Dan & Wietse's Computer Forensics Analysis Class Schedule
Date: August 6th, 1999
Location: IBM T.J. Watson Research Center Auditorium, Yorktown.
- 08:30 Registration & coffee
- 09:00 Introduction (Dan)
  - A look ahead to the rest of the day, what the class will and won't cover, and a discussion of basic principles.
- 09:45 Basic UNIX file system (Wietse)
  - A first case, and a discussion of the limitations of computer forensics analysis.
- 10:30 Break & refreshments
- 11:00 Freezing the scene (Dan)
  - What one needs to be aware of when freezing a scene, what techniques to use, and what mistakes to avoid.
- 11:30 Time travel (Wietse)
  - Reconstructing the course of events from logfiles and other time-related information.
- 12:00 Reconstruction of actions (Dan)
  - Reconstructing user activity.
- 12:30 Lunch break (Yorktown cafeteria annex)
- 13:30 Processes (Wietse)
  - Figuring out the purpose of a running program without disturbing it.
- 14:00 Programs (Wietse)
  - Figuring out the purpose of a program file without actually running it.
- 14:30 Network (Dan)
  - Information left behind in the network in the wake of an incident.
- 15:00 Break & refreshments
- 15:30 Advanced UNIX file system (Wietse)
  - Collecting information about removed files, hiding information, and erasing traces.
- 16:00 Lazarus (Dan)
  - Presentation of a novel tool that makes sense out of thrashed files.
- 16:45 Best practices (Dan)
  - What you need at the very least in order to be prepared for an incident.
- 17:00 End of class