SANS FOR408 review (work study program)

cyberguypr Mod Posts: 6,928
I just came back from SANS Crystal City 2015 where I facilitated the FOR408 class with Instructor Mike Pilkington. This is my 4th year in a row facilitating for SANS. I was told close to 40 people applied to facilitate for this class so that gives you an idea how fierce the competition is.

Day 0
This day is basically the same for all small events. We started by going over what facilitating involves, what is expected etc. From there we jumped right into unpacking books, shirts, and other collateral. Each facilitator organizes and inventories the books for his class. An exact count is taken and compared to the master inventory sheet. A quality control check is performed. Facilitators go through at least two books page by page checking for any missing pages, major creases, and other defects. I always like to take two more books and do spot checks to make sure everything is correct. Once the books are good to go they are put in SANS totes as they will be given to students the next morning when they register. Other random tasks included setting up signage, assisting setting up AV, etc. This day ended around 2:30PM so I went sightseeing to DC.
If there are night talks each facilitator needs to sign up to assist with at least one of these. The topics are usually very cool and up to date so many facilitators end up attending several. This year we had topics such as credit card fraud, DLP countermeasures (stego, encryption), and Continuous Monitoring.

Day 1
For facilitators this is the longest day as we are required to be ready at 6AM. We started organizing the registration table, revising that signage is still where it's supposed to be, and tackling anything that may pop up last second. This doesn't take long so by 6:30 we were done. Registration started at 7AM. Since I have facilitating experience I stayed at the table until 9:30 to register a few stragglers. By the time I got to class
Early in the morning the Here they set the stage discussing what to expect the rest of the week. The discussion started by discussing how artifacts change across different versions of Windows. A few slides cover the purpose of forensics and the importance of properly scoping the investigation. From there we moved on to talk about RAM extraction, registry analysis, order of volatility, differences between spinning drives and SSDs, and others. We also talked about file carving. Lab exercises reinforced every single topic covered. We started building a timeline for the case being analyzed which involved insider trading activity. The plan is to have by day 5 a clear picture and a forensic trail of illegal activity performed by the subject being investigated.

Day 2
Here we started with registry analysis. We looked at MRUs, Shellbags, NTUSER.dat, USRCLASS.dat, all kinds of registry hives, identifying system name, version, network adapters, geo-locating using WiFi networks, and others. We also looked into artifacts related to evidence of file execution, folder access, Save/Run dialog boxes, and entries related to the UserAssist feature. In the labs we played with Regripper, YARU, and CAFAE.

Day 3
Day 3 picked up with more Shellbag analysis, a look into jump lists, lnk files, and the all-important USB activity examination. We discussed the forensic implications of BYOD, and also touched on BitLocker. There was a 10,000 feet look into EnCase and FTK, leaning heavily towards FTK mainly because the labs use a pre-indexed case for the sake of time. There was a cool exercise where we had to track down USB activity, use FTK to pull a BitLocker recovery key, mount the BitLocker module, and extract some data.

Day 4
Discussion started with email forensics. It opened by discussing headers and antiforensics techniques that could be used in headers to throw off investigators. We also touched on web-based email and Outlook/Exchange details. Lots of info on this area. Next topic was Windows artifacts such as thumbs.db, prefetch file analysis, and recycle bin details. The last section was related to event log analysis. Labs focused on analyzing logs with different tools as well as using the Nuix suite for email analysis. Another useful lab was searching for evidence of time manipulation within Windows.

Day 5
This day is all about browser forensics. All three major browsers are discussed in detail. Artifacts that can be recovered from each one are discussed and details were provided on where to find every valuable piece of information. We parsed the DBs for Firefox and Chrome to gather forensic evidence. I particularly liked a section on dissecting Google Analytics cookies. There was also a good discussion on InPrivate or equivalent modes including how we can get artifacts from those sessions. The labs covered all of this.

On this day we were given a fresh image that we would use the next day for the challenge exercise. I spent an hour or so at night peeking through this image to see what the case could be about. I thought I had a good idea of what was going on but boy was I missing more than half of the story!

Day 6
Challenge time! We opened the day by discussing briefly the anatomy of a forensic findings report. This was just the barebones, nothing particularly detailed, but still useful. After that we dug into the exercise. The premise is that we are given some background information on a case completely unrelated to the insider trading we worked throughout the week, but still featuring similar logistics where we need to figure out what happened based on the forensic artifacts we recover. As I mentioned above I took a peek into the image the night before and thought I knew what was going on. Turns out the course creator made sure there was more than meets the eye. When the instructor passed out the instructions I realized I only had half of the story and it had more holes in it than a colander.

The class was divided in five groups of 3-4 people each. Now, the idea was to work the evidence, present it in front of the group, and then everyone would vote for the group they thought presented their case best. Kind of a mini-trial where you are presenting the findings in front of the court. Out of five groups one decided that they wouldn't compete and would only work the evidence as a lab. Fine by me, less competition :)

As background, let me tell you that two years ago I lost the SEC504 coin for a mere 30 seconds. Another group beat us because we took too long with a steganography component. Back then the person we asked to document findings did a fatal job which cost a lot of time going in circles around stuff that we never documented. That scarred me big time and I was determined to get the forensics coin this time. I took the lead of the group and decided to document the timeline myself. That was a great decision as I was able to identify holes connecting the dots and assigned different members specific plot holes to work on. We banged at this for 5 hours straight. When the instructor signaled it was 5 minutes to "hands off the keyboard" moment, we panicked as we didn't even have the PowerPoint ready. We hustled and put it together. Once all groups presented we were excited because some of the very important artifacts we found were not discovered by any other group.

And the best part: my team won the challenge and we got the LETHAL FORENSICATOR coin!!!


Final thoughts
One of the best aspects of this course is that it shows you how to get artifacts both manually and through the use of tools. The only problem that I found is that most tools they focus on are commercial and there's very little open source in the laundry list of tools discussed. Since many are doing forensics on a shoestring budget I think there’s a lot of value in integrating more open source tools. Another thing missing that I was expecting was perhaps more discussion on the forensics process itself along the lines of NIST 800-66.

I definitely recommend this class for those tasked with performing forensics on Windows systems.

Now on to study for the GCFE.


  • NetworkNewb Member Posts: 3,298
    Nice write up! and gratz on the coin!
  • JoJoCal19 Mod Posts: 2,835
    Congrats on getting the coin and thanks for the write up! Even though I don't do forensics as a primary duty, there's still a lot in this course that would be beneficial in knowing.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • EngRob Member Posts: 247
    Great write up! I did the work study for 408 back in February and Mike taught it. He's a very knowledgeable instructor. Good luck with 508.
  • Robicus Member Posts: 144
    Awesome write-up! Thank you for sharing your experiences and providing insights into facilitating.

    Oh, and of course, congratulations on the coin!
    What's Next? eLearnSecurity's eCIR

  • ramrunner800 Member Posts: 238
    I was in your class! Glad to be running into other TE members out there, even if unknowingly.
    Currently Studying For: GXPN
  • Danielm7 Member Posts: 2,310
    I've been doing this same course on OnDemand, I really wish I could have done the in person training. So hard to block off huge amounts of time to get all the training done in a reasonable time frame.
  • TechGromit Member Posts: 2,156
    cyberguypr wrote: »
    I just came back from SANS Crystal City 2015 where I facilitated the FOR408 class with Instructor Mike Pilkington. This is my 4th year in a row facilitating for SANS. I was told close to 40 people applied to facilitate for this class so that gives you an idea how fierce the competition is.

    Day 0
    This day is basically the same for all small events. We started by going over what facilitating involves, what is expected etc.

    I was there, you probably handed me my books. I have a question, how many people actually work for SANS? Between the instructors and facilitators, does anyone actually work for SANS, or do you take directions from a mysterious masked stranger that gives you instructions via webcam?
    Still searching for the corner in a round room.
  • cyberguypr Mod Posts: 6,928
    For this particular event there were two event coordinators who handled logistics.
  • TechGromit Member Posts: 2,156
    cyberguypr wrote: »
    I just came back from SANS Crystal City 2015 where I facilitated the FOR408 class with Instructor Mike Pilkington.

    Did you find yourself being pulled away from class at all to support other activities? What about breaks, I read that you were not supposed to leave the class unattended, do you pack your lunch and eat in class? Any issue running out for a bathroom break during class?

    You mentioned an event for SANS 504, so the last day of class you're running through an incident response challenge?
    Still searching for the corner in a round room.
  • cyberguypr Mod Posts: 6,928
    Bathroom breaks for facilitators are prohibited by SANS. Just kidding! :)

    From what others have posted here you may miss more of the class at bigger events. I've been to 4 small events (6-8 classes) and they are all super relaxed, other than setup day and registration the first day. If I was ever out of class it was for a short period of time to go report that the A/C was too high, too low, projector needed focus (can't touch it because of unions), etc. It was never disruptive to the learning experience. Most I've been out was in SEC 504 when I had to run to the hotel lobby and pick up food that the instructor bought for the whole class because he were running behind. Free food, so can't complain. Even if you miss something remember that most classes have MP3s and OnDemand, both things that you will get access after the class is over. In FOR 408 Mike never ate lunch so he was always in the room looking which left me more time to go eat.

    SANS does a good job warning everyone that no one should be leaving stuff in the classroom and if they do they are assuming all risk. For classes with lab gear you wouldn't want to leave it unattended and then figure no one can do labs because there's a switch missing. The instructor or one of the SANS peeps will gladly keep an eye at the gear while you go grab food.

    The SEC 504 CTF was fun. Cool exercise to apply the stuff you learned throughout the course. Winners get the coveted SANS coin. The SANS page for 504 lists the stuff covered in the exercise:
    - Nmap port scanner
    - Nessus vulnerability scanner
    - Network mapping
    - Netcat: File transfer, backdoors, and relays
    - More Metasploit
    - Exploitation using built in OS commands
    - Privilege escalation
    - Advanced pivoting techniques

    To close off, SANS understands work study is a symbiotic relationship and both parts benefit. If you work with them, they will work with you.
  • E Double U Member Posts: 2,229
    Great write-up! Congratulations!
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • krusnik Registered Users Posts: 1
    Thanks for the write-up of the experience. When you take part in the FOR408 as a facilitator, is there any material that a participant gets and not you? As a reference, the FOR408 course states that you receive the following:

    Windows 10 version of the SIFT Workstation Virtual Machine with over 200 commercial, open-source, and freeware Digital Forensics and Incident Response tools prebuilt into the environment
    Windows 10 Standard License and Key for the Windows SIFT Workstation
    Full version licenses for 90 days:
    AccessData FTK
    Magnet Forensics Internet Evidence Finder
    TZWorks Toolset
    128 GB USB Key with real-world cases to examine during and after class
    FOR408 Detailed exercise workbook with detailed step-by-step instructions
    Wiebetech Forensic Ultradock v5 Write Blocker Kit
    IDE and SATA Cable Connectors
    Three FireWire Ports
    USB 3.0 Port
    MP3 audio files of the complete course lecture

    I know this thread is more than a year older, but I have not been able to find an answer anywhere else, hope you can help.
  • cyberguypr Mod Posts: 6,928
    Everyone gets the same stuff. The only thing a facilitator gets is the chance to prep everyone's books, count shirts, tally evaluation sheets and joke around with the SANS staff.
  • quogue66 Member Posts: 193
    I facilitated FOR408 in March and I did not get anything extra.
  • bigdogz Member Posts: 881
    You received a huge discount on the class and put in some sweat equity and assisted the instructor when needed in return.

    That's how it works.