Early thoughts on Cybercon

Anyone can look at my blog articles or my list of certifications and know that I’m a huge fan of SANS trainings. I’ve taken in-person courses and OnDemand courses, but what I had yet to take was a vLive or Simulcast course. I’m currently on my lunch break from Day Three of the SANS 414 (CISSP prep) course at Cybercon and thought I would make a few observations about their online courses.

The cost savings are huge. Costs of hotel and travel can fluctuate wildly but free is always the best option. While I was able to keep the hotel and food costs of my Community course in Phoenix under $1,000 my week at Caesars last September for Network Security was probably closer to $2,000. At Caesars a sandwich wrap, bag of chips and soda for lunch was $20 which is far greater than what I pay my wife for similar fare.

The whole “attend class in your pajamas” thing does indeed rock.

Before the class I felt like “I won’t get to meet the instructor (Eric Conrad) face to face so it won’t feel as real”. There may be a tiny bit of that but the flip side of that coin is I have unparalleled access to the instructor to ask questions. Eric is teaching from an island off the coast of Maine while I’m in the middle of the desert yet somehow he does a remarkable job at creating an intimate feel.

Anytime I attend an in-person SANS training and a fellow student expresses concern about passing the associated certification exam, I always recommend that they acquire the OnDemand version of the course if at all possible. The MP3s are a great resource too, but there is just something about being able to see the instructor explain a concept on a whiteboard that I prefer. With any online course SANS gives you access to all of the course materials for six months after the start date of the course. The ability to go back and listen to your instructor explain a concept again once a course is done and you’re reviewing your material and compiling your index is invaluable.

The software is awesome. I’ve used it to attend a few small webinars but never for a prolonged period of time. It’s easy to use, balances the whiteboard and the chat window and does an unreal job at handling any lag. If you hit a phase where you’re having minor connection issues for whatever reason and your session freezes for a few seconds, when you hear the instructor again you’ll hear him at a sped-up pace similar to hitting the 1.5 speed button on an iPod. This will continue until you’re caught up, at which point the instructor seamlessly goes back to normal speed again. I wish all online video content was done like this.

Quickie review of the SANS 508 course

I just finished the OnDemand version of the SANS FOR508: Advanced Computer Forensic Analysis and Incident Response course and I wanted to write up a quick review of the class.

The 2012 & 2013 version of the 508 course bears little resemblance to the version I took back in 2008. There is still a day on in-depth filesystem analysis and a section on The Sleuth Kit tools, but that is where the similarities end. In 2008 memory analysis consisted of “dump the RAM and run strings on it to see if you find anything interesting.” By contrast the current version of the course has an entire day on memory analysis using Volatility and Redline. There are some amazing people making some amazing advances in this industry.

In addition to the normal books that come with the class the students get a workbook to utilize with the practical exercises. The workbook not only possesses questions that the student should answer but also provides walkthroughs if a student needs a helping hand. Those walkthroughs can prove invaluable when a student is practicing their skills back home after the class is complete. The workbook is a great idea and a nice touch.

Day one is all filesystem talk all the time. If looking at hex makes you seasick, then take a Dramamine before class 🙂. Rob Lee tells a story of an organization’s forensic examiners having stacks of hard drives on their desks. When Rob asked what they were he was told those were the drives that they were unable to acquire data from. Rob said that while some of them were indeed shot, he was able to fix several of them by making manual hex modifications to the drive.

While corrupt master file tables aren’t a daily occurrence for most people, knowledge is never a bad thing, and when the time comes to do something like that it won’t be the first time you’ve seen it. Rob is very honest about his goal for 508: to turn students into the “go to people” in their respective organizations.

Day two is the memory analysis day. The main tools used are Mandiant’s Redline and the Volatility framework. I was aware of the capabilities of memory analysis and had dabbled with it a tiny bit, but this was an excellent overview of the process from start to finish, including hands-on experience with both tools and a good explanation of the pros and cons of each.

While one day won’t give you the depth of knowledge I imagine one would get from the 526 course you will be comfortable with what memory can provide and how to obtain and analyze it.

Day three is timeline day. Those of you who have taken the 408 or read a review of the 408 will know that in that course students start a timeline on day one of the course and add entries to it throughout the week. As a result of this the student becomes familiar with each of the artifacts, what they can demonstrate and how they fit together. Day three of 508 assumes you understand what artifacts like MRU are and jumps straight into how to automatically generate these timelines. Rob jokes that when returning students see how to automate timelines they want to throw stuff at him for making them do them manually in the 408.

One ‘downside’ of the automated timeline approach is that it pulls A LOT of data, so the course spends time showing techniques to analyze and reduce the data. Rob includes a handy dandy Excel spreadsheet which automatically color codes your timeline by the type of user activity it references.

You will finish the day comfortable with generating timelines but your comfort level in analyzing them will be largely dependent on the knowledge you brought into the course from the 408 or relevant experience.

Day four starts off by taking a quick look at obtaining information from the Restore Points in Windows XP and the Volume Shadow Copies in newer versions of Windows. It was more of a “here’s what can be done” than a full day deep dive on the topic, but it’s great information.

Day four then transitions to recovering data using The Sleuth Kit tools and some lesser known tools with some great capabilities. Some of these free tools really can rival and in some areas surpass what is available on the commercial market.

Day five is a two part day. The first part discusses finding malware. There is a little bit of overlap with the FOR610 Reverse Engineering Malware course in this section but it’s really unavoidable and doesn’t detract from either class in the slightest.

The focus of 508 is locating the malware while analyzing it is left to the 610. There’s also a section on investigating hackers. Like all SANS classes the combination of technical knowledge with actual war stories is tough to beat.

The second half of day five is a legal section where they talk about what’s legal, what’s not legal and some of the challenges in dealing with cross-border investigations. Not surprisingly this section is very well done.

Like a lot of SANS courses, day six is the capture the flag day. The 508 version is the Intrusion Forensic Challenge, where you get to put the skills you picked up in the previous five days to the test. If you go to a live class you split up into teams and the team with the best presentation earns SANS Lethal Forensicator coins. I cannot speak about these coins because I want one so badly that I cannot be rational. When the time comes and I finally earn one I will likely squeal and shake my fists uncontrollably for ten seconds.

The 508 is a great course, and the only decision most prospective students have to make is whether to take the 408 first or go straight into the 508. I’ve written about this topic and given my thoughts twice previously, but either way you’ll attend a great course and have a great time.

I attend my first ever online SANS class tomorrow (the 414 at Cybercon), so my next post will likely be some thoughts on that experience.

SANS 508 Compared to 408 Part Two plus a Side of 610

I’ve now had a chance to go through the OnDemand SANS FOR 508 Advanced Computer Forensic Analysis and Incident Response course and feel a little more comfortable comparing it to FOR 408 Computer Forensic Investigations – Windows In-Depth course. I’ve also recently been exposed to the FOR 610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques course content so while this post won’t cover much of the 610 I will talk about how the three courses fit together.

SANS has done a remarkable job of designing the 408, 508 and 610 as courses that stand fine on their own but fit together like pieces of a puzzle. There is virtually no overlap between the 408 and 508 (maybe a very tiny bit in the file system section) and a very small amount of overlap between the 508 and 610 in the memory analysis using Volatility section.

The following hypothetical scenario is my attempt to classify the 408, 508 and 610 to help give others an idea of what each course covers.

You’re a security analyst working for El Paso Widgets LLC and have been asked to examine Bob’s computer for evidence of inappropriate behavior and intellectual property theft. NOW is when you want to have taken the 408. You’ll cover web history analysis, program execution analysis, file activity analysis etc. If I went down to the mall right now and asked 100 people what they thought computer forensics people did they would likely all describe scenarios that the 408 covers.

You find evidence that Bob accessed proprietary information and exfiltrated the data (using a USB drive) in violation of company policy. You also found evidence of inappropriate web browsing and deleted chat history where Bob discusses his actions. Thank you 408!!!! Bob’s employment is terminated and all is right with the world.

Flash forward six months and unbeknownst to you Bob has spent the last six months turning himself into a computer hacker. He knows enough about the company’s personnel, culture and lingo to craft a brilliant spear phishing attempt. He also knows what anti-virus software El Paso Widgets LLC uses and he knows how easy it is to tweak malware in order to keep it hidden from anti-virus. One email and one misguided click later, Bob now has a foothold on El Paso Widgets LLC’s network and nobody has a clue.

Over the next four months El Paso Widgets LLC bids on ten contracts and loses every one of them because their competition always bids 2-3% under their sealed bid. This obviously has a huge impact on their business and management starts to suspect an insider threat is revealing sensitive data from their bidding process.

You are approached by management and asked to examine the network in excruciating detail looking for malware which is avoiding detection from anti-virus. NOW is when you want to have taken 508. You examine several memory dumps and on one system you find a process which is actively hiding itself from normal system monitoring utilities. You perform timeline analysis and determine that the system became infected four months earlier. 508 just made you look like a genius!! El Paso Widgets LLC has no idea why you’re working for them instead of some mega company making triple what they pay you. You go home, brag to your spouse about your insane skills and sleep like a baby.

Your hero status is short-lived, however, as the next morning management asks you to examine the malware to find out what it does and how to defend against it. NOW is when you need 610. 610 will teach you how to analyze the malware’s behavior and code to figure out what it does and help you determine how to locate it and defend against it.

That is an honest assessment of how I see the three courses fitting together. The 508 is not a more advanced version of the 408; it’s a completely different course with completely different objectives.

In the first post on this topic there were some great comments where we discussed whether someone would feel lost taking 508 if they didn’t take 408. As I said back then, if you’ve been doing forensics on Windows boxes for a few years and know MRU, Prefetch, LNK files and the registry like the back of your hand, then 508 may very well be the course for you. You would probably learn some great tips from the 408 course (and get a write blocker), but the course would likely be rounding out your knowledge rather than giving the true SANS ‘drinking from a fire hose’ experience.

If the above paragraph doesn’t apply to you but you still REALLY want to take 508, then go for it, but here’s what may be in store for you.

Day one is a seriously in-depth look at file systems. 408 would help you a bit in this section, but when the hard-core hex starts it will hurt no matter what.

Day two is the memory analysis day. Not having 408 wouldn’t hurt you too badly here, but the instructor may talk about acquiring some things that you’re not familiar with.

Day three would probably be the day you would miss 408 the most. Throughout 408 you do a timeline by hand where you learn about each of the artifacts in great detail. In 508 you spend all day poring over automated timelines looking for anomalies. It would be nice to have a firm grasp of what each of the artifacts means and what normal looks like before you try to identify anomalies.

Day four and day five would have a similar downside to day two. You wouldn’t lose out on any of the “how” that 508 covers, but you might not have the “why” understanding that a lot of your classmates possess.

Hopefully this post helps somebody make an informed decision on deciding between 408 and 508. My next post will likely be a short 508 review but if you have any questions about anything I talked about here ask away and I’ll do my best to answer.

GSEC passed and my 2012-2013 Security-Cert-A-Palooza

I passed the GSEC exam early last week and got my certificate in the mail today. It made me stop and think what a crazy eleven months it’s been.

Last May I was fortunate enough to attend a computer forensics course in Phoenix where we took the CHFI and CCFE tests at the end of the week. Those were my first two computer security certificates and I was hooked. I hadn’t seen my wife in a week and we met up at the Phoenix Comicon (yes my wife and I are that big of nerds) and my wife said that I was “glowing” and that she had never seen me so happy. I realized that I had spent the previous six days either in class or in my room studying yet I was unbelievably happy. It’s amazing how smooth things feel when you’re doing what you should be doing.

I had taken the SANS 508 course back in 2008 and never had a chance to put those skills to use, but now that I had knocked the dust off my forensics skills I was anxious to put myself to the test and try my hand at the GCFA. I passed that last summer and felt fantastic. It was by far my greatest achievement in the field. The week after I took the AccessData ACE exam to round out my forensic skillset.

I decided to start filling in my many knowledge gaps by going through the certificate gauntlet. I knocked out my A+ first and while I was studying for the Net+ I got an opportunity to attend the SANS 504 course. The course was amazing and I studied for that thing like I had never studied before. I passed the test with a 94 and had a much better test experience than I had on the GCFA since I knew how to properly prepare.

I knocked out my Net+ real quick and then decided that I wanted to supplement my GCIH knowledge with some more hands-on hacking knowledge, so I signed up for the attack-secure.com “samurai skills” penetration testing course. In addition to some good videos the course came with 90 days of access to a student network of over two dozen boxes to try to hack. I learned a ton and a lot of the concepts from GCIH made a lot more sense when I was forced to put them to use. A great side benefit to this course was giving me a decent understanding of Linux command line usage.

When I got shell on the final box on the network and got access to the file that I needed to earn my “Attack Secure | Penetration Tester” cert I was very proud. I know the cert is very much an unknown and I’ve got a lot more to learn but it was a step in the right direction.

I went straight from my online hacking course to the SANS 408 Windows Forensic Course in Phoenix and learned a ton about examining Windows systems. Four weeks after that class I attended the 401 course and had a great week, learned a lot and met some great people. Now that I’ve knocked out my GCFE and GSEC certificates I’ve set my sights on the CISSP. I’ll be taking the SANS 414 course in a few weeks and I’ve scheduled my CISSP exam in late May.

In eleven months I obtained a CCFE, CHFI, GCFA, A+, GCIH, Net+, AS|PT, GCFE and GSEC, and hopefully I can add a tenth cert in twelve months by passing my CISSP.

It hasn’t been cheap or easy and there are absolutely times when I feel mentally drained but the feeling I get from knowing what I’m talking about is well worth it.