Digital Forensics Investigations and Hunting with the Tsurugi Linux Team - Giovanni Rattaro & Marco Giorgi - DCTLV2026

Name of Training: Digital Forensics Investigations and Hunting with the Tsurugi Linux team
Trainer(s): Giovanni Rattaro & Marco Giorgi
Dates: August 10-11, 2026
Time: 8:00 am to 5:00 pm 
Venue: Las Vegas Convention Center
Cost: $2,250 (USD)

Short Summary:

Learn digital forensics and threat hunting directly from the founders and core developers of the Tsurugi Linux project. This two-day hands-on training guides participants through real-world investigations using Tsurugi and other open-source/free tools, covering acquisition, analysis, timeline reconstruction and reporting.

Course Description: 

Delivered directly by the Tsurugi Linux founders and core developers, this intermediate-to-advanced training provides a complete, hands-on journey through digital forensics, incident response and threat hunting.

While Tsurugi Linux is the central investigation platform, the course also incorporates external tools and frameworks not pre-installed in the distribution, ensuring flexibility and adaptability in any forensic environment. Participants will gain in-depth experience with Windows internals, EDR/XDR/NDR validation, artifact correlation, memory and network analysis, and an optional computer vision module (face recognition) based on a K-Nearest Neighbors (KNN) machine learning model.

The training culminates with a CTF-style challenge that simulates a full investigation under time pressure, where students are guided through the scenario and learn by playing.

Course Outline: 

Day 1 - Forensic Foundations & Analysis

  • Training Introduction and presentations
  • What to expect from this training
  • The challenge (explain and work on many different topics in a limited amount of time)
  • How the training has been structured
  • Distribution of USB devices containing a custom Tsurugi Linux VM (special DEF CON edition) with pre-installed tools and exercises, plus an ISO to install it at work/home
  • Setup the lab for the training
  • What is the Tsurugi Linux open source project and how it will be used during the training
    - Tsurugi Linux Lab
    - Tsurugi Acquire
    - Bento
  • Differences between free tools and paid software
  • The “6 phases”
    - Identification
    - Acquisition
    - Chain of custody
    - Preservation
    - Analysis
    - Documentation
  • Acquisition topologies and forensic standards
    - RAW
    - AFF
    - EWF
  • Forensic acquisition
    - The hidden disk areas
    - Write blockers (hardware/software) and dirty file systems
    - Forensic acquisition hard drive/pendrive
  • Forensic image integrity and hashing
  • Filesystem mounting techniques
    - Unencrypted FS
    - Encrypted FS with Bitlocker
  • Data recovery / File carving
  • Fuzzy hashing
  • Metadata Analysis
  • Windows internals for forensics (artifacts and analysis):
    - File system (NTFS)
    - Windows Registry
    - Identify used USB devices
    - Jumplist
    - Prefetch
    - Recent files
    - Event Logs EVT/EVTX

Day 2

  • MAC times
  • Find and rebuild the past activities with the forensic timeline/supertimeline
  • Basics of mobile phone forensics
  • Computer Vision investigations
  • Email analysis
  • Incident Response & Reporting
    - Best practices
    - Standards
    - Tools
  • Play and Learn: Final Workshop in CTF (Capture The Flag) mode
    - Memory dump analysis
    - Image disk (mounting and analysis)
    - PCAP analysis
    - Data recovery
    - Decryption activities
    - (...)
  • Optional Proficiency Exam
  • Exclusive access to the dev ISO and pre-releases, with the possibility to help the project and the worldwide community

Difficulty Level:

Intermediate to Advanced

Intermediate Definition - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.

Advanced Definition - The student is expected to have significant practical experience with the tools and technologies that the training will focus on.

Suggested Prerequisites:

- Basic to intermediate experience with Windows and Linux/UNIX environments
- Familiarity with TCP/IP and networking concepts
- Exposure to security operations, DFIR or SOC workflows
- Comfortable with command-line operations and open-source forensic tools
- Optional pre-work: Review of basic Windows forensic artifacts and system logging concepts

What Students Should Bring:

- Laptop with Intel/AMD CPU, minimum 16 GB RAM and 320 GB free storage
- Virtualization software installed (VirtualBox or VMware)
- Windows Operating System with Administrator rights (installed or virtualized)
- USB Type-A port (unrestricted)
- Administrator rights

What the Trainer Will Provide:

- USB device with the custom Tsurugi Linux DEF CON edition for the training, plus the exercises
- Training materials: documentation and reference sheets
- Access to post-training mailing list for updates and pre-release content

Trainer(s) Bio:

Giovanni Rattaro (primary trainer) is a seasoned cybersecurity expert, currently serving as Senior Customer Success Manager at Vectra AI. He is a former Italian BackTrack Linux ambassador, and he founded and leads the Tsurugi Linux project as its core developer. In his free time, Giovanni has taught cyber-security and Digital Forensics Incident Response (DFIR) courses for 14 years.

As a sought-after speaker, he has shared his expertise many times at numerous international security conferences around the world, such as Black Hat (US, Europe, Asia, MEA / in total 10 times), DEF CON, FIRST Cyber Threat Intelligence Summit, AvTokyo, BOTCONF, CoRI&IN, HackInBo, DFIR212, BarbHACK, BRUCON, SANS DFIR Summit, and others that are more specialized but covered by NDA.

His interests extend beyond cybersecurity to include cyber-threat intelligence investigations, Open-Source Intelligence (OSINT) and the art of interpersonal communication, with a special focus on non-verbal cues.

Marco Giorgi is a Senior Digital Forensics and Incident Response Leader at Tinexta Cyber, where he leads complex investigations into cyber incidents, digital evidence acquisition and threat attribution. With extensive hands-on experience across digital, mobile and memory forensics, Marco specializes in uncovering traces left behind by advanced threat actors and turning raw data into actionable intelligence.

A passionate cyber investigator and open-source advocate, Marco is a co-founder and core team member of the Tsurugi Linux project, a widely recognized DFIR distribution used by professionals worldwide. His contributions focus on tool integration, forensic workflows and ensuring reliability and transparency in investigative environments.

Marco’s interests span malware analysis, threat hunting and deep/dark web intelligence, where he continuously researches new techniques for digital traceability and evidence validation. Known for his pragmatic and hands-on teaching style, Marco combines technical depth with real-world case studies to bridge the gap between theory and field operations.

He regularly collaborates with law enforcement, CERTs and private sector security teams, contributing to improving cyber resilience and investigative methodologies across Europe.

He has shared his expertise as a speaker at numerous international security conferences around the world, such as Black Hat (US, Europe, Asia, MEA / in total 10 times), DEF CON, FIRST Cyber Threat Intelligence Summit, HackInBo, BRUCON and SANS DFIR Summit.

Proficiency Exam Option:

This course has the option for a proficiency certificate add-on.

Those who purchase this option will have an opportunity to take a proficiency evaluation at the end of the training. This exam is designed as a hands-on practical scenario with multiple levels of complexity, where students are assessed not only on their technical results but also on their investigative methodology and overall approach.

The evaluation is integrated with the final workshop/CTF challenge and scoring is based on:
- Investigation strategy & methodology: how effectively you apply forensic processes
- Technical accuracy: the quality of evidence acquisition, analysis and reporting
- Complementary knowledge: short questions covering the key topics addressed throughout the course

A score of 70% or higher is required to earn the official Proficiency Certificate, demonstrating your ability to conduct forensic investigations with confidence and professionalism.

Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.

Registration Terms and Conditions: 

Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.

Between July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.

All trainings are non-refundable after August 5, 2026.

Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.