SANS Security 558 – Network Forensics

I will be using this post to review, day by day, the content of this course whilst I’m over here in Orlando. The course is being led by Jonathan Ham, of jham corp, and co-written by Sherri Davidoff; the two have now converged to form Lake Missoula Group – an independent, vendor-neutral consulting collective. The 558 course focuses on forensic investigations “without the hard drive” – can enough information be gathered through network analysis to make/break a case? Let’s find out!

Day One

I have just arrived back at the hotel room after completing Day 1 of the course. As is customary on SANS courses, much of the day was introductory topics designed to at least help along the folk who may not quite be at the required standard for the rest of the content. However, this usually provides a good refresher for those who work in this field, and today was no different. Jonathan certainly delivered the content with enthusiasm (perhaps a slight understatement!) and gave a fantastic overall picture of some basic tools and techniques. Diving into some hands-on material, we learned tcpdump syntax, BPF techniques, tcpxtract, ngrep and more. Today, at least, felt very similar to 503 – Intrusion Detection In-Depth, and I feel the two courses complement each other incredibly well. One bonus of the 558 course structure is the new addition of the pre-configured (and free) netbooks handed out to students. Having previous experience of spending much of the first day configuring and troubleshooting difficult VMware installs or tools on my own laptop, this method is a truly great solution. Once unboxed and powered up, the whole 45+ class was ready to go with identical tool versions, folder structures and the like. I am certain this could be the way forward for SANS given the falling prices of these netbooks and the added demand for increasingly hands-on training.

Overall the course delivery was, as is expected from SANS, top-notch, and the supporting vendor events and catering were excellent. Being a new course, the material is constantly evolving, but it has the potential to be one of the best courses delivered by SANS for network Intrusion Detection/Forensic specialists. I’m certainly looking forward to day 2!

Day 2

Early finish for day two in order to take advantage of the vendor-sponsored food and (somewhat limited) freebies! Today the course content included much hex-fu (gotta love the hex-fu), carving files and packets from inside ICMP/DNS tunnels. Whilst this wasn’t new to me, I’m sure it was to the majority of the class. What did catch my attention was Jonathan’s reference to the 4th challenge on Forensics Contest, in which we are asked to determine what port scanner was used in the recon attempt, and what results the attacker would see. Interesting…

Overall another great day. If nothing else, it is making me wonder how much obfuscated/tunnelled data I am missing on my sensors, and whether anyone is actually using these methods to get data in/out of my networks. I’m wondering how many false positives I would be getting out of signatures looking for crafted ICMP packets. A good reference for this can be found here.

I’d like to again take this opportunity to rave about the SNIFT kit that comes along with the course; again, it proved its worth today, with all the tools and whatnot working correctly with no issues whatsoever! Roll on day 3 :)

Day 3

So we are past the halfway mark now, boy what a fun day! Who doesn’t love carving files with hex editors! ;) – squid proxy analysis, Snort, all the good network-level fun-ness that is right down my street. I guess I am kinda biased towards content like today’s, however it is always fun to see just what you can find inside all the perimeter devices we have lying around and the logs they contain. One thing I did get out of today was the motivation to finally get on and learn how to write Perl scripts properly. So much can be done with so little effort – I need to upgrade from Bash!

Days 4 & 5

The past two days of the course have been spent introducing us to, and working through, the final case study. One thing that was immediately apparent was the depth Jonathan and Sherri had gone into with this scenario. A very well written case study with twists and turns all over the place! The scenario was very believable and indicative of the real world. Overall, I enjoyed the course, and the structure was great, as it is on most SANS courses.

The course works great alongside the SEC503 Intrusion Detection In-Depth option. I think you can approach the course in two ways, either with your forensic hat or your network defence hat – there is something for both sides.

About Me

Hi. I'm Matt Newham, 23 years old. I'm a network security engineer, specializing in Intrusion Detection.
