SANS SEC 508 - Discussion
I plan to use this site to post discussion topics related to each session's materials, supplemental resources, and current events relating to our class. I ask that everyone keep their comments professional and related to class. If you don't want to post your question in this public forum, then please send me an email directly or ask me in class.
I am still working on making this part of the site interactive, so check back soon.
Wed, Apr 1, 2009 -- Updated Study Aid for Certification Exam
I have posted two copies of the Book Index that Johnny updated based on the version previous students had compiled. The first is sorted in page order (MS Word file) and the second is alphabetical by topic (MS Word file).
Posted By: Evan Wheeler
Wed, Mar 11, 2009 -- Malware Analysis Tools
Yesterday in class we talked about fuzzy hashing, and I showed you how the ssdeep.exe tool works. If you would like a more detailed analysis of how this technique works, check out these resources:
I also showed you how to use the Sysinternals suite of tools and SysAnalyzer from iDefense to perform malware analysis without having to know anything about programming. Book 6 also has a nice supplemental section at the end which walks you through some of the more technical approaches to malware analysis. Try the following resources for additional information on the art of malware analysis:
I also briefly mentioned Image Mount Pro and Virtual Forensic Computing (VFC) for Windows. These are excellent tools that let you mount a disk image in Windows like we have been doing on our Linux workstation, and VFC allows you to boot a disk image using VMware Player.
Posted By: Evan Wheeler
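To see why a fuzzy hash still matches after a file has been edited while MD5 does not, here is a simplified context-triggered piecewise hash in the style of ssdeep. This is added teaching code, not ssdeep's actual algorithm or output format, and the log lines it hashes are constructed for the example.

```python
"""Illustrative context-triggered piecewise hashing (the idea behind ssdeep).
Simplified teaching code, not ssdeep's real algorithm or output format."""
import difflib
import hashlib

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7  # bytes of context that decide where a chunk ends


def fuzzy_hash(data: bytes, block_size: int = 8) -> str:
    """Return 'block_size:chunk_chars'. A hash of the last WINDOW bytes triggers a
    chunk boundary, so a local edit only disturbs the chunk characters around it,
    whereas a cryptographic hash of the whole file changes completely."""
    sig, start = [], 0
    for i in range(len(data)):
        window = data[max(0, i - WINDOW + 1):i + 1]
        # Context hash of the window; recomputed per byte here for clarity.
        ctx = sum((k + 1) * b for k, b in enumerate(window))
        if ctx % block_size == block_size - 1:           # boundary trigger
            sig.append(B64[hashlib.sha1(data[start:i + 1]).digest()[0] & 63])
            start = i + 1
    if start < len(data):                                 # trailing partial chunk
        sig.append(B64[hashlib.sha1(data[start:]).digest()[0] & 63])
    return f"{block_size}:{''.join(sig)}"


def similarity(sig_a: str, sig_b: str) -> int:
    """0-100 score from the edit similarity of two signatures' chunk strings."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0  # signatures at different block sizes are not comparable
    return round(100 * difflib.SequenceMatcher(None, body_a, body_b).ratio())


# Constructed sample data: a log, the same log with one inserted line, and unrelated text.
ORIGINAL = b"".join(b"%03d GET /page%d.html 200 user=alice\n" % (i, i * 7 % 13) for i in range(12))
MODIFIED = ORIGINAL[:200] + b"999 GET /robots.txt 404 user=bob\n" + ORIGINAL[200:]
UNRELATED = b"".join(b"%02x lorem ipsum dolor sit amet\n" % (i * 37 % 251) for i in range(12))


def compare(a: bytes, b: bytes) -> dict:
    """Exact-hash equality next to the fuzzy score, as an analyst would read them."""
    return {"md5_equal": hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest(),
            "fuzzy_score": similarity(fuzzy_hash(a), fuzzy_hash(b))}


if __name__ == "__main__":
    print("original vs modified :", compare(ORIGINAL, MODIFIED))
    print("original vs unrelated:", compare(ORIGINAL, UNRELATED))
```

The edited log gets a different MD5 but a high fuzzy score, while the unrelated text scores low; the real ssdeep tool reports the same kind of 0-100 match score.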
Tue, Mar 10, 2009 -- Additional Acquisition Resources
If you're looking for information about hardware and software write blockers from a trusted source, take a look at NIST's Computer Forensic Tool Testing pages:
If you have the budget for some high-end equipment, I personally like to get my gear from Digital Intelligence. They sell mobile devices, as well as workstations with all the bells and whistles for acquisition and analysis. If you find yourself doing a lot of media acquisitions, I would recommend looking at their products.
Posted By: Evan Wheeler
Tue, Mar 4, 2009 -- Legal Resources
Tonight we discussed our own experiences with notifying third parties about a security incident. Whether that means contacting another victim or an affected vendor, or publishing a security advisory, make sure you know who in your organization is authorized to make that call. Chances are it isn't you.
Here are some links in case you are ever inclined to escalate an incident to law enforcement over the Internet:
If nothing else, these sites provide some good information about what kinds of information law enforcement may initially require when you contact them. In the context of reporting vulnerabilities or security incidents, I also mentioned the FS-ISAC as an example of an industry-specific version of a CERT. Members of the financial industry use this forum to share security intelligence. It also provides good advisories for security issues in the context of the financial sector. Several similar ISACs exist for other industries as well, such as the Multi-State ISAC.
Posted By: Evan Wheeler
Tue, Mar 3, 2009 -- Study Aid for Certification Exam
I have posted a copy of the Book Index (MS Word file) that previous students compiled to help them prepare for the certification exam. Keep in mind that this file was made from a 2008 version of the courseware, and likely needs to be updated. Maybe someone from our class would be willing to go through and update it so I can share it with everyone ... any volunteers?
Posted By: Evan Wheeler
Tue, Feb 3, 2009 -- Timelining with MS Access
I have posted a copy of the MS Access database (ZIP file) I used to analyze the Batman timeline in class today. It includes a few saved queries that focus on identifying noteworthy events based on some common criteria. I have found that this really helps me dig through large data sets.
Posted By: Evan Wheeler
Mon, Feb 2, 2009 -- Some Evidence Acquisition and Imaging Resources
I recommend that you check out the following evidence acquisition resources as a supplement to this week's materials:
There are many commercial and open source tools out there, and even many that aren't specifically forensic tools, so you need to learn how to validate new tools. The above resources are a good start.
Posted By: Evan Wheeler
Tue, Jan 27, 2009 -- Forensic Incident Response
If you are looking for additional resources, these sites all provide a wealth of content and links to other popular digital forensic resources:
I read the SANS blog often as a way to keep up on the latest developments in the field. I actually maintain the last site listed above and use it as a way to organize the resources I find valuable during an investigation. We went through some of the basic features of the live Windows side of Helix in class this week, but I also recommend that you take a look at its bootable Linux interface. Once you are comfortable with it, check out the Boot Options section on page 99 of the Helix Guide v0307 (PDF) for cheat codes and advanced settings when booting with Helix.
Posted By: Evan Wheeler
Tue, Jan 20, 2009 -- Forensic Tool Testing
If you would like to learn more about digital forensic tools that have been validated by a trusted third party, check out these two sites:
Also, another good resource for those of you who are building a jump bag for forensic investigations can be found at this site: http://www.squidoo.com/jumpbag.
Posted By: Evan Wheeler