Linux Forensics and Incident Handling training at EGI-TF 2013


It is a scenario that most system administrators recognize. Responsibility for a legacy system is thrust upon you, with little documentation or time for familiarization. Bad things happen, and you are expected to quickly bring the system back into service. You know how it goes.

In this course, the participants get full root access to a number of Linux systems, running more or less familiar services. Working in teams during an intense day of hands-on tournament style exercises, their task is to defend against and analyze realistic attacks of increasing sophistication, while keeping their systems up and running. The teams are scored on their performance, and the winning team will be celebrated the most l33t admins. There may even be prizes.

The teams will not be totally unprepared, though, as the course starts with a high speed, high density introduction into incident response and battlefield forensics, where the focus is on fully understanding what happened in an incident, so that the system can quickly be brought back into secure service.

This course draws on the lecturer's 15 years of expericence from IT security in complex environments to deliver an up-to-date, hands-on, and, above all, fun training.

What do previous participants say?

"I can warmly recommend the Incident Response and Forensics Game to all serious research sites, it really gives a boost to the skills and motivation of your system admins. And the game is fun too." Urpo Kaila, Head of Security, CSC - IT Center for Science/Security Officer, EUDAT.

"The feedback from our system administrators has been exceptional and the course was clearly excellent. From the comments received, you are obviously very knowledgeable on the subject of computer security and were able to communicate the information very clearly. The course was well structured and has been of great benefit to our community." Prof. D.I. Britton, GridPP Project Leader


This course targets experienced system administrators who are comfortable in running Linux systems.

To be able to fully participate, you should be able to confidently say "yes" to at least half of these items:

  • You know at least three ways to list all running processes
  • You can read and more-or-less understand scripts even when you don't really know the language they are written in
  • You know how to configure a local firewall
  • You can explain how the CGI interface in a web server works
  • You know what ARP, DHCP, PHP, BIND and ELF are.
  • You can explain the difference between exec() and fork()

Also, you are expected to bring your own laptop. Operating system is largely irrelevant, as long as you are able to use ssh (with OpenSSH keys) to log in to the game systems.


The training is now fully booked. You can still use the link below to register, in which case you will be put on a waiting list.
  • Abel Paz
  • Alejandro Lorca
  • Anders Wäänänen
  • Anjum Ashiq
  • Briongos Pablo
  • Bruce Becker
  • Bruno Rodriguez
  • Christian Soettrup
  • Eduardo Anglada
  • Jones Mike
  • Leif Nixon
  • Miguel Gila
  • Miguel Molowny
  • Oksana Shadura
  • Sven Gabriel
  • Tõnu Raitviir
  • Vanessa Hamar
  • Vincent Brillault
  • Virginia Martin-Rubio
  • Yann meunier
    • 11:00 AM 12:30 PM
      • 11:00 AM
        Welcome and intro 5m
      • 11:05 AM
        Introduction to Quick and Dirty Forensics 1h 25m
    • 12:30 PM 1:30 PM
      Lunch 1h
    • 1:30 PM 3:30 PM
      Hands-on training
      • 1:30 PM
        Introduction to the game environment 15m
      • 1:45 PM
        Hands-on training 1h 45m
    • 3:30 PM 4:00 PM
      Coffee break 30m
    • 4:00 PM 7:00 PM
      Hands-on training
      • 4:00 PM
        Hands-on training 2h 30m
      • 6:30 PM
        Wrap-up 30m