FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

GIAC Network Forensic Analyst (GNFA)
  • In Person (6 days)
  • Online
36 CPEs
Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. SANS FOR572 covers the tools, technology, and processes required to integrate network evidence sources into your investigations to provide better findings, and to get the job done faster.
Course Authors:

What You Will Learn

Take your system-based forensic knowledge onto the network. Incorporate network evidence into your investigations, provide better findings, and get the job done faster.

It is exceedingly rare to work any forensic investigation that doesn't have a network component. Endpoint forensics will always be a critical and foundational skill for DFIR professionals but overlooking their network communications is like ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent, uncover attackers that have been active for months or longer, or may even prove useful in definitively proving a crime actually occurred.

FOR572: ADVANCED NETWORK FORENSICS: THREAT HUNTING, ANALYSIS AND INCIDENT RESPONSE was designed to cover the most critical skills needed for the increased focus on network communications and artifacts in today's investigative work, including numerous use cases. Many investigative teams are incorporating proactive threat hunting to their skills in which existing evidence is used with newly acquired threat intelligence to uncover evidence of previously unidentified incidents. Others focus on post-incident investigations and reporting. Still others engage with an adversary in real time, seeking to contain and eradicate the attacker from the victim's environment. In these situations and more, the artifacts left behind from attackers' communications can provide an invaluable view into their intent, capabilities, successes, and failures.

In FOR572, we focus on the knowledge necessary to examine and characterize communications that have occurred in the past or continue to occur. Even if the most skilled remote attacker has compromised a system with an undetectable exploit, the system must still communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: bad actors are talking - we'll teach you to listen.

This course covers the investigative tools, techniques, and procedures required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high level NetFlow analysis, low-level pcap-based dissection, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is underway.

Whether you are a consultant responding to a client's site, a law enforcement professional assisting cybercrime victims and seeking prosecution of those responsible, an on-staff forensic practitioner, or a dedicated threat hunter, this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. Those with existing endpoint-based DFIR experience can take their existing operating system or device knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.

Most of FOR572's hands-on labs have been developed in conjunction with the authors of FOR508, Advanced Incident Response, Threat Hunting, and Digital Forensics. In these shared scenarios, you'll quickly see why a hybrid approach to forensic examination that includes both host and network artifacts is ideal. Although our primary focus is on the network side of that equation, we will point out areas where the host perspective could provide additional context or where the network perspective gives deeper insight. Both former and future FOR508 students will appreciate the nexus between these extensive evidence sets.

The hands-on labs in this class cover a wide range of tools and platforms, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, tcpflow, and more. Newly added tools in the course include the free and open-source SOF-ELK® platform - a VMware appliance pre-configured with the Elastic stack and tailored to DFIR and security operations workflows. This "big data" platform includes the Elasticsearch storage and search database, the Logstash ingest and parsing engine, and the Kibana graphical dashboard interface. Together with the custom SOF-ELK® configuration files, the platform gives forensicators a ready-to-use platform for log and NetFlow analysis. For full-packet analysis and hunting at scale, the free and open-source Arkime platform is also covered and used in a hands-on lab. Through all the in-class labs, shell scripting skills are highlighted as quick and easy ways to rip through hundreds of thousands or even millions of data records.

FOR572 is an advanced course - we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, full-stack networking knowledge (from the physical medium all the way up to user-facing services), Linux shell utilities, and everything in between. They will all benefit you throughout the course material as you FIGHT CRIME. UNRAVEL INCIDENTS...ONE BYTE (OR PACKET) AT A TIME.

You Will Be Able To

  • Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
  • Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
  • Reverse engineer custom network protocols to identify an attacker's command-and-control abilities and actions
  • Decrypt captured SSL/TLS traffic to identify attackers' actions and what data they extracted from the victim
  • Use data from typical network protocols to increase the fidelity of the investigation's findings
  • Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
  • Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
  • Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
  • Learn how attackers leverage meddler-in-the-middle tools to intercept seemingly secure communications
  • Examine proprietary network protocols to determine what actions occurred on the endpoint systems
  • Analyze wireless network traffic to find evidence of malicious activity
  • Use scripting techniques to scale analysis to an arbitrarily large collection of evidence
  • Apply the knowledge you acquire during the week in a full-day capstone lab, modeled after real-world nation-state intrusions and threat actors

Course Topics

  • Packet capture applications and data
    • Unique considerations for network-focused forensic processes
    • Network evidence types and sources
    • Network architectural challenges and opportunities for investigators
    • Investigation OPSEC and footprint considerations
  • Network protocol analysis
    • Hypertext Transfer Protocol (HTTP)
    • Domain Name Service (DNS)
    • File Transfer Protocol (FTP)
    • Server Message Block (SMB) and related Microsoft protocols
    • Simple Mail Transfer Protocol (SMTP)
  • Commercial network forensic tools
  • Automated tools and libraries
  • NetFlow
    • Introduction
    • Collection approaches
    • Open-source NetFlow tools
  • Wireless networking
    • Capturing wireless traffic
    • Useful forensic artifacts from wireless traffic
    • Common attack methods and detection
  • Log data to supplement network examinations
    • Syslog
    • Microsoft Windows Event Forwarding
    • HTTP server logs
    • Network Security Monitoring (NSM) platforms
    • Log collection, aggregation, and analysis
    • Web proxy server examination
  • Encryption
    • Transport Layer Security (TLS)
    • Profiling TLS clients without interception
    • Meddler-in-the-middle and TLS interception
  • Deep packet work
    • Network protocol reverse engineering
    • Payload reconstruction

Business Takeaways

  • Round out your team's investigations to include network perspectives inherent in all environments
  • Build baselines that can be used to proactively identify malicious activity early in a compromise, before large-scale damage is done
  • Provide additional value for existing network data collections that support existing operational requirements
  • Ensure critical observations from the network are not overlooked in proactive hunting or post-compromise IR actions

"I feel like the last week has been a massive eye-opener into what extra information I can now use in my forensic investigations." - Will B.

What You Will Receive

  • Custom distribution of the Linux SANS SIFT Workstation Virtual Machine with over 500 digital forensics and incident response tools prebuilt into the environment, including network forensic tools added just for this course
  • SOF-ELK® Virtual Machine - a custom distribution of the publicly available appliance running the ELK stack and the course author's custom set of configurations and dashboards. The VM is preconfigured to ingest syslog logs, HTTPD logs, and NetFlow, and will be used during the class to help students wade through the hundreds of millions of records they are likely to encounter during a typical investigation
  • Arkime Virtual Machine - a standalone VM running the free Arkime platform. Arkime ingests and indexes live network data or pcap files, providing a platform that makes full-packet analysis attainable
  • Realistic case data to examine during class, from multiple sources including:
    • NetFlow data
    • Web proxy, firewall, and intrusion detection system logs
    • Network captures in pcap format
    • Network service logs
  • Electronic downloadable package loaded with case examples, tools, and documentation

Syllabus (36 CPEs)

  • Overview

    Although many fundamental network forensic concepts align with those of any other digital forensic investigation, the network presents many nuances that require special attention. Today you will learn how to apply what you already know about digital forensics and incident response to network-based evidence. You will also become acclimated to the basic tools of the trade.

    Network data can be preserved, but only if captured or documented while in transit. Whether tactical or strategic, packet capture methods are quite straightforward. While we will use packet capture evidence to explore useful network artifacts in their original form, long-term full-packet capture is still uncommon in most environments. Therefore, many artifacts that can tell us about what happened on the wire in the past come from devices that manage network functions. You will learn about what kinds of devices can provide valuable evidence and at what level of granularity. We will walk through collecting evidence from one of the most common sources of network evidence - a web proxy server - then you'll go hands-on to find and extract stolen data from the proxy.
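The proxy walk-through above centers on the Squid access log. The following is an added example, not part of the course materials or of Squid itself: it parses a handful of constructed native-format (`squid` logformat) lines and summarizes outbound POST activity per client and destination, the kind of first-pass triage an examiner does before pulling cache objects. Note that the size field in Squid's default format is the reply size sent to the client, not the request body, so measuring upload volume needs a custom logformat that records request bytes (`%>st`); this example therefore counts requests rather than bytes.

```python
"""Summarize outbound POST activity from Squid native-format access.log lines.

Added example, not part of FOR572 or Squid. SAMPLE_LOG is constructed; the
field layout follows Squid's default "squid" logformat:
timestamp elapsed client action/status reply-size method URL user hierarchy/peer content-type
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1700000000.123    210 10.10.1.23 TCP_MISS/200 1024 GET http://intranet.example.test/index.html - HIER_DIRECT/10.10.0.5 text/html
1700000005.456     95 10.10.1.23 TCP_MISS/200 312 POST https://drop.example.test/upload - HIER_DIRECT/203.0.113.10 application/json
1700000006.001     87 10.10.1.23 TCP_MISS/200 298 POST https://drop.example.test/upload - HIER_DIRECT/203.0.113.10 application/json
1700000007.789    120 10.10.1.23 TCP_MISS/200 305 POST https://drop.example.test/upload - HIER_DIRECT/203.0.113.10 application/json
1700000010.000    400 10.10.1.77 TCP_MISS/200 54321 GET https://cdn.example.test/lib.js - HIER_DIRECT/198.51.100.7 application/javascript
1700000011.250     60 10.10.1.77 TCP_DENIED/403 3800 POST https://drop.example.test/upload - HIER_NONE/- text/html
1700000012.000   5000 10.10.1.90 TCP_TUNNEL/200 7800 CONNECT drop.example.test:443 - HIER_DIRECT/203.0.113.10 -
malformed line that should be skipped
"""


def parse_line(line):
    """Parse one native-format line into a dict; return None if it does not fit."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
        elapsed_ms = int(fields[1])
        action, status = fields[3].split("/", 1)
        reply_bytes = int(fields[4])
        hierarchy, peer = fields[8].split("/", 1)
    except ValueError:
        return None
    return {
        "time": ts, "elapsed_ms": elapsed_ms, "client": fields[2],
        "action": action, "status": int(status) if status.isdigit() else None,
        "reply_bytes": reply_bytes, "method": fields[5], "url": fields[6],
        "user": fields[7], "hierarchy": hierarchy, "peer": peer,
        "content_type": fields[9],
    }


def parse_log(text):
    """Parse all lines, silently dropping ones that do not match the format."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def destination_host(rec):
    """CONNECT requests log host:port with no scheme; everything else is a full URL."""
    if rec["method"] == "CONNECT":
        return rec["url"].rsplit(":", 1)[0]
    return urlsplit(rec["url"]).hostname


def post_summary(records):
    """Count POSTs per (client, destination host) with status breakdown and time span."""
    summary = defaultdict(lambda: {"count": 0, "statuses": Counter(), "first": None, "last": None})
    for r in records:
        if r["method"] != "POST":
            continue
        s = summary[(r["client"], destination_host(r))]
        s["count"] += 1
        s["statuses"][r["status"]] += 1
        s["first"] = r["time"] if s["first"] is None else min(s["first"], r["time"])
        s["last"] = r["time"] if s["last"] is None else max(s["last"], r["time"])
    return dict(summary)


def flag_repeated_posts(records, threshold=3):
    """Return (client, host, count) for client/host pairs with at least `threshold` POSTs."""
    return sorted((c, h, s["count"]) for (c, h), s in post_summary(records).items()
                  if s["count"] >= threshold)


if __name__ == "__main__":
    for client, host, count in flag_repeated_posts(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: {count} POST requests")
```

Run against a real access.log by reading the file into `parse_log`; the threshold and the POST-only filter are starting points to tune per environment, and the same summary keyed on `content_type` or `status` often surfaces the denied-then-tunnelled pattern visible in the last two sample lines.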

    Exercises
    • tcpdump and Wireshark Hands-On (Bonus lab)
    • Proxy Log and Cache Analysis (Walk-through)
    • Carve Exfiltrated Data
    Topics
    • Evaluating Web Proxy Data
      • Role of a web proxy
      • Proxy solutions - commercial and open-source
      • Squid proxy server
      • Configuration
        • Logging
        • Automated analysis
        • Cache extraction
    • Network Evidence Acquisition
      • Three core types: full-packet capture, logs, NetFlow
      • Capture devices: switches, taps, Network Packet Brokers, Layer 7 sources, NetFlow
      • Planning to capture: strategies; commercial and home-built platforms
    • Network Challenges and Opportunities
      • Challenges provided by a network environment
      • Future trends that will affect network forensics
    • Hypertext Transfer Protocol (HTTP) Part 1: Protocol
      • Forensic value
      • Request/response dissection
      • Useful HTTP fields
      • HTTP tracking cookies
      • HTTP/2 and HTTP/3 differences
      • Artifact extraction
  • Overview

    Exercises
    • HTTP Profiling
    • DNS Profiling, Anomalies, and Scoping
    • SOF-ELK Log Aggregation and Analysis
    Topics
    • Hypertext Transfer Protocol (HTTP) Part 2: Logs
      • Log formats
      • Expanded mod_forensic logging
      • Analysis methods
    • Domain Name Service (DNS): Protocol and Logs
      • Architecture and core functionality
      • Fast flux and domain name generation algorithms (DGAs)
      • Logging methods and formats
      • DNS evolution and adaptations
    • Forensic Network Security Monitoring (NSM)
      • NSM's emergence from Intrusion Detection Systems (IDSs)
      • Zeek NSM platform
        • Proactive/live use case
        • Post-incident DFIR use case
        • Logs created and formats used
      • JSON parsing with the "jq" utility
      • Community-ID flow hash value
    • Logging Protocols and Aggregation
      • Syslog
        • Dual role: server and protocol
        • Source and collection platforms
        • Event dissection
        • rsyslog configuration
      • Microsoft Windows Event Forwarding
        • Deployment model and capabilities
        • Windows Event Forwarding
        • Architecture
        • Analysis mode
      • Log Data Collection, Aggregation, and Analysis
        • Benefits of aggregation: scale, scope, independent validation, efficiency
        • Known weaknesses and mitigations
        • Evaluating a comprehensive log aggregation platform
    • Elastic Stack and the SOF-ELK® Platform
      • Basics and pros/cons of the Elastic stack
      • SOF-ELK®
        • Inputs
        • Log-centric dashboards
        • Use as a data exploration platform
  • Overview

    Network connection logging, commonly called NetFlow, may be the single most valuable source of evidence in network investigations. Many organizations have extensive archives of flow data due to its minimal storage requirements. Since NetFlow does not capture any content of the transmission, many legal issues with long-term retention are mitigated. Even without content, NetFlow provides an excellent means of guiding an investigation and characterizing an adversary's activities from pre-attack through operations. Whether for moving within a victim's environment or for data exfiltration, adversaries must move their quarry around through the use of various file access protocols. By knowing some of the more common file access and transfer protocols, a forensicator can quickly identify an attacker's theft actions.

    Just as even a fuzzy photo can provide valuable leads in a traditional investigation, NetFlow data can provide a network forensicator with extremely high-value intelligence about network communications. The key to extracting that value is in knowing how to use NetFlow evidence to drive more detailed investigative activities.

    NetFlow is also an ideal technology to use in baselining typical behavior of an environment, and therefore, deviations from that baseline that may suggest malicious actions. Threat hunting teams can also use NetFlow to identify prior connections consistent with newly identified suspicious endpoints or traffic patterns.

    In this section, you will learn the contents of typical NetFlow protocols, as well as common collection architectures and analysis methods. You'll also learn how to distill full-packet collections to NetFlow records for quick initial analysis before diving into more cumbersome pcap files.

    You'll then examine the File Transfer Protocol, including how to reconstruct specific files from an FTP session. While FTP is commonly used for data exfiltration, it is also an opportunity to refine protocol analysis techniques, due to its multiple-stream nature.

    Lastly, you'll explore a variety of the network protocols unique to a Microsoft Windows or Windows-compatible environment. Significant time will be spent exploring the SMB protocol, used for file transfers and countless other purposes in a Microsoft Windows domain structure. Attackers frequently use these protocols to "live off the land" within the victim's environment. By using existing and expected protocols, the adversary can hide in plain sight and avoid deploying malware that could tip off the investigators to their presence and actions.
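This section's overview describes distilling full-packet collections into flow records and using those records for baselining, and the preceding section's topic list names the Community-ID flow hash. The following added example (not course material, not code from the nfdump or Zeek projects) ties those together: it folds a constructed list of packet 5-tuples into bidirectional flow records keyed by Community ID v1 as published in the spec (seed, canonically ordered endpoints, protocol, pad byte, ports, SHA-1, base64), then compares one flow set against a baseline to surface client/server pairs never seen before. In a real workflow the packet tuples would come from a pcap via tshark or a decoder library; ICMP's type/code mapping from the spec is left out for brevity.

```python
"""Distil packet records into flow records keyed by Community ID, then diff against a baseline.

Added example, not part of FOR572 or any flow tool's code base. PACKETS is a
constructed stand-in for 5-tuples decoded from a pcap.
"""
import base64
import hashlib
import ipaddress
import struct
from collections import OrderedDict

PROTO_TCP, PROTO_UDP = 6, 17


def community_id(proto, saddr, sport, daddr, dport, seed=0):
    """Community ID v1 for TCP/UDP: '1:' + base64(sha1(seed|addrs|proto|pad|ports))."""
    sa = ipaddress.ip_address(saddr).packed
    da = ipaddress.ip_address(daddr).packed
    # Canonical ordering so both directions of a conversation produce the same ID
    if not (sa < da or (sa == da and sport < dport)):
        sa, da, sport, dport = da, sa, dport, sport
    data = struct.pack("!H", seed) + sa + da + struct.pack("!BBHH", proto, 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# (timestamp, src, sport, dst, dport, proto, bytes) -- constructed sample packets
PACKETS = [
    (1.000, "10.0.0.5", 51000, "203.0.113.10", 443, PROTO_TCP, 74),
    (1.050, "203.0.113.10", 443, "10.0.0.5", 51000, PROTO_TCP, 74),
    (1.100, "10.0.0.5", 51000, "203.0.113.10", 443, PROTO_TCP, 1200),
    (1.150, "203.0.113.10", 443, "10.0.0.5", 51000, PROTO_TCP, 60),
    (2.000, "10.0.0.5", 40000, "10.0.0.53", 53, PROTO_UDP, 80),
    (2.020, "10.0.0.53", 53, "10.0.0.5", 40000, PROTO_UDP, 160),
    (5.000, "10.0.0.9", 52222, "198.51.100.4", 8443, PROTO_TCP, 74),
]


def build_flows(packets):
    """Aggregate packets into bidirectional flows; the first-seen source is the client."""
    flows = OrderedDict()
    for ts, src, sport, dst, dport, proto, size in packets:
        cid = community_id(proto, src, sport, dst, dport)
        f = flows.get(cid)
        if f is None:
            f = flows[cid] = {
                "id": cid, "client": src, "server": dst, "dport": dport, "proto": proto,
                "first": ts, "last": ts, "packets": 0, "bytes_out": 0, "bytes_in": 0,
            }
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
        f["packets"] += 1
        if src == f["client"]:
            f["bytes_out"] += size   # client -> server direction
        else:
            f["bytes_in"] += size    # server -> client direction
    return list(flows.values())


def new_server_pairs(baseline_flows, current_flows):
    """(client, server, dport, proto) tuples present now but absent from the baseline."""
    key = lambda f: (f["client"], f["server"], f["dport"], f["proto"])
    known = {key(f) for f in baseline_flows}
    return sorted({key(f) for f in current_flows} - known)


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for f in flows:
        print(f"{f['id']} {f['client']} -> {f['server']}:{f['dport']} "
              f"pkts={f['packets']} out={f['bytes_out']} in={f['bytes_in']} "
              f"dur={f['last'] - f['first']:.3f}s")
    # Treat the first six packets as yesterday's baseline and flag what is new
    print("new pairs:", new_server_pairs(build_flows(PACKETS[:6]), flows))
```

Because the Community ID is direction-independent and shared by Zeek, Arkime, Suricata and others, the same string lets you pivot from a flow record here to the matching connection log or indexed session elsewhere. The baseline comparison is deliberately simple; in practice it is run over days of flow data with the pair set persisted, and the `bytes_out`/`bytes_in` ratio is the next field to watch for outbound-heavy flows.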

    Exercises
    • Visual NetFlow Analysis with SOF-ELK®
    • Tracking Lateral Movement with NetFlow
    • nfcapd Data Consolidation and Reduction (Bonus lab)
    • SMB Session Analysis & Reconstruction
    Topics
    • NetFlow Collection and Analysis
      • Origins and evolution
      • NetFlow v5 and v9 protocols
      • Architectural components
      • NetFlow artifacts useful for examining encrypted traffic
    • Open-Source Flow Tools
      • Using open-source tool sets to examine NetFlow data
      • nfcapd, nfpcapd, and nfdump
      • SOF-ELK®: NetFlow ingestion and dashboards
    • File Transfer Protocol (FTP)
      • History and current use
      • Shortcomings in today's networks
      • Capture and analysis
      • File extraction
    • Microsoft Protocols
      • Architecture and capture positioning
      • Exchange/Outlook
      • Server Message Block (SMB)
  • Overview

    Commercial tools are an important part of a network forensicator's toolkit. We'll discuss the benefits specific commercial tools may provide, as well as how they may best be integrated into an investigative workflow. With the runaway adoption of wireless networking, investigators must also be prepared to address the unique challenges this technology brings to the table. However, regardless of the protocol being examined or budget used to perform the analysis, having a means of exploring full-packet capture is a necessity, and having a toolkit to perform this at scale is critical.

    Commercial tools hold clear advantages in some situations a forensicator may typically encounter. Most commonly, this centers on scalability. Many open-source tools are designed for tactical or small-scale use. Whether using them for large-scale deployments or for specific niche functionalities, these tools can immediately address many investigative needs.

    Additionally, we will address the forensic aspects of wireless networking. We will cover similarities with and differences from traditional wired network examinations, as well as what interesting artifacts can be recovered from wireless protocol fields. Some inherent weaknesses of wireless deployments will also be covered, including how attackers can leverage those weaknesses during an attack and how they can be detected.

    Finally, we will look at methods that can improve at-scale hunting from full-packet captures, even without commercial tooling. We will look at the open-source Arkime platform and how it can be used in live and forensic workflows. You'll receive a ready-to-use Arkime virtual machine and load source data from an incident we previously investigated, seeking additional clarity from the previously captured full-packet data.

    Exercises
    • Automated Extraction with NetworkMiner
    • Scaling With pcap_iterator.sh
    • Using Command-Line Tools for Analysis (Bonus lab)
    • Network Forensic Analysis Using Arkime
    Topics
    • Simple Mail Transfer Protocol (SMTP)
      • Lifecycle of an email message
      • Artifacts embedded along the delivery pathway
      • Adaptations and extensions
    • Object Extraction with NetworkMiner
      • Value of commercial tools in a DFIR workflow
      • NetworkMiner
        • Capabilities and user interface
        • Use cases for object extraction
        • Limitations and mitigations
    • Wireless Network Forensics
      • Translating analysis of wired networks to the wireless domain
      • Capture methodologies: hardware and software
      • Useful protocol fields
      • Typical attack methodologies based on protection mechanisms
    • Automated Tools and Libraries
      • Common tools that can facilitate large-scale analysis and repeatable workflows
      • Libraries that can be linked to custom tools and solutions
      • Chaining tools together effectively
    • Full-Packet Hunting with Arkime
      • Arkime's architecture and use cases
      • Methods of ingesting packet data for DFIR workflows
      • Session awareness, filtering, typical forensic use cases
      • Raw packet searching with hunt jobs
      • Enrichment of extracted metadata
      • Custom decoding with CyberChef
  • Overview

    Advancements in common technology have made it easier to be a bad actor and harder for us to track them. Strong encryption methods are readily available and custom protocols are easy to develop and employ. Despite this, there are still weaknesses in the methods of even the most advanced adversaries. As we learn what the attackers have deliberately hidden from us, we must operate carefully to avoid tipping our hand regarding the investigative progress - or the attacker can quickly pivot, nullifying our progress.

    Encryption is frequently cited as the most significant hurdle to effective network forensics - for good reason. When properly implemented, encryption can be a brick wall between an investigator and critical answers. However, technical and implementation weaknesses can be used to our advantage. Even in the absence of these weaknesses, the right analytic approach to encrypted network traffic can still yield valuable information about the content. We will discuss the basics of encryption and how to approach it during an investigation. The section will also cover flow analysis to characterize encrypted conversations.

    We will also discuss undocumented protocols and the misuse of existing protocols for nefarious purposes. Specifically, we will address how to derive intelligence value with limited or nonexistent knowledge of the carrier protocol.

    Finally, we will look at how common missteps can provide the attacker with clear insight to the forensicator's progress. This often leads to the attacker changing their tactics, confounding the investigator, and even erasing all the progress made to that point. We'll address best practices on conducting investigations in a compromised environment and ways to share hard-earned intelligence that mitigate the risks involved.

    Exercises
    • TLS Profiling
    • Decrypting Forward Secrecy and Exploring HTTP/2
    • Undocumented Protocol Features
    • Mini-Comprehensive Investigation (Bonus lab)
    • Capstone Evidence Preparation (Bonus lab)
    Topics
    • Encoding, Encryption, and SSL/TLS
      • Encoding algorithms
      • Encryption algorithms
        • Symmetric
        • Asymmetric
      • Profiling SSL/TLS connections with useful negotiation fields
      • Analytic mitigation
      • Perfect forward secrecy
    • Meddler-in-the-Middle (MITM)
      • Malicious uses and their artifacts
      • Benevolent uses and associated limitations
      • Common MITM tools
    • Network Protocol Reverse Engineering
      • Using known protocol fields to dissect unknown underlying protocols
      • Pattern recognition for common encoding algorithms
      • Addressing undocumented binary protocols
      • Follow-on steps in an incident response context
    • Investigation OPSEC and Threat Intel
      • Operational Security
        • Basic analysis can tip off attackers
        • How to mitigate risk without compromising quality
      • Intelligence
        • Plan to share smartly
        • Protect intelligence to mitigate risks
    • Capstone Challenge Kickoff
  • Overview

    This section will combine all of what you have learned prior to and during this week. In groups, you will examine network evidence from a real-world compromise by an advanced attacker. Each group will independently analyze data, form and develop hypotheses, and present findings. No evidence from endpoint systems is available - only the network and its infrastructure.

    Students will test their understanding of network evidence and their ability to articulate and support hypotheses through presentations made to the instructor and class. The audience will include senior-level decision makers, so all presentations must include executive summaries as well as technical details. Time permitting, students should also include recommended steps that could help to prevent, detect, or mitigate a repeat compromise.

    Exercises
    • Capstone Lab
    Topics
    • Network Forensic Case
      • Analysis using only network-based evidence
        • Determine the original source of an advanced attacker's compromise
        • Identify the attacker's actions while in the victim's environment
        • Confirm what data the attacker stole from the victim
      • Reporting
        • Present executive-level summaries of your findings at the end of the day-long lab
        • Document and provide low-level technical backup for findings
        • Establish and present a timeline of the attacker's activities

GIAC Network Forensic Analyst

The GIAC Network Forensic Analyst (GNFA) certified professional has demonstrated the ability to perform advanced analysis of network forensic artifacts. The GNFA certification focuses on validating the skills required to understand the fundamental practice of network forensics, process and interpret normal and abnormal network activity and analyze application activity through system logs, network traffic captures and network metadata.

  • Network architecture, network protocols, and network protocol reverse engineering
  • Encryption and encoding, NetFlow analysis and attack visualization, security event & incident logging
  • Network analysis tools and usage, and open source network security proxies

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY FOR572 SYSTEM HARDWARE REQUIREMENTS

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64, 2.0+ GHz or faster processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 350GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

MANDATORY FOR572 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent you from accomplishing the labs in your course. Firewalls should be disabled, or you must have the administrative privileges to disable them.
  • Microsoft Office (any version) or OpenOffice installed on your host. Note that you can download Office Trial Software online (free for 30 days).
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Author Statement

"When I first became interested in computer and network security in the mid-1990s, the idea of "attacking" another computer network was still science fiction. Today, commercial, governmental, military, and intelligence entities have robust, integrated information security processes. Within the forensic community, we have seen developments that show the agility we must have to remain effective in the face of dynamic adversaries. Endpoint forensic practices will remain the keystone of digital forensics for the foreseeable future - this is where the events ultimately occur, after all.

"We created FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response to address the most transient domain of digital forensics. Many enterprises have grown to the scale that identifying which handful of endpoints to examine among thousands is a significant challenge. Additionally, the network has become its own medium for incident response and investigation. Our ability to use evidence from all kinds of network devices as well as from captured network data itself will be critical to our success in addressing threats today and tomorrow. From low-grade "script kiddie" attacks to long-term, strategic state-sponsored espionage activity, the network is one of the few common elements found throughout the life cycle of an incident. FOR572 will provide you with the tools and methods to conduct network investigations within environments of all sizes, using scenarios developed from real-world cases. You will finish the course with valuable knowledge that you will use the first day back on the job, and with the methodologies that will help address future generations of adversaries' capabilities." - Phil Hagen, SANS Fellow, Course Lead and Author

"Phil is probably one of the best instructors I've ever learned from. He's an excellent guy, smart, has a ton of relevant industry knowledge that he can bring in while teaching, and knows how to keep the content interesting." - Ronald B.

Register for FOR572

Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.
