Computer Forensics Analysis Class Handouts


On August 6th, 1999, Dan Farmer and Wietse Venema (IBM T.J. Watson Research Center) presented a full-day free class on UNIX computer forensics analysis, sponsored by IBM. The class was attended by an audience of over 200 and was given at the IBM T.J. Watson Research Center near Yorktown Heights (NY).

At the end of the class, official gold Internet Detective badges were handed out to attendees, courtesy of Earthlink Network.


TCT

The Coroner's Toolkit (TCT), described in the class, is available for downloading here.


Class Transparencies

All slides used in presenting the class are below, in postscript and PDF form (the latter require AcroRead 4.0 from adobe to read; thanks to Simson Garfinkle for creating them.) The PS files were created with MS Power Point (e.g. those done by Dan) require a PostScript level 3 printer: old printers and old GHOSTVIEW versions have problems. The files created with XFIG (e.g. those created by Wietse) are actually a concatenation of many little files. They will not display properly if your viewer expects embedded pagination information. In order to view, try, for example:

cat file.ps | ghostview -landscape -

This material amounts to 215 pages, so you can save a tree by printing double sided - or, better yet, print out the six-to-a-page version created by Dave Dittrich which compacts them by a considerable amount, and remains very easy to read.

A gzip'd tar file containing all the ps files, six to a page - recommended!
A gzip'd tar file containing all the ps & pdf files
Gzip'd tar file containing all the pdf files
Gzip'd tar file containing all the ps files


Individual Files and Summaries