Lab week 2

18 May 2013

The first week we looked for evidence of hacking on the WidgetCo server image. The attacker's IP led to the dormitory of the student Dmitri, and an image of his computer was acquired. The main focus this week was user artifacts. We had a lecture on the first day and a short walk-through of Thunderbird on the 2nd. We worked in groups, one playing prosecutor and the other defense, with a final presentation on the 4th day.

  • Home directory - Bash history and a lot of plain text configuration files
  • Web browsing (Firefox, Chrome, Epiphany, Konqueror, Opera, Links, many many more). We focused on Firefox: visit log (+ visit count), downloads, cache, cookies, submitted forms. Use of SQLite.
  • E-mail - mbox vs. maildir formats. We looked at Thunderbird. Import the profile to view it (be careful: not while connected to the Internet).
  • Chat logs: Pidgin.
  • SWAP: search for strings, find patterns of different programs.
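As an added example (not part of the lab notes), here is how the Firefox visit log with visit counts can be pulled out of the SQLite history tables. The table and column names (moz_places, moz_historyvisits, PRTime microsecond timestamps) are Firefox's own; the rows are constructed sample data loaded into an in-memory database instead of a real places.sqlite.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows mimicking the moz_places / moz_historyvisits
# tables of a Firefox places.sqlite (schema reduced to the columns used
# here). Timestamps are PRTime: microseconds since the Unix epoch, UTC.
SAMPLE_PLACES = [
    (1, "https://example.test/login", "Login"),
    (2, "https://example.test/download/tool.tar.gz", "tool.tar.gz"),
]
SAMPLE_VISITS = [
    # (visit id, place_id, visit_date in microseconds, visit_type)
    (1, 1, 1368864000000000, 1),  # 2013-05-18 08:00:00 UTC, link
    (2, 1, 1368867600000000, 2),  # 2013-05-18 09:00:00 UTC, typed
    (3, 2, 1368871200000000, 1),  # 2013-05-18 10:00:00 UTC, link
]

def build_sample_db():
    """Create an in-memory database holding the two history tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
    """)
    con.executemany("INSERT INTO moz_places VALUES (?,?,?)", SAMPLE_PLACES)
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)", SAMPLE_VISITS)
    return con

def prtime_to_iso(us):
    """Convert a PRTime microsecond timestamp to an ISO 8601 UTC string."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).isoformat()

def visit_log(con):
    """Return (url, visit_count, first_visit, last_visit) per URL, newest first.

    The count is derived from moz_historyvisits rather than read from
    moz_places.visit_count, so the two can be cross-checked if they differ.
    """
    rows = con.execute("""
        SELECT p.url, COUNT(v.id), MIN(v.visit_date), MAX(v.visit_date)
        FROM moz_places p JOIN moz_historyvisits v ON v.place_id = p.id
        GROUP BY p.id ORDER BY MAX(v.visit_date) DESC
    """).fetchall()
    return [(url, n, prtime_to_iso(first), prtime_to_iso(last))
            for url, n, first, last in rows]

if __name__ == "__main__":
    for entry in visit_log(build_sample_db()):
        print(entry)
```

Against a real profile, open a copy of places.sqlite (never the original) with sqlite3.connect and pass the connection to visit_log.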