I just came back from SANS Crystal City 2015 where I facilitated the FOR408 class with Instructor Mike Pilkington. This is my 4th year in a row facilitating for SANS. I was told close to 40 people applied to facilitate for this class so that gives you an idea how fierce the competition is.
Day 0
This day is basically the same for all small events. We started by going over what facilitating involves, what is expected, etc. From there we jumped right into unpacking books, shirts, and other collateral. Each facilitator organizes and inventories the books for his class. An exact count is taken and compared to the master inventory sheet. A quality control check is performed. Facilitators go through at least two books page by page checking for any missing pages, major creases, and other defects. I always like to take two more books and do spot checks to make sure everything is correct. Once the books are good to go they are put in SANS totes, as they will be given to students the next morning when they register. Other random tasks included setting up signage, assisting with AV setup, etc. This day ended around 2:30PM so I went sightseeing in DC.
If there are night talks, each facilitator needs to sign up to assist with at least one of these. The topics are usually very cool and up to date, so many facilitators end up attending several. This year we had topics such as credit card fraud, DLP countermeasures (stego, encryption), and Continuous Monitoring.
Day 1
For facilitators this is the longest day, as we are required to be ready at 6AM. We started by organizing the registration table, verifying that the signage was still where it was supposed to be, and tackling anything that popped up at the last second. This doesn't take long, so by 6:30 we were done. Registration started at 7AM. Since I have facilitating experience I stayed at the table until 9:30 to register a few stragglers. By the time I got to class
Early in the morning they set the stage, discussing what to expect the rest of the week. The discussion started with how artifacts change across different versions of Windows. A few slides cover the purpose of forensics and the importance of properly scoping the investigation. From there we moved on to talk about RAM extraction, registry analysis, order of volatility, differences between spinning drives and SSDs, and others. We also talked about file carving. Lab exercises reinforced every single topic covered. We started building a timeline for the case being analyzed, which involved insider trading activity. The plan is to have, by day 5, a clear picture and a forensic trail of the illegal activity performed by the subject being investigated.
Day 2
Here we started with registry analysis. We looked at MRUs, Shellbags, NTUSER.DAT, UsrClass.dat, all kinds of registry hives, identifying the system name, version, and network adapters, geo-locating using WiFi networks, and others. We also looked into artifacts related to evidence of file execution, folder access, Save/Run dialog boxes, and entries related to the UserAssist feature. In the labs we played with RegRipper, YARU, and CAFAE.
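The UserAssist entries mentioned above are a good illustration of why the course's "get the artifact by hand" approach matters: the value names are ROT13-encoded and the data is a packed binary blob. The decoder below is an added example for this write-up; it is not code from FOR408, RegRipper, YARU or CAFAE. It handles the 72-byte Windows 7 and later layout only (XP used a 16-byte value with a different count encoding and is rejected), and the registry value it parses is constructed rather than pulled from the course image.

```python
r"""Decode a Windows 7+ UserAssist registry value by hand.

Added example for this write-up, not course material. Value names under
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
are ROT13-encoded (GUID included). On Windows 7 and later the 72-byte
data blob holds the run count at offset 4, the focus count at offset 8,
the focus time in milliseconds at offset 12 and the last-execution
FILETIME at offset 60. The sample value below is constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100-nanosecond ticks since 1601-01-01 UTC; 0 means never run."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_name(name):
    """ROT13 is the only obfuscation applied to the value name."""
    return codecs.decode(name, "rot_13")


def parse_userassist_win7(name, data):
    """Return the decoded program path plus execution statistics."""
    if len(data) != 72:
        raise ValueError("expected a 72-byte Windows 7+ UserAssist value, got %d bytes"
                         % len(data))
    # offset 0 is a session id we do not need; counts and focus time follow it
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run, = struct.unpack_from("<Q", data, 60)
    return {
        "program": decode_name(name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run),
    }


# Constructed sample: the Program Files known-folder GUID and notepad.exe, ROT13'd,
# run 5 times, focused 12 times for 90 s total, last run 2015-03-02 12:00:00 UTC.
SAMPLE_NAME = r"{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\abgrcnq.rkr"
SAMPLE_DATA = (
    struct.pack("<IIII", 0, 5, 12, 90000)          # session, run count, focus count, focus ms
    + b"\x00" * 40                                 # ten float32 slots, not needed here
    + b"\x00" * 4                                  # padding/unknown
    + struct.pack("<Q", 130697712000000000)        # FILETIME, 2015-03-02 12:00:00 UTC
    + b"\x00" * 4                                  # trailing unknown
)

if __name__ == "__main__":
    for key, value in parse_userassist_win7(SAMPLE_NAME, SAMPLE_DATA).items():
        print("%-12s %s" % (key, value))
```

Run against a real hive, the names come straight out of the Count subkey and the data is the raw REG_BINARY value; the ROT13 step reveals both the known-folder GUID and the executable, which is what ties the entry back to the file-execution timeline.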
Day 3
Day 3 picked up with more Shellbag analysis, a look into jump lists, LNK files, and the all-important USB activity examination. We discussed the forensic implications of BYOD, and also touched on BitLocker. There was a 10,000-foot look into EnCase and FTK, leaning heavily towards FTK, mainly because the labs use a pre-indexed case for the sake of time. There was a cool exercise where we had to track down USB activity, use FTK to pull a BitLocker recovery key, mount the BitLocker volume, and extract some data.
Day 4
Discussion started with email forensics. It opened by discussing headers and anti-forensics techniques that could be used in headers to throw off investigators. We also touched on web-based email and Outlook/Exchange details. Lots of info in this area. The next topic was Windows artifacts such as thumbs.db, prefetch file analysis, and Recycle Bin details. The last section was related to event log analysis. Labs focused on analyzing logs with different tools as well as using the Nuix suite for email analysis. Another useful lab was searching for evidence of time manipulation within Windows.
Day 5
This day is all about browser forensics. All three major browsers are discussed in detail. The artifacts that can be recovered from each one are discussed, and details were provided on where to find every valuable piece of information. We parsed the DBs for Firefox and Chrome to gather forensic evidence. I particularly liked a section on dissecting Google Analytics cookies. There was also a good discussion on InPrivate or equivalent modes, including how we can get artifacts from those sessions. The labs covered all of this.
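The two database parses and the Google Analytics cookie dissection mentioned above share one practical trap: each artifact uses a different epoch. The script below is an added example for this write-up, not lab code from FOR408. It reads the Chrome History and Firefox places.sqlite tables (cut down to the columns used here), normalizes both to UTC, merges them into one timeline, and splits a __utma cookie into its fields. The two databases and the cookie value are constructed in-memory samples, not evidence from the course image.

```python
"""Merge Chrome and Firefox history into one timeline and dissect a
Google Analytics __utma cookie.

Added example for this write-up, not course material from FOR408 or
SANS. Schemas are cut down to the columns used; sample rows are
constructed. The epochs are the real ones: Chrome stores microseconds
since 1601-01-01 (WebKit time), Firefox microseconds since 1970-01-01
(PRTime), and __utma seconds since 1970-01-01.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Chrome/WebKit: microseconds since 1601-01-01 UTC (0 = unknown)."""
    return None if us == 0 else WEBKIT_EPOCH + timedelta(microseconds=us)


def prtime_to_datetime(us):
    """Firefox/PRTime: microseconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + timedelta(microseconds=us)


def chrome_visits(conn):
    """Yield (utc datetime, url, title) from a Chrome History database."""
    sql = ("SELECT v.visit_time, u.url, u.title FROM visits v "
           "JOIN urls u ON u.id = v.url")
    for ts, url, title in conn.execute(sql):
        yield webkit_to_datetime(ts), url, title


def firefox_visits(conn):
    """Yield (utc datetime, url, title) from a Firefox places.sqlite."""
    sql = ("SELECT h.visit_date, p.url, p.title FROM moz_historyvisits h "
           "JOIN moz_places p ON p.id = h.place_id")
    for ts, url, title in conn.execute(sql):
        yield prtime_to_datetime(ts), url, title


def build_timeline(chrome_conn, firefox_conn):
    """Tag each visit with its browser and sort oldest first (unknown times first)."""
    events = [("chrome",) + e for e in chrome_visits(chrome_conn)]
    events += [("firefox",) + e for e in firefox_visits(firefox_conn)]
    return sorted(events, key=lambda e: e[1] or WEBKIT_EPOCH)


def parse_utma(value):
    """__utma = domainhash.visitorid.firstvisit.previousvisit.currentvisit.sessions"""
    parts = value.split(".")
    if len(parts) != 6:
        raise ValueError("unexpected __utma layout: %r" % value)
    dh, vid, first, prev, cur, sessions = parts
    unix = lambda s: UNIX_EPOCH + timedelta(seconds=int(s))
    return {"domain_hash": dh, "visitor_id": vid,
            "first_visit": unix(first), "previous_visit": unix(prev),
            "current_visit": unix(cur), "session_count": int(sessions)}


def sample_chrome():
    """Constructed Chrome History DB: one visit at 2015-03-02 12:00:00 UTC."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/earnings', 'Q1 earnings draft');
        INSERT INTO visits VALUES (1, 1, 13069771200000000);
    """)
    return conn


def sample_firefox():
    """Constructed places.sqlite: one visit at 2015-03-02 13:30:00 UTC."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://mail.example.net/', 'Webmail');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1425303000000000);
    """)
    return conn


if __name__ == "__main__":
    for browser, when, url, title in build_timeline(sample_chrome(), sample_firefox()):
        print(when.isoformat(), browser, url, title)
    cookie = "173272373.1234567890.1425200000.1425290000.1425297000.3"
    for key, value in parse_utma(cookie).items():
        print(key, value)
```

The WebKit-to-Unix offset is 11644473600 seconds, so a Chrome visit_time that looks "too large" by that much is the usual sign that someone fed it straight into a Unix-epoch converter; the __utma first-visit field is what makes the cookie valuable even when history has been cleared, since it survives as long as the cookie does.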
On this day we were given a fresh image that we would use the next day for the challenge exercise. I spent an hour or so at night peeking through this image to see what the case could be about. I thought I had a good idea of what was going on but boy was I missing more than half of the story!
Day 6
Challenge time! We opened the day by briefly discussing the anatomy of a forensic findings report. This was just the bare bones, nothing particularly detailed, but still useful. After that we dug into the exercise. The premise is that we are given some background information on a case completely unrelated to the insider trading we worked throughout the week, but still featuring similar logistics, where we need to figure out what happened based on the forensic artifacts we recover. As I mentioned above, I took a peek into the image the night before and thought I knew what was going on. Turns out the course creator made sure there was more than meets the eye. When the instructor passed out the instructions I realized I only had half of the story, and it had more holes in it than a colander.
The class was divided into five groups of 3-4 people each. Now, the idea was to work the evidence, present it in front of the group, and then everyone would vote for the group they thought presented their case best. Kind of a mini-trial where you are presenting the findings in front of the court. Out of five groups, one decided that they wouldn't compete and would only work the evidence as a lab. Fine by me, less competition.

As background, let me tell you that two years ago I lost the SEC504 coin by a mere 30 seconds. Another group beat us because we took too long with a steganography component. Back then the person we asked to document findings did a fatal job, which cost a lot of time going in circles around stuff that we never documented. That scarred me big time and I was determined to get the forensics coin this time. I took the lead of the group and decided to document the timeline myself. That was a great decision, as I was able to identify holes in connecting the dots and assign specific plot holes to different members to work on. We banged at this for 5 hours straight. When the instructor signaled it was 5 minutes to the "hands off the keyboard" moment, we panicked as we didn't even have the PowerPoint ready. We hustled and put it together. Once all groups presented we were excited because some of the very important artifacts we found were not discovered by any other group.
And the best part: my team won the challenge and we got the
LETHAL FORENSICATOR Coin!!!
Final thoughts
One of the best aspects of this course is that it shows you how to get artifacts both manually and through the use of tools. The only problem that I found is that most tools they focus on are commercial and there's very little open source in the laundry list of tools discussed. Since many are doing forensics on a shoestring budget, I think there's a lot of value in integrating more open source tools. Another thing missing that I was expecting was perhaps more discussion on the forensics process itself, along the lines of NIST 800-66.
I definitely recommend this class for those tasked with performing forensics on Windows systems.
Now on to study for the GCFE.