Michael Hamm
CIRCL.LU
Michael Hamm has worked for more than 10 years as Ingenieur-Security in the field of classical Computer and Network Security (Firewall, VPN, AntiVirus) at the research center “Henry Tudor” in Luxembourg.

Since 2010, Michael has worked as an operator and analyst at CIRCL – Computer Incident Response Center Luxembourg where he is working on forensic examinations and incident response.

TUTORIAL (2-day sequence): Post-mortem Forensic Analysis
Technical Level (3 being the highest score): 2*

1.0.1

Forensic analysis is based on the assumption that every action leaves a trace behind, even in IT systems. Finding and understanding these traces is key to discovering and analyzing computer security incidents.

This practically oriented introduction will cover bits and bytes and how to get information out of them, as well as cloning disks in a forensically sound manner and analyzing them beyond partition borders.

What is the purpose of a file system, and how does it do its job? How do FAT and NTFS basically work, and how can you use file attributes to create a timeline? And how do you recover data from outside the file system (deleted data)?

The course comes with many hands-on exercises and live demonstrations.

1.0.2

Forensic analysis is based on the assumption that every action leaves a trace behind, even in IT systems. Finding and understanding these traces is key to discovering and analyzing computer security incidents.

This practically oriented introduction will focus on Windows-oriented systems. We will look into Event Logs, Prefetch files and the Windows Registry, along with the file system timeline. The goal is to analyze

It will quickly cover web browser history and LNK files, and give an introduction to memory analysis.

The course comes with many hands-on exercises and live demonstrations.

Lessons learned in a Forensics Lab
Technical Level (3 being the highest score): 1*

Michael will present some live lessons he learned in a forensics lab at CIRCL. He will modify data on a 'Read Only' mounted USB stick and store persistent data in the HPA of a SATA disk. After seeing how to hide data in an NTFS file system, you may want to review your corporate data exfiltration policies.

*NB. The ratings for these sessions are based on the presenter's personal opinion on the subject matter and are only provided as general guidance.*

Presentation slides can be found HERE

Presentation video can be found HERE