Chapter 1: First Steps

Phil shows you how to boot a physical USB drive in a virtual box. This allows you to set up a response drive without tying up a machine for hours while you download packages.

Chapter 2: Determining if there was an Incident

Phil shows you what it looks like when you run the initial scan script from Chapter 02. Virtual machine tips and mounting known-good binaries are also covered.

Chapter 3: Live Analysis

Phil shows you how to build the Linux Memory Extractor (LiME), which is used for dumping RAM. Building LiME for a subject whose kernel version matches the forensics workstation, and for one whose kernel version differs, are both covered.

Chapter 4: Creating Images

Phil shows you how to make an image from a physical hard drive that has been removed from a subject system. Software write blocking with udev rules and hardware recommendations are covered in this video.

Chapter 5: Mounting Images

Phil shows you how to mount GUID Partition Table (GPT) based partitions automatically with Python. GPT partitions are reviewed as he walks you through this Python script.

Chapter 6: Analyzing Mounted Images

Phil shows you how to import metadata into MySQL. This allows you to quickly create timelines and perform other tasks that are either slow or not easily doable using standard pre-packaged tools.

Chapter 7: Extended Filesystems

Phil shows you how to find files that have been added to system directories by an attacker regardless of any changes to timestamps. A shell script is used to automate this process.

Chapter 8: Memory Analysis

Phil shows you how to create a Volatility profile. This process is automated with shell scripting.

Chapter 9: Dealing with more Advanced Attackers

Phil shows you how to create a timeline using the metadata that has been imported into MySQL. The more advanced attack is covered in this video.

Chapter 10: Malware

Phil shows you how to use readelf to examine unknown binaries. One of the Xing Yi Quan rootkit binaries is used as an example in this video.