Over the years, I've taken several classes in computer forensics (vendor-specific and neutral), information security and networks. Back in April, I realized what was missing - specific training in acquiring and analyzing network-based evidence in a methodical and reproducible format. Oh sure, I've used many of the current network tools, but I've always wondered if there was a better way to collect the evidence. That's when a colleague of mine pointed out a new training course, specifically aimed at meeting this need, and perhaps completing my "Circle of Forensics".
In July 2010 I had the privilege of attending the new Network Forensics Course - Forensics 558 being offered by the SANS Institute (Washington, DC). The instructors were Jonathan Ham (co-author of the course) and Alan Ptak, who provided outstanding training over the 5-day course. I can tell you, it was very different than my previous training in "traditional forensics". For over a year now, we've been preparing, training and researching various techniques for acquiring targeted data in a scenario which required us to specifically target and forensically acquire the data which will/would form our evidence (and ensure we do not miss anything, overtly or covertly). In this day and age of TB-sized hard drives, FDE, volatile data, etc., the move to identify and target key evidentiary information is needed. Jonathan and Alan's training not only identified key areas to focus on, but several techniques on how to acquire and analyze this information in a more forensically-sound manner. The course requires a "moderate" degree of Linux familiarity; the instructors' exceptional knowledge and instructional technique more than made up for it if someone was a little weak in any area.
One point worth mentioning. While SANS appears to offer laptops on some courses, I have to say that the pre-loaded laptop provided on this course was a good move. The SNIFT kit had been preloaded onto the laptop and for five straight days, I never heard a single complaint of "something not working", "hardware issues", "I don't have that version", etc. The laptop had a 250GB hard drive, with VM Workstation and several pre-configured VM sessions (which were essential to the course). If anyone from SANS reads this - good call! The hardware (Lenovo S10-3) and software (SNIFT Kit) worked - each and every time. (If it didn't, it was likely my fault. :)
From hearing the various instructors and others speaking during the Summit and Network Forensics course, it appears that SANS has found another niche with a huge demand. It was an expensive trip - but all in all, very well worth the high-quality training.
P.S. The presentation from Chris Pogue on Sniper Forensics was awesome and, coincidentally, complemented the training provided by Jonathan. If you ever get to attend this presentation by Chris, don't pass on the opportunity.
In terms of identifying information "to be sniped" from within a larger system, I see a huge need for someone to lead discussion in this area. It will be necessary to qualify the type of investigation, type of guest/target systems and OS, type of forensics system/tools available, criminal/non-criminal, etc. The biggest problem I see is that discussions in this area focus on EITHER network/volatile-based evidence, or that normally acquired through "traditional" hard-drive forensics. We need a discussion which includes all areas of forensics.