I recently attended SANS Security 508 at SANS 2010-Orlando. When I told Harlan Carvey that I was going to attend this training he was concerned that I would not be exposed to anything I had not already exposed myself to through work and personal effort. When I arrived on-site I got the same feeling from Rob Lee, although his concern seemed to be more centered around the value added by the course to more experienced incident response professionals. Well, although their concerns were valid, I have to say that attending this class was a very valuable experience, from the networking I accomplished, to the new (to me) concepts about how file systems work, to the concerns about how some applications leverage that information to produce system artifacts.
I am not going to delve too much into the topics covered in the class. It is outlined for you on SANS’ website and, well, Rob and his crew worked very hard on pulling all of the concepts together. For that you should attend the course or purchase the course material if you would like a deeper understanding. However, there are a bunch of priceless illustrations that help the students understand some of the complex topics that can be confusing when first exposed to the information. The ones that popped out to me the most were the images covering the Forensic Investigation Methodology, Date/Time correlations, and the Filesystem/Sleuthkit Review. Each of them, at a glance, provides excellent clarification.
So, to alleviate the concerns of Harlan and Rob, I learned a lot by attending the course. I guess I am just one of those people. I will admit that I was not as challenged as when I attended some of the other SANS trainings I have attended. Certainly it was a fire hose for most of the attendees. I just figure that this means that for the past two years I have been approaching incident response properly. Rob’s class most validated the processes I have formed surrounding my acquisition and initial analysis techniques. A lot of this came to me via Harlan’s training professionally, individually, and via reading his blog and books. Some of these concepts were also developed via the experiences of Chris Pogue. His Sniper Forensics talk is a direct representation of many of the concepts I employ. (It was good to finally meet him after two years.)
Since I am not going to go too deep into the concepts covered by the class (although they should shape some of the future content here), I will provide you with some of the notable quotes that came from Rob.
“…training the new breed of incident responder.”
Absolutely, SEC508 provides a sound foundation. It exposes incident responders to the basics of the field. Starting with a sound foundation is what is necessary. (Tangent Alert!) It also takes incident response and digital forensics out of the court room and back into the data center. Which is important because the data center changes much faster than the court room. By letting the court room lead our incident response processes we are limiting our capabilities to adapt to new threats and attack methodologies. Let the court room keep up with us.
“…EMTs do not worry about adjusting evidence …”
Another statement enforcing the point I just made. Of course, what should be noted is that EMTs approach an incident with a specific methodology. They have a plan and they execute it. When necessary, they deviate from that plan. But familiarization and continuous training around the basics of that plan make it second nature to them. This means that their actions can be accounted for and justified when evidence is necessary.
“Evidence integrity goes to the weight of what the evidence can be used for….”
Basically, be more concerned about the actions you have taken to gather information. Once again: following your plan, knowing the basics, and documenting deviations. Just because there is or is not a hash does not mean that, if necessary, the information will not be admissible during a court case. But court cases should not be your major concern. A consistent and repeatable process should be your concern. This is necessary in case there is a need to repeat the data analysis in a court room, for a Board of Directors, or for a team of auditors.
“Tools do not have to be validated. The output, what was found, is more important than the tool that was used to interpret the data.”
This is one of the first concepts that Harlan explained to me when I started working with him. Different tools display information better than other tools (which is why we have a wide variety of them). But just because a tool presents the data in a certain way, or has been doing so for X number of years, does not mean it is doing so correctly. Other methods may be necessary to validate tool output. This concept holds true for a perl/python script that was written last night by a kid in Poughkeepsie, NY or a long-standing data analysis tool such as EnCase or FTK.
The forensic industry “is not a fad. Organizations are spinning up internal teams to handle incident response and investigations.”
This is nothing new but it is a great validation. Rob is exposed to a wide range of people from many different operational backgrounds. This statement is also supported by the explosion of process and tool development in the digital forensic and incident response field.
I will end with a personal favorite of mine. The following quote validates a realization I recently came to while cleaning up after an incident response. If you have a weak heart, and hold onto old concepts dearly, you may want to skip the following quote. (I am paraphrasing because I just realized I didn’t write it down.)
“How many passes does it take to destroy data so that forensic analysis tools cannot recover it? One, yes you are correct.”
Yes, you read that right. Only one pass is necessary. Wow, that will save a lot of time, not to mention a lot of energy related to processor-intensive multiple writes using random data. I am not going to track down all of the links that support this statement. Basically, once information has been overwritten it cannot be accessed by the tools we typically deploy. Even advanced tools can only guess at the former state of a bit. The cool thing is that since there are multiple layers to the file system, there is a chance that a tool or process did not correctly overwrite the information. This is a key concept covered by SEC508. And as incident responders we also realize that just because data was destroyed in one location does not mean it is not stored in some other location. Which is why our processes include involving an organization’s network, workstation, server, and application administrators as well as management. These people will understand where residual data resides within the organization.
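To make the two halves of that point concrete, here is a small added illustration (my own toy model, not course material and not any real file system or wipe tool). It simulates a cluster-based volume: a one-pass overwrite is final for every byte it actually touches, yet the same overwrite leaves residue in file slack and in unallocated clusters that it never reached, which is exactly where an examiner scanning the raw clusters still finds it. Cluster size, file names and the sample credential string are all constructed for the example.

```python
"""Toy cluster-based volume.

Shows that a single overwrite pass is final for the bytes it touches, but
that residue survives in file slack (the unused tail of a file's last
cluster) and in unallocated clusters the wipe never visited.
Constructed illustration only; not a real file system or wipe tool.
"""

CLUSTER_SIZE = 16   # bytes per cluster, tiny so the layout is readable
NUM_CLUSTERS = 8


class ToyVolume:
    def __init__(self):
        # Raw storage: a cluster keeps whatever was last written to it.
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(NUM_CLUSTERS)]
        self.free = list(range(NUM_CLUSTERS))   # stand-in for an allocation bitmap
        self.directory = {}                     # name -> (logical size, cluster list)

    def write_file(self, name, data):
        needed = -(-len(data) // CLUSTER_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("volume full")
        chunks, self.free = self.free[:needed], self.free[needed:]
        for i, c in enumerate(chunks):
            piece = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            # Only the logical bytes are written; the rest of the last
            # cluster (file slack) keeps its previous contents.
            self.clusters[c][:len(piece)] = piece
        self.directory[name] = (len(data), chunks)

    def delete_file(self, name):
        # Ordinary deletion: drop the entry, free the clusters, touch no data.
        _, chunks = self.directory.pop(name)
        self.free = sorted(self.free + chunks)

    def overwrite_file(self, name, fill=b"\x00"):
        # One pass over the file's *logical* bytes, as a wipe utility that
        # works through the file API would do. Slack is never touched.
        size, chunks = self.directory[name]
        remaining = size
        for c in chunks:
            n = min(remaining, CLUSTER_SIZE)
            self.clusters[c][:n] = fill * n
            remaining -= n

    def carve(self, needle):
        # Examiner's view: scan every cluster regardless of allocation state
        # and report where the pattern still lives.
        hits = []
        for idx, cl in enumerate(self.clusters):
            if needle in bytes(cl):
                hits.append((idx, "unallocated" if idx in self.free else "allocated"))
        return hits


def demo():
    # Constructed sample data: 40 bytes, so the file spans 2.5 clusters.
    secret = b"user=alice;password=hunter2;session=ZZZZ"
    vol = ToyVolume()
    results = {}

    vol.write_file("creds.txt", secret)
    results["live"] = vol.carve(b"hunter2")          # in cluster 1 of the live file

    vol.delete_file("creds.txt")
    results["deleted"] = vol.carve(b"hunter2")       # same bytes, now unallocated

    # A shorter file reuses the first two clusters; its logical size ends
    # 4 bytes into cluster 1, so the rest of cluster 1 is slack.
    vol.write_file("note.txt", b"report: all clear!!!")
    results["reused"] = vol.carve(b"hunter2")        # survives in note.txt's slack
    results["tail"] = vol.carve(b"ZZZZ")             # survives in unallocated cluster 2

    # One-pass wipe of note.txt: its own 20 bytes are gone for good...
    vol.overwrite_file("note.txt")
    results["wiped_note"] = vol.carve(b"report")
    # ...but the slack the wipe never touched still holds the old password.
    results["wiped_slack"] = vol.carve(b"hunter2")

    # Contrast: wiping the secret while it is the live file covers all 40
    # logical bytes, and a single pass leaves nothing for carving to find.
    vol2 = ToyVolume()
    vol2.write_file("creds.txt", secret)
    vol2.overwrite_file("creds.txt")
    results["wiped_live"] = vol2.carve(b"hunter2")
    return results


if __name__ == "__main__":
    for step, hits in demo().items():
        print(f"{step:12s} {hits}")
```

The lesson for a responder is the one the quote makes: the overwritten bytes are unrecoverable after a single pass, so repeated random-data passes buy nothing, while the places a wipe tool did not reach (slack, unallocated space, and copies elsewhere in the organization) are where the analysis effort belongs.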
So, to wrap this up, I highly recommend SEC508 to new and experienced incident response and digital forensic professionals. You are going to learn something you did not know. You are going to make contacts that will be invaluable in the future. And, if you obtain the GIAC certification, you are going to have a valuable certification in a growing and increasingly important field that is having global impact.
Go forth and do good things,
Don C. Weber
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.