Dan & Wietse's Computer Forensics Analysis Class Schedule

Date: August 6th, 1999
Location: IBM T.J. Watson Research Center Auditorium, Yorktown.

08:30 Registration & coffee

09:00 Introduction (Dan)

A look ahead to the rest of the day, what the class will and won't cover, and a discussion of basic principles.

09:45 Basic UNIX file system (Wietse)

A first case, and a discussion of the limitations of computer forensics analysis.

10:30 Break & refreshments

11:00 Freezing the scene (Dan)

What one needs to be aware of when freezing a scene, what techniques to use, and what mistakes to avoid.

11:30 Time travel (Wietse)

Reconstructing the course of events from logfiles and other time-related information.

12:00 Reconstruction of actions (Dan)

Reconstructing user activity.

12:30 Lunch break (Yorktown cafeteria annex)

13:30 Processes (Wietse)

Figuring out the purpose of a running program without disturbing it.

14:00 Programs (Wietse)

Figuring out the purpose of a program file without actually running it.

14:30 Network (Dan)

Information left behind in the network in the wake of an incident.

15:00 Break & refreshments

15:30 Advanced UNIX file system (Wietse)

Collecting information about removed files, hiding information, and erasing traces.

16:00 Lazarus (Dan)

Presentation of a novel tool that makes sense out of thrashed files.

16:45 Best practices (Dan)

What you need at the very least in order to be prepared for an incident.

17:00 End of class