Final days to save $150 on top-notch cyber security training at SANS Seattle Spring 2020! Register now.

Network Security 2012

Las Vegas, NV | Sun, Sep 16 - Mon, Sep 24, 2012
This event is over,
but there are more training opportunities.

FOR508: Advanced Computer Forensic Analysis and Incident Response New

Mon, September 17 - Sat, September 22, 2012

If you need to track down what happened in your environments, this is a must have course!

Fran Moniz, American National Insurance

I was surprised and amazed at how easy it is to do memory analysis and how helpful it is.

Brian Dugay, Apple

Updated Course / Content Notice

Brand New! Relaunch in 2012 - Entire course materials, exercises, and challenges fully updated to give students experience in investigating real-world advanced attacks and APT-like scenarios in a Windows Enterprise Environment. Don't miss the NEW FOR508!


Over the past two years, we have seen a dramatic increase in sophisticated attacks against nearly every type of organization. Economic espionage in the form of cyber-attacks, also known as the Advanced Persistent Threat (APT), has proven difficult to suppress. Attackers from Eastern Europe and Russia continue to steal credit card and financial data resulting in millions of dollars of losses. Hackivist groups attacking government and Fortune 500 companies are becoming bolder and more frequent.

Sophisticated hackers can advance rapidly through your network using advances in spear phishing, web application attacks, and custom malware. Incident Responders and Digital Forensic Investigators must master a variety of operating systems, investigative techniques, incident response tactics, and even legal issues in order to combat challenging intrusion cases across the enterprise.

Attackers will use anti-forensic techniques to hide their tracks. They use rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware to hide in plain sight and avoid detection by standard host-based security measures. Every action that adversaries make leaves a trace; you merely need to know where to look.

Our adversaries are good and getting better. Are we learning how to counter them? Yes we are. Learn how.

FOR508: Advanced Computer Forensic Analysis and Incident Response will give you the tools and techniques necessary to master advanced incident response, investigate data breach intrusions, find tech-savvy rogue employees, counter the Advanced Persistent Threat, and conduct complex digital forensic cases.

This course uses the popular SIFT Workstation to teach investigators how to investigate sophisticated crimes. SIFT contains hundreds of free and open source tools, easily matching any modern forensic tool suite. It demonstrates that advanced investigations and incident response can be accomplished using frequently updated, cutting-edge open source tools.



  • Advanced Use of the SIFT Workstation in investigations
  • Investigating the Advanced Persistent Threat (APT), Organized Crime Hackers, and Hackivists
  • Hacker/Breach investigations, intrusion analysis, and advanced investigative strategies
  • Advanced computer forensics methodology
  • In-depth Windows FAT and exFAT file system examination
  • In-depth Windows NTFS file system examination
  • Remote and complex forensic acquisition/analysis tactics
  • Advanced memory acquisition and analysis
  • Live response and volatile evidence collection
  • System restore points and Volume Shadow Copy Exploitation
  • File System Timeline Analysis
  • Super Timeline Analysis
  • File system and data layer examination
  • Metadata and file name layer examination
  • File sorting and hash comparisons
  • Advanced file recovery
  • Discovering unknown malware on a host
  • Recovering key Windows files
  • Indicators of compromise development and usage
  • Step-by-Step methodologies to investigate intrusion cases


Course Syllabus

Rob Lee
Mon Sep 17th, 2012
9:00 AM - 5:00 PM


File systems are the core to your understanding of computer forensics. As every forensic tool utilizes this knowledge, you will learn how hard drives are used to store data from the partitioning to how file systems work. Utilizing real-world intrusion scenarios, you will see how to respond to complex attacks and learn how data is stored on a variety of operating systems. This knowledge will allow you to see beyond most anti-forensic techniques allowing you to gain the advantage while responding to breaches in your organization. Further, understanding file systems gives a more detailed understanding of forensic tools, as every forensic tool works at a particular file system level.

This section steps the analyst through the advanced internals of the most common file systems encountered in digital forensics and incident response (NTFS, FAT, and exFAT).

CPE/CMU Credits: 6


SIFT Workstation overview

  • Installation
  • Layout and configuration
  • Programs installed
  • Core tools used

Incident response and digital forensics methodology

  • Volatile evidence integrity
  • Order of volatility
  • Forensic methodology/incident response process flow
  • Timelines
  • String/Byte searching
  • Media and artifact analysis
  • Recover deleted or unallocated data

File system essentials

  • File system layer (Physical and logical disks)
  • Master Boot Record (MBR) and partition table
  • Bitlocker and encrypted disks
  • Windows disk signature
  • Allocated, unallocated, and slack space
  • Metadata layer fundamentals
  • File name layer fundamentals

Windows FAT and exFAT file systems in-depth

  • FAT12/16/32
  • exFAT in-depth file system dissection
  • FAT boot sector
  • File Allocation Table (FAT) structure
  • Root directory
  • FAT/exFAT timestamps
  • Directory entries (long/short)
  • Cluster chains
  • What happens when data is deleted from a FAT file system?

Windows NTFS file systems in-depth

  • NTFS overview
  • Master File Table (MFT)
  • NTFS system files
  • NTFS metadata attributes ($Standard_Information, $Filename, $Data)
  • NTFS timestamps
  • Resident vs. nonresident files
  • Alternate data streams
  • Directory listings and the $I30 file
  • Transaction logging and the $Logfile and $UsnJrnl
  • What happens when data is deleted from a NTFS file system?

Section 1 exercises

  • SIFT Workstation - laboratory setup
  • Master Boot Record (MBR) partition analysis
  • NTFS filesystem examination

Rob Lee
Tue Sep 18th, 2012
9:00 AM - 5:00 PM


Intrusion investigators must be armed with the latest in incident response tools, volatile/memory analysis, and enterprise acquisition methodologies in order to track advanced adversaries. The section starts with advanced acquisition techniques teaching you how to acquire system memory, volatile data, and creating live images from remote systems. Forensic analysts responding to enterprise intrusions must be able to scale their examinations from the traditional one analyst per machine examination to one analyst per 1,000 machines. Enterprise techniques are a now a requirement to quickly track advanced adversaries through thousands of machines. This is simply not something that can be accomplished using standard forensic examination techniques.

Memory forensics has come a long way in just a few years. It can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware. While traditionally the sole domain of Windows internals experts, recent tools now make memory analysis feasible for anyone. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. This section will introduce some of the newest free tools available and give you a solid foundation in adding core and advanced memory forensic skills to your security armory.

CPE/CMU Credits: 6


Windows Live Response

  • Volatile data collection
  • Process enumeration
  • Network data enumeration
  • Auto-start persistence checks
  • Getting around locked computer (screensaver)
  • Remote command prompts

Mounting images for examinations

  • Mounting raw and .E01 images
  • Mounting physical and logical drive images
  • Mounting split images
  • Standard vs. complex acquisitions

Remote and enterprise forensic examinations

  • Remote system forensics
  • Enterprise forensic analysis
  • Remote drive mounting and analysis
  • Remote memory acquisition and analysis

Memory acquisition

  • Acquisition of system memory for both Windows 32/64 bit systems
  • Hibernation and pagefile examination

Memory analysis

  • Memory analysis techniques with Redline
  • Identify rogue processes
  • Analyze process DLLs and handles
  • Review network artifacts
  • Look for evidence of code injection
  • Check for signs of a Rootkit
  • Acquire suspicious processes and drivers
  • Live memory forensics
  • Advanced memory analysis with volatility
  • Memory registry examinations
  • Memory Timelining
  • Memory event log parsing

Section 2 exercises

  • Mounting a disk image for examination
  • Mounting a remote system for examination
  • Acquiring and analyzing system memory of a Windows machine
  • Mandiant Redline pre-process
  • Redline memory analysis
  • Volatility memory analysis

Rob Lee
Wed Sep 19th, 2012
9:00 AM - 5:00 PM


Timeline analysis will change the way you approach digital forensics... forever.

Learn advanced analysis techniques uncovered via timeline analysis directly from the analysts that pioneered timeline analysis tradecraft. Temporal data is located everywhere on a computer system. Filesystem modified/access/creation/change times, log files, network data, registry data, and, Internet history files all contain time data that can be correlated into critical analysis to successfully solve cases. Pioneered by Rob Lee in 2001, timeline analysis has become a critical investigative technique to solve complex cases. New timeline analysis frameworks provide the means to conduct simultaneous examinations of a multitude of time-based artifacts. Analysis that once took days now takes hours.

Over the past 3 years, a renaissance has occurred in tool development for timeline analysis. SANS has spearheaded research and development by sponsoring some of the newly created tools such as log2timeline. As a result of recent developments, many professionals now turn to timeline analysis as one of their core tools and capabilities. This section will step you through the two primary methods of creating and analyzing timelines created during advanced cases. Exercises will not only show each analyst how to create a timeline, but introduce key methods to use them effectively in their cases.

CPE/CMU Credits: 6


Timeline analysis overview

  • Timeline benefits
  • Prerequisite knowledge
  • The Pivot Point
  • Timeline context clues
  • Timeline analysis process

Filesystem timeline creation and analysis

  • MACB meaning by file system (NTFS vs. FAT)
  • Rules of Windows timestamps for $STDINFO and $Filename
  • Windows time rules (file copy vs. file move)
  • File system timeline creation using Sleuthkit and fls
  • Bodyfile analysis and filtering using the mactime tool

Super timeline creation and analysis

  • Super timeline artifact rules
  • Program execution, file knowledge, file opening, file deletion
  • Timeline creation with log2timeline
  • log2timeline input modules
  • log2timeline output modules
  • Filtering the super timeline using l2t_process
  • Targeted super timeline creation
  • Automated super timeline creation
  • Super timeline analysis

Section 3 exercises

  • Windows timestamp analysis
  • File system timeline creation
  • Super timeline creation
  • Super timeline analysis

Rob Lee
Thu Sep 20th, 2012
9:00 AM - 5:00 PM


A major criticism of digital forensic professionals is that many tools simply require a few mouse clicks to have the tool automatically recover data as evidence. This "push button" mentality has led to many inaccurate case results in the past few years including high profile cases such as the Casey Anthony murder trial.

You will stop being reliant on "push button" forensic techniques as we cover how the engines of digital forensic tools really work. To understand how to carve out data, it is best to understand how to do it by hand and then show how automated tools should be able to recover the same data. You will learn how to perform string searches looking for specific residue from a file and learn multiple ways to recover the file data across the layers of the filesystem. If a file or registry key has been wiped or deleted, this section shows how to use Windows historical artifacts found in the Volume Shadow Copy or Restore Points to still recover key pieces of the data that no longer exist today.

This section will provide an in-depth look at file-based and stream-based file extraction using the Sleuthkit, Foremost, and Bulk Extractor. These three complementary software packages are a reliable set of tools useful for analyzing forensic evidence from multiple file systems, including Windows NTFS and FAT.

CPE/CMU Credits: 6


Windows XP Restore Point Analysis

  • XP Restore Point Analysis
  • Restore Point Historical Registry Analysis

VISTA, Windows 7, Server 2008 Shadow Volume Copy analysis

  • Shadow Copy data analysis
  • Acquiring Shadow Copy Volume image
  • Raw and live Shadow Copy examination
  • Creating and analyzing Shadow Volume timelines

Stream-based data recovery

  • Strings and Byte search basics
  • Detecting e-mail, credit card numbers, phone numbers
  • Detecting Advanced Encryption Standard (AES) encryption keys, search items
  • Detecting network information (TCP, IP, MAC, domain names)
  • Histogram analysis

Filesystem-based data recovery

Data recovery layer examinations

  • Extract key data from file system partition
  • Determine cluster/block Size
  • Extract unallocated and slack space
  • Determine location of data
  • File carving using file headers/footers

Metadata layer examinations

  • Locating metadata structures
  • Extracting data using Inode/MFT/FAT directory entry
  • Data pointers/timestamps/security information

Filename layer examinations

  • Directory hierarchy
  • File name pointers
  • Importance of file location
  • Recover deleted from file system

File sorting and hash comparisons

  • File sorting based on data type (documents, pictures, archives)
  • Using hash comparison to solve cases
  • Hash databases and how to use them
  • Creating known good and known bad databases
  • Fuzzy hashes and how to use them

Section 4 exercises

  • Extracting stream-based data
  • File carving
  • String searching and file carving from unallocated space
  • Metadata and filename layer examination
  • Windows filesystem challenge

Rob Lee ,
Richard Salgado
Fri Sep 21st, 2012
9:00 AM - 5:00 PM


Part 1

The adversaries are good; we must be better.

Over the years, we have observed that many incident responders have a challenging time finding malware without effective Indicators of Compromise (IOCs) or threat intelligence gathered prior to a breach. This is especially true in APT intrusions.

During this advanced session we will demonstrate techniques used by first responders to discover malware or forensic artifacts when very little information exists about their capabilities or hidden locations. We will discuss techniques to help funnel possibilities down to the candidates most likely to be evil malware trying to hide on the system.

This section concludes with a step-by-step approach on how to handle some of the most difficult types of investigations. You will learn the best ways to approach intrusion and spear phishing attacks. You will understand locations you can examine to determine if file wiping occurred. You will discover techniques to prove that privacy clearing software was utilized. Regardless of the actions hackers might take, they will always leave something that can be traced. This discussion will solidify your new skills into a working attack plan to solve these difficult cases.

Part 2 - Computer Investigative Law for Forensic Analysis

As a team lead, you will need to know where legal land mines might exist. This half day of material focuses on what you must know before beginning any digital forensic investigation to protect you and your team.

Legal issues, especially liability, remain foremost in the minds of an incident handler or forensic investigator. Therefore, this section has more discussion than any other we offer. Learn to investigate incidents while minimizing the risk for legal trouble. This course is designed not for management, but for the Digital Forensic and Incident Response team leaders in charge of an investigation. The content focuses on challenges that every lead investigator needs to understand before, during, and post investigation. Since many investigations can end up in a criminal or civil courtroom, it is essential to understand how to perform a computer-based investigation legally and ethically.

We will confront many of the legal myths that have caused you to hesitate when developing your incident handling procedures and pursuing incidents. You will also gain a realistic perspective on the strengths and limitations of law enforcement assistance in the investigation of incidents and the prosecution of attackers. Written by one of the foremost computer crime lawyers, the information presented provides an essential legal foundation for professionals managing or working in incident handling teams around the world.

CPE/CMU Credits: 6


Part 1

Step-by-step finding unknown malware

  • File sorting
  • Data carving
  • Indicators of Compromise (IOC) search
  • Automated memory analysis
  • Evidence of persistence
  • Supertimeline examination
  • Packing / entropy check
  • System logs
  • Memory analysis
  • Automated malware lookups
  • Master File Table (MFT) anomalies
  • Timeline anomalies

Anti-Forensics detection methodologies

  • Deleted file
  • Deleted registry key
  • File wiping
  • Clearing browsing history
  • Privacy cleaner
  • Adjusting timestamps

Methodology to analyze and solve challenging cases

  • Malware/intrusion
  • Spear phishing attacks
  • Web application attacks/SQL Injection
  • Advanced Persistent Threat (APT) Actors
  • Detecting data exfiltration

Section 5 exercises

  • Finding unknown malware

Part 2

Who can investigate and investigative process laws

  • Internal and external investigations
  • Authority to investigate
  • Credentials and training
  • Ramification of an incident that involves multiple countries
  • Following agency/employer policy and procedures
  • Digital forensic ethical standards

Evidence acquisition/analysis/preservation laws and guidelines

  • Major goals associated with acquiring data
  • Legal authority to allow for data acquisition
  • Stored and real-time data
  • Evidence/information you can share with third parties and law enforcement
  • Legal authority necessary to collect data

Laws investigators should know

  • Criminal and civil law procedures - understanding the laws and procedures related to evidence, search authority and scope.
  • Civil privacy laws
  • Wiretapping and pen register trap and trace laws

Forensic reports and testimony

  • Legal testimony
  • Address scientific process, audience, and legal utility
  • How to document work so it is repeatable
  • Scientific methods that show clear conclusions based in factual evidence

Rob Lee
Sat Sep 22nd, 2012
9:00 AM - 5:00 PM


Put your new skills to the test during the end of the week capstone investigation called the Intrusion Forensic Challenge.

This brand new exercise created in 2012 brings together some of the most exciting techniques learned earlier in the week and tests your new skills in a case that simulates an attack by an advanced adversary such as the APT. The entire course culminates in this intrusion into a real enterprise environment consisting of multiple Windows systems. You will be asked to uncover how the systems were compromised in the initial intrusion, find other systems the adversary moved to laterally, and identify intellectual property stolen via data exfiltration. You will walk out of the course with hands-on experience investigating realistic scenarios put together by a cadre of individuals with many years of experience fighting advanced threats such as the APT.

CPE/CMU Credits: 6


The Intrusion Forensic Challenge

  • Advanced use of the SIFT Workstation in investigations
  • Investigating the APT, organized crime hackers, and hackivists
  • Hacker/breach investigations, intrusion analysis, and advanced investigative strategy
  • Advanced computer forensics methodology
  • In-depth file system examination
  • Memory analysis
  • System restore points and Shadow Volume Copy exploitation
  • File system timeline analysis
  • Super timeline analysis
  • File system and data layer examination
  • Metadata and file name layer examination
  • File sorting and hash comparisons
  • Discovering unknown malware on a host
  • Recovering key windows files
  • Indicators of Compromise (IOC) development and usage
  • Finding malware
  • Find data exfiltration
  • Find evidence of lateral movement
  • Find evidence of anti-forensics

Section 6 exercises

  • Intrusion Forensic Challenge - Brand new for 2012

Additional Information


A properly configured computer system is required for each student participating in this course. Before coming to class, download the forensic installation document that will describe the steps in detail to follow to complete the installation. If you do not carefully read and follow these instructions exactly, you are guaranteed to leave the course unsatisfied since you will not be able to accomplish many of the in-class exercises.

You will use VMware with preconfigured virtual forensic workstations that will enable you to perform hands-on analysis during class. You must download and install VMware Workstation 7, VMware Fusion 4.0, or VMware Player 4.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download.

Due to the hard drive space and processing requirements for the lab exercises, students should bring a laptop meeting the mandatory laptop requirements listed below in order to get the most of the course.

Download and Read FOR508 Install Guide


  • MAC or PC
  • We recommend that you run MS Windows natively
  • If MAC, running Windows running via Boot Camp mode is preferred for best results for processing intrusion data during class
  • CPU: 64bit based 2.0 GHz or higher CPU is required (Multi-Core recommended)
  • 4 Gigabyte of RAM minimum (More RAM is highly recommended)
  • DVD/CD Combo Drive
  • 2 USB Ports (optional - bring USB Port Replicator)
  • 100 Gigabytes of free space on your Host System Hard Drive
  • Free space on your host hard drive is critical


  1. VMware Workstation 7, VMware Fusion 4.0, or VMware Player 4.0 or higher versions
  2. Download and unzip the SIFT Workstation Distro
  3. Bring pre-configured Windows OS Virtual Machine
    • If you attended FOR408 please bring your copy of the FOR408 - Windows SIFT Workstation Virtual Machine
    • OR create a new Windows OS Virtual Machine Workstation
  4. Download and read FOR508 Install Guide for more information

Install the following on your host Windows machine

  1. Install MS Office 2010 (Demo Version for 60 Day Free Trial - You need EXCEL 2007 or higher for this class - No exceptions)
  2. Install latest version of RedLine (1.5 or higher)

If you have additional questions about the laptop specifications, please contact

  • Incident Response Team Members who are responding to complex security incidents/intrusions from sophisticated adversaries and need to know what to really do when examining a compromised system in an enterprise.
  • Experienced Digital Forensic Analysts who want to solidify and expand their understanding of file system forensics, advanced intrusion investigations, and incident response tactics.
  • Law Enforcement Officers, Federal Agents, or Detectives who want to master advanced computer forensics and expand their investigative skill set to include data breach investigations, intrusion cases, and tech-savvy users.
  • Media Exploitation Analysts who need to master Tactical Exploitation and Document and Media Exploitation (DOMEX) operations on systems used by advanced adversaries. Learn how to recover data left behind by anti-forensic and obfuscation techniques, within the compressed timeframes inherent in tactical analysis.
  • Red Team Members, Penetration Testers, and Exploit Developers who want to learn how their opponents can identify their actions and learn to avoid common mistakes that can compromise operations on remote systems. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploit operating procedures and exploit testing batteries.
  • Information Security Professionals with some background in hacker exploits, penetration testing, and incident response.

Students should consider attending FOR408: Computer Forensic Investigations - Windows In-Depth prior to taking this course. A good assessment of the desired knowledge suggested for FOR508 can be found in the FOR408 Assessment Test. A score of 70% or higher on the FOR408 Assessment Test represents the ideal knowledge base recommended for FOR508.

Free SANS Investigative Forensic Toolkit (SIFT) Advanced

As a part of this course you will receive the SANS Investigative Forensic Toolkit (SIFT) Advanced.

The SIFT Advanced Toolkit consists of:

  • SIFT Workstation Virtual Machine used with many of the class hands-on exercises
  • F-Response TACTICAL
  • TACTICAL enables investigators to access physical drives and physical memory of a remote computer via the network
  • Gives any forensic tool the capability to be used across the enterprise
  • The SIFT Workstation is pre-configured to leverage F-Response enterprise capabilities
  • Perfect for intrusion investigations and data breach incident response situations
  • Best-selling book "File System Forensic Analysis" by Brian Carrier
  • Course DVD loaded with case examples, tools, and documentation

Author Statement

Author Statement

"There are people smarter than you; they have more resources than you, and they are coming for you. Good luck with that." Matt Olney said this when describing the Advanced Persistent Threat and advanced adversaries. He was not joking. The results over the past several years clearly indicate that hackers employed by nation states and organized crime are racking up success after success. The Advanced Persistent Threat (APT) has compromised hundreds of organizations. Organized crime utilizing botnets are exploiting ACH fraud daily. Similar groups are penetrating banks and merchants stealing credit card data daily and data breaches and hacks in their annual stockholders reports.

The enemy is getting better, bolder, and their success rate is impressive.

We can stop them. We need to field more sophisticated incident responders and digital forensic investigators. We need lethal digital forensic experts that can detect and eradicate advanced threats immediately. A properly trained incident responder could be the only defense your organization has left during a compromise. Forensics 508: ADVANCED COMPUTER FORENSIC ANALYSIS AND INCIDENT RESPONSE is crucial training for you to become a lethal forensicator to step up to these advanced threats. The enemy is good. We are better. This course will help you become one of the best.

- Rob Lee