Incident Response and Forensics in a Linux Environment

It is a scenario that most system administrators recognize. Responsibility for a legacy system is thrust upon you, with little documentation or time for familiarization. Bad things happen, and you are expected to quickly bring the system back into service. You know how it goes.

In this course, the participants get full root access to a number of Linux systems, running more or less familiar services. Working in teams during two intense days of hands-on, tournament-style exercises, their task is to defend against and analyze realistic attacks of increasing sophistication, while keeping their systems up and running. The teams are scored on their performance, and the winning team will be celebrated as the most l33t admins. There may even be prizes.

The teams will not be totally unprepared, though, as the course starts with a high-speed, high-density introduction to incident response and battlefield forensics. The focus is on fully understanding what happened in an incident, so that the system can quickly be brought back into secure service.

This course draws on the lecturer's 15 years of experience in IT security in complex environments to deliver an up-to-date, hands-on, and, above all, fun training.

What do previous participants say?

"I can warmly recommend the Incident Response and Forensics Game from Nixon Security to all serious research sites, it really gives a boost to the skills and motivation of your system admins. And the game is fun too." Urpo Kaila, Head of Security, CSC - IT Center for Science/Security Officer, EUDAT.

"The feedback from our system administrators has been exceptional and the course was clearly excellent. From the comments received, you are obviously very knowledgeable on the subject of computer security and were able to communicate the information very clearly. The course was well structured and has been of great benefit to our community." Prof. D.I. Britton, GridPP Project Leader


This course targets experienced system administrators who are comfortable in running Linux systems.

To be able to fully participate, you should be able to confidently say "yes" to at least half of these items:

  • You know at least three ways to list all running processes
  • You can read and more-or-less understand scripts even when you don't really know the language they are written in
  • You know how to configure a local firewall
  • You can explain how the CGI interface in a web server works
  • You know what ARP, DHCP, PHP, BIND and ELF are
  • You can explain the difference between exec() and fork()

Also, you are expected to be able to use OpenSSH keys.
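The first self-check item is also the one that matters most on a compromised box: the process list you are shown is only as honest as the tool producing it. As an added illustration (not part of the course material), the POSIX shell script below enumerates processes three independent ways, via ps(1), via a shell glob over /proc, and via kill -0 probing, and reports PIDs that appear in one view but not another. The PID ceiling of 32768 in the probe loop and the --live switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: three independent process enumerations, cross-checked.
# A userland rootkit typically trojans ps(1) or filters readdir() through
# LD_PRELOAD; that hides a process from one view but rarely from all three.
# PIDs present in one list and missing from another deserve a closer look.

# View 1: ps(1). The first thing an admin runs, and the first thing an intruder tampers with.
pids_ps() {
  ps -eo pid= 2>/dev/null | tr -d ' ' | sort -n | uniq
}

# View 2: walk /proc with the shell's own globbing; no external binary involved.
pids_proc() {
  for d in /proc/[0-9]*; do
    [ -d "$d" ] && echo "${d#/proc/}"
  done | sort -n | uniq
}

# View 3: ask the kernel directly with kill -0; neither ps nor /proc is consulted.
# Run as root: for another user's process kill -0 fails with EPERM and the PID
# would be missed. The 32768 ceiling is an assumption for this example; read
# /proc/sys/kernel/pid_max on the target, remembering that a shell loop over
# millions of PIDs is slow.
pids_kill() {
  max=${1:-32768}
  i=1
  while [ "$i" -le "$max" ]; do
    kill -0 "$i" 2>/dev/null && echo "$i"
    i=$((i + 1))
  done
}

# Print every PID that appears in the reference list ($2) but not in the
# suspect list ($1). Both are newline-separated lists as produced above.
missing_from() {
  printf '%s\n' "$2" | awk -v seen="$1" '
    BEGIN { n = split(seen, ids, "\n"); for (i = 1; i <= n; i++) have[ids[i]] = 1 }
    NF && !($1 in have)'
}

# Take the snapshots back to back and report the differences. Expect some noise
# from processes that started or exited between snapshots (the ps/tr/sort
# pipeline itself appears in view 1 and is gone by view 2): run the audit twice
# and chase only the PIDs that persist. kill -0 also answers for thread IDs of
# multi-threaded processes, so check Tgid in /proc/<id>/status before calling
# such an ID hidden.
audit_processes() {
  v_ps=$(pids_ps)
  v_proc=$(pids_proc)
  v_kill=$(pids_kill)
  echo "== in /proc but not in ps (trojaned ps or LD_PRELOAD rootkit):"
  missing_from "$v_ps" "$v_proc"
  echo "== answering kill -0 but absent from /proc (hidden /proc entry, or a TID):"
  missing_from "$v_proc" "$v_kill"
}

# Live audit only on request; sourcing the file just defines the functions.
if [ "${1:-}" = "--live" ]; then
  audit_processes
fi
```

Run it as root with `sh procs.sh --live` on the box under investigation, ideally from a known-good shell and with the binaries it calls (ps, tr, sort, awk) copied in from trusted media, since a trojaned awk can hide a PID as easily as a trojaned ps.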


Please contact us for more information about hosting a training event for your organization. We offer competitive pricing, with special rates for academia.