Tuesday, November 1, 2011

Forensic Course Review: SANS Forensics 558 (Network Forensics)

I was fortunate last week to attend SANS Network Forensics (FOR-558), taught by Paul Henry, during the SANS Chicago 2011 event. Overall, I would give this course four and a half (4.5) out of five (5) stars and highly recommend it to any #DFIR practitioner. Of note, fellow forensicator, friend, and blogger Ken Pryor also attended FOR-558, and I am sure he will have a review posted over at the Digital Forensics blog soon. As with any SANS event, the "SANS fire hose effect" began the morning of day one. Before diving deep into FOR-558, I would like to thank Mr. Paul Henry. Paul is a great instructor, bringing his many years of experience to the classroom, and an expert in all facets of InfoSec and Digital Forensics (Paul, you rock!).

Day One: Covert Tunnels
Day One we hit the ground running, capturing network traffic with tools like tcpdump, which comes pre-compiled on the SNIFT (SANS Network Investigative Forensic Toolkit) workstation issued to FOR-558 students. We went through network protocols and the layers of the OSI Model, starting with DHCP and MAC addresses, and quickly moved into capturing and filtering data packets on the SNIFT workstation. We then moved into network tunneling of encapsulated data packets, which was cool! We even dissected an ICMP tunnel .pcap using tcpdump, Wireshark, and a hex editor. The afternoon of Day One was spent on hands-on labs looking at covert ICMP and DNS tunnels. We also went through a quick *nix command-line refresher, since we would be working primarily from the command line on our SNIFT workstation for the entire week. I quickly learned how important grep and other Linux command-line tools would be during the labs and capstone investigation.
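A defender-side illustration of the Day One ICMP-tunnel dissection, added here as an example that is not from the course or this post: it parses constructed IPv4/ICMP packets (checksums left zero) and flags echo payloads that do not match the ordinary Linux ping fill pattern. The function names, the thresholds, and the sample packets are my own assumptions, not course material.

```python
import math
import struct

def build_ipv4_icmp(payload, icmp_type=8, ident=0x1234, seq=1):
    """Constructed IPv4/ICMP packet for the demo (checksums zero; not a real capture)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return ip + icmp

def parse_ipv4_icmp(packet):
    """Return (type, code, id, seq, payload), or None when the packet is not ICMP."""
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if packet[9] != 1:                        # IP protocol number 1 = ICMP
        return None
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    return itype, code, ident, seq, packet[ihl + 8:]

def shannon_entropy(data):
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def is_standard_linux_ping_payload(payload):
    # Linux ping: 8-byte timestamp, then byte k of the payload equals (k + 8) & 0xFF (0x10, 0x11, ...).
    return len(payload) >= 16 and payload[8:] == bytes((k + 8) & 0xFF for k in range(8, len(payload)))

def tunnel_indicators(payload):
    """Heuristic reasons an echo payload looks like tunnelled data rather than a plain ping."""
    if is_standard_linux_ping_payload(payload):
        return []
    printable = sum(32 <= b < 127 for b in payload) / len(payload) if payload else 0.0
    reasons = [name for name, hit in (("oversized payload", len(payload) > 64),
                                      ("high-entropy payload", shannon_entropy(payload) > 6.0),
                                      ("text-like payload", printable > 0.9)) if hit]
    return reasons or ["non-standard payload pattern"]

def scan(packets):
    """Return (id, seq, reasons) for each echo request/reply that shows tunnel indicators."""
    findings = []
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed and parsed[0] in (0, 8):    # 8 = echo request, 0 = echo reply
            reasons = tunnel_indicators(parsed[4])
            if reasons:
                findings.append((parsed[2], parsed[3], reasons))
    return findings

# Constructed sample traffic: an ordinary 56-byte Linux ping, a text payload, and a 200-byte pseudo-random blob.
SAMPLE_PACKETS = [
    build_ipv4_icmp(b"\x00" * 8 + bytes(range(0x10, 0x40)), seq=1),
    build_ipv4_icmp(b"hostname=ws7 user=alice files=3\n", seq=2),
    build_ipv4_icmp(bytes((i * 73 + 17) % 256 for i in range(200)), seq=3),
]
```

Calling scan(SAMPLE_PACKETS) reports only sequence numbers 2 and 3; the same checks can be applied to payloads exported from tcpdump or Wireshark.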

Day Two: Deep Packet Analysis
Day Two was focused on forensic methodology, collecting evidence, and deep packet analysis, and it was full of Wireshark, tshark, ngrep, ssh, scp, tcpxtract, oftcat, pcapcat, NetworkMiner, and smtpdump, to name a few. We spent much of Day Two hands-on in Wireshark, reviewing packets from an OFT (OSCAR File Transfer). These lab exercises also reiterated that Wireshark (and other forensic tools) can have anomalies in how data is parsed and presented in the GUI. Validate, validate, validate! Day Two could have used an additional half-day for all the lab exercises.

Day Three: Firewalls, IDS, Proxies, and Data Reconstruction
Day Three was full of analysis of firewalls, routers, IDS, Splunk and log analysis, and full content reconstruction from packet captures and proxy caches. The morning of Day Three I had some networking issues with my MBP and VMware Fusion 4, so Paul was gracious enough to let me use his machine for the labs, and by the afternoon I had the networking issues with my system corrected. Through these lab exercises I learned a ton about iptables and firewall rules, which aided me during the capstone investigation, as I was tasked with analyzing all the firewall log entries for my team. We also looked at Snort, Splunk, and the Squid cache in our afternoon lab exercises. The file carving exercise from the Squid cache was pretty darn cool (Note: those of us who are "forensicators" really enjoyed the file carving exercises that were integrated into the labs). Day Three could also have used an additional half-day for all the lab exercises.

Day Four: Network Forensics Unplugged
Day Four covered 802.11 and was my favorite day of FOR-558. We spent the day discussing wireless access points (WAPs), with lab exercises on acquiring and analyzing data. The lab exercises were great and tied everything together for the week, gearing the class up for the capstone investigation on Day Five.

Day Five: Capstone Investigation
Day Five was our final/capstone investigation. We were broken up as a class into 4-5 person teams. Without revealing too much about the capstone, it drove home a concept that we as forensic analysts often overlook. If you work a case from just one angle, you can miss other indicators that may lead down an opposite path, where you locate other forensic artifacts that may support or refute your hypothesis. Maintain focus on the goal of your digital forensic examination, but be prepared to change your hypothesis if necessary. Always have a Plan B, Plan C, and so forth for when Plan A doesn't go as strategized. Objectivity during your forensic examinations will ensure you are looking at the digital evidence through a broad lens. As with any digital forensic examination, have a plan, establish chain of custody, take good case notes, include supporting artifacts, and complete a solid, easily understandable report. All of these were important during the capstone, but they matter in any digital forensic examination/investigation.

In summary, FOR-558 was a great course. The data carving techniques that we use in everyday forensic examinations are symmetrical to those in network forensics. I'm giving the course a four and a half (4.5) star review because more time is needed for lab exercises. After speaking with several attendees, they also felt more time was needed on the lab exercises. If you decide to attend FOR-558 or any SANS Forensics course, make sure that you practice the labs in the evenings and on your own time, as it will aid in retaining the course material. I found this very helpful on the evening of Day Three. As forensic practitioners ("forensicators") we like to get our hands dirty and tear things apart, so to speak, to learn the process and understand what the output from the parsed data is showing us. The lab exercises rocked; however, more time is needed to really drill down into the data and learn the concepts.
Coming primarily from a forensics background, listening to Paul discuss some of his DF/IR engagements reiterated the importance of the lab exercises we were doing, and it made it easy for me to relate the command-line kung-fu to my own present and past cases. After attending any course, the real learning takes place when the course is over and the analyst returns to his/her everyday routine. Just like any learned skill, if it is not used then it will fade. FOR-558 is no different, and I highly encourage anyone working in digital forensics or the network realm to complete FOR-558. If you enjoy the command line and learning through hands-on labs, then FOR-558 is for you! The lab exercises and course material give the student practical application immediately, plus you get the SNIFT VM, supplemental exercises, VMs, and puzzles.
Speaking of puzzles, check out ForensicsContest.com for network forensic puzzles. Puzzle #10 is due 11/22/11 (11:59:59PM UTC -11), and one cool thing about these puzzles is the forensic tools that have been developed as a result of solving them (i.e. oftcat, pcapcat, etc.). Now head on over to ForensicsContest.com and maybe you'll solve the puzzle. :)

No hard drive? No problem. Network Forensics to the rescue.