FOR508: Advanced Computer Forensic Analysis and Incident Response
Updated Course / Content Notice
Brand New! Relaunch in 2012 - Entire course materials, exercises, and challenges fully updated to give students experience in investigating real-world advanced attacks and APT-like scenarios in a Windows Enterprise Environment. Don't miss the NEW FOR508!
Over the past two years, we have seen a dramatic increase in sophisticated attacks against nearly every type of organization. Economic espionage in the form of cyber-attacks, also known as the Advanced Persistent Threat (APT), has proven difficult to suppress. Attackers from Eastern Europe and Russia continue to steal credit card and financial data, resulting in millions of dollars of losses. Hacktivist groups attacking government and Fortune 500 companies are becoming bolder and more frequent.
Sophisticated hackers can advance rapidly through your network using advances in spear phishing, web application attacks, and custom malware. Incident Responders and Digital Forensic Investigators must master a variety of operating systems, investigative techniques, incident response tactics, and even legal issues in order to combat challenging intrusion cases across the enterprise.
Attackers will use anti-forensic techniques to hide their tracks. They use rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware to hide in plain sight and avoid detection by standard host-based security measures. Every action that adversaries make leaves a trace; you merely need to know where to look.
Our adversaries are good and getting better. Are we learning how to counter them? Yes we are. Learn how.
FOR508: Advanced Computer Forensic Analysis and Incident Response will give you the tools and techniques necessary to master advanced incident response, investigate data breach intrusions, find tech-savvy rogue employees, counter the Advanced Persistent Threat, and conduct complex digital forensic cases.
This course uses the popular SIFT Workstation to teach investigators how to investigate sophisticated crimes. SIFT contains hundreds of free and open source tools, easily matching any modern forensic tool suite. It demonstrates that advanced investigations and incident response can be accomplished using frequently updated, cutting-edge open source tools.
- Advanced Use of the SIFT Workstation in investigations
- Investigating the Advanced Persistent Threat (APT), Organized Crime Hackers, and Hacktivists
- Hacker/Breach investigations, intrusion analysis, and advanced investigative strategies
- Advanced computer forensics methodology
- In-depth Windows FAT and exFAT file system examination
- In-depth Windows NTFS file system examination
- Remote and complex forensic acquisition/analysis tactics
- Advanced memory acquisition and analysis
- Live response and volatile evidence collection
- System restore points and Volume Shadow Copy Exploitation
- File System Timeline Analysis
- Super Timeline Analysis
- File system and data layer examination
- Metadata and file name layer examination
- File sorting and hash comparisons
- Advanced file recovery
- Discovering unknown malware on a host
- Recovering key Windows files
- Indicators of compromise development and usage
- Step-by-Step methodologies to investigate intrusion cases
|FOR508.1: Windows File Systems - In-Depth|
Incident responders should be armed with the latest tools, memory analysis techniques, and enterprise scanning methodologies in order to identify, track, and contain advanced adversaries, and to remediate incidents. Incident response and forensic analysts must be able to scale their examinations from the traditional one analyst per system toward one analyst per 1,000 or more systems. Enterprise scanning techniques are now a requirement to track targeted attacks by an APT group or crime syndicate that propagate through thousands of systems.
CPE/CMU Credits: 6
SIFT Workstation overview
Incident response and digital forensics methodology
File system essentials
Windows FAT and exFAT file systems in-depth
Windows NTFS file systems in-depth
Section 1 exercises
|FOR508.2: Incident Response and Memory Analysis|
Intrusion investigators must be armed with the latest in incident response tools, volatile/memory analysis, and enterprise acquisition methodologies in order to track advanced adversaries. The section starts with advanced acquisition techniques, teaching you how to acquire system memory and volatile data and how to create live images from remote systems. Forensic analysts responding to enterprise intrusions must be able to scale their examinations from the traditional one analyst per machine to one analyst per 1,000 machines. Enterprise techniques are now a requirement to quickly track advanced adversaries through thousands of machines. This is simply not something that can be accomplished using standard forensic examination techniques.
Memory forensics has come a long way in just a few years. It can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware. While traditionally the sole domain of Windows internals experts, recent tools now make memory analysis feasible for anyone. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. This section will introduce some of the newest free tools available and give you a solid foundation in adding core and advanced memory forensic skills to your security armory.
CPE/CMU Credits: 6
Windows Live Response
Mounting images for examinations
Remote and enterprise forensic examinations
Section 2 exercises
|FOR508.3: Timeline Analysis|
Timeline analysis will change the way you approach digital forensics... forever.
Learn advanced analysis techniques uncovered via timeline analysis directly from the analysts who pioneered timeline analysis tradecraft. Temporal data is located everywhere on a computer system. Filesystem modified/access/creation/change times, log files, network data, registry data, and Internet history files all contain time data that can be correlated into a single analysis to successfully solve cases. Pioneered by Rob Lee in 2001, timeline analysis has become a critical investigative technique for solving complex cases. New timeline analysis frameworks provide the means to conduct simultaneous examinations of a multitude of time-based artifacts. Analysis that once took days now takes hours.
Over the past 3 years, a renaissance has occurred in tool development for timeline analysis. SANS has spearheaded research and development by sponsoring some of the newly created tools, such as log2timeline. As a result of these developments, many professionals now turn to timeline analysis as one of their core tools and capabilities. This section will step you through the two primary methods of creating and analyzing timelines in advanced cases. Exercises will not only show each analyst how to create a timeline, but also introduce key methods for using timelines effectively in their cases.
CPE/CMU Credits: 6
Timeline analysis overview
Filesystem timeline creation and analysis
Super timeline creation and analysis
Section 3 exercises
|FOR508.4: Filesystem Forensic Analysis|
A major criticism of digital forensic professionals is that many tools simply require a few mouse clicks to have the tool automatically recover data as evidence. This "push button" mentality has led to many inaccurate case results in the past few years including high profile cases such as the Casey Anthony murder trial.
You will stop being reliant on "push button" forensic techniques as we cover how the engines of digital forensic tools really work. To understand how to carve out data, it is best to learn how to do it by hand and then see how automated tools should be able to recover the same data. You will learn how to perform string searches for specific residue from a file and learn multiple ways to recover the file data across the layers of the filesystem. If a file or registry key has been wiped or deleted, this section shows how to use Windows historical artifacts found in Volume Shadow Copies or Restore Points to recover key pieces of data that no longer exist on the live system.
This section will provide an in-depth look at file-based and stream-based file extraction using the Sleuthkit, Foremost, and Bulk Extractor. These three complementary software packages are a reliable set of tools useful for analyzing forensic evidence from multiple file systems, including Windows NTFS and FAT.
CPE/CMU Credits: 6
Windows XP Restore Point Analysis
Windows Vista, Windows 7, and Server 2008 Volume Shadow Copy analysis
Stream-based data recovery
Filesystem-based data recovery
Data recovery layer examinations
Metadata layer examinations
Filename layer examinations
File sorting and hash comparisons
Section 4 exercises
|FOR508.5: Intrusion Analysis|
The adversaries are good; we must be better.
Over the years, we have observed that many incident responders have a challenging time finding malware without effective Indicators of Compromise (IOCs) or threat intelligence gathered prior to a breach. This is especially true in APT intrusions.
During this advanced session we will demonstrate techniques used by first responders to discover malware or forensic artifacts when very little information exists about their capabilities or hidden locations. We will discuss techniques to help narrow the possibilities down to the candidates most likely to be malware hiding on the system.
This section concludes with a step-by-step approach on how to handle some of the most difficult types of investigations. You will learn the best ways to approach intrusion and spear phishing attacks. You will understand locations you can examine to determine if file wiping occurred. You will discover techniques to prove that privacy clearing software was utilized. Regardless of the actions hackers might take, they will always leave something that can be traced. This discussion will solidify your new skills into a working attack plan to solve these difficult cases.
Part 2 - Computer Investigative Law for Forensic Analysis
As a team lead, you will need to know where legal land mines might exist. This half day of material focuses on what you must know before beginning any digital forensic investigation to protect you and your team.
Legal issues, especially liability, remain foremost in the minds of an incident handler or forensic investigator. Therefore, this section has more discussion than any other we offer. Learn to investigate incidents while minimizing the risk for legal trouble. This course is designed not for management, but for the Digital Forensic and Incident Response team leaders in charge of an investigation. The content focuses on challenges that every lead investigator needs to understand before, during, and post investigation. Since many investigations can end up in a criminal or civil courtroom, it is essential to understand how to perform a computer-based investigation legally and ethically.
We will confront many of the legal myths that have caused you to hesitate when developing your incident handling procedures and pursuing incidents. You will also gain a realistic perspective on the strengths and limitations of law enforcement assistance in the investigation of incidents and the prosecution of attackers. Written by one of the foremost computer crime lawyers, the information presented provides an essential legal foundation for professionals managing or working in incident handling teams around the world.
CPE/CMU Credits: 6
Step-by-step finding unknown malware
Anti-Forensics detection methodologies
Methodology to analyze and solve challenging cases
Section 5 exercises
Who can investigate and investigative process laws
Evidence acquisition/analysis/preservation laws and guidelines
Laws investigators should know
Forensic reports and testimony
|FOR508.6: The Intrusion Forensic Challenge|
Put your new skills to the test during the end of the week capstone investigation called the Intrusion Forensic Challenge.
This brand new exercise created in 2012 brings together some of the most exciting techniques learned earlier in the week and tests your new skills in a case that simulates an attack by an advanced adversary such as the APT. The entire course culminates in this intrusion into a real enterprise environment consisting of multiple Windows systems. You will be asked to uncover how the systems were compromised in the initial intrusion, find other systems the adversary moved to laterally, and identify intellectual property stolen via data exfiltration. You will walk out of the course with hands-on experience investigating realistic scenarios put together by a cadre of individuals with many years of experience fighting advanced threats such as the APT.
CPE/CMU Credits: 6
The Intrusion Forensic Challenge
Section 6 exercises
!! BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!
A properly configured computer system is required for each student participating in this course. Before coming to class, download the forensic installation document, which describes in detail the steps to follow to complete the installation. If you do not carefully read and follow these instructions exactly, you are guaranteed to leave the course unsatisfied, since you will not be able to accomplish many of the in-class exercises.
You will use VMware with preconfigured virtual forensic workstations that will enable you to perform hands-on analysis during class. You must download and install VMware Workstation 7, VMware Fusion 4.0, or VMware Player 4.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download.
Due to the hard drive space and processing requirements for the lab exercises, students should bring a laptop meeting the mandatory laptop requirements listed below in order to get the most out of the course.
MANDATORY LAPTOP REQUIREMENTS:
INSTALL THE FOLLOWING:
Install the following on your host Windows machine
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
|Who Should Attend|
Students should consider attending FOR408: Computer Forensic Investigations - Windows In-Depth prior to taking this course. A good assessment of the desired knowledge suggested for FOR508 can be found in the FOR408 Assessment Test. A score of 70% or higher on the FOR408 Assessment Test represents the ideal knowledge base recommended for FOR508.
|What You Will Receive|
Free SANS Investigative Forensic Toolkit (SIFT) Advanced
As a part of this course you will receive the SANS Investigative Forensic Toolkit (SIFT) Advanced.
The SIFT Advanced Toolkit consists of: