Windows Incident Response: Basic Skillz, pt II


Okay, so that’s a really good start. Figure out what is common across all specialties, and come up with a core set of skills that are independent of OS, platform, etc., in order to determine what constitutes a "Basic DF Practitioner". These skills will need to be testable and verifiable; some will likely be "you took a test and achieved a score", while other skills will be pass/fail, or verification of the fact that you were able to demonstrate the skill to some degree. Yes, this will be more subjective than a written test, but there are some skills (often referred to as "soft skills") that, while important, one may not be able to pin down to the point of having a written test to verify that skill.

Brigs had some great thoughts as far as a breakdown of skill sets goes, although when I read his comment, I have to admit that in my head, I read it in my Napoleon Dynamite voice. 😉 Taking this a step further, however, I wanted to address @mattnotmax’s comments, as I think they provide a really good means to walk through the thought process.

What constitutes "properly"? The terms "forensics" and "evidence" bring a legal perspective to the forefront in discussions on this topic, and while I fully believe that there should be one standard to which we all strive to operate, the simple fact is that business processes and requirements very often prevent us from relying on one single standard. While it would be great to be able to cleanly shut a system down and extract the hard drive(s) for acquisition, there are plenty of times we cannot do so. I’ve seen systems with RAID configurations shut down and the individual drives acquired, but the order of the drives and the RAID configuration itself was never documented; as such, we had all those disk images that were useless. On the other hand, I’ve acquired images from live systems with USB 1.0 connections by mapping a drive (an ext HDD) to another system on the network that had USB 2.0 connections.

I get that the point here is the integrity of the imaging process itself, as well as maintaining and verifying the integrity of the acquired image. However, if your only option for collecting data is to acquire it from a live system, and you cannot acquire a complete copy of the data, can we agree that what is important here is (a) documentation, and (b) understanding image integrity as it applies to the process being used (and documented)?

If you’ve followed the #DFIR industry for any period of time, you’ll see that there are varying opinions as to how reporting should be done. I’ve included my thoughts as to report writing both here in this blog, as well as in one of my books (i.e., ch 9 of WFA 4/e). While the concepts and techniques for writing DFIR reports may remain fairly consistent across the industry, I know that a lot of folks have asked for templates, and those may vary based on personal preference, etc.

For a training/educational program, I’d highly recommend exercises that follow a building block approach. For example, start by having students document something that they did over the weekend; say, attending an event or going to a restaurant or movie. Have them document what they did, then share it, giving them the opportunity to begin speaking in public. Then have them trade their documentation with someone else in the class, and have that person attempt to complete the same task, based on the documentation. Then, that person reviews the "work product", providing feedback.

Another approach is to give the students a goal, or set of goals, and have them develop a plan for achieving the goals. Have them implement the plan, or trade plans such that someone else has to implement the plan. Then conduct a "lessons learned" review; what went well, what could have gone better, and what did we learn from this that we can use in the future?

Just a note on "specialization" – this doesn’t mean that anyone is pigeon-holed into one area; rather, it refers to the training. This means that skill sets are identified, training is provided, and skills are achieved and measured such that they can be documented. In this way, someone who achieves "MacOSX analyst level 2" is known to have completed training and passed testing for a specific set of skills that they can then demonstrate. The same would be true of other specialized areas.

The next phase might be one in which basic techniques for data acquisition are understood. I can see this as being a fantastic area for "fam fires"; that is, opportunities for the students to get hands-on time with various techniques. Some of these, such as using write blockers, etc., should be done in the classroom, particularly at the early stages.

In this class, you could also get into memory acquisition techniques, with homework assignments to collect memory from systems using various techniques, documenting the entire process. Then students will provide their "reports" to other students to review. This provides other opportunities for evaluation, as well; for example, have a student with, say, a Mac system provide their documentation to another student with a Mac, and see if the process returns similar results.

I think that beginning this topic as part of the basic skill set is not only important, but a good segue into areas of specialization. This is a great place to reiterate the foundational concepts: determine goals, develop a plan, document throughout, and conduct a review (i.e., "lessons learned"). With some basic labs and skills development exercises, an instructor can begin including things such as how those "lessons learned" might be implemented; for example, a Yara rule, or a grep statement for parsing logs or packet captures. But again, this is high-level, so detailed/expert knowledge of writing a Yara rule or grep expression isn’t required; the fact that one can learn from experiences, and share that knowledge with others, should be the point.

We all learn in different ways. Some learn through auditory means, others visually, and others by doing. Yes, at a young age, I sat in a classroom and heard how to put on MOPP NBC protective gear. However, I really learned by going out to the field and doing it, and I learned even more about the equipment by having to move through thick bush, wearing all of the equipment, in Quantico, in July.

I once worked for a CIO who said that our analysts needed to be able to pick up a basic skill through reading books, etc., as we just could not afford to send everyone to intro-level training for everything. I thought that made perfect sense. When I got to a larger team, there were analysts who came right out and said that they could not learn something new unless they were sitting in a classroom and someone was teaching it to them. At first, I was aghast…but then I realized that what they were saying was that, during the normal work day, there were too many other things going on…booking travel, submitting expenses, performing analysis and report writing…such that they didn’t feel that they had the time to learn anything. Being in a room with an instructor took them out of the day-to-day chaos, allowed them to focus on that topic, to understand, and ask questions. Well, that’s the theory, anyway. 😉

We begin learning a new skill by developing a foundational understanding, and then practicing the skill based on repeating a "recipe". Initial learning begins with imitation. In this way, we learn to follow a process, and as our understanding develops, we begin to move into asking questions. This helps us develop a further understanding of the process, from which we can then begin making decisions when new situations arise. However, developing new skills doesn’t mean we relinquish old ones, so when a new situation arises, we still have to document our justification for deviating from the process.

Second, something else that needs to be considered from the very beginning of the program is specificity of language. Things are called specific names, and this provides a means by which we can clearly communicate with other analysts, as well as non-technical people. For example, I’ve read malware write-ups from vendors, including MS, that state that malware will create a Registry "entry"; well, what kind of entry? A key or a value? Some folks I’ve worked with in the past have told me that I’m pedantic for saying this, but it makes a difference; a key is not a value, nor vice versa. They each have different structures and properties, and as such, should be referred to as what they are, correctly.

Third, to Brett’s point, vendor-specific training has its place, but should not be considered foundational. In 1999, I attended EnCase v3 Intro training; during the course, I was the only person in the room who did not have a gun and a badge. The course was both taught and attended by sworn law enforcement officers. At one point during the training, the instructor briefly mentioned MD5 hashes, and then proceeded on with the material. I asked if he could go back and say a few words about what a hash was and why it was important, and in response, he offered me the honor and opportunity of doing so. My point is the same as Brett’s…it’s not incumbent upon a vendor to provide foundational training, but that training (and the subsequent knowledge and skills) is, indeed, foundational (or should be) to the industry.

For example, there isn’t really a proper method of collecting evidence (for the most part). Collecting evidence falls under a ‘reasonableness’ standard, in that a reasonable method is acceptable when attempting to collect best evidence. I mean this to mean physically (as in how to physically bag-and-tag physical evidence) and electronically (duplication and verification).

Point being, there is a ‘proper’ method, but in the legal arena, collection only needs to fit a ‘reasonable’ standard. Dragging an injured person out of a car by his feet would be unreasonable, unless the car was about to explode and the only thing you can grab is his feet. Then it’s reasonable. Same with collecting evidence. What is reasonable in one situation may not be in another. A basic understanding of ‘what is reasonable evidence collection’ gives everyone a foundation of what is proper with flexibility to fit the totality of the circumstance at the time.

Another point on the basics is the depth. I once fired a TOW missile for familiarization. I didn’t even hit the target (fell way short!). But, I learned what it was, its intended purpose, and when to employ it (at least basically). The same can be said when demonstrating mobile device acquisition to someone working in DF or IR who may never see a mobile device in their specific career. Teaching the basics is not teaching to master a specific sub-topic, but for familiarization. It is to master the basics as a concept of familiarization, in that everyone knows what the basics are; it’s not to master the TOW missile, but to know what it is and how it is used.

Fair points re: ‘proper’ and looking back the wording isn’t perhaps as clear on a second/third reading. I guess my intention was ‘according to the circumstances and your policies’. Which Brett puts much more succinctly. As you, Harlan, point out there are clear differences between how you might collect electronic evidence. And yes, a mobile phone will be completely different to a dead drive but both will have procedures to ensure that its collection is lawful (mostly relating to notes!)

Re: verifying tools. I think this is important to ensure that a beginner understands that a tool is just a tool. We want to avoid a Nintendo Forensics mentality. This can work for memory collection, drive imaging or mobile phones. ‘How’ does it collect, what impact does it have on the system (even a dead drive can be impacted, SSDs etc.), what is it not collecting?

People talk about the paint drip in skills (I am not professing to know more than I am writing here), whereby there is a basic set of skills (for a profession) and then a subset that goes deeper to various degrees, like differing drips of paint from a line. This is probably where I see DFIR as once the basic skills are developed, your jobs/roles/interests will determine your paint drips.