At the end of the class, official gold Internet Detective badges were handed out to attendees, courtesy of Earthlink.
cat file.ps | ghostview -landscape -
This material amounts to 215 pages, so you can save a tree by printing double sided.
Dan gives a look ahead to the rest of the day, what the class will and won't cover, and discusses basic principles.
Wietse presents a first case, and discusses limitations of computer forensic analysis, the triangle of trust, and the reverse Turing test.
Dan explains what one needs to be aware of when capturing information after an intrusion, what techniques to use, and what mistakes to avoid. Central elements are the Heisenberg principle of computer forensics and the order of volatility.
Wietse reconstructs the course of events from logfiles and from other time-related information. This section is illustrated with a short post-mortem intrusion analysis that Wietse wrote up a couple years ago.
Wietse figures out the purpose of an unknown program that runs on the system, without disturbing it, and without giving it a chance to inflict damage to the system it runs on.
In the middle of the graveyard shift, Wietse figures out the purpose of a program file without actually running it. In this session, Tsutomu Shimumura said: "adb is your friend". Dan replied: "adb is your friend".
Dan discusses what information is left behind in the network in the wake of an incident. It is impossible to erase all traces, but then it can be hard to get that data from providers, telco's, etc.
Wietse goes into the gory details of collecting information about removed files, discusses how to hide information in and in-between files and file systems, and how to erase traces from UNIX file systems.
Dan presents of a novel tool that makes sense out of thrashed files, how it works, why it works, and what its limitations are.
Dan ends the day with a summary of best practices: what you need at the very least in order to be prepared for an incident.