A full-spectrum dive into anti-forensics across Windows and Linux (with a tad of macOS, if time permits), centered on real incidents and modern attacker behavior.
The course walks through classic log wiping, deeper filesystem tricks, PowerShell, timestomping, sandbox artifacts, memory-only execution, endpoint solution blind spots, and advanced Linux log manipulation.
Each technique is paired with detection logic, weaknesses in attacker tradecraft, and practical forensic recovery paths. The material emphasizes hands-on analysis, including MFT/SRUM/USN artifacts, ETW traces, VHDX extraction, and /proc-based investigation, and highlights new research and tooling that shape current offensive and defensive strategies.

No slides or video material are publicly available.