FOR508: Advanced Computer Forensic Analysis and Incident Response
Come prepared to learn a lot.
Todd Black Lee, The Golden 1 Credit Union
My SOC focuses a lot on incident response and quick forensics, so the course material is extremely valuable.
-This course focuses on providing incident responders with the necessary skills to hunt down and counter a wide range of threats within enterprise networks, including economic espionage, hactivism, and financial crime syndicates. The completely updated FOR508 addresses today's incidents by providing real-life, hands-on response tactics. Don't miss the NEW FOR508!
DAY 0: A 3-letter government agency contacts you to say that critical information was stolen by a targeted attack on your organization. Don't ask how they know, but they tell you that there are several breached systems within your enterprise. You are compromised by an Advanced Persistent Threat, aka an APT - the most sophisticated threat you are likely to face in your efforts to defend your systems and data.
Over 90% of all breach victims learn of a compromise from third party notification, not from internal security teams. In most cases, adversaries have been rummaging through your network undetected for months or even years. Gather your team - it's time to go hunting.
FOR508: Advanced Computer Forensic Analysis and Incident Response will help you determine:
- How did the breach occur?
- What systems were compromised?
- What did they take? What did they change?
- How do we remediate the incident?
The updated FOR508 trains digital forensic analysts and incident response teams to identify, contain, and remediate sophisticated threats-including APT groups and financial crime syndicates. A hands-on lab-developed from a real-world targeted attack on an enterprise network-leads you through the challenges and solutions. You will identify where the initial targeted attack occurred and which systems an APT group compromised. The course will prepare you to find out which data was stolen and by whom, contain the threat, and provide your organization the capabilities to manage and counter the attack.
During a targeted attack, an organization needs the best incident responders and forensic analysts in the field. FOR508 will train you and your team to be ready to do this work.
THE APT IS IN YOUR NETWORK - TIME TO GO HUNTING
Course Will Prepare You To:
- Detect unknown live, dormant, and custom malware in memory across multiple windows systems in an enterprise environment
- Find malware beaconing outbound to its command and control (C2) channel via memory forensics, registry analysis, and network connection residue
- Identify how the breach occurred by identifying the beach head and spear phishing attack mechanisms
- Target anti-forensics techniques like hidden and time-stomped malware, along with utility-ware that the attackers uses to move in your network and maintain their presence
- Use memory analysis and forensic tools in the SIFT Workstation to detect hidden processes, malware, attacker command-lines, rootkits, network connections, and more
- Track user and attacker activity second by second on the system you are analyzing through in-depth timeline and super-timeline analysis
- Recover data cleared using anti-forensic techniques via Volume Shadow Copy and Restore Point analysis
- Learn how filesystems work and discover powerful forensic artifacts like NTFS $I30 indexes, journal parsing, and detailed Master File Table analysis
- Identify lateral movement and pivoted within your enterprise and show how attackers transition from system to system without being detected
- Understand how the attacker can acquire legitimate credentials, including domain administrator rights in a locked down environment
- Track data movement as the attackers collect critical data and shift it to exfiltration systems
- Recover and analyze rar archive files used by APT-like attackers to exfiltrate sensitive data from the enterprise network
- Advanced Use of the SIFT Workstation in Incident Response and Digital Forensics
- Responding to an APT group, Organized Crime Hackers, and Hackivists
- Incident Response and Intrusion Forensics Methodology
- Threat and Security Intelligence
- Remote and Enterprise IR System Analysis
- Windows Live Incident Response
- Memory Analysis
- Timeline Analysis
- System Restore Points and Volume Shadow Copy Exploitation
- File System Analysis
- In-depth Windows NTFS File System Examination
- Advanced File Recovery and Data Carving
- Recovering Key Windows Files
- Discovering Unknown Malware on a System
- Adversary Threat Intelligence Development, Indicators of Compromise, and Usage
- Step-by-Step Methodologies to Respond to and Investigate Intrusion Cases
|FOR508.1: Enterprise Incident Response||Alissa Torres||
Mon Sep 15th, 2014
9:00 AM - 5:00 PM
Incident responders should be armed with the latest tools, memory analysis techniques, and enterprise scanning methodologies in order to identify, track and contain advanced adversaries, and remediate incidents. Incident response and forensic analysts responding must be able to scale their examinations from the traditional one analyst per system toward one analyst per 1,000 or more systems. Enterprise scanning techniques are now a requirement to track targeted attacks by an APT group or crime syndicate groups which propagate through thousands of systems. This is simply something that cannot be accomplished using the standard "pull the hard drive" forensic examination methodology. Such an approach will in fact alert the adversary that you are aware and may allow them to quickly exfiltrate sensitive information. In this section, the six-step incident response methodology is examined as it applies to response in an enterprise during a targeted attack. We will show how important development of security intelligence is in affecting the adversaries "kill chain." We will also demonstrate live response techniques and tactics that can be applied on a single system and across the entire enterprise.
CPE/CMU Credits: 6
SIFT Workstation Overview
Incident Response Methodology
Threat and Adversary Intelligence
Intrusion Digital Forensics Methodology
Remote and Enterprise IR System Analysis
Windows Live Incident Response
|FOR508.2: Memory Forensics||Alissa Torres||
Tue Sep 16th, 2014
9:00 AM - 5:00 PM
Critical to many IR teams detecting advanced threats in the organization, memory forensics has come a long way in just a few years. It can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware used by an APT group of attackers. While traditionally solely the domain of Windows internals experts, recent tools now make memory analysis feasible for anyone. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. This section will introduce some of the newest free tools available and give you a solid foundation in adding core and advanced memory forensic skills to your incident response and forensics armory.
CPE/CMU Credits: 6
Memory Forensics Analysis Process
Memory Forensics Examinations
|FOR508.3: Timeline Analysis||Alissa Torres||
Wed Sep 17th, 2014
9:00 AM - 5:00 PM
Timeline Analysis will change the way you approach digital forensics and incident response... forever.
Learn advanced analysis techniques uncovered via timeline analysis directly from the developers that pioneered timeline analysis tradecraft. Temporal data is located everywhere on a computer system. Filesystem modified/access/creation/change times, log files, network data, registry data, and, internet history files all contain time data that can be correlated into critical analysis to successfully solve cases. Pioneered by Rob Lee in 2001, timeline analysis has become a critical investigative technique to solve complex cases. New timeline analysis frameworks provide the means to conduct simultaneous examinations of a multitude of time based artifacts. Analysis that once took days now takes minutes. This section will step you through the two primary methods of creating and analyzing timelines created during advanced incidents and forensic cases. Exercises will not only show each analyst how to create a timeline, but introduce key methods to use them effectively in your cases.
CPE/CMU Credits: 6
Timeline Analysis Overview
Filesystem Timeline Creation and Analysis
Super Timeline Creation and Analysis
|FOR508.4: Deep Dive Forensics And Anti-Forensics Detection||Alissa Torres||
Thu Sep 18th, 2014
9:00 AM - 5:00 PM
A major criticism of digital forensic professionals is that many tools simply require a few mouse clicks to have the tool automatically recover data as evidence. This "push button" mentality has led to many inaccurate case results in the past few years including high profile cases such as the Casey Anthony murder trial. You will stop being reliant on "push button" forensic techniques as we cover how the engines of digital forensic tools really work. To understand how to carve out data, it is best to understand how to do it by hand and then show how automated tools should be able to recover the same data. You will learn how to perform string searches looking for specific residue from a file and learn multiple ways to recover the file data across the layers of the filesystem. If a file or registry key has been wiped or deleted, this section shows how to use Windows historical artifacts to still recover key pieces of the data that no longer exist on the system. This knowledge will allow you to see beyond most anti-forensic techniques allowing you to gain the advantage while responding to breaches in your organization where an adversary is actively attempting to hide from you.
CPE/CMU Credits: 6
Windows XP Restore Point Analysis
VISTA , Windows 7, Server 2008 Shadow Volume Copy Analysis
Deep Dive Forensics Analysis
|FOR508.5: Intrusion Forensics-The Art of Finding Unknown Malware||Alissa Torres||
Fri Sep 19th, 2014
9:00 AM - 5:00 PM
The adversaries are good, we must be better.
Over the years, we have observed that many incident responders have a challenging time finding malware without effective indicators of compromise (IOCs) or threat intelligence gathered prior to a breach. This is especially true in APT group intrusions.
This advanced session will demonstrate techniques used by first responders to discover malware or forensic artifacts when very little information exists about their capabilities or hidden locations. We will discuss techniques to help funnel possibilities down to the candidates most likely to be evil malware trying to hide on the system.
The section concludes with a step-by-step approach on how to handle some of the most difficult types of investigations. You will learn the best ways to approach intrusion and spear phishing attacks. You will understand locations you can examine to determine if file wiping occurred. You will discover techniques to prove that privacy clearing software was utilized. Regardless of the actions hackers might take, they will always leave something that can be traced. This discussion will solidify your new skills into a working attack plan to solve these difficult cases.
CPE/CMU Credits: 6
INTRUSION FORENSICS - THE ART OF FINDING UNKNOWN MALWARE
Step-by-Step Finding Unknown Malware On A System
Anti-Forensics Detection Methodologies
Methodology to Analyze and Solve Challenging Cases
|FOR508.6: The Incident Response and Forensic Challenge||Alissa Torres||
Sat Sep 20th, 2014
9:00 AM - 5:00 PM
This incredibly rich and realistic enterprise intrusion exercise based on an real-world APT group brings together some of the most exciting techniques learned earlier in the week and tests your newly acquired skills in a case that simulates an attack by an advanced adversary such as an APT. This challenge brings it all together using a simulated intrusion into a real enterprise environment consisting of multiple Windows systems. You will be asked to uncover how the systems were compromised in the initial intrusion, find other systems the adversary moved to laterally, and identify intellectual property stolen via data exfiltration. You will walk out of the course with hands-on experience investigating realistic scenarios, which were put together by a cadre of individuals with many years of experience fighting advanced threats such as an APT group.
CPE/CMU Credits: 6
The Intrusion Forensic Challenge will have each Incident Response team analyzing multiple systems in the Enterprise network.
Each Incident Response team will be asked to answer the following key questions during the challenge just like they would during a real-breach in their organizations:
IDENTIFICATION AND SCOPING:
CONTAINMENT AND SECURITY INTELLIGENCE GATHERING:
REMEDIATION AND RECOVERY
!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!
You can use any 64-bit version of Windows, MAC OSX, or Linux as your core operating system that also can install and run VMware virtualization products. For MACs, we recommend setting up Boot Camp and running Windows directly on your MAC. We have had challenges with VMware Fusion products with several exercises in class.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities.
Please download and install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.
MANDATORY FOR508 SYSTEM HARDWARE REQUIREMENTS:
MANDATORY FOR508 SYSTEM SOFTWARE REQUIREMENTS (Please install the following prior to the beginning of the class):
OPTIONAL ITEMS TO BRING TO CLASS
If you have additional questions about the laptop specifications, please contact email@example.com.
|Who Should Attend|
FOR508 (Advanced Forensics and Incident Response) and FOR408 (Computer Forensic Investigations - Windows In-Depth) are designed to be companion courses with skills that build upon one another. While we suggest taking FOR408 prior to FOR508, students will benefit from taking the courses in any order. SANS has a free forensic skill assessment that might be useful to take if you are unsure which class is right for you. The assessment can be found here: http://computer-forensics.sans.org/training/assessment
|HANDS-ON APT Enterprise Intrusion Lab|
One of the biggest complaints that many have in the digital forensics and incident response community is the lack of realistic intrusion data. Most real-world intrusion data is simply too sensitive to be shared.
Starting a year ago, course authors created a realistic scenario based on experiences surveyed from panel of responders who regularly respond to targeted APT attacks. They helped review and guide the targeted attack "script" used to create the scenario. As a result, the authors created an incredibly rich and realistic attack scenario across multiple enterprise systems. This APT attack lab forms the basis for training during the week. The network was setup to mimic a standard "protected" enterprise network using standard compliance checklists.
This exercise and challenge will be used to show real adversary traces across host systems, system memory, hibernation/pagefiles and more.
In the end, we will have created authentic memory captures on each box, network captures, malware samples, in addition to full disk images w/Restore Points (XP) and VSS for (Win7 and Win2008) systems
|Why Take This Course?|
What you Will Learn
|What You Will Receive|
|You Will Be Able To|
|Press & Reviews|
"THE SANS508 COURSE EXCEEDED MY EXPECTATIONS IN EVERY WAY. IT PROVIDED ME THE SKILLS, KNOWLEDGE, AND TOOLS TO EFFECTIVELY RESPOND TO AND HANDLE APTS AND OTHER ENTERPRISE WIDE THREATS." -Josh Moulin NSTEC/NNSA/DOE
"THE EXAMPLES IN THE COURSE RELATE TO WHAT I NEED TO KNOW TO DEAL WITH REAL WORLD THREATS." -Tim Weaver, Digital Mtn. Inc.
"I WAS SURPRISED AND AMAZED AT HOW EASY IT IS TO DO MEMORY ANALYSIS AND HOW HELPFUL IT IS." - Brian Dugay, Apple
"THE LEVEL OF DETAIL IS AMAZING. THE METHODOLOGY IS CLEARLY EFFECTIVE AT FINDING PERTINENT ARTIFACTS." - no name
"I'VE TAKEN OTHER NETWORK INTRUSION CLASSES BUT NOTHING THIS IN-DEPTH. THE CLASS IS OUTSTANDING!" -- Craig Goldsmith, FBI
"CUTTING EDGE EXPERTISE TAUGHT BY WORLD CLASS EXPERTS." -Joseph Murray, Deloitte
"I AM A DIFFERENT MAN AS A RESULT OF THIS COURSE." - Travis Farral, XTO Energy
"ABSOLUTELY ESSENTIAL KNOWLEDGE. TRADITIONAL KNOWLEDGE IS USEFUL, BUT THIS COURSE PROVIDES THE PRACTICAL SIDE OF A GROWING TREND." -Erik Musick, Arkansas State Police
"THIS IS A GREAT CLASS AND SHOULD BE MANDATORY FOR ANYONE IN THE FORENSIC FIELD. GREAT JOB, ROB!" -Mark Merchant, State of Alaska/State Security Office
"COME PREPARED TO LEARN A LOT." -Todd Black Lee, The Golden 1 Credit Union
"YOU CAN DELETE IT, HIDE IT, RENAME IT, BUT WE WILL FIND IT." -Edward Fuller, Department of Defense
"GREAT COURSE! THIS NOT ONLY HELPS ME IN FORENSICS BUT ALSO IN CREATING USE-CASES FOR OUR OTHER INTRUSION ANALYSIS TOOLS." -Joseph Murray, Deloitte
"IT IS HARD TO REALLY SAY SOMETHING THAT WILL PROPERLY CONVEY THE AMOUNT OF MENTAL GROWTH I HAVE EXPERIENCED THIS WEEK." -Travis Farral, XTI Energy
"EXCELLENT COURSE, INVALUABLE HANDS-ON EXPERIENCE TAUGHT BY PEOPLE WHO NOT ONLY KNOW THE TOOLS AND TECHNIQUES, BUT KNOW THEIR QUIRKINESS THROUGH PRACTICAL, REAL-WORLD EXPERIENCE." -John Alexander, US Army
"THIS COURSE (FOR508) REALLY TAKES YOU FROM 0-60 IN UNDERSTANDING THE CORE CONCEPTS OF FORENSICS, ESPECIALLY THE FILE SYSTEM." -Matthew Harvey, U.S. Department of Justice
"IF YOU NEED TO TRACK DOWN WHAT HAPPENED IN YOUR ENVIRONMENTS, THIS IS A MUST HAVE COURSE!" -Fran Moniz, American National Insurance
"THE CAPSTONE EXERCISE IS AWESOME, PUTS TRACKING THE APT INTO PRACTICE." -Gavin Worden, SD-LECC
"BEST FORENSICS TRAINING I'VE HAD SO FAR. I THOUGHT THE SOME OTHERS COURSES WERE GREAT BUT 508 IS A LOT MORE CURRENT AND APPLICABLE TO THE REAL WORLD! EXCELLENT COURSE AND INSTRUCTOR OVERALL!" -Marc Bleicher, Bit9
"THE MORE I PROGRESS THROUGH THE COURSE, THE MORE I REALIZE JUST HOW MUCH CAPACITY THERE IS TO PRODUCE ANSWERS TO TOUGH QUESTIONS. WHERE I MIGHT NOT HAVE FOUND SUPPORTING EVIDENCE IN PAST CASES, I FEEL I HAVE SO MANY NEW AVENUES TO EXPLORE. A REAL EYE-OPENER. I ALSO GREATLY APPRECIATE THE FOCUS ON INCIDENT RESPONSE." - Dave Ockwell-Jenner, SITA
"I HAVE ALREADY USED SEVERAL OF THE TOOLS/TECHNIQUES FROM THE COURSE WITH PAST-CASE EVIDENCE TO UNCOVER THINGS I DID NOT PREVIOUSLY KNOW." - Dave Ockwell-Jenner, SITA
"MY SOC FOCUSES A LOT ON INCIDENT RESPONSE AND QUICK FORENSICS, SO THE COURSE MATERIAL IS EXTREMELY VALUABLE." - Anonymous
"I ROUTINELY PERFORM LIVE MEMORY CAPTURES AND HAVE GONE THROUGH THEM LOOKING FOR THE OBVIOUS, BUT I HAD NO IDEA, UNTIL FOR508, HOW MANY ARTIFACTS ARE CONTAINED IN RAM." - M Scott Saul, FBI
"THE SANS INSTITUTE IS CURRENTLY THE LEADER IN THE COMMERCIAL IR AND COMPUTER FORENSIC TRAINING MARKET. THEY HAVE A LARGE NUMBER OF QUALITY COURSES." - Luttgens, Jason; Pepe, Matthew; Mandia, Kevin. Incident Response & Computer Forensics, Third Edition - July 2014
"YOU HAVE THE CONTENT WHICH IS CLOSE TO REAL WTHEN YOU HAVE THE INSTRUCTOR THAT GOES INTO A LOT OF REAL WORLD EXAMPLES. JUST GREAT." -Anonymous
"FOR508 COMBINED WITH FOR572 SHOWS A COMPLETE PICTURE FROM DISK SIDE TO NETWORK SIDE." - Dow Shirley, Energy Solutions
FULL REVIEW AND WRITE UP OF FOR508 BY DAVID NIDES, KPMG-
PRESS ARTICLES ABOUT THE NEW FOR508 COURSE:
Should I take SANS 408 or 508? (part 1) - http://digitalforensicstips.com/category/training_reviews/
SANS 508 Compared to 408 Part Two (part 2) - http://digitalforensicstips.com/2013/04/sans-508-compared-to-408-part-two-plus-a-side-of-610/