Monday, August 2, 2010

"The Missing Link" in my computer forensic training.....Network Forensics!

Over the years, I've taken several classes in computer forensics (vendor specific and neutral), information security and networks. Back in April, I realized what was missing - specific training in acquiring and analyzing network-based evidence in a methodical and reproducible format.  Oh sure, I've used many of the current network tools, but I've always wondered if there was a better way to collect the evidence.  That's when a colleague of mine pointed out a new training course, specifically aimed at meeting this need; and perhaps completing my "Circle of Forensics".

In July 2010, I had the privilege of attending the new Network Forensics Course - Forensics 558 being offered by the SANS Institute (Washington, DC).  The instructors were Jonathan Ham (co-author of the course) and Alan Ptak, who provided outstanding training over the 5-day course.  I can tell you, it was very different than my previous training in "traditional forensics".  For over a year now, we've been preparing, training and researching various techniques for acquiring targeted data in a scenario which required us to specifically target and forensically acquire the data which will/would form our evidence (and ensure we do not miss anything, overtly or covertly).  In the day and age of TB-sized hard drives, FDE, volatile data, etc., the move to identify and target key evidentiary information is needed.  Jonathan and Alan's training not only identified key areas to focus on, but also several techniques on how to acquire and analyze this information in a more forensically-sound manner.  The course requires a "moderate" degree of Linux familiarity; the instructors' exceptional knowledge and instructional technique more than made up for it if someone was a little weak in any area.

One point worth mentioning.  While SANS appears to offer laptops on some courses, I have to say that the pre-loaded laptop provided on this course was a good move.  The SNIFT kit had been preloaded onto the laptop, and for five straight days I never heard a single complaint of "something not working", "hardware issues", "I don't have that version", etc.  The laptop had a 250GB hard drive, with VM Workstation and several pre-configured VM sessions (which were essential to the course).   If anyone from SANS reads this - good call!  The hardware (Lenovo S10-3) and software (SNIFT Kit) worked - each and every time.  (If it didn't, it was likely my fault :)

From hearing the various instructors and others speaking during the Summit and Network Forensics course, it appears that SANS has found another niche with a huge demand.  It was an expensive trip - but all in all, very well worth the high quality training.

P.S. The presentation from Chris Pogue on Sniper Forensics was awesome and, coincidentally, complemented the training provided by Jonathan.  If you ever get to attend this presentation by Chris, don't pass on the opportunity.

In terms of identifying information "to be sniped" from within a larger system, I see a huge need for someone to lead discussion in this area.  It will be necessary to qualify the type of investigation, type of guest/target systems and OS, type of forensics system/tools available, criminal/non-criminal, etc.  The biggest problem I see is that discussions in this area focus on EITHER network/volatile-based evidence OR that normally acquired through "traditional" hard-drive forensics.  We need a discussion which includes all areas of forensics.


  1. Just out of curiosity...and this is something I've been struggling with with respect to internal/team training...why do you feel that you need to go to/pay for training (SANS or anywhere else...) in order to learn something new?

    I ask, as I've had team members state, "I can't learn anything without going off and sitting in a classroom for 5 days." Seriously.

    Conversely, one of the hallmarks of an analyst that I (and others) tend to look for is the ability to investigate, search, and process new information.

    Again, just curious...your post struck a chord with me, perhaps in a way that you hadn't intended...

  2. In case you were wondering, my blog is

    Thanks for giving me props on my Sniper Forensics talk! Wait until v2.0 and v3.0 come out! I am currently working on both right now.

  3. Keydet89:

    I'm a firm believer in "in house" training but the corporate (ie: FedGovt) mantra suggests that:
    - higher quality of training is often received from those who have committed the time to develop the necessary courseware and means to evaluate your level of knowledge. I can see the truth to this (in some cases); although there is a lot of training out there that seriously lacks the necessary technical content I need/desire. (I've learned more from reading a single chapter from one of your books than I have from entire classes in some cases).
    - in a lab/workplace with a large case load, it is almost impossible to put aside the time for local training, particularly when you'd like to have several employees attend.
    - lastly, like it or not, I believe the Courts like seeing (some) external training to enhance one's professional training.

    My personal preference is to find a balance. I often suggest that we should look to involve a larger ratio of in-house training and even invite other employees from other labs across the Country. I'm not sure what the barrier is - perhaps they feel they don't have the time to prepare the training and then present it(?). I believe that presenting to your colleagues and fielding some questions after adds considerably to your professional ability - and can aid in your ability to present in different forums (outside presentations, Court, etc). If you look at the level of training and experience that we have as a larger body of employees, it is a shame we do not capitalize on our learned knowledge and investigative experience. The level of knowledge-sharing within our organization could be MUCH better.

    I believe my opinion often falls on deaf ears though, and our training continues to take place in "silos".

  4. keydet89:

    I run down the middle. My organization is national, made up of several regional centers. In my regional center, we generally have little in-house training, though I have been trying to get management to allow us to have some training locally. One issue is the enormous workload; it is hard to get time to have any training, never mind the time to research and put together a presentation.

    Now we do have a lot of in-house training from our national headquarters, but obviously those all require travel funds. The in-house training, also, is not as focused or advanced as outside vendors. In-house stuff generally focuses on the organization's SOPs and most common cases.

    On the third hand, I like outside courses because I get to dive in full speed and more importantly, I get a point of view from someone who has not had the same training/experience that I have.

  5. I hear you about the training...but *making* the time for training is a management issue. Like you, I've been in corporate environments where management mandated training, but due to the business model, you just couldn't get the time to do it, even off-site.

    There are just times when you need to make the time yourself to get a better understanding of things and how they work. This is, in part, why I'm such an advocate for networking/sharing...sometimes, hours of searching and reading can be obviated by a 20 min phone call, or an email.

  6. Sounds like people are overworked, little resources to keep the ship afloat, and there is little hiring to manage risk. What's up with that?
