SANS SEC 508 - Course Schedule
Here is the schedule for the course. Please read all assignments before each class, so we can discuss the topics and review the hands-on exercises together.
Week 1 - Introduction & Certification Overview
For this class, please just bring your books and materials to class. We will start with introductions. I would like to find out more about each of you. I will be asking you all about your experience in the field and what you expect to get out of this class.
Week 2 - Essentials
Reading: Book 1, pp. 1 - 74
In addition to the reading, please set up the VMWare environment that is described in the first few pages of Book 1, and let me know if you have any issues. In the past, students have usually had the most issues with the networking configuration. Please verify that you can communicate between the Linux Forensic Workstation and your host operating system.
I also recommend that you set up your own VMWare image of Windows even if you are already running that as your host OS. It is easier to run many of the hands-on exercises if you don't have to worry about your corporate anti-virus program, administrator privileges, and sensitive data. Just create a simple Windows XP image with a small disk (4-5 gig) and limited memory so that it is faster to acquire.
If you need a copy of VMWare Workstation for class, you can download an evaluation version that is good for 30 days (Evaluate VMWare Workstation for Windows). You will need at least version 6 of Workstation for the SANS images to work correctly.
We will also work through the exercise in Appendix A of Book 1 together in class. No advance preparation is required.
Week 3 - Filesystem Basics & IR Intro
Reading: Book 1, pp. 75 - 131
During this class, we will start by reviewing the File System Basics, then we will jump right into the Linux File System Basics. We will finish up class by reviewing the Incident Response and Volatile Evidence Collection material. During class, I will demonstrate live acquisition from your RedHat Hacked machine. It should be in a suspended state when you first load it into VMWare.
I also plan to demonstrate the live tools available on the Helix disc, so please bring your copy if you would like to follow along.
Week 4 - IR and Evidence Acquisition
Reading: Book 2-3, pp. 1 - 119
Week 5 - Investigation and Media Analysis, and Automated Toolkits
Reading: Book 2-3, pp. 120 - 227
Week 6 - Windows Imaging, and Volatile Evidence Gathering
Reading: Book 2-3, Supplements; Book 4, pp. 1 - 50
Week 7 - Windows Media & Artifact Analysis, and Windows Challenge
Reading: Book 4, pp. 51 - 116
Week 8 - Computer Investigative Law
Reading: Book 5, pp. 1 - 113
This class will be a brief overview of the legal topics from Book 5, but obviously we can't cover everything in 2 hours. If you haven't listened to the MP3s yet, I highly recommend listening to the Day 5 recording before class. We will be reviewing the following topics from the book:
- Who Can Investigate
- Data Collection
- Post-Collection Data Preservation
- Data Analysis & Report Writing
- Presentation of Acquired Data in Court
I will also bring in some sample (sanitized) forensic reports, so we can review the format and how you might want to present your evidence and methodology.
Week 9 - Advanced Forensics & Forensic Challenge
Reading: Book 6, pp. 1 - 54
We will be reviewing Application Footprinting and Fuzzy Hashing in class, and also starting to talk about the setup for the Forensic Challenge. I will also bring in some malware samples so we can do some live analysis in a virtual environment to demonstrate some of the non-programmer malware analysis techniques.
Week 10 - Wrap Up & Forensic Challenge
Reading: Book 6
This is our last class together, so we will spend class time going over the forensic challenge case. Come to class prepared to discuss your findings and methodology.