Saturday, July 7, 2012

SANS DFIR Summit, Forensic4cast award, my presentations, now back to work!

The SANS Digital Forensic Incident Response Summit in Austin ROCKED! Rob Lee and all the SANS folks put on an awesome show.

SANS 508

For me it started with the new SANS 508 class. If you haven't seen the advertisements, check out "The APT is already in your network. Time to go hunting -- Learn how in the new training course SANS FOR508". All I can say is it's true. Here are a few reasons why:

  • Conducting APT investigations requires "outside of the box" thinkers, and 508 framed that picture well with a cutting edge curriculum. For instance, you learn necessities that are not even in commercial products yet, such as Volume Shadow Copies. How are you going to mount these with EnCase or FTK??
  • I have experience teaching and know firsthand how difficult it is to create labs. It was obvious that months if not years of effort were put into the new 508 lab. Also, having had real world experience conducting APT investigations, I can tell you that the labs are so real it's scary! No joke, 2 weeks later and I am still playing with the lab images provided.
  • Speaking of labs, almost every section in the course has a lab associated with it. So not only do you learn about concepts, you get to apply them hands on. The labs aren't point and click like some other training providers'; these actually require thinking! I was also told that the labs build on each other throughout other SANS courses. For example, the malware you recover in the SANS 508 lab is the same malware you analyze in the SANS 610 - Reverse Engineering class.
  • Unlike other classes, where I have always been the first one to finish and solve all the problems, I can honestly say I was challenged in 508 (Yes, Rob Lee, I was paying attention between conference calls :-)). For me, the memory analysis (Volatility and Redline) section was the biggest learning curve. Advanced topics like these can be eye-openers to the fact that there is always room to improve skills and keep learning at any level.
  • I was most impressed by how all the section content (e.g. file systems, memory analysis, timeline analysis, etc.) came together. Every investigation starts the same way, or at least should, with an analysis plan. 508 did a great job explaining how and when to use the various tools/methods introduced from a tactical perspective.
  • Oh yeah, how can I forget... We also got a copy of F-Response TACTICAL, a 64 GB thumb drive, and the book File System Forensic Analysis... now that is awesome!!
Overall SANS 508 was an awesome class. I have to give a shout out to Alissa Torres who taught part of the memory analysis section and did a GREAT job. She also gave one of the best presentations at the summit, "Reasons Not to "Stay in Your Lane" as a Digital Forensics Examiner".

Also, the SANS @ Night presentation by Paul Henry on setting up VMware ESXi on Mac minis was really different and cool. I might have to go buy a few Mac minis now...


Now on to the summit part... Having been to a lot of industry conferences, if you are a person who enjoys hard core DFIR and doesn't want to be annoyed by eDiscovery nuisances, the SANS DFIR Summit is the premier place to learn, network and collaborate.

In my opinion, the networking and collaboration opportunities alone are worth attending for. By all means I have some good friends at home in Chicago, but they're not geeks. Sometimes all I want to do is talk DFIR. On that note, I did nothing but talk geek to folks (too many to list) whom I had never met in person before, and to old friends. In fact, I think David Kovar, Tom Yarrish and I collaborated a little too much... we could keep a team of programmers (or maybe just Steve Gibson) busy for the next year with all the great ideas we cooked up. Speaking of Steve Gibson, thanks for being a great local host in your hometown, Austin.

Stemming from a conversation with David Kovar and Rob Lee's panel, if I could give one suggestion for next year, it would be great to have some round table discussions on various topics. For instance, bring representatives from Guidance, AccessData, Internet Evidence Finder, etc. into a room with the community and discuss, in an open forum, how we can standardize things such as timeline outputs, evidence file formats, etc. Alternatively, perhaps have small break-off round table discussions (focus groups) with experts leading them, so you could have, say, Kristinn lead a break-off on log2timeline and have a bunch of fans or interested users talk openly about thoughts, wish list items, challenges, etc.

Oh yeah, if you haven't seen the Closing Remarks for the SANS DFIR Summit, they are a MUST WATCH!!!

Forensic4cast Award

My Forensic4cast Award!
I am happy to announce that I won a Forensic4cast award last week -- for writing "best forensic article of the year". For anyone who is not familiar, the article was titled Digital Forensics Sifting: Cheating Timelines with log2timeline and had an accompanying reference guide that could be downloaded.

Thank you to everyone who voted for me. It's great motivation to continue taking initiative. What's next? Vote "davnads" for prezident!

Also thank you Lee Whitfield for putting this all together!

My DFIR presentations CEIC and SANS

I received positive feedback from a blog I posted a few months ago on Intellectual Property theft. So I decided to expand on this topic at Guidance Software's CEIC user conference. Ed Goings, Rick Lutkus, Dave Skidmore, and I organized a panel titled "Investigating Intellectual Property Theft". This turned out fantastic with our combined legal, corporate, and consulting perspectives. In fact, I was shocked we had people standing at the back of the room at 8 AM in Las Vegas. In fact, I wasn't even sure if I would make it ;-) If you would like a copy of the presentation, feel free to contact me.

Chad Tilbury, an AWESOME forensicator and SANS instructor, invited me to speak on his SANS DFIR Summit panel regarding "Building and Maintaining Digital Forensic Labs". I was excited to hear from people, including Ken Johnson, who blogged about it in "DFIR SUMMIT - Through the Eyes of a Summit Noob", that they found this presentation valuable.

I also gave a SANS 360 talk on the tool I have been developing. This was recorded for viewing and my presentation can be found last (1:06:38 mark). Sorry the sound quality is not so great, and the SANS laptop had technical difficulties (awk!) displaying the embedded video in my presentation. The actual embedded movie can be downloaded as well (there is no sound).

A slide from my SANS 360 talk
More to come on my tool soon -- In summary, if you are not familiar with Kristinn Gudjonsson's log2timeline, a framework for automatic creation of timeline data, it's a "go to" tool for anything DFIR timeline analysis. If you have used the tool, you'll also know that the amount of output for even just one computer can be a tremendous amount of data to review. Also, there is no method specifically designed to review timeline data.

Therefore I created a proof of concept front end for log2timeline data output. It allows for easy filtering and reviewing of timeline data. It is coded in Python (cross-platform) with a SQLite database backend and wx GUI. An example of its use is to aggregate timeline data from multiple hosts into one timeline to see lateral movement.

All SANS Summit presentations can be downloaded.

Now that my speaking engagements, conferences, and training budget are all dried up, I will get back to saving the world one megabyte a day :-)
