Quickie review of the SANS 508 course

I just finished the SANS FOR508: Advanced Computer Forensic Analysis and Incident Response course OnDemand version and I wanted to write up a quick review on the class.

The 2012 & 2013 version of the 508 course bears little resemblance to the version I took back in 2008. There is still a day on in depth filesystem analysis and a section on The Sleuth Kit tools but that is where the similarities end. In 2008 memory analysis consisted of “dump the RAM and run strings on it to see if you find anything interesting.” By contrast the current version of the course has an entire day on memory analysis using Volatility and Redline. There are some amazing people making some amazing advances in this industry.

In addition to the normal books that come with the class the students get a workbook to utilize with the practical exercises. The workbook not only possesses questions that the student should answer but also provides walkthroughs if a student needs a helping hand. Those walkthroughs can prove invaluable when a student is practicing their skills back home after the class is complete. The workbook is a great idea and a nice touch.

Day one is all filesystem talk all the time. If looking at hex makes you seasick than take a Dramamine before class 🙂 . Rob Lee tells a story of an organization’s forensic examiners having stacks of hard drives on their desks. When Rob asked what they were he was told those were the drives that they were unable to acquire data from. Rob said that while some of them were indeed shot, he was able to fix several of them by making manual hex modifications to the drive.

While corrupt master file tables aren’t a daily occurrence for most people knowledge is never a bad thing and when the time comes to do something like that it won’t be the first time you’ve seen it. Rob is very honest about his goal for 508 to turn students into the “go to people” in their respective organizations.

Day two is the memory analysis day. The main tools used are Mandiant’s Redline and the Volatility framework. I was aware of the capabilities of memory analysis and had dabbled with it a tiny bit but this was an excellent overview of the process from start to finish including hands on experience with both tools and a good explanation of the pros and cons of each.

While one day won’t give you the depth of knowledge I imagine one would get from the 526 course you will be comfortable with what memory can provide and how to obtain and analyze it.

Day three is timeline day. Those of you who have taken the 408 or read a review of the 408 will know that in that course students start a timeline on day one of the course and add entries to it throughout the week. As a result of this the student becomes familiar with each of the artifacts, what they can demonstrate and how the fit together. Day three of 508 assumes you understand what artifacts like MRU are and jumps straight into how to automatically generate these timelines. Rob jokes that when returning students see how to automate timelines they want to throw stuff at him for making them do them manually in the 408.

One ‘downside’ of the automated timeline approach is that is pulls A LOT of data so the course spends time showing techniques to analyze and reduce the data. Rob includes a handy dandy excel spreadsheet which automatically color coordinates your timeline by the type of user activity it references.

You will finish the day comfortable with generating timelines but your comfort level in analyzing them will be largely dependent on the knowledge you brought into the course from the 408 or relevant experience.

Day four starts off by taking a quick look at obtaining information from the Restore Points in Windows XP and the Volume Shadow in newer versions of Windows. It was more of a “here’s what can be done” than a full day deep dive on the topic but its great information.

Day four then transitions to recovering data using The Sleuth Kit tools and some lesser known tools with some great capabilities. Some of these free tools really can rival and in some areas surpass what is available on the commercial market.

Day five is a two part day. The first part discusses finding malware. There is a little bit of overlap with the FOR610 Reverse Engineering Malware course in this section but it’s really unavoidable and doesn’t detract from either class in the slightest.

The focus of 508 is locating the malware while analyzing it is left to the 610. There’s also a section on investigating hackers. Like all SANS classes the combination of technical knowledge with actual war stories is tough to beat.

The second half of 508 is a legal day where they talk about what’s legal, what’s not legal and some of the challenges in dealing with cross-border investigations. Not surprisingly this section is very well done.

Like a lot of SANS courses day six is the capture the flag day. The 508 version is the Intrusion Forensic Challenge where you get to put the skills you picked up in the previous five days to the test. If you go to a live class you split up into teams and the team with the best presentation earns SANS lethal forensicator coins. I cannot speak about these coins because I want one so badly that I cannot be rational. When the time comes and I finally earn one I will likely squeal and shake my fists uncontrollably for ten seconds.

The 508 is a great course and the only decision most prospective students have to make is whether or not to take the 408 first or go straight into the 508. I’ve written about this topic and given my thoughts twice previously but either way you’ll attend a great course and have a great time.

I attend my first ever online sans class tomorrow (the 414 at Cybercon) so my next post will likely be some thoughts on that experience.

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more