The SANS Digital Forensic Incident Response Summit in Austin ROCKED! Rob Lee and all the SANS folks put on an awesome show.
- Conducting APT investigations requires "outside of the box" thinkers and 508 framed that picture well with a cutting edge curriculum. For instance, you learn necessities that are not even in commercial products yet, such as Volume Shadow Copies. How are you going to mount these with EnCase or FTK?
- I have experience teaching and know first hand how difficult it is to create labs. It was obvious that months, if not years, of effort were put into the new 508 lab. Also, having had real world experience conducting APT investigations, I can tell you that the labs are so real it's scary! No joke, 2 weeks later and I am still playing with the lab images provided.
- Speaking of labs, almost every section in the course has a lab associated with it. So not only do you learn about concepts, you get to apply them hands-on. The labs aren't point and click like some other training providers'; these actually require thinking! I was also told that the labs build on each other throughout other SANS courses. For example, the malware you recover in the SANS 508 lab is the same malware you analyze in the SANS 610 - Reverse Engineering class.
- Unlike other classes, where I have always been the first one to finish and solve all the problems, I can honestly say I was challenged in 508 (Yes, Rob Lee, I was paying attention between conference calls :-)). For me, the memory analysis (Volatility and Redline) section was the biggest learning curve. Advanced topics like these can be eye-openers to the fact that there is always room to improve skills and keep learning at any level.
- I was most impressed by how all the section content (e.g. file systems, memory analysis, timeline analysis, etc.) came together. Every investigation starts the same way, or at least should, with an analysis plan. 508 did a great job explaining how and when to use the various tools/methods introduced from a tactical perspective.
- Oh yeah, how can I forget... We also got a copy of F-Response TACTICAL, a 64 GB thumb drive, and the book File System Forensic Analysis... now that is awesome!!
Also, the SANS @ Night presentation by Paul Henry on setting up VMware ESXi on Mac minis was really different and cool. I might have to go buy a few Mac minis now...
In my opinion, the networking and collaboration opportunities alone are worth attending for. By all means I have some good friends at home in Chicago, but they're not geeks. Sometimes all I want to do is talk DFIR. On that note, I did nothing but talk geek to folks (too many to list) whom I had never met in person before, and to old friends. In fact, I think David Kovar, Tom Yarrish and I collaborated a little too much... we could keep a team of programmers (or maybe just Steve Gibson) busy for the next year with all the great ideas we cooked up. Speaking of Steve Gibson, thanks for being a great local host in your hometown, Austin.
|My Forensic4cast Award!|
I received positive feedback from a blog I posted a few months ago on Intellectual Property theft. So I decided to expand on this topic at Guidance Software's CEIC user conference. Ed Goings, Rick Lutkus, Dave Skidmore, and I organized a panel titled "Investigating Intellectual Property Theft". This turned out fantastic with our combined legal, corporate, and consulting perspectives. In fact, I was shocked we had people standing at the back of the room at 8 AM in Las Vegas. In fact, I wasn't even sure if I would make it ;-) If you would like a copy of the presentation, feel free to contact me.
Chad Tilbury, an AWESOME forensicator and SANS instructor, invited me to speak on his SANS DFIR Summit panel regarding "Building and Maintaining Digital Forensic Labs". I was excited to hear from people, including Ken Johnson, who blogged about it (DFIR SUMMIT - Through the Eyes of a Summit Noob), that they found this presentation valuable.
|A slide from my SANS 360 talks|
Therefore I created a proof of concept front end for log2timeline data output. It allows for easy filtering and reviewing of timeline data. It is coded in Python (cross-platform) with a SQLite database backend and a wx GUI. An example of its use is to aggregate timeline data from multiple hosts into one timeline to see lateral movement.
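The tool above is the author's; what follows is an added example, not the author's code, showing the core idea in a command-line form: per-host log2timeline exports are normalized into one SQLite table so the merged timeline can be filtered by host, account, keyword or time window, and an account's first-seen host sequence can be listed to spot movement between machines. The column set is a simplified subset of the l2t_csv layout (an assumption for this example), and the sample rows, host names and addresses are constructed.

```python
import csv
import io
import sqlite3
from datetime import datetime

# Constructed sample exports from two hosts. The columns are a simplified subset of
# log2timeline's l2t_csv layout (assumed for this example; the real export has more
# columns). "date" is MM/DD/YYYY, which does not sort chronologically as text.
HOST_EXPORTS = {
    "WS-ALPHA": """date,time,timezone,MACB,source,sourcetype,user,host,desc
05/20/2012,13:58:02,UTC,M...,WEBHIST,Chrome,jdoe,WS-ALPHA,Visited http://updates.example.invalid/tool.exe
05/20/2012,14:02:11,UTC,...B,EVT,Security,svc_backup,WS-ALPHA,EventID 4624 logon type 10 from 10.0.0.7
05/20/2012,14:05:40,UTC,...B,FILE,NTFS,svc_backup,WS-ALPHA,Created C:/Windows/Temp/svc.exe
""",
    "FS-01": """date,time,timezone,MACB,source,sourcetype,user,host,desc
05/20/2012,14:09:03,UTC,...B,EVT,Security,svc_backup,FS-01,EventID 4624 logon type 3 from 10.0.0.15
05/20/2012,14:09:05,UTC,...B,EVT,System,svc_backup,FS-01,EventID 7045 new service installed
05/20/2012,16:30:00,UTC,M...,FILE,NTFS,admin,FS-01,Modified D:/Shares/Finance/q2.xlsx
""",
}

SCHEMA = """
CREATE TABLE IF NOT EXISTS events (
    ts TEXT NOT NULL,      -- ISO-8601 UTC timestamp; plain text ORDER BY is chronological
    macb TEXT, source TEXT, sourcetype TEXT, username TEXT, host TEXT, msg TEXT
);
CREATE INDEX IF NOT EXISTS idx_events_ts ON events(ts);
CREATE INDEX IF NOT EXISTS idx_events_host ON events(host);
"""


def open_timeline_db(path=":memory:"):
    """Create (or open) the merged-timeline database and ensure the schema exists."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def to_iso(date_str, time_str):
    """Convert l2t_csv MM/DD/YYYY + HH:MM:SS into a sortable ISO-8601 string."""
    dt = datetime.strptime(f"{date_str} {time_str}", "%m/%d/%Y %H:%M:%S")
    return dt.strftime("%Y-%m-%dT%H:%M:%S")


def load_csv(conn, csv_text, default_host=None):
    """Insert one host's export into the shared table; returns rows loaded."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append((to_iso(r["date"], r["time"]), r["MACB"], r["source"],
                     r["sourcetype"], r["user"], r["host"] or default_host, r["desc"]))
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)


def query(conn, host=None, user=None, keyword=None, start=None, end=None):
    """Filter the merged timeline; every filter is optional and they AND together.
    Returns (ts, host, username, source, msg) tuples in chronological order."""
    sql = "SELECT ts, host, username, source, msg FROM events WHERE 1=1"
    params = []
    if host:
        sql += " AND host = ?"; params.append(host)
    if user:
        sql += " AND username = ?"; params.append(user)
    if keyword:
        sql += " AND msg LIKE ?"; params.append(f"%{keyword}%")
    if start:
        sql += " AND ts >= ?"; params.append(start)
    if end:
        sql += " AND ts <= ?"; params.append(end)
    sql += " ORDER BY ts, host"
    return conn.execute(sql, params).fetchall()


def host_sequence(conn, user):
    """Hosts an account appears on, ordered by first sighting: a quick view of
    where the account went and when, across every loaded host."""
    sql = ("SELECT host, MIN(ts) AS first_seen FROM events "
           "WHERE username = ? GROUP BY host ORDER BY first_seen")
    return conn.execute(sql, (user,)).fetchall()


if __name__ == "__main__":
    db = open_timeline_db()
    for name, text in HOST_EXPORTS.items():
        print(f"loaded {load_csv(db, text, default_host=name)} rows from {name}")
    print("merged timeline for svc_backup:")
    for row in query(db, user="svc_backup"):
        print("  ", *row)
    print("first seen per host:", host_sequence(db, "svc_backup"))
```

Running it prints the two hosts' events interleaved by time, which is what makes the account's hop from the workstation to the file server visible; in a real case the same table would be fed from dozens of exports and the filters would be driven from the GUI rather than keyword arguments.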
Now that my speaking engagement, conference, and training budget has all dried up, I will get back to saving the world one megabyte a day :-)