BTL1 Certification – My Experience

Since a lot of people is contacting me to know more about the Security Blue Team‘s Blue Team Level 1 course, I decided to write a blog post about it.

I will talk about the course in general and the exam (but don’t celebrate too soon, I won’t spoil anything!).

Course Content

The course is divided into 6 sections:
• Security Fundamentals
• Phishing Analysis
• Threat Intelligence
• Digital Forensics
• Security Information and Event Management
• Incident Response

Obviously, you can find every kind of information on their website.

It’s great for beginners but I know there are a lot of professionals who attended it, probably because it starts from the basics to achieve something more in-depth. And also, it gives you a complete overview of the security field.

The material is all written, no videos (except for some practical parts) and you can browse through sections the way you want (i.e. you can start with the Digital Forensics module and then move on to Phishing Analysis) but to complete each domain you have to pass all quizzes with a minimum score of 70%.

Theory is always followed by practice. You will need a Kali Virtual Machine and if you don’t already have it, they will guide you step-by-step through the installation.

And don’t worry: you’re not left alone. They set up a Discord server for students, where you can ask for clarifications, help or just discuss about security topics. I highly suggest to join it because sometimes it can be essential.

The time needed to complete the course depends on many factors. Personally, it took me 3 months, with graduation and a 2 weeks pause in the middle.


The main advice is: DO NOT UNDERESTIMATE IT!

It’s not impossible but not easy either. So be sure to have fully understood everything, you can use your notes and they will give you all the necessary instructions to browse through the exam environment.

Take your time to do it, take notes and screenshots because they will be essential when writing the report, especially if you do it when the limited time for the lab is reached.

Said that, if you’re enrolled (or will be), enjoy it and good luck 🙂

Amazon Kindle and its Experimental Browser: the Start of a Forensic Analysis

This Christmas, I received a Kindle as gift.

As usual, I started exploring the device content and.. surprise! There’s an experimental browser and I wasn’t expecting it!

My enthusiasm lasted until I found out it’s not a new feature: it’s called experimental but it has been around for 10 years! I didn’t give up and decided to take a look by myself anyway.

SPOILER #1: it’s very simple.
SPOILER #2: I didn’t limit to the browser.

The Device

This model is a Kindle (10th Generation).
The model number, found in the back, is J9G29R.

Reading the “Device Info” section you can also retrieve:
• MAC Adress
• Serial Number
• Network Capability
• Firmware
• Space Available

It supports different document formats such as: AZW3, AZW, TXT, PDF, HTML, DOC, DOCX, JPEG, GIF, PNG.

The Web Browser

Your Kindle includes an experimental web browser that enables you to surf the web and view most Amazon web pages. The Experimental Web Browser supports JavaScript, SSL, and cookies, but does not support media plug-ins. You must have a Wi-Fi connection to access most websites.

Kindle User Guide – HTML

First: which kind of web browser are we talking about? It’s hard to find official information about it, but looks like it’s called experimental because they haven’t decided to perfect it yet.

According to Wikipedia, it uses NetFront (the same used for Wii U, PlayStation 3, Nintendo 3DS, and many others) based on WebKit.

To find out more, I tried to visit

and did a second check with user agent string:

At least we now know the version.

Acquisition and Analysis

I used FTK Imager ( to perform a physical acquisition of the Kindle Internal Storage USB Device [6GB USB] drive and Autopsy (4.17.0) to analyze it.

According to the only research I found about the Kindle, Kindle Forensics & Analysis, which is from 2011 so assuming partitioning hasn’t changed, this should be the “user file system”.

Once the image has been extracted and imported on Autopsy, this is what you see:

The most interesting folders are:
• /.active_content_sandbox
• /audible [that I won’t examine since I don’t have audiobooks yet]
• /documents
• /system

  • ./active_content_sandbox

It contains information about the web browser and the store.


First, I analyzed the file__0.localstorage located at /.active_content_sandobox/browser/resource/LocalStorage/ .

To take a better look at its content, I exported the file as CSV.

As you can see it’s made up of 4 rows, each containing a key and a value in JSON format.
I exported the JSONs to make them more readble with indentation. Let’s examine them one by one:


Each JSON object corresponds to a bookmark and is composed only by name and URL.


Regarding the settings, I found a correspondence with just 2 of them: JavaScript and Images. There is no trace of the orientation, not even in the general settings.


As the name suggests, this is the last URL visited by the user. In fact, it matches with my browser history:


Once again, each JSON object corresponds to a visited URL and this time there’s also a timestamp, a Unix timestamp.

Converting the timestamp with Epoch Converter, I noticed a discrepancy: my timezone is GMT+1 and the Kindle is synchronized with it, but in the history page the timestamp (in GMT) is not converted.

I did a quick test to validate it: I changed the Kindle’s time to send it back 6 hours (you have to do it manually) to set EST time and used the browser. When I opened the history, I found again the GMT time.


Located at /.active_content_sandbox/store/resource/LocalStorage there’s a file named [the name varies based on the user location] which refers to the Kindle’s store.

It’s very similar to the previous one but it’s more dense, even if I only made few searches and one purchase using the Kindle.

As I did before, I exported to CSV.

The first thing that you encounter is the user ID related to the Amazon account:

Then, there is an entry (both index and cache) for every single character written in the search bar, because of keyword suggestions:

Regarding the purchase, you can find the following information:
• date and time of the purchase
• price and currency
• book title
• transaction mode
• user’s first name

And you can do it by watching its index entry…

… and its cache entry

  • /documents

This is the folder that contains downloaded items (both stored in the Kindle Library and deleted).

One interesting thing that you can see here is when an ebook was downloaded (which may differ from the time of purchasing: once you buy the book you have to download it to put it in your library, and sometimes users don’t to it immediately) .

To do it, open the AssetDownloadMetadata.meta file contained in every item’s folder and look for the value of “Last-Downloaded“.
For example, this is the timestamp of the book I purchased and downloaded immediately:

I bought the book at 11:03:48 (GMT+1) and downloaded it at 11:03:59 (GMT+1).

  • /system

I found interesting 3 of its subfolders:
– documents/startactions/images
– documents/thumbnails
– documents/vocabulary

startactions/images and thumbnails

Contains all the preview images of the books shown on the homepage, that are the recommended books and the ones you’re reading or just finished.

“thumbnails” is very similar (in my case identical) but it contains only images of the books in the Library.


The table WORDS of the database vocab.db, stores all the words whose meaning the user searched for, with a timestamp.


I’m aware this is a limited analysis, and I’m sure this could be the start for something more in-depth. The information retrieved is however interesting:
• browser history and bookmarks;
• store searches;
• store purchases (price, title, date and time);
• use of the vocabulary (what and when);
• books read.

In its simplicity, I hope it arouse your curiosity.