!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!

Download the latest version of the SIFT Workstation here: http://computer-forensics.sans.org/community/downloads. You can use any 64-bit version of Windows, MAC OSX, or Linux as your core operating system that also can install and run VMware virtualization products.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.

MANDATORY FOR508 SYSTEM HARDWARE REQUIREMENTS:

• CPU: 64-bit Intel x64 2.0+ GHz processor or higher based system is mandatory for this class (Important - Please Read: a 64 bit system processor is mandatory)
• RAM: 4 GB (Gigabytes) of RAM minimum (Note: We strongly recommend 6 GB of RAM or higher to get the most out of the course)
• Host Operating System: Any version of Windows or MAC OSX that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player)
• Networking: Wireless 802.11 B, G, or N
• DVD/CD Combo Drive
• USB 2.0 or higher Port(s)
• 200 Gigabyte Host System Hard Drive minimum
• ~80 Gigabytes of Free Space on your System Hard Drive (Note: The free space is needed for the SIFT Workstation VM and the evidence we will be adding to your system)

• The student should have the capability to have Local Administrator Access within their host operating system

MANDATORY FOR508 SYSTEM SOFTWARE REQUIREMENTS (Please install the following prior to the beginning of the class):

1. Install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 (higher versions are ok)
2. Download the latest version of the SIFT Workstation VMware zipfile here: http://computer-forensics.sans.org/community/downloads
3. Download and install 7Zip
4. Microsoft Office (any version) w/Excel installed on your host - Note you can download Office Trial Software online (free for 60 days)

OPTIONAL ITEMS TO BRING TO CLASS

• If you attended FOR408, please bring your copy of the FOR408 - Windows SIFT Workstation Virtual Machine as you can use it for the final challenge.
• Bring/install any other forensic tool you feel could be useful (EnCase, FTK, etc). For the final challenge at the end of the course, you can utilize any forensic tool, including commercial capabilities, to help you and your team. If you have any dongles, licensed software, you are free to use it.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

• Information Security Professionals who respond to data breach incidents and intrusions
• Incident Response Team Members who respond to complex security incidents/intrusions from an APT group / advanced adversaries and need to know how to detect, investigate, recover, and remediate compromised systems across an enterprise.
• Experienced Digital Forensic Analysts who want to solidify and expand their understanding of file system forensics, investigating technically advanced individuals, incident response tactics, and advanced intrusion investigations targeting APT groups.
• Federal Agents and Law Enforcement, who want to master advanced intrusion investigations, incident response, and expand their investigative skill beyond traditional host-based digital forensics
• Red Team Members, Penetration Testers, and Exploit Developers who want to learn how their opponents can identify their actions. Discover how common mistakes can compromise operations on remote systems, and how to avoid them. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploit operating procedures and exploit testing batteries.
• SANS FOR408 and SEC504 Graduates looking to take their skills to the next level

FOR508 (Advanced Forensics and Incident Response) and FOR408 (Computer Forensic Investigations - Windows In-Depth) are designed to be companion courses with skills that build upon one another. While we suggest taking FOR408 prior to FOR508, students will benefit from taking the courses in any order.

One of the biggest complaints that many have in the digital forensics and incident response community is the lack of realistic intrusion data. Most real-world intrusion data is simply too sensitive to be shared.

Starting a year ago, course authors created a realistic scenario based on experiences surveyed from panel of responders who regularly respond to targeted APT attacks. They helped review and guide the targeted attack "script" used to create the scenario. As a result, the authors created an incredibly rich and realistic attack scenario across multiple enterprise systems. This APT attack lab forms the basis for training during the week. The network was setup to mimic a standard "protected" enterprise network using standard compliance checklists.

• Full auditing turned on per recommended FISMA guidelines
• Windows DC set up and configured. DC not tightened down the network more than what is expected in real enterprise networks
• Systems installed and have real software on it that is used (Office, Adobe, Skype, Tweetdeck, Email, Dropbox, Firefox, Chrome)
• Fully patched (Patches are automatically installed)
• Enterprise Incident Response agents

• Enterprise A/V and On-Scan capability based on DoD's Host Based Security System - HBSS

  • McAfee Endpoint Protection -Anti-virus, Anti-spyware, Safe surfing, Anti-spam, Device Control, Onsite Management, Host Intrusion Prevention (HIPS)
• Firewall only allowed inbound port 25 and outbound ports 25, 80, 443 only.

This exercise and challenge will be used to show real adversary traces across host systems, system memory, hibernation/pagefiles and more.

• Phase 1 - Spearphishing attack and malware C2 beacon installation
• Phase 2 - Lateral movement to other systems, malware utilities download, install additional beacons, and obtain domain admin credentials
• Phase 3 - Search for intellectual property, profile network, dump email, dump enterprise hashes
• Phase 4 - Collect data to exfiltrate and copy to staging system. Archive data using rar and a complex passphrase
• Phase 5 - Exfiltrate rar files from staging server, perform cleanup on staging server.

In the end, we will have created authentic memory captures on each box, network captures, malware samples, in addition to full disk images w/Restore Points (XP) and VSS for (Win7 and Win2008) systems

What you Will Learn

• Applying incident response processes, threat intelligence, and digital forensics to investigate breached enterprise environments from Advanced Persistent Threat (APT) groups, organized crime syndicates, or hackivists.
• Discover every system compromised in your enterprise utilizing incident response tools such as F-Response and digital forensic analysis capabilities in the SIFT Workstation to identify APT beach head and spear phishing attack mechanisms, lateral movement, and data exfiltration techniques.
• Using the SIFT Workstations capabilities, perform forensic analysis and incident response on any remote enterprise hard drive or system memory without having to image the system first allowing for immediate response and scalable analysis to take place across the enterprise.
• Using system memory and the Volatility toolset to discover active malware on a system, determine how the malware was placed there, and recover it to help develop key threat intelligence to perform proper scoping activities during incident response.
• Detect advanced capabilities such as Stuxnet, TDSS, or APT command and control malware immediately through memory analysis using Redlines Malware Rating Index (MRI) to quickly ascertain the threat to your organization and aid in scoping the true extent of the data breach
• Track the exact footprints of an attacker crossing multiple systems and observe data they have collected to exfiltrate as you track your adversarys movements in your network via timeline analysis using the log2timeline toolset
• Begin recovery and remediation of the compromise via the use of Indicators of Compromise (IOC), Threat Intelligence, and IR/Forensics key scanning techniques to identify active malware and all enterprise systems affected by the breach
• Perform filesystem surgery using the sleuthkit tool to discover how filesystems work and uncover powerful forensic artifacts such as NTFS $I30 directory file indexes, journal parsing, and detailed Master File Table analysis
• Using volume shadow snapshot examinations, XP restore point analysis, and NTFS examination tools in the SIFT Workstation, recover artifacts hidden by anti-forensic techniques such as timestomping, file wiping, rootkit hiding, and privacy cleaning.
• Discover an adversarys persistence mechanisms to allow malware to continue to run on a system after a reboot using command-line tools such as autorunsc, psexec, jobparser, group policy, triage-ir, and IOCFinder.

• SIFT Workstation Virtual Machine used with many of the class hands-on exercise

  • This course uses the SIFT Workstation to teach incident responders and forensic analysts how to respond to and investigate sophisticated attacks. SIFT contains hundreds of free and open source tools, easily matching any modern forensic and incident response tool suite.

• F-Response TACTICAL
• TACTICAL enables incident responders to access remote systems and physical memory of a remote computer via the network
• Gives any IR or forensic tool the capability to be used across the enterprise
• Perfect for intrusion investigations and data breach incident response situations
• Best-selling book "File System Forensic Analysis" by Brian Carrier
• Course DVD loaded with case examples, tools, and documentation

• Apply incident response processes, threat intelligence, and digital forensics to investigate breached enterprise environments from Advanced Persistent Threat (APT) groups, organized crime syndicates, or hackivists.
• Discover every system comprised in your enterprise utilizing incident response tools such as F-Response and digital forensic analysis capabilities in the SIFT Workstation to identify APT beach head and spear phishing at- tack mechanisms, lateral movement, and data exfiltration techniques.
• Using the SIFT Workstation's capabilities, preform forensic analysis and incident response on any remote enterprise hard drive or system memory without having to image the system first, allowing for immediate response and scalable analysis to take place across the enterprise.
• Using system memory and the Volatility toolset to discover active malware on a system, determine how the malware was placed there, and recover it to help develop key threat intelligence to perform proper scoping activities during incident response.
• Detect advanced capabilities such as Stuxnet, TDSS, or APT command and control malware immediately through memory analysis using Redlines Malware Rat- ing Index (MRI) to quickly ascertain the threat to your organization and aid in scoping the true extent of the data breach
• Track the exact footprints of an attacker crossing multiple systems and observe data they have collected to exfiltrate as you track your adversarys movements in your network via timeline analysis using the log2timeline toolset
• Begin recovery and remediation of the compromise via the use of Indicators of Compromise (IOC), Threat Intelligence, and IR/Forensics key scanning techniques to identify active malware and all enterprise systems affected by the breach
• Preform filesystem surgery using the sleuth kit tool to discover how filesystems work and uncover powerful forensic artifacts such as NTFS $I30 directory file indexes, journal parsing, and detailed Master File Table analysis
• Using volume shadow snapshot examinations, XP restore point analysis, and NTFS examination tools in the SIFT Workstation, recover artifacts hidden by anti-forensic techniques such as timestomping, file wiping, rootkit hiding, and privacy cleaning.
• Discover an adversary's persistence mechanisms to allow malware to continue to run on a system after a reboot using command-line tools such as autorunsc, psexec, jobparser, group policy, triage-ir, and IOCFinder.

"THE SANS508 COURSE EXCEEDED MY EXPECTATIONS IN EVERY WAY. IT PROVIDED ME THE SKILLS, KNOWLEDGE, AND TOOLS TO EFFECTIVELY RESPOND TO AND HANDLE APTS AND OTHER ENTERPRISE WIDE THREATS." -Josh Moulin NSTEC/NNSA/DOE

"THE EXAMPLES IN THE COURSE RELATE TO WHAT I NEED TO KNOW TO DEAL WITH REAL WORLD THREATS." -Tim Weaver, Digital Mtn. Inc.

"I WAS SURPRISED AND AMAZED AT HOW EASY IT IS TO DO MEMORY ANALYSIS AND HOW HELPFUL IT IS." - Brian Dugay, Apple

"THE LEVEL OF DETAIL IS AMAZING. THE METHODOLOGY IS CLEARLY EFFECTIVE AT FINDING PERTINENT ARTIFACTS." - no name

FULL REVIEW AND WRITE UP OF FOR508 BY DAVID NIDES, KPMG-

• http://davnads.blogspot.com/2012/07/sans-dfir-sumitt-forensic4cast-award-my.html

PRESS ARTICLES ABOUT THE NEW FOR508 COURSE:

• CSO ONLINE: Advanced Persistent Threats can be beaten, says expert Detection is key, but how you respond to APTs is equally important
• SECURITY BISTRO: Understanding and defeating APT, Part 1: Waking up to the who and why behind APT
• SECURITY BISTRO: Understanding and defeating APT, Part 2: Fighting the 'forever war' against implacable foes

Should I take SANS 408 or 508? (part 1) - http://digitalforensicstips.com/category/training_reviews/

SANS 508 Compared to 408 Part Two (part 2) - http://digitalforensicstips.com/2013/04/sans-508-compared-to-408-part-two-plus-a-side-of-610/