Digital Forensics Tips

I attended the SANS SEC 503 ‘Intrusion Detection In-Depth’ course at SANS Network Security two months ago and just took the GCIA certification exam yesterday so I thought I’d post a few thoughts on the class and the exam. It’s not a full review but if you have questions feel free to ask and I’ll do my best to answer them. In the past people I respect greatly have told me that I should be able to look at raw tcpdump output and decipher what was going on. I thought this class would help me out quite a bit in this area and I was 100% correct. In fact late on the exam yesterday I caught myself smiling as I worked through a somewhat complicated problem which presented me with a bunch of hex and asked me what was going on. I assure you that I would not have been smiling if I had to answer that question two months ago. I may have very well been the only student in class who had never held a networking job so in addition to learning low level packet skills I picked up a lot of knowledge about ...

I recently finished the OnDemand version of the SANS 542 Web App Penetration Testing and Ethical Hacking course and passed the GIAC Web Application Penetration Tester (GWAPT) exam so I thought I would post a few quick thoughts on the course and exam. It’s more than a little redundant to say a SANS instructor did a great job but Kevin Johnson rocked. I was slightly biased coming in as I talked to him for about 90 seconds last year in Vegas and he was really friendly but even setting that massive amount of personal experience aside Kevin is both incredibly entertaining and a great teacher. I really want to take a class from him in person so I need to keep my eyes peeled for any 642 offerings out west. Mr. Johnson is very upfront about what the class is and isn’t. While there is a full day devoted to exploitation the class is not a collection of “Here’s exploit A, now here’s exploit B…” but rather an overall look at web app pen testing methodology and best practices as a whole. What this ...

June was a fairly busy month as I knocked out my GISP and CEH. The GISP required no extra study on my part as I had just finished my CISSP exam and it’s basically an open book CISSP. The GISP questions were more technical than the CISSP versions which honestly made the test easier. Well, that and the open books 🙂 The CEH is fairly straightforward with a lot of tool specific questions, port related questions and scenarios which test your basic network security knowledge. The CEH was a nice one to get out of the way and the GWAPT should be the next one on my list. I just finished going through the SANS SEC 542 course in the On-Demand format and will now start spending some time with the course exercises and creating my index. If anyone has any specific questions on my GISP or CEH prep please feel free to ask. On another note I recently encountered a Rand McNally GPS unit which no commercial forensic tool I had access to was able to parse. I wrote a small python script which parsed the d...

I’m back from my self-imposed month of silence and am happy to report that I passed my CISSP exam. I allowed for a hair over three weeks from my CISSP boot camp to my test date which seemed very aggressive but doable. What I didn’t count on was an unforeseen incident causing me to miss a week of study time. 4-5 days before my exam I was seriously considering postponing my test but the next available date for the local testing center was over a month away and I didn’t want this test hanging over my head for another month. Thankfully I was able to pass my test with no extensions. Here is a quick overview of how I studied for the exam. Step 1: Bootcamp I choose the SANS 414 course for my CISSP bootcamp. I can’t say how it compares to any other CISSP prep course since I haven’t taken any others but I can say that I enjoyed the class and I passed the test. It’s redundant to say that a SANS instructor did a great job but Eric Conrad and Eric Cole are two of the greatest instructors I’ve eve...

I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS...

I’m a few days late in posting this but last Monday I passed my GCIH exam with a 94. SANS advisory board here I come!!! I watched the course in the On Demand format taught by Ed Skoudis and attended the live training taught by John Strand. It was very time consuming but well worth it to get the material from two world class instructors with different points of view. The key to my high score was taking some great advice from a SANS teaching assistant & mentor named Neal Bridges who encouraged me to make a detailed (mine ended up around 30 pages) index and was kind enough to show me his GSEC index so I had an idea on how to format mine. I’ll write up a blog post soon where I’ll discuss my index and show a few samples.