Thursday, July 25, 2013

SANS FOR 508 Advanced Computer Forensics and Incident Response Review

Last week I was lucky enough to attend the FOR 508: Advanced Computer Forensics and Incident Response course at SANS' Digital Forensics and Incident Response Summit, as a work study student. The course (508) was taught by Chad Tilbury (Check him out!), and is the brain child of SANS Fellow Rob Lee. Not only was Chad one of if not the best instructor I have had in the Computer Security field, but the course material is second to none. 508 is without a doubt worth the time and money you (or your employer) will invest in it.

The Concept:
508 has recently been retooled to focus on battling the much maligned Advanced Persistent Threat (APT). The class motto is "APT is in your network, start hunting". The APT focus makes it 100% relevant to not just forensic investigators, but to anyone wanting to learn to defend their network. This course is up to date with the latest forensics techniques, in fact, Chad introduced us to tools that were still in beta and methodologies that are still being researched!

The Material:
SANS recommends that students attend FOR 408: Computer Forensic Investigations - Windows In-Depth before attending 508 (they recommend it for a reason), but if you have a forensics background or are willing to put in a little overtime you should be able to catch up enough to take 508 (508 has more direct application to my needs, although I look forward to attending 408 in the future). Rob Lee says the expectation of 508 students is that they understand conversational forensics (can speak to different forensics artifacts and tools). This course is a smorgasbord of valuable skills and information for incident responders, system administrators, and forensicators alike.

On day 1 they cover the physical layers of the file system (from the physical platters to the file name layer that contains file names and a directory structure), and how to properly mount images for analysis (e.g. read only). Just when you think the first day couldn't cover any more information the class jumps into the exciting world of Enterprise Analysis and Live System Incident Response (my favorite!!).  This portion teaches students about domain authentication, how to secure domain administrator credentials, and many methods of accessing system information on remote of hosts (Many of my future blog posts will revolve around utilizing PowerShell for "Live System 'Enterprise' Incident Response" for lack of a better term).

Day 2 is spent covering memory forensics. SANS offers a course on Memory Forensics that is currently 5 days long and covers the details of memory (memory structures and such), but 508 offers a very practical lesson in how to implement memory forensics TODAY. Students will learn how to acquire memory, as well as, how to provide in depth analysis of the memory once acquired (Day 1 offers insight into a method of analyzing memory without having to first complete the acquisition process...which is awesome!). Memory forensics is absolutely necessary when combating APT as it is one of the best, if not only, methods to detect rootkits (See SANS instructor and FOR 526 author Jesse Kornblum's paper regarding the rootkit paradox). The best part of Day 2 is that it doesn't focus on one method of analyzing memory. Instead 508.2 spends the time to teach students the pros and cons to different tools, and even different methods of using the same tool.

Day 3 is dedicated to timeline analysis. No one should be considered a forensicator or incident responder if they do not have an intimate knowledge of timeline analysis (Specifically using log2timeline). Log2timeline came out of a GCFA Gold Paper written by Kristinn Guðjónsson, and the community has never looked back. Log2timeline is really a cultural shift in the way we perform investigations, as it aggregates almost every forensic artifact into one timeline that truly tells the story of actions taken on a machine. This is where that 408 knowledge comes in handy... if you do not know how to interpret a specific artifact, then you lose fidelity in your timeline (possibly the opportunity to spot malicious activity).

Day 4 and 5 begin with XP Restore Point and Volume Shadow Copy analysis which can be harnessed for some really cool stuff. We can use these snapshots to add fidelity and depth to our timeline, and we can use them to recover deleted files. Next, Chad covered deep dive forensics (This is where the class dives into the weeds of file system analysis). The class dives into $MFT analysis which introduces us to a second set of timestamps ($STDINFO), and new artifacts like the NTFS TriForce (David Cowen's baby). These artifacts will not be presented in any other course!  Day 5 wraps up with methods and techniques of finding unknown malware. Assuming anti-virus fails to detect a threat, what are some methods we can use for detection? FOR 508 introduces and spends half a day discussing the concept of malware funneling which is the process of reducing data through a series of automated tasks until you have a small enough data set that you can perform manual analysis (SANS instructor Alissa Torres has an excellent webinar on the subject).

The Lab (Day 6):
The last day of the class is spent in on a team exercise.  The team investigates a set of hosts that were part of an intrusion, however this is not your normal everyday exercise....this is where it gets interesting!

Rob Lee went all out on this course developing it around an "as real as it gets" scenario. The scenario is about an R&D firm that makes a great discovery, only to be hacked by APT. Students are given four hosts to conduct forensic investigations to determine what happened.  Questions like the initial infection vector, when the initial infection occurred, what data was lost, and the current state of the network can be answered.

When we talk about this lab it is important to understand the level of detail used to create this virtual network. Not only did the network have 100s of hosts and 1000s of users, Rob Lee went out of his way to ensure this network was as real looking as possible (He basically lived with multiple personalities over the course of a year to ensure the systems were used as they would be in a real domain environment). He hired a professional Red Team and trained them up to act like APT, he hired domain architects to build the domain in a professional/secure manner, and he even loaded the systems with some of the latest security tools.  You will not find a lab this extensive anywhere else!

All in all this course is so relevant and so practical that there is no reason not to put this one on your wishlist. If you are serious about finding bad guys in your network, cause lets face it they are there, then this course has your name on it. I learned more about forensics in one week than I have learned over the past three years!

At the DFIR Summit in Austin Rob Lee and his Forensicating Cohorts at SANS introduced, for the first time in the United States, a new version of SANS' famous NetWars. Following along with the 508 labs they have created a forensic version of NetWars which tests students on basic forensic artifacts, timeline, registry, file system, and memory analysis. Anyone that has participated in NetWars will agree that it is terrific learning environment and is worth the investment of time.

I was lucky enough to earn my Lethal Forensicator Coin by placing first in this NetWars competition at the DFIR Summit.

- Invoke-IR - By Jared Atkinson -