FOR610 Review
I've just received the books for my vLive FOR610/GREM course. While my course doesn't start until next week, I'm going through the first book and will be reviewing the material and my prep here.
Book 1 is an introduction to malware analysis. It covers basic dynamic analysis, static code analysis, and has a large lab setup section. Looking at the **** sheets I can see there are a lot of tools that are new to me and that I will be using.
I am a bit surprised at this point that basic static analysis was barely mentioned. I'm not sure how relevant it still is, but there is no mention of hashing and submitting the sample online for scanning (or doing it locally).
So far I've made it through the first two sections listed above; I still need to set up the lab per the instructions. I will also need to go back and do the lab from book 1 when I get set up.
The code analysis section is decent. Once I re-read it this morning it was easier to understand, and so far it is easier to understand than the PMA book.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
Comments
-
docrice Member Posts: 1,706 ■■■■■■■■■■
This is great. We definitely don't get to hear much about FOR610. I was considering taking this at one point, but my lack of background in low-level computer architecture and programming had me shy away from it.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
-
SaSkiller Member Posts: 337 ■■■□□□□□□□
So far it hasn't been bad, I'll definitely note how I feel as someone with very limited programming experience.
I haven't had much additional time to go through book 1 during the day, but I have to add that it appears the book is going backwards to cover static analysis. It's very strange and I don't know why the book is set up this way. This is not in the teaching section, it's in the "lab setup and validation" portion, but it looks like there is going to be more instruction. Just flipping through, they will be covering additional techniques and tools. I'll be coming back to edit this post when I get through the book tonight, hopefully.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
-
BlackBeret Member Posts: 683 ■■■■■□□□□□
I'm registered for 503/GCIA right now for work, then I'll be doing GREM in 2-3 months so I'll be following this. I'm also interested in how it compares to PMA which is sitting in my library right now.
-
SaSkiller Member Posts: 337 ■■■□□□□□□□
Sorry for the late updates.
Book 1 is a good introduction like I said before. The lecture material does serve to reinforce the material and to answer any questions, though it seems that my group must be pretty knowledgeable, as few questions are asked.
Book 2 starts getting into code analysis. Specifically assembly and understanding code conversions (usually, so far, seeing how C/C++ instructions appear in assembly when looking at jumps and loops).
What I like about the book and lecture material for this book is that while it doesn't baby you, it is clear and flows logically. I know a little about assembly, but even without it, I think I could pick it up by reading and listening to the instructor (and seeing him do it). Seeing the instructor open a file in IDA Pro or OllyDbg is really helpful. It is a different learning style than the one presented in something like PMA. The advice I would give you though: use the additional materials with book 2. Don't think you can read your way through if you aren't comfortable with ASM; listen to the MP3 or lecture, go through it on your own time (there isn't really enough time during the breaks to do it). I would actually suggest this: read the book prior to the class, either a day before or something. Listen to the lecture during your class time, and do all the labs at the end of the class or while he is working them. You can actually do them during your reading, and you can ask questions you had during the lecture while he is doing them, but you'll likely get it while he is doing them.
I don't know how I like doing this class through vLive, as time management is an issue. Class is held at night. If you are working the day after your class, getting sleep can be an issue. Having to juggle work, transportation, sleep, etc. can be... annoying. During book 2 part 1 I was half asleep for a portion of the class and had to head off to bed during the last part (about an hour), so in addition to my "review" I had to try to watch the missing hour. Well, the next night, SWTOR came out with an update, no sleep that night, certainly no studying... Next night was class book 2 part 2... so now I'm going to have to catch up on 2 nights this weekend. It can easily snowball.
If I can, I'll edit this with any additional information gleaned after this weekend.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
-
WilliamK99 Member Posts: 278
I am taking this course in a few weeks, would love to see what the rest of the course is like, good information thus far.
-
SaSkiller Member Posts: 337 ■■■□□□□□□□
Sorry, quick update, with work and everything else, study pretty much ground to a halt. I am currently waking up at 4 to get to work on time without getting killed on the interstate or sitting in heavy traffic. Working for 8 hrs and then taking anywhere from 30 minutes to an hour and a half or more to get home, just in time for me to go to sleep, ensuring I get my 8 hrs. It isn't realistic, and the benefits weren't matching up, so I made the decision to leave my current company to spend time taking care of my study, and hopefully some vacation as well, school stuff as well. On the other side I expect to have a strong resume, and the energy to come back and do some good things to build towards my goals.
So what that means for this thread is that it will be a few weeks before I can get back into this. I expect to be fully into GREM study mode in about 2 weeks. I'm going to try to refresh some of my material over the next week and a half and hopefully go in hard for a final push and review. I hope to get one or two analyses in on my blog when I am done and if that goes well, a practice exam and a cert attempt.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
-
BlackBeret Member Posts: 683 ■■■■■□□□□□
Sounds good. I actually did the same thing with the GCIA and am just now getting to the last book. Seems like I should factor in at least 1 week on, 1 week off for future self-study courses.
-
SaSkiller Member Posts: 337 ■■■□□□□□□□
Hi everyone, thank you for your patience.
Day three starts off with dealing with packed malware. We discuss recognizing packed malware, automated and manual methods for unpacking, and debugging. We learn that there are issues with ASLR and unpacking malware, and that unpacking is often a trial and error process.
We also briefly step back into dynamic analysis, talking about network connection tools such as INetSim, Fiddler, Honeyd, etc.
Part 2 of Day 3 starts off on how to deal with web based malware. Specifically we are talking about websites that perform malicious actions through the browser, malicious redirects, encoded JavaScript or other browser based attacks; we discuss how to debug and deobfuscate when possible. Again, we drive home that it is a tedious process sometimes, as code can be obfuscated numerous times. But I think this portion of the course will be more important in performing analysis, assuming you have the opportunity to examine websites in your work.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
-
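The Day 3 post above mentions "recognizing packed malware" without saying how. The check an analyst usually reaches for first is byte entropy: compressed or encrypted payloads look nearly random, plain code and text do not. The script below is an added example written for this thread, not course material or the poster's code; the two input buffers are constructed stand-ins (repetitive assembly text versus a cyclic run of all 256 byte values), the 7.0 bits/byte threshold and the "half the windows" rule are assumptions chosen for illustration, and in practice you would run the same profile per PE section rather than over the whole file.

```python
import math
from collections import Counter

# Constructed samples (not real malware): repetitive assembly-like text stands
# in for ordinary code, and a cyclic run of all 256 byte values stands in for
# a compressed/encrypted (packed) payload.
PLAIN_SAMPLE = b"push ebp\nmov ebp, esp\n" * 200
PACKED_SAMPLE = bytes(range(256)) * 16


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 256) -> list:
    """Entropy of each fixed-size window, as (offset, entropy) pairs, so the
    reviewer can see where in the file the high-entropy region sits."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def looks_packed(data: bytes, threshold: float = 7.0, min_fraction: float = 0.5) -> bool:
    """Heuristic (assumed thresholds): flag the buffer when at least min_fraction
    of its windows are at or above threshold bits/byte. Plain x86 code and text
    sit well below 7; compressed or encrypted data sits near 8. A hit means
    'worth trying to unpack', not 'malicious', and a packer that pads its
    output with zeros can lower the score."""
    profile = entropy_profile(data)
    if not profile:
        return False
    high = sum(1 for _, e in profile if e >= threshold)
    return high / len(profile) >= min_fraction


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(f"{name}: overall {shannon_entropy(sample):.2f} bits/byte, "
              f"looks packed: {looks_packed(sample)}")
```

The per-window profile matters more than the single overall number: a small encrypted blob appended to an otherwise normal binary barely moves the file-wide entropy but shows up clearly as a run of high-scoring windows at one offset.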
SaSkiller Member Posts: 337 ■■■□□□□□□□
Day 4 deals with bypassing anti-analysis defenses. We discuss how malware may act differently when being analyzed automatically or manually. We see how malware may shut down when certain tools are opened (such as Wireshark or analysis tool processes); some samples may contain numerous types of anti-analysis techniques, and sometimes you will have to perform code level analysis to find what is in your way, **** a new exe and try again, only to find that there is another roadblock. We discuss patching executables, as well as some really sneaky anti-analysis defenses that really illustrate the need to have a properly set up lab. Later in the day we try a number of lab examples.
Day 5 is about malicious documents and memory forensics.
We discuss how infections occur through delivered documents, from malicious Word and Excel documents, which may contain shellcode, VBA macros, and JavaScript. We also delve into malicious PDFs and how to detect them, and how to pull out malicious content. We cover a number of tools to perform this work. Finally we delve into memory analysis with tools such as the Volatility framework. We discuss its use when we need to examine a live system or other event where we do not have an original exe at the outset to examine.
I've technically finished the course at this point, and long story short I'm going back through for review and relearning; it's going to take some time. I purchased my exam attempt and took a practice test, far from where I want to be. It seemed to me that a number of the questions seemed to come out of left field or used terminology that was not used during the course. An example of a question type that may have been present would be something about how to trigger a breakpoint when you need to set to its authentication function. Wha? Authentication function? I know how to set a software or hardware breakpoint, I know when to use which, but I don't remember anything about authentication. Or a question about something seen when examining a packed executable. The get being that the sample wasn't packed, but had the name of the programming language shown by the tool, but it has a version number. Unless you knew that the name of the language was a language, not a packer, there is no way to tell the difference. Seems to me an unfair question since that specific language was never discussed.
I remember some threads somewhere that discussed this exam, and perhaps mentioned such issues; obviously I will need to review those, as well as creating an index. As you all may know, I don't generally create indexes; most people do and I can see their use, but I never have. In this case I may do it to better study, and to ensure I can access everything when I need it. This will also likely be the first GIAC exam where I use both practice exams, I expect.
In the end however this is a good thing for me. I'm already being considered for a position with malware analysis duties; I'll have to talk to the person, make sure I'm going to have a mentor, but I'm seriously considering it.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
-
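The Day 5 notes above say the course covers "malicious PDFs and how to detect them" but, being a course diary, do not show what the first triage pass looks like. The script below is an added example written for this thread (not course material, not the poster's code, and not any particular tool's implementation): it counts the name-object keywords that PDF triage tools typically flag, decodes the `#HH` hex escapes that PDF permits inside names so that `/J#61vaScript` is counted as `/JavaScript`, and checks that `obj` and `endobj` pair up. Both PDF inputs are constructed, deliberately minimal documents, and the keyword list and reason labels are assumptions chosen for illustration.

```python
import re

# Name-object keywords that PDF triage commonly counts. Each marks a
# capability (scripting, automatic actions, embedded content), not malice.
SUSPICIOUS_KEYWORDS = (
    b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/ObjStm",
)

# Constructed samples (not real documents). The second one hides /JavaScript
# behind the #HH hex escape that PDF allows inside names, which defeats a
# naive string search.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #HH escapes so escaped names compare equal to plain ones. Applied
    to the whole file for simplicity; inside binary streams this only alters
    bytes the keyword count does not look at anyway."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Occurrences of each keyword, requiring a non-name character after it so
    that /JS is not also counted inside a longer name."""
    norm = normalize_names(data)
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", norm))
            for kw in SUSPICIOUS_KEYWORDS}


def triage(data: bytes) -> dict:
    """Summarise why a PDF deserves a closer look; an empty reason list means
    nothing in this cheap pass stood out, not that the file is clean."""
    counts = count_keywords(data)
    objs = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data))
    endobjs = len(re.findall(rb"\bendobj\b", data))
    reasons = []
    if counts["/JavaScript"] or counts["/JS"]:
        reasons.append("embedded JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        reasons.append("action runs automatically on open or on a page event")
    if counts["/Launch"]:
        reasons.append("launch action (can start an external program)")
    if counts["/EmbeddedFile"] or counts["/RichMedia"] or counts["/XFA"]:
        reasons.append("embedded file, media or XFA form")
    if objs != endobjs:
        reasons.append(f"obj/endobj mismatch ({objs} vs {endobjs}): malformed or truncated")
    return {"counts": counts, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        result = triage(doc)
        print(f"{name}: suspicious={result['suspicious']} reasons={result['reasons']}")
```

Keyword counting is only the first pass: once a document is flagged, the next step is extracting the object that holds the script or action and reading it, which is where the per-tool workflow the course teaches takes over.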
EngRob Member Posts: 247 ■■■□□□□□□□
Great write up. This is definitely a course I would love to jump into and it's great to hear from someone with similar programming experience.
-
gespenstern Member Posts: 1,243 ■■■■■■■■□□
Awesome, keep us posted. I plan to take on GREM somewhere in 2016.
-
LR0926 Member Posts: 28 ■□□□□□□□□□
+1 Great update. I'm another member here scheduled to take GREM soon and enjoy reading your posts.
-
sap1437 Registered Users Posts: 2 ■□□□□□□□□□
Thanks for the feedback! I have taken the FOR610 online class a few months back and have decided I will pursue this certification by Spring of 2016. As you have mentioned, there were a lot of materials covered and I would need to get "back on the horse" and do my review prior to taking the exam. Keep us posted and let us know what you think of the exam itself.
-
sufius Member Posts: 6 ■■□□□□□□□□
Hitting the books after I took the class last month. Tough course and it will take some time to get things in my head. I expect a lot of hours practicing. Most of my index is complete.
-
SaSkiller Member Posts: 337 ■■■□□□□□□□
Good luck, looking forward to hearing more.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
-
sufius Member Posts: 6 ■■□□□□□□□□
Had my first certification failure attempt of my life, but it was due to just not studying/practicing enough and I missed passing by one point. This was on me as I did not study enough, plain and simple. I had a lot of things going on so the courseware took a backseat for a while.
The test was difficult but not impossible. The material must be not just memorized but understood. This means working through the concepts and the tools together. I found the course extremely interesting and the material (for me) took quite a while to absorb. It could be that I am a bit dense though. I am going to try the GCIH next... hopefully it will go faster haha!!!!
-
TechGromit Member Posts: 2,156 ■■■■■■■■■□
> Had my first certification failure attempt of my life but was due to just not studying/practicing enough and missed passing by one point.
You list the certification GREM on your cert list, I assume you retook the exam and passed it. Are you willing to share your practice test scores? I'm always interested in hearing how people scored on their practice tests vs the exam.
Still searching for the corner in a round room.
-
sufius Member Posts: 6 ■■□□□□□□□□
Yes, I retook it after failing.
The first test I was highly rushed due to waiting until the last two weeks to study. Long story, but a lot of badness took up my time and I had to quick study for the test before it expired. Due to that I rushed through the sample tests before I should have taken them. My sample scores were abysmal, but I do not remember what they were; when I took the test the first time I was not ready, period, the end.
Side note: keep in mind that a 'quick study' was about 50-100 hours beyond the course. I am a bit dense so it may take me longer than others; I spent more time before my second attempt.