
    • Forensics researchers
    • IT specialists
    • Incident response teams
    • Advanced knowledge of Linux operating systems
    • Familiarity with TCP/IP protocols
    • Familiarity with cyberwarfare methods is advantageous
    • Prior experience working with Linux and bash is advantageous
    • Perform disk-level forensic investigations
    • Perform filesystem forensic investigations
    • Perform service-level forensic investigations
    • Perform memory forensic investigations
    • Perform well-managed forensic investigations on Linux-based systems