Sydney 2019

A properly configured system is required to fully participate in this course. These requirements are the mandatory minimums. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

This is common sense, but we will say it anyway. Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS can't responsible for your system or data.

MANDATORY FOR572 SYSTEM HARDWARE REQUIREMENTS

• CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
• It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
• BIOS settings must be set to enable virtualization technology, such as "Intel-VTx". Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
• 16 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 16 GB of RAM or higher of RAM is mandatory and minimum.)
• USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. (A Type-C to Type-A adapter may be necessary for newer laptops.) (Note: Some endpoint protection software prevents the use of USB devices - test your system with a USB drive before class to ensure you can load the course data.)
• 200 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs and data sets we distribute
• Local Administrator Access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
• Wireless 802.11 Capability - there are no wired networks in the classroom.

MANDATORY FOR572 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

• Host Operating System: Your system must be running either Windows 10 Pro or macOS 10.12 or later that also can install and run VMware virtualization products (VMware Workstation 14, VMware Fusion 10, or VMware Player 14).
• On Windows hosts, VMware products cannot coexist with the Hyper-V hypervisor. Disable Hyper-V and ensure VMware can boot a virtual machine. Disabling Hyper-V, Device Guard, and Credential Guard can be accomplished using these instructions.
• Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
• Linux hosts cannot be supported in the classroom due to their numerous variations. Students that wish to use Linux hosts must be experienced users or administrators, and must also be able to access ExFAT partitions using the appropriate kernel and/or FUSE modules.

PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS

1. Microsoft Office (any version) w/Excel or OpenOffice w/Calc installed on your host - Note you can download Office Trial Software online (free for 30 days)
2. Download and install VMware Workstation 14, VMware Fusion 10, or VMware Player 14 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Player offers fewer features than VMware Workstation, and Workstation is recommended for a more seamless student experience.
3. Download and install 7Zip (for Windows Hosts) or Keka (for macOS)

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

• Incident response team members and forensicators who are expanding their investigative scope from endpoint systems to the network
• Hunt team members who proactively seek adversaries already in their network environments through leveraging new intelligence against previously-collected evidence
• Law enforcement officers, federal agents, and detectives who want to become network forensic subject matter experts
• Security Operations Center (SOC) personnel and information security practitioners who support hunt operations, seeking to identify attackers in their network environments
• Network defenders who are taking on added investigative and/or incident response workloads
• Information security managers who need to understand network forensics in order to manage risk, convey information security implications, and manage investigative teams
• Network engineers who are proactively orienting their networks to best meet investigative requirements
• Information technology professionals who want to learn how network investigations take place
• Anyone interested in computer network intrusions and investigations who has a solid background in computer forensics, information systems, and information security

Use this sample training request letter, or elements of it, to justify the time and budget required to complete SANS training to your manager. Simply copy and paste text into an email to your manager, then make any necessary adjustments to personalize the information.

• Custom distribution of the Linux SANS SIFT Workstation Virtual Machine with over 500 digital forensics and incident response tools prebuilt into the environment, including network forensic tools added just for this course
• SOF-ELK(R) Virtual Machine - a publicly available appliance running the ELK stack and the course author's custom set of configurations and dashboards. The VM is preconfigured to ingest syslog logs, HTTPD logs, and NetFlow, and will be used during the class to help students wade through the hundreds of millions of records they are likely to encounter during a typical investigation
• Moloch Virtual Machine - a standalone VM running the free Moloch application. Moloch ingests and indexes live network data or pcap files, providing a platform that makes full-packet analysis attainable.
• Realistic case data to examine during class, from multiple sources including:
• NetFlow data
• Web proxy, firewall, and intrusion detection system logs
• Network captures in pcap format
• Network service logs
• SB drive(s) loaded with case examples, tools, and documentation

• Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
• Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
• Reverse engineer custom network protocols to identify an attacker's command-and-control abilities and actions
• Decrypt captured SSL/TLS traffic to identify attackers' actions and what data they extracted from the victim
• Use data from typical network protocols to increase the fidelity of the investigation's findings
• Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
• Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
• Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
• Learn how attackers leverage meddler-in-the-middle tools to intercept seemingly secure communications
• Examine proprietary network protocols to determine what actions occurred on the endpoint systems
• Analyze wireless network traffic to find evidence of malicious activity
• Learn how to modify configuration on typical network devices such as firewalls and intrusion detection systems to increase the intelligence value of their logs and alerts during an investigation
• Apply the knowledge you acquire during the week in a full-day capstone lab, modeled after real-world nation-state intrusions and threat actors

"Essential to any investigators skill set. This course makes the advanced network forensics techniques easily graspable." - Casey Brooks, Leidos Cyber

"This course is fantastic. It has prepared me with new ideas to take back to work." - Ryan Fletcher, Fulton Financial Corp

"First course I've taken that gives insight into the forensic mindset required for investigating incidents." - Tyler Whittington, PWC

"Single word: Relevancy. Techniques and methodologies taught in his class will immediately improve your IR posture." - Nathan Hwang, Strategic Investment Group

"Useful, real world scenarios make the training relevant. Walkthrough labs are extremely helpful!" - Roisin Cullen, NCA

"All of the material has been very informative and beneficial. One of the best courses I've ever taken." - Chris Pardo, Relia Quest

"The exposure to top-notch instruction, relevant information, & hands-on activities (labs) provides a comprehensive learning experience." - Ryan Paros, NCCI Holdings, Inc.

"Content is excellent and the course is very intense. I've improved my knowledge and tool use skills. I think all IR engineers should take this course." - Yigit Turak, ING Bank

"We had to deal with a DDoS where the only available data was a 600GB PCAP file. We reduced to NetFlow and loaded that to the SOF-ELK VM. It quickly showed the waves of attack and how effective the countermeasures were." -David D.

"FOR572 is the best SANS course I have taken. The labs and course material are outstanding and everything I have learned is usable in real world application." - Lionel B.

"This was the best course I've ever been to. Nothing but the best to say about SANS and this course. SANS stuff is really expensive, but I know why now. It was incredibly helpful to our duties here." - Anonymous

"You won't get exposure to the breadth of info on network forensics in any other course." - Devin J.

"NetFlow is cool. We've been receiving massive NetFlow feeds but were unable to fully utilize them apart from DDoS. With this course, I'm getting so many ideas how to use them in hunting." - Anonymous

"I literally was alerted to a potential incident from work on day 5 and used things I'd learned in class to analyze and help remediate." - Patterson C.

"I feel like I have won the lottery with the wealth of information from this week! Very relevant and applicable. I have already started using in our environments with results." - Charlie H.

"This is an incredible curriculum. This class NEEDED to happen, and I am glad it did." - Peter S.

"Cutting edge - puts me ahead in the job market." - Anonymous

"Very good real-world material." - Jason L.

"Great resource. Only true network forensics course I know of." - Jeremy R.

"If you are into disk/memory forensics, you will need this, too!" - Wouter J.

"This class is immediately applicable to my work environment." - Thomas H.

"No FLUFF - focused and targeted learning!" - Jackie S.

"Awesome! Best SANS course I have taken!" - Jim H.

"Although FOR572 is a network forensics class, it gets exactly right what most incident response courses get wrong. Instead of focusing on specific exploits and malware that quickly become outdated, 'Advanced Network Forensics' taught me about the full range of evidence sources available and how to effectively mine them for clues. Even more importantly, FOR572 taught me how to use different evidence sources to fill in missing gaps. This is critical, as most environments or incidents will not have every type of evidence available. A large-scale APT breach will not have full packet capture available for what could be over a year of attacker activity but making effective use of network log files can fill in those gaps. It also dove into advanced topics like analyzing unknown protocols, which is an important skill when dealing with the ever-evolving landscape of malware and odd but legitimate applications. Finally, the network forensics capstone investigation is a small but realistic simulation of an APT breach. Having to perform a realistic investigation under the pressure of limited in-class hours felt much like the pressures of investigating a live incident under the pressure of stopping ongoing data theft. It is an excellent class, and I would definitely recommend it to anyone wanting to bring their IR skills to the next level." - Alexander B.

"Loving the detailed and mutli-layered labs. I have been doing the walkthroughs for time sake but will revisit in depth later." - Anonymous

"FOR572 - next step in developing top notch incident response and network analysis professionals." - Tom L.

"Phil shared an example of extracting cached content and identifying and extracting a GZIP file. These practical analysis examples I think are extremely valuable." - Anonymous

"Material is directly relevant to what our analysts are doing daily. Highly useful." - Tom L.