 
Digital Forensics Investigations with the Tsurugi Linux Team - Giovanni & Marco - DCTAC2025
Name of Training: Digital Forensics Investigations with the Tsurugi Linux Team
Trainer(s): Giovanni Rattaro and Marco Giorgi
Dates: November 3-4, 2025
Time: 8:00 am to 5:00 pm
Venue: Exhibition World Bahrain
Cost: $2,200
Course Description:
As cyber threats grow in scale and complexity, the ability to rapidly detect, investigate, and respond to incidents is essential for security professionals. This two-day intensive training is designed to equip participants with the core skills of Digital Forensics and Incident Response (DFIR), focusing primarily on Windows-based systems and leveraging the power of Tsurugi Linux and other freely available tools.
Delivered through a fast-paced mix of theory, hands-on labs, and real-world scenarios, this course provides a deep dive into each phase of a forensic investigation—from evidence acquisition to analysis, timeline reconstruction, reporting, and response.
Topics covered include:
- Understanding the Tsurugi Linux project, including Tsurugi Acquire and Bento
- Acquisition formats (RAW, AFF, EWF) and forensic standards
- Hidden disk areas, hashing, write blockers and image integrity
- Mounting encrypted and unencrypted file systems (BitLocker included)
- Windows artifact analysis: NTFS, Registry, USB history, Jumplists, Prefetch, Event Logs, and more
- Memory acquisition and triage
- Network traffic analysis (PCAP)
- Email and metadata analysis
- File carving and data recovery
- Mobile device forensics basics
- Introduction to computer vision techniques in investigations
- Timeline and supertimeline creation
- Incident handling and response best practices
- Final Capture the Flag (CTF) challenge to apply what was learned
Whether you're part of a SOC, a forensic team, or responsible for handling security incidents, this training will give you the hands-on expertise and confidence to approach forensic cases with the right methodology, tools, and mindset.
Course Outline:
- Training Introduction
  - Who we are
  - What to expect from this training
  - The challenge (explain and work on many different topics in a limited amount of time)
  - How the training has been structured
- What is the Tsurugi Linux open source project?
  - Tsurugi Linux Lab
  - Tsurugi Acquire
  - Bento
- Differences between free tools and paid software
- Distribution of USB gadgets with custom Tsurugi Linux edition for the training
- VM with pre-installed tools + exercises and ISO to install it at work/home!
- The “6 phases”
  - Identification
  - Acquisition
  - Chain of custody
  - Preservation
  - Analysis
  - Documentation
- Acquisition topologies and forensic standards
  - RAW
  - AFF
  - EWF
- Forensic acquisition
  - The hidden disk areas
    - Host Protected Area (HPA)
    - Device Configuration Overlay (DCO)
  - Write blockers (hardware/software) and dirty file systems
  - Forensic acquisition of hard drive/pendrive (FTK Imager / Tsurugi Linux)
  - Tools
- Forensic image integrity and hashing
- Filesystem mounting (using FTK and CLI on Tsurugi Linux)
  - Unencrypted FS
  - Encrypted FS with BitLocker
- Main Windows artifacts and analysis:
  - File system (NTFS)
  - Windows Registry
  - Used USB devices
  - Jumplist
  - Prefetch
  - Recent files
  - Event Logs EVT/EVTX
  - Memory acquisition and analysis
  - PCAP analysis
- Autopsy
- Email analysis
- Metadata analysis
Day 2
- Find and rebuild past activities with the forensic timeline/supertimeline
- Data recovery / File carving
- Basics of mobile phone forensics
- Computer Vision investigations
- Incident response: incident handling
  - Reporting
    - Best practices
    - Standards
    - Tools
- Final Workshop in CTF (Capture The Flag) mode
- Training Mailing List (to get access to dev ISOs, pre-release builds, etc.)
Difficulty Level:
Intermediate
Suggested Prerequisites:
Students must have basic familiarity with the Windows OS and with the Linux/UNIX command-line, TCP/IP, and networking concepts and terminology, as well as a willingness to quickly start learning and using new tools.
What Students Should Bring:
- Laptop with an Intel/AMD CPU, at least 16 GB RAM and 320 GB of free disk space
- Virtualization software installed: VirtualBox or VMware
- Windows operating system with Administrator rights (installed natively or in a VM)
- USB type-A port (no restrictions should be present)
What Students Should Bring:
USB (type-A) containing a custom Virtual Machine ISO and lab data
Trainer(s) Bio:
Giovanni is a seasoned cybersecurity expert, currently serving as Senior Customer Success Manager at Vectra AI. He is also a former Italian BackTrack Linux ambassador, and he founded and leads the Tsurugi Linux project as its core developer. In his free time, Giovanni teaches Digital Forensics and Incident Response (DFIR) courses. As a sought-after speaker, he has shared his expertise at numerous international security conferences. His interests extend beyond cybersecurity to include cyber-threat intelligence investigations, Open-Source Intelligence (OSINT), and the art of interpersonal communication – with a special focus on non-verbal cues.
Marco is a Digital Forensics Leader and Incident Response Senior Analyst at Tinexta Cyber. He is a digital forensics expert with interests in mobile forensics, malware analysis, security and the deep/dark web, and a co-founder and core team member of the Tsurugi Linux project.
Proficiency Exam Option:
This course has the option for a proficiency certificate add-on.
Those who purchase this option will have an opportunity to take a proficiency evaluation at the end of the training. This exam is designed as a hands-on practical scenario with multiple levels of complexity, where students are assessed not only on their technical results but also on their investigative methodology and overall approach.
The evaluation is integrated with the final Capture the Flag (CTF) challenge and scoring is based on:
- Investigation strategy & methodology - how effectively you apply forensic processes
- Technical accuracy - the quality of evidence acquisition, analysis and reporting
- Complementary knowledge - short questions covering the key topics addressed throughout the course
A score of 70% or higher is required to earn the official Proficiency Certificate, demonstrating your ability to conduct forensic investigations with confidence and professionalism.
Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.
Registration Terms and Conditions:
Trainings are refundable before October 2, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after October 2, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.
