SANS SEC 508 - Course Schedule

Here is the schedule for the course. Please read all assignments before each class, so we can discuss the topics and review the hands-on exercises together.

Session 1 - Introduction & Certification Overview

For this class, please just bring your books and materials to class. We will start with introductions. I would like to find out more about each of you. I will be asking you all about your experience in the field and what you expect to get out of this class.

Session 2 - Essentials

Reading: Book 1, pp. 1 - 74

In addition to the reading, please set up the VMWare environment that is described in the first few pages of Book 1, and let me know if you have any issues. In the past, students have usually had the most issues with the networking configuration. Please verify that you can communicate between the Linux Forensic Workstation and your host operating system.

I also recommend that you set up your own VMWare image of Windows even if you are already running that as your host OS. It is easier to run many of the hands-on exercises if you don't have to worry about your corporate anti-virus program, administrator privileges, and sensitive data. Just create a simple Windows XP image with a small disk (4-5 GB) and limited memory so that it is faster to acquire.

If you need a copy of VMWare Workstation for class, you can download an evaluation version that is good for 30 days (Evaluate VMWare Workstation for Windows). You will need at least version 6 of Workstation for the SANS images to work correctly.

We will also work through the exercise in Appendix A of Book 1 together in class. No advance preparation is required.

Session 3 - Filesystem Basics & IR Intro

Reading: Book 1, pp. 75 - 131

During this class, we will start by reviewing the File System Basics, then we will jump right into the Linux File System Basics. We will finish up class by reviewing the Incident Response and Volatile Evidence Collection material. During class, I will demonstrate live acquisition from your RedHat Hacked machine. It should be in a suspended state when you first load it into VMWare.

I also plan to demonstrate the live tools available on the Helix disc, so please bring your copy if you would like to follow along.

Session 4 - IR and Evidence Acquisition

Reading: Book 2-3, pp. 1 - 119

We didn't have time to review the Memory Forensics section last week, so we are going to start with a demo of memory acquisition and analysis during this session. We will also work through several examples of incident response forensic tools such as the lsof and md5sum commands.

I'll also show you how to do drive acquisitions using several different methods. If you would like to bring your hardware acquisition dongle to class, you can follow along with the demo.

Session 5 - Investigation and Media Analysis, and Automated Toolkits

Reading: Book 2-3, pp. 120 - 227

Since we ran out of time on Monday, I am planning to start class on Wednesday by showing you how to image an external drive using your IDE/SATA to USB adapter. We will also review the timeline information you should have gathered from the Hacked RedHat system (Exercise on p. 118 of Book 2-3).

Next we will review some of the most fundamental and critical analysis tools such as file, srch_strings, and grep. We will finish up class with a review of the Sleuthkit and its most popular graphical implementation, Autopsy.

Session 6 - Windows Imaging, and Volatile Evidence Gathering

Reading: Book 2-3, Supplements; Book 4, pp. 1 - 50

We are running a little behind schedule, so I am going to start off class by reviewing a few items we didn't get to last week. We will also quickly go through the Autopsy graphical interface for all the Sleuthkit tools.

Next we will jump right into some examples of performing network forensic analysis for both Linux and Windows. You can find these exercises in Supplement 1 of Book 2-3 and Supplement 1 of Book 4. I'll also demo two tools that can help us extract data from network captures called Investigator and NetworkMiner.

I will only have time to introduce the Windows Challenge today, but we will spend some time reviewing it in class together on Wednesday. Finally, if we have time, I am planning to go through some of the tools we use to gather volatile evidence from Windows systems, such as psexec, pslist, fport, and Windows Forensic Toolchest (WFT).

Session 7 - Windows Media & Artifact Analysis, and Windows Challenge

Reading: Book 4, pp. 51 - 116

Please try to run through the Windows Forensic Challenge on page 7 in Book 4 before class. We will go through the analysis using Autopsy together, but it will benefit you more if you try it first yourself. Remember not to trust anything the metadata tells you. Question everything.

We will also start looking at system artifacts that are specific to Windows systems, such as the registry, the prefetch area, and restore points. Within the registry we will look at the wealth of information that you can glean when you know where to look.

Session 8 - Computer Investigative Law

Reading: Book 5, pp. 1 - 113

This class will be a brief overview of the legal topics from Book 5, but obviously we can't cover everything in 2 hours. If you haven't listened to the MP3s yet, I highly recommend listening to the Day 5 recording before class. We will be reviewing the following topics from the book:

  • Who Can Investigate
  • Data Collection
  • Post-Collection Data Preservation
  • Data Analysis & Report Writing
  • Presentation of Acquired Data in Court

I will also bring in some sample (sanitized) forensic reports, so we can review the format and how you might want to present your evidence and methodology.

Session 9 - Advanced Forensics & Forensic Challenge

Reading: Book 6, pp. 1 - 54

We didn't have time to review the reports on Monday, so we will start by reviewing the two sample reports. Each has a slightly different format and approach.

We will be reviewing Application Footprinting and Fuzzy Hashing in class, and also starting to talk about the setup for the Forensic Challenge. I will also bring in some malware samples so we can do some live analysis in a virtual environment to demonstrate some of the non-programmer malware analysis techniques.

Session 10 - Wrap Up & Forensic Challenge

Reading: Book 6

This is our last session together, so we will spend class time going over the forensic challenge case. Come to class prepared to discuss your findings and methodology.