Amsterdam September 2021

Amsterdam, Netherlands | Mon, Sep 6 - Tue, Sep 14, 2021

DFIR NetWars Tournament

For those learning to become a fireman, it is hard to learn how to fight a fire by simply reading a book. You need to battle an actual fire in order to gain the experience needed so when you are fighting the real thing you know what to do.

Incident response and digital forensics have the same challenge. Typically, expertise and proficiency, such as "muscle memory," are developed the hard way, only when an incident occurs. Having your team make common mistakes during an incident is unacceptable. A single mistake might place your organization at a greater risk. DFIR NetWars Tournament is unique in that it provides time-limited challenges that can be used to test the skills you've mastered and, at the same time, help you identify the skills you are missing.

SANS DFIR NetWars Tournament is an incident simulator packed with a vast amount of forensic and incident response challenges, for individual or team-based "firefights." It is developed by incident responders and forensic analysts who use these skills daily to stop data breaches and solve complex crimes. DFIR NetWars Tournament allows each player to progress through multiple skill levels of increasing difficulty, learning first-hand how to solve key challenges they might experience during a serious incident. DFIR NetWars Tournament enables players to learn and sharpen new skills prior to being involved in a real incident.

Challenge yourself before the enemy does - SANS DFIR NetWars Tournament

DFIR NetWars Tournament Room

DFIR NetWars Tournament Topics:

DFIR NetWars Tournament is packed with challenges covering host forensics, network forensics, and malware and memory analysis. Each NetWars Tournament level is designed to not only exercise an individual's capabilities to solve a particular problem, but teach them proper analysis techniques regardless of the toolset they use. SANS DFIR NetWars Tournament is unique as it truly tests a blue team's capabilities to perform in real-world situations by solving a series of unique challenges commonly found during major incidents. DFIR NetWars Tournament also helps organizations evaluate performance and identify areas where their response teams might need to obtain additional knowledge.

How DFIR NetWars Tournament works:

Each player signs into the NetWars environment, where they will answer multiple levels of questions about an incident. We provide multiple evidence files to answer the questions from: system, network, memory, and malware samples.

Answer a question right - you will earn points on the DFIR NetWars Tournament scoreboard.

Answer a question wrong - you will get points deducted after the second incorrect answer on the same question.

Don't know where to start, or need a refresher? Request a series of hints to guide your analysis.

Each player can observe their ranking compared to other players. The player with the highest score at the end of DFIR NetWars Tournament wins.

DFIR NetWars Tournament Sample Questions - Level 1

DFIR NetWars Tournament Sample Questions - Level 3

DFIR NetWars Tournament Scoreboard

How to Level Up in DFIR NetWars Tournament:

Players progress through the levels by answering questions and earning points. The next level will unlock after a number of points is obtained. The points are cumulative across all levels. The better you do on one level, the quicker the next one will open itself up. There are currently five levels in DFIR NetWars Tournament. Levels 1 and 2 are designed to be approachable by those completely new to forensics and include hints that will not only help answer the questions, but teach the players specific techniques as they progress. The upper levels are meant to challenge you and expose where your skills need more work.

The DFIR NetWars Tournament Tool Armory:

It is not the tool that makes a good forensicator, but being able to apply the tool or technique at the right time and under the right conditions to accurately solve critical challenges. We allow participants to bring any toolset or capability to our challenge. Challenge answers should not change if you utilize a different tool to solve them. That is one of the things that makes SANS DFIR NetWars Tournament truly special -- we test the skills of the analyst and not their ability to navigate a specific toolset. If you do not bring your own tools, SANS DFIR NetWars Tournament will provide you with the SIFT Workstation, a free collection of tools that can be used to solve every challenge in the game.

Laptop Requirements

  • CPU: 64-bit Intel i5/i7 (4th generation or newer), x64 2.0+ GHz processor or more recent. (Important - Please Read: a 64-bit system processor is mandatory for this class.)
  • It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx". Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
  • 16 GB (gigabytes) of RAM or higher is mandatory for this class. (Important - Please Read: 16 GB of RAM is the mandatory minimum.)
  • USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. (A Type-C to Type-A adapter may be necessary for newer laptops.) (Note: Some endpoint protection software prevents the use of USB devices - test your system with a USB drive before class to ensure you can load the course data.)
  • 200 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs and data sets we distribute
  • Local Administrator Access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • Wireless 802.11 Capability - there are no wired networks in the classroom.
  • Host Operating System: Latest version of Windows 10 or macOS 10.15.x
  • On Windows hosts, VMware products cannot coexist with the Hyper-V hypervisor. Disable Hyper-V and ensure VMware can boot a virtual machine. Disabling Hyper-V, Device Guard, and Credential Guard can be accomplished using these instructions.
  • Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
  • Linux hosts cannot be supported in the classroom due to their numerous variations. Students that wish to use Linux hosts must be experienced users or administrators, and must also be able to access ExFAT partitions using the appropriate kernel and/or FUSE modules.

Schedule

  • Thu Sep 9th, 2021: 6:30 PM - 9:30 PM
  • Fri Sep 10th, 2021: 6:30 PM - 9:30 PM