Sydney 2019

!! IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS !!

• You can use any 64-bit version of Windows, Apple macOS, or Linux as your core operating system that also can install and run VMware virtualization products.
• It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether your host supports 64-bit guest virtual machines or not.
• For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities.
• For Apple macOS users, please use this support page from Apple to determine 64-bit capability.
• Additionally, Windows users must ensure that Credential Guard is disabled per these instructions.
• Please download and install VMware Workstation 14, VMware Fusion 10, or VMware Player Plus 14 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. VMware Player Plus is a free download that does not need a commercial license. Please note that other virtualization software is not supported in the lab environment and may not successfully run the supplied virtual machines.

MANDATORY FOR572 SYSTEM HARDWARE REQUIREMENTS:

• CPU: 64-bit Intel x64 2.0+ GHz processor or higher based system is mandatory for this class (Important - a 64-bit system processor is mandatory! Test your VMware Software before coming to class. Some BIOS configurations may require special settings (such as "VT-x" and/or "no-execute memory protection") to allow virtualization. You must also have administrative access to your BIOS, in case changes are needed when in class.)
• RAM: 16 GB of RAM is strongly recommended. Laptops with 8 GB of RAM may still permit labs to function but will be significantly slow and severely limited.
• Host Operating System: Fully patched and updated Windows 10 or Apple macOS 10.14 that can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player. Windows 7 and older versions of macOS may work but are not recommended. Students should always fully update their host operating system prior to the class. Students that use Linux hosts are warned that this configuration is unsupported in the classroom due to the complexity of testing such a wide variety of operation system distributions. Expert students who use Linux hosts must be able to access ExFAT partitions using the appropriate kernel and/or FUSE modules. Again, this is unsupported in the classroom and is not recommended for novice Linux users.
• Disable Credential Guard if enabled. Credential Guard, which is required for Hyper-V virtualization, conflicts with the VMware products required for the course.
• Networking: Wireless 802.11 B, G, or N
• Hardware:
• USB 3.0 port(s) (Note: Some endpoint protection software prevents the use of USB devices - test your system with a USB drive before class to ensure you can load the course data.)
• 200 Gigabytes of Free Space on your System Hard Drive (Note: The free space is needed for the SIFT Workstation VM and the evidence we will be adding to your system)

MANDATORY FOR572 SYSTEM SOFTWARE REQUIREMENTS (Install the following prior to the beginning of the class):

• The student should have Local Administrator Access within their host operating system as well as the BIOS for the laptop, if applicable. We have found several cases where the BIOS virtualization settings must be changed from their factory defaults prior to running 64-bit operating systems as VMware guests.
• Install VMware Workstation 14, VMware Fusion 10, or VMware Player Plus 14 (higher versions are ok).
• Download and install 7Zip (Windows, macOS, or Linux) or Keka (macOS).

OPTIONAL ITEMS TO BRING TO CLASS

• Bring/install any other forensic tool you feel could be useful (Maltego, NetWitness, etc). For the final challenge at the end of the course, you can utilize any forensic tool, including commercial capabilities, to help you and your team. If you have any dongles, licensed software, etc. you are free to use them.
• Although SANS is not responsible for the security of your personal effects, you might want to consider bringing a laptop lock.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

• Incident response team members and forensicators who are expanding their investigative scope from endpoint systems to the network
• Hunt team members who proactively seek adversaries already in their network environments through leveraging new intelligence against previously-collected evidence
• Law enforcement officers, federal agents, and detectives who want to become network forensic subject matter experts
• Security Operations Center (SOC) personnel and information security practitioners who support hunt operations, seeking to identify attackers in their network environments
• Network defenders who are taking on added investigative and/or incident response workloads
• Information security managers who need to understand network forensics in order to manage risk, convey information security implications, and manage investigative teams
• Network engineers who are proactively orienting their networks to best meet investigative requirements
• Information technology professionals who want to learn how network investigations take place
• Anyone interested in computer network intrusions and investigations who has a solid background in computer forensics, information systems, and information security

Use this sample training request letter, or elements of it, to justify the time and budget required to complete SANS training to your manager. Simply copy and paste text into an email to your manager, then make any necessary adjustments to personalize the information.

• Custom distribution of the Linux SANS SIFT Workstation Virtual Machine with over 500 digital forensics and incident response tools prebuilt into the environment, including network forensic tools added just for this course
• SOF-ELK(R) Virtual Machine - a publicly available appliance running the ELK stack and the course author's custom set of configurations and dashboards. The VM is preconfigured to ingest syslog logs, HTTPD logs, and NetFlow, and will be used during the class to help students wade through the hundreds of millions of records they are likely to encounter during a typical investigation
• Moloch Virtual Machine - a standalone VM running the free Moloch application. Moloch ingests and indexes live network data or pcap files, providing a platform that makes full-packet analysis attainable.
• Realistic case data to examine during class, from multiple sources including:
• NetFlow data
• Web proxy, firewall, and intrusion detection system logs
• Network captures in pcap format
• Network service logs
• SB drive(s) loaded with case examples, tools, and documentation

• Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
• Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
• Reverse engineer custom network protocols to identify an attacker's command-and-control abilities and actions
• Decrypt captured SSL/TLS traffic to identify attackers' actions and what data they extracted from the victim
• Use data from typical network protocols to increase the fidelity of the investigation's findings
• Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
• Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
• Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
• Learn how attackers leverage meddler-in-the-middle tools to intercept seemingly secure communications
• Examine proprietary network protocols to determine what actions occurred on the endpoint systems
• Analyze wireless network traffic to find evidence of malicious activity
• Learn how to modify configuration on typical network devices such as firewalls and intrusion detection systems to increase the intelligence value of their logs and alerts during an investigation
• Apply the knowledge you acquire during the week in a full-day capstone lab, modeled after real-world nation-state intrusions and threat actors

"Essential to any investigators skill set. This course makes the advanced network forensics techniques easily graspable." - Casey Brooks, Leidos Cyber

"This course is fantastic. It has prepared me with new ideas to take back to work." - Ryan Fletcher, Fulton Financial Corp

"First course I've taken that gives insight into the forensic mindset required for investigating incidents." - Tyler Whittington, PWC

"Single word: Relevancy. Techniques and methodologies taught in his class will immediately improve your IR posture." - Nathan Hwang, Strategic Investment Group

"Useful, real world scenarios make the training relevant. Walkthrough labs are extremely helpful!" - Roisin Cullen, NCA

"All of the material has been very informative and beneficial. One of the best courses I've ever taken." - Chris Pardo, Relia Quest

"The exposure to top-notch instruction, relevant information, & hands-on activities (labs) provides a comprehensive learning experience." - Ryan Paros, NCCI Holdings, Inc.

"Content is excellent and the course is very intense. I've improved my knowledge and tool use skills. I think all IR engineers should take this course." - Yigit Turak, ING Bank

"We had to deal with a DDoS where the only available data was a 600GB PCAP file. We reduced to NetFlow and loaded that to the SOF-ELK VM. It quickly showed the waves of attack and how effective the countermeasures were." -David D.

"FOR572 is the best SANS course I have taken. The labs and course material are outstanding and everything I have learned is usable in real world application." - Lionel B.

"This was the best course I've ever been to. Nothing but the best to say about SANS and this course. SANS stuff is really expensive, but I know why now. It was incredibly helpful to our duties here." - Anonymous

"You won't get exposure to the breadth of info on network forensics in any other course." - Devin J.

"NetFlow is cool. We've been receiving massive NetFlow feeds but were unable to fully utilize them apart from DDoS. With this course, I'm getting so many ideas how to use them in hunting." - Anonymous

"I literally was alerted to a potential incident from work on day 5 and used things I'd learned in class to analyze and help remediate." - Patterson C.

"I feel like I have won the lottery with the wealth of information from this week! Very relevant and applicable. I have already started using in our environments with results." - Charlie H.

"This is an incredible curriculum. This class NEEDED to happen, and I am glad it did." - Peter S.

"Cutting edge - puts me ahead in the job market." - Anonymous

"Very good real-world material." - Jason L.

"Great resource. Only true network forensics course I know of." - Jeremy R.

"If you are into disk/memory forensics, you will need this, too!" - Wouter J.

"This class is immediately applicable to my work environment." - Thomas H.

"No FLUFF - focused and targeted learning!" - Jackie S.

"Awesome! Best SANS course I have taken!" - Jim H.

"Although FOR572 is a network forensics class, it gets exactly right what most incident response courses get wrong. Instead of focusing on specific exploits and malware that quickly become outdated, 'Advanced Network Forensics' taught me about the full range of evidence sources available and how to effectively mine them for clues. Even more importantly, FOR572 taught me how to use different evidence sources to fill in missing gaps. This is critical, as most environments or incidents will not have every type of evidence available. A large-scale APT breach will not have full packet capture available for what could be over a year of attacker activity but making effective use of network log files can fill in those gaps. It also dove into advanced topics like analyzing unknown protocols, which is an important skill when dealing with the ever-evolving landscape of malware and odd but legitimate applications. Finally, the network forensics capstone investigation is a small but realistic simulation of an APT breach. Having to perform a realistic investigation under the pressure of limited in-class hours felt much like the pressures of investigating a live incident under the pressure of stopping ongoing data theft. It is an excellent class, and I would definitely recommend it to anyone wanting to bring their IR skills to the next level." - Alexander B.

"Loving the detailed and mutli-layered labs. I have been doing the walkthroughs for time sake but will revisit in depth later." - Anonymous

"FOR572 - next step in developing top notch incident response and network analysis professionals." - Tom L.

"Phil shared an example of extracting cached content and identifying and extracting a GZIP file. These practical analysis examples I think are extremely valuable." - Anonymous

"Material is directly relevant to what our analysts are doing daily. Highly useful." - Tom L.