Giovanni & Marco - Digital Forensics Investigations with the Tsurugi Linux Team DCTAC2025

Name of Training: Digital Forensics Investigations with the Tsurugi Linux Team
Trainer(s): Giovanni Rattaro and Marco Giorgi
Dates: November 3-4, 2025
Time: 8:00 am to 5:00 pm
Venue: TBD
Cost: $2,000

Course Description: 

As cyber threats grow in scale and complexity, the ability to rapidly detect, investigate, and respond to incidents is essential for security professionals. This two-day intensive training is designed to equip participants with the core skills of Digital Forensics and Incident Response (DFIR), focusing primarily on Windows-based systems and leveraging the power of Tsurugi Linux and other freely available tools.

Delivered through a fast-paced mix of theory, hands-on labs, and real-world scenarios, this course provides a deep dive into each phase of a forensic investigation—from evidence acquisition to analysis, timeline reconstruction, reporting, and response.

Topics covered include:

  • Understanding the Tsurugi Linux project, including Tsurugi Acquire and Bento
  • Acquisition formats (RAW, AFF, EWF) and forensic standards
  • Hidden disk areas, hashing, write blockers and image integrity
  • Mounting encrypted and unencrypted file systems (BitLocker included)
  • Windows artifact analysis: NTFS, Registry, USB history, Jumplists, Prefetch, Event Logs, and more
  • Memory acquisition and triage
  • Network traffic analysis (PCAP)
  • Email and metadata analysis
  • File carving and data recovery
  • Mobile device forensics basics
  • Introduction to computer vision techniques in investigations
  • Timeline and supertimeline creation
  • Incident handling and response best practices
  • Final Capture the Flag (CTF) challenge to apply what was learned

Whether you're part of a SOC, a forensic team, or responsible for handling security incidents, this training will give you the hands-on expertise and confidence to approach forensic cases with the right methodology, tools, and mindset.

Course Outline: 

  • Training Introduction
    • Who we are
    • What to expect from this training
    • The challenge (explain and work on many different topics in a limited amount of time)
    • How the training has been structured
  • What is the Tsurugi Linux open source project?
    • Tsurugi Linux Lab
    • Tsurugi Acquire
    • Bento
  • Differences between free tools and paid software
  • Distribution of USB gadgets with custom Tsurugi Linux edition for the training
    • VM with pre-installed tools + exercises and ISO to install it at work/home!
  • The “6 phases”
    • Identification
    • Acquisition
    • Chain of custody
    • Preservation
    • Analysis
    • Documentation
  • Acquisition topologies and forensic standards
    • RAW
    • AFF
    • EWF
  • Forensic acquisition
    • The hidden disk areas
      • Host Protected Area (HPA)
      • Device Configuration Overlay (DCO)
    • Write blockers (hardware/software) and dirty file systems
    • Forensic acquisition hard drive/pendrive (FTK Imager / Tsurugi Linux)
    • Tools
  • Forensic images integrity and Hashing
  • Filesystem mounting (using FTK and CLI on Tsurugi Linux)
    • Unencrypted FS
    • Encrypted FS with Bitlocker
  • Main Windows artifacts and analysis:
    • File system (NTFS)
    • Windows Registry
    • Used USB devices
    • Jumplist
    • Prefetch
    • Recent files
    • Event Logs EVT/EVTX
    • Memory acquisition and analysis
    • PCAP analysis
  • Autopsy
  • Emails analysis
  • Metadata Analysis

Day 2

  • Find and rebuild the past activities with the forensic timeline/supertimeline
  • Data recovery / File carving
  • Basics of mobile phone forensics
  • Computer Vision investigations
  • Incident response: incident handling
  • Reporting
    • Best practices
    • Standards
    • Tools
  • Final Workshop in CTF (Capture The Flag) mode
  • Training Mailing List (to get access to dev ISOs, pre-releases, etc.)

Difficulty Level:

Intermediate

Suggested Prerequisites:

Students must have basic familiarity with the Windows OS and with the Linux/UNIX command-line, TCP/IP, and networking concepts and terminology, as well as a willingness to quickly start learning and using new tools.

WHAT STUDENTS SHOULD BRING

  • Notebook with an Intel/AMD CPU, at least 16GB RAM and 320 GB of free HDD space
  • Virtualization software installed: VirtualBOX or VMware
  • Windows Operating System with Administrator rights (Installed or in VM)
  • USB type-A port (no restrictions should be present)

What Students Should Bring: 

USB (type-A) containing a custom Virtual Machine ISO and lab data

Trainer(s) Bio:

Giovanni is a seasoned cybersecurity expert, currently serving as Senior Customer Success Manager at Vectra AI. He is also a former Italian BackTrack Linux ambassador, and he founded and leads the Tsurugi Linux project as its core developer. In his free time, Giovanni teaches Digital Forensics and Incident Response (DFIR) courses. As a sought-after speaker, he has shared his expertise at numerous international security conferences. His interests extend beyond cybersecurity to include cyber-threat intelligence investigations, Open-Source Intelligence (OSINT), and the art of interpersonal communication – with a special focus on non-verbal cues.

Marco is a Digital Forensics Leader and Incident Response Senior Analyst at Tinexta Cyber. He is a digital forensics expert with interests in mobile forensics, malware analysis, security and the deep/dark web, and a co-founder and core team member of the Tsurugi Linux project.

Registration Terms and Conditions: 

Trainings are refundable before October 2, 2025, minus a non-refundable processing fee of $250.

Trainings are non-refundable after October 2, 2025.

Training tickets may be transferred. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions.
