FOR610 Review
I've just received the books for my vLive FOR610/GREM course. While my course doesn't start until next week, I'm going through the first book and will be reviewing the material and my prep here.
Book 1 is an introduction to malware analysis. It covers basic dynamic analysis, static code analysis, and has a large lab setup section. Looking at the **** sheets I can see there are a lot of tools that are new to me that I will be using.
I am a bit surprised at this point that basic static analysis was barely mentioned. I'm not sure how relevant it still is, but there is no mention of hashing and submitting the sample online for scanning (or doing it locally).
So far I've made it through the first two sections listed above; I still need to set up the lab per the instructions. I will also need to go back and do the lab from book 1 when I get set up.
The code analysis section is decent. Once I re-read it this morning it was easier to understand and so far, easier to understand than the PMA book.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
Comments
I haven't had much additional time to go through book 1 during the day, but I have to add that it appears the book is going backwards to cover static analysis. It's very strange and I don't know why the book is set up this way. This is not in the teaching section, it's in the "lab setup and validation" portion, but it looks like there is going to be more instruction. Just flipping through, they will be covering additional techniques and tools. I'll be coming back to edit this post when I get through the book tonight, hopefully.
Book 1 is a good introduction, like I said before. The lecture material does serve to reinforce the material and to answer any questions, though it seems that my group must be pretty knowledgeable, as few questions are asked.
Book 2 starts getting into code analysis, specifically assembly and understanding code conversions. (Usually so far, seeing how C|C++ instructions appear in assembly when looking at jumps and loops.)
What I like about the book and lecture material for this book is that while it doesn't baby you, it is clear and flows logically. I know a little about assembly, but even without it, I think I could pick it up by reading and listening to the instructor (and seeing him do it). Seeing the instructor open a file in IDA Pro or Olly D is really helpful. It is a different learning style than the one presented in something like PMA. The advice I would give you, though: use the additional materials with book 2. Don't think you can read your way through if you aren't comfortable with ASM; listen to the MP3 or lecture and go through it on your own time (there isn't really enough time during the breaks to do it). I would actually suggest this: read the book prior to the class, either a day before or something. Listen to the lecture during your class time, and do all the labs at the end of the class or while he is working them. You can actually do them during your reading, and you can ask questions you had during the lecture while he is doing them, but you'll likely get it while he is doing them.
I don't know how I like doing this class through vLive, as time management is an issue. Class is held at night. If you are working the day after your class, getting sleep can be an issue. Having to juggle work, transportation, sleep, etc. can be... annoying. During book 2 part 1 I was half asleep for a portion of the class and had to head off to bed during the last part (about an hr), so in addition to my "review" I had to try to watch the missing hr. Well, the next night, SWTOR came out with an update: no sleep that night, certainly no studying...
If I can, I'll edit this with any additional information gleaned after this weekend.
So what that means for this thread is that it will be a few weeks before I can get back into this. I expect to be fully into GREM study mode in about 2 weeks. I'm going to try to refresh some of my material over the next week and a half and hopefully go in hard for a final push and review. I hope to get one or two analyses in on my blog when I am done and, if that goes well, a practice exam and a cert attempt.
Day three starts off with dealing with packed malware. We discuss recognizing packed malware, automated and manual methods for unpacking, and debugging. We learn that there are issues with ASLR and unpacking malware, and that unpacking is often a trial and error process.
We also briefly step back into dynamic analysis, talking about network connection tools such as INetSim, Fiddler, Honeyd, etc.
Part 2 of Day 3 starts off on how to deal with web based malware. Specifically we are talking about websites that perform malicious actions through the browser: malicious redirects, encoded JavaScript or other browser based attacks. We discuss how to debug and deobfuscate when possible. Again, we drive home that it is a tedious process sometimes, as code can be obfuscated numerous times. But I think this portion of the course will be more important in performing analysis, assuming you have the opportunity to examine websites in your work.
Day 5 is about Malicious documents and memory forensics.
We discuss how infections occur through delivered documents, from malicious Word and Excel documents, which may contain shellcode, VBA macros, and JavaScript. We also delve into malicious PDFs, how to detect them, and how to pull out malicious content. We cover a number of tools to perform this work. Finally we delve into memory analysis with tools such as the Volatility framework. We discuss its use when we need to examine a live system or other event where we do not have an original exe at the outset to examine.
I've technically finished the course at this point, and long story short I'm going back through for review and relearning. It's going to take some time. I purchased my exam attempt and took a practice test, far from where I want to be. It seemed to me that a number of the questions seemed to come out of left field or used terminology that was not used during the course. An example of a question type that may have been present would be something about how to trigger a breakpoint when you need to set to its authentication function. Wha? Authentication function? I know how to set a software or hardware breakpoint, I know when to use which, but I don't remember anything about authentication. Or a question about something seen when examining a packed executable. The get being that the sample wasn't packed, but had the name of the programming language shown by the tool, but it has a version number. Unless you knew that the name of the language was a language, not a packer, there is no way to tell the difference. Seems to me an unfair question since that specific language was never discussed.
I remember some threads somewhere that discussed this exam, and perhaps mentioned such issues; obviously I will need to review those, as well as creating an index. As you all may know, I don't generally create indexes. Most people do and I can see their use, but I never have. In this case I may do it to better study, and to ensure I can access everything when I need it. This will also likely be the first GIAC exam where I use both practice exams, I expect.
In the end, however, this is a good thing for me. I'm already being considered for a position with malware analysis duties. I'll have to talk to the person, make sure I'm going to have a mentor, but I'm seriously considering it.
The test was difficult but not impossible. The material must be not just memorized but understood. This means working through the concepts and the tools together. I found the course extremely interesting and the material (for me) took quite a while to absorb. It could be that I am a bit dense though.
You list the certification GREM on your cert list, so I assume you retook the exam and passed it. Are you willing to share your practice test scores? I'm always interested in hearing how people scored on their practice tests vs the exam.
The first test I was highly rushed due to waiting until the last two weeks to study. Long story, but a lot of badness took up my time and I had to quick study for the test before it expired. Due to that I rushed through the sample tests before I should have taken them. My sample scores were abysmal, but I do not remember what they were. When I took the test the first time I was not ready, period, the end.
Side note: keep in mind that a 'quick study' was about 50-100 hours beyond the course. I am a bit dense, so it may take me longer than others.