{"product_id":"digital-forensics-investigations-and-hunting-with-the-tsurugi-linux-team-giovanni-rattaro-marco-giorgi-dctlv2026","title":"Digital Forensics Investigations and Hunting with the Tsurugi Linux Team - Giovanni Rattaro \u0026 Marco Giorgi - DCTLV2026","description":"\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eName of Training\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e Digital Forensics Investigations and Hunting with the Tsurugi Linux team\u003cbr\u003e\u003c\/span\u003e\u003cstrong\u003eTrainer(s)\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e Giovanni Rattaro \u0026amp; Marco Giorgi\u003cbr\u003e\u003c\/span\u003e\u003cstrong\u003eDates\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e August 10-11, 2026\u003cbr\u003e\u003c\/span\u003e\u003cspan\u003e\u003cstrong\u003eTime:\u003c\/strong\u003e 8:00 am to 5:00 pm\u003cbr\u003e\u003c\/span\u003e\u003cstrong\u003eVenue\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e Las Vegas Convention Center\u003cbr\u003e\u003c\/span\u003e\u003cstrong\u003eCost\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e $2,250 (USD)\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eShort Summary:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003eLearn digital forensics and threat hunting directly from the founders and core developers of the Tsurugi Linux project. 
This two-day hands-on training guides participants through real-world investigations using Tsurugi and other open-source\/free tools, covering acquisition, analysis, timeline reconstruction and reporting.\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eCourse Description: \u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003eDelivered directly by the Tsurugi Linux founders and core developers, this intermediate-to-advanced training provides a complete, hands-on journey through digital forensics, incident response and threat hunting.\u003c\/p\u003e\n\u003cp\u003eWhile Tsurugi Linux is the central investigation platform, the course also incorporates external tools and frameworks not pre-installed in the distribution, ensuring flexibility and adaptability in any forensic environment. Participants will gain in-depth experience with Windows internals, EDR\/XDR\/NDR validation, artifact correlation, memory and network analysis, and an optional computer vision module (for face recognition) based on machine learning, leveraging a K-Nearest Neighbors (KNN) model.\u003c\/p\u003e\n\u003cp\u003eThe training culminates in a CTF-style challenge that simulates a full investigation under time pressure, where students are guided and learn by playing during this workshop.\u003c\/p\u003e\n\u003cp\u003e\u003cspan\u003e\u003cstrong\u003eCourse Outline: \u003c\/strong\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp\u003e\u003cstrong\u003eDay 1 - Forensic Foundations \u0026amp; Analysis\u003c\/strong\u003e\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eTraining introduction and presentations\u003c\/li\u003e\n\u003cli\u003eWhat to expect from this training\u003c\/li\u003e\n\u003cli\u003eThe challenge (explain and work on many different topics in a limited amount of time)\u003c\/li\u003e\n\u003cli\u003eHow the training has been structured\u003c\/li\u003e\n\u003cli\u003eDistribution of USB devices with a custom Tsurugi Linux VM (special DEF CON edition) for the training 
with pre-installed tools and exercises, plus an ISO to install it at work\/home!\u003c\/li\u003e\n\u003cli\u003eSet up the lab for the training\u003c\/li\u003e\n\u003cli\u003eWhat the Tsurugi Linux open source project is and how it will be used during the training\n\u003cul\u003e\n\u003cli\u003eTsurugi Linux Lab\u003c\/li\u003e\n\u003cli\u003eTsurugi Acquire\u003c\/li\u003e\n\u003cli\u003eBento\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003eDifferences between free tools and paid software\u003c\/li\u003e\n\u003cli\u003eThe “6 phases”\u003cbr\u003e- Identification\u003cbr\u003e- Acquisition\u003cbr\u003e- Chain of custody\u003cbr\u003e- Preservation\u003cbr\u003e- Analysis\u003cbr\u003e- Documentation\u003c\/li\u003e\n\u003cli\u003eAcquisition formats and forensic standards\u003cbr\u003e- RAW\u003cbr\u003e- AFF\u003cbr\u003e- EWF\u003c\/li\u003e\n\u003cli\u003eForensic acquisition\u003cbr\u003e- The hidden disk areas\u003cbr\u003e- Write blockers (hardware\/software) and dirty file systems\u003cbr\u003e- Forensic acquisition of hard drives\/pendrives\u003c\/li\u003e\n\u003cli\u003eForensic image integrity and hashing\u003c\/li\u003e\n\u003cli\u003eFilesystem mounting techniques\u003cbr\u003e- Unencrypted FS\u003cbr\u003e- Encrypted FS with BitLocker\u003c\/li\u003e\n\u003cli\u003eData recovery \/ file carving\u003c\/li\u003e\n\u003cli\u003eFuzzy hashing\u003c\/li\u003e\n\u003cli\u003eMetadata analysis\u003c\/li\u003e\n\u003cli\u003eWindows internals for forensics (artifacts and analysis):\n\u003cul\u003e\n\u003cli\u003eFile system (NTFS)\u003c\/li\u003e\n\u003cli\u003eWindows Registry\u003c\/li\u003e\n\u003cli\u003eIdentifying used USB devices\u003c\/li\u003e\n\u003cli\u003eJump Lists\u003c\/li\u003e\n\u003cli\u003ePrefetch\u003c\/li\u003e\n\u003cli\u003eRecent files\u003c\/li\u003e\n\u003cli\u003eEvent logs (EVT\/EVTX)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e\u003cstrong\u003eDay 
2\u003c\/strong\u003e\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eMAC times\u003c\/li\u003e\n\u003cli\u003eFind and rebuild past activities with the forensic timeline\/supertimeline\u003c\/li\u003e\n\u003cli\u003eBasics of mobile phone forensics\u003c\/li\u003e\n\u003cli\u003eComputer vision investigations\u003c\/li\u003e\n\u003cli\u003eEmail analysis\u003c\/li\u003e\n\u003cli\u003eIncident Response \u0026amp; Reporting\u003cbr\u003e- Best practices\u003cbr\u003e- Standards\u003cbr\u003e- Tools\u003c\/li\u003e\n\u003cli\u003ePlay and Learn: Final Workshop in CTF (Capture The Flag) mode\u003cbr\u003e- Memory dump analysis\u003cbr\u003e- Disk image (mounting and analysis)\u003cbr\u003e- PCAP analysis\u003cbr\u003e- Data recovery\u003cbr\u003e- Decryption activities\u003cbr\u003e- (...)\u003c\/li\u003e\n\u003cli\u003eOptional Proficiency Exam\u003c\/li\u003e\n\u003cli\u003eExclusive access to dev ISOs and pre-releases, with the possibility to help the project and the worldwide community...\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDifficulty Level:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003eIntermediate to Advanced\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eIntermediate Definition - The student has education and some experience in the field and familiarity with the topic being presented. 
The student has foundational knowledge that the course will leverage to provide practical skills on the topic.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eAdvanced Definition - The student is expected to have significant practical experience with the tools and technologies that the training will focus on.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eSuggested Prerequisites:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e- Basic to intermediate experience with Windows and Linux\/UNIX environments\u003cbr\u003e- Familiarity with TCP\/IP and networking concepts\u003cbr\u003e- Exposure to security operations, DFIR or SOC workflows\u003cbr\u003e- Comfort with command-line operations and open-source forensic tools\u003cbr\u003e- Optional pre-work: review of basic Windows forensic artifacts and system logging concepts\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eWhat Students Should Bring: \u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e- Laptop with an Intel\/AMD CPU, minimum 16 GB RAM and 320 GB free storage\u003cbr\u003e- Virtualization software installed (VirtualBox or VMware)\u003cbr\u003e- Windows Operating System with Administrator rights (installed or virtualized)\u003cbr\u003e- USB Type-A port (unrestricted)\u003cbr\u003e- Administrator rights\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eWhat the Trainer Will Provide:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003e- USB device with the custom Tsurugi Linux DEF CON edition for the training plus different exercises\u003cbr\u003e- Training materials: documentation and reference sheets\u003cbr\u003e- Access to the post-training mailing list for updates and pre-release content\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eTrainer(s) Bio:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eGiovanni Rattaro \u003c\/strong\u003e(primary trainer) is a seasoned cybersecurity 
expert, currently serving as Senior Customer Success Manager at Vectra AI. He is also a former Italian BackTrack Linux ambassador and founded and has led the Tsurugi Linux project as its core developer. In his free time, Giovanni has taught cybersecurity and Digital Forensics and Incident Response (DFIR) courses for 14 years.\u003c\/p\u003e\n\u003cp\u003eAs a sought-after speaker, he has shared his expertise many times at numerous international security conferences around the world, such as Black Hat (US, Europe, Asia, MEA \/ in total 10 times), DEF CON, FIRST Cyber Threat Intelligence Summit, AvTokyo, BOTCONF, CoRI\u0026amp;IN, HackInBo, DFIR212, BarbHACK, BRUCON, SANS DFIR Summit and other more specialized events covered by NDA.\u003c\/p\u003e\n\u003cp\u003eHis interests extend beyond cybersecurity to include cyber-threat intelligence investigations, Open-Source Intelligence (OSINT) and the art of interpersonal communication, with a special focus on non-verbal cues.\u003c\/p\u003e\n\u003cp\u003e\u003cstrong\u003eMarco Giorgi\u003c\/strong\u003e is a Senior Digital Forensics and Incident Response Leader at Tinexta Cyber, where he leads complex investigations into cyber incidents, digital evidence acquisition and threat attribution. With extensive hands-on experience across digital, mobile and memory forensics, Marco specializes in uncovering traces left behind by advanced threat actors and turning raw data into actionable intelligence.\u003c\/p\u003e\n\u003cp\u003eA passionate cyber investigator and open-source advocate, Marco is a co-founder and core team member of the Tsurugi Linux project, a widely recognized DFIR distribution used by professionals worldwide. 
His contributions focus on tool integration, forensic workflows and ensuring reliability and transparency in investigative environments.\u003c\/p\u003e\n\u003cp\u003eMarco’s interests span malware analysis, threat hunting and deep\/dark web intelligence, where he continuously researches new techniques for digital traceability and evidence validation. Known for his pragmatic and hands-on teaching style, Marco combines technical depth with real-world case studies to bridge the gap between theory and field operations.\u003c\/p\u003e\n\u003cp\u003eHe regularly collaborates with law enforcement, CERTs and private-sector security teams, contributing to improving cyber resilience and investigative methodologies across Europe.\u003c\/p\u003e\n\u003cp\u003eHe has shared his expertise as a speaker at numerous international security conferences around the world, such as Black Hat (US, Europe, Asia, MEA \/ in total 10 times), DEF CON, FIRST Cyber Threat Intelligence Summit, HackInBo, BRUCON and SANS DFIR Summit.\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eProficiency Exam Option:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003eThis course has the option for a proficiency certificate add-on.\u003c\/p\u003e\n\u003cp\u003eThose who purchase this option will have an opportunity to take a proficiency evaluation at the end of the training. 
This exam is designed as a hands-on practical scenario with multiple levels of complexity, where students are assessed not only on their technical results but also on their investigative methodology and overall approach.\u003c\/p\u003e\n\u003cp\u003eThe evaluation is integrated with the final workshop\/CTF challenge and scoring is based on:\u003cbr\u003e- Investigation strategy \u0026amp; methodology: how effectively you apply forensic processes\u003cbr\u003e- Technical accuracy: the quality of evidence acquisition, analysis and reporting\u003cbr\u003e- Complementary knowledge: short questions covering the key topics addressed throughout the course\u003c\/p\u003e\n\u003cp\u003eA score of 70% or higher is required to earn the official Proficiency Certificate, demonstrating your ability to conduct forensic investigations with confidence and professionalism.\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003ePlease reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eRegistration Terms and Conditions: \u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eTrainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eBetween July 11, 2026 and August 5, 2026, partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eAll trainings are non-refundable after August 5, 2026.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eTraining tickets may be transferred to another student. 
Please email us at training@defcon.org for specifics.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eIf a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eFailure to attend the training without prior written notification will be considered a no-show. No refund will be given.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eDEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eBy purchasing this ticket you agree to abide by the \u003c\/span\u003e\u003ca href=\"https:\/\/defcon.org\/html\/links\/dc-code-of-conduct.html\"\u003e\u003cspan\u003eDEF CON Training Code of Conduct\u003c\/span\u003e\u003c\/a\u003e\u003cspan\u003e and the registration terms and conditions listed above.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eSeveral breaks will be included throughout the day. 
Please note that food is not included.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eAll courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.\u003c\/span\u003e\u003c\/p\u003e","brand":"Las Vegas 2026","offers":[{"title":"Course only - Aug 10-11","offer_id":47691803295962,"sku":null,"price":2250.0,"currency_code":"USD","in_stock":true},{"title":"Course + Proficiency Exam - Aug 10-11","offer_id":47691803328730,"sku":null,"price":2550.0,"currency_code":"USD","in_stock":true}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0629\/2088\/4442\/files\/Image-1.jpg?v=1752774846","url":"https:\/\/training.defcon.org\/products\/digital-forensics-investigations-and-hunting-with-the-tsurugi-linux-team-giovanni-rattaro-marco-giorgi-dctlv2026","provider":"defcontrainings","version":"1.0","type":"link"}