Monday, July 2, 2012

Austin and DFIRSummit and 408, Oh My!

It's been a while since posting, but that is because I have been through a whirlwind of Digital Forensic goodness down in the furiously hot, furiously fun Austin, TX.  My time in Austin was lengthened because I was lucky enough to be a part of both a class and the Summit itself.  This post is extra long in an attempt to catch up with all the DFIR experiences down in Austin...


SANS classes have long been the holy grail of DFIR training in my mind, so I was immensely excited to be chosen to be a facilitator for the FOR408 class.  When I approached my boss about going, he did raise some concerns that the 408 class could be a bit elementary.  As he pointed out, perhaps rightly, I already have multiple certifications under my belt and am not new to the field.  (Training is highly valued, as long as the training constitutes new material.)  To his credit, my protestations that it would be of value were listened to and I signed up for the epic 10 day journey to the SANS FOR408 and DFIR Summit.

The SANS FOR408 class consists of six days in which everything from the basics of imaging to gleaning data out of important artifacts is covered.  Hands-on experience is a large portion of the class, and each day had the participants actually trying out equipment or software.  The experience level of the participants varied from those almost brand new to the field to those that had years of experience.  And as the class moved forward each day, it was clear that people of all experience and skill levels were getting information of immense value.  While I was glad I had the knowledge that allowed me to step up as the facilitator to answer some questions, I was amazed at how much I did learn.  Yes, I would like to think of myself as someone who stays up on many of the new tools available to the DFIR community, and who tries to stay abreast of new artifacts.  But each day I came away with multiple new tools or tracks of analysis.  Honestly, the Windows SIFT Workstation itself is worth its weight in gold.

Yep, I have one of these!  I've wanted one for so long - it's still a huge thrill.
Our instructor mentioned a few times that the goal of this class was to train people beyond "push button forensics."  This idea was brought home on the final day when we did the Challenge.  For those who are not familiar with the Challenge, it involves an image, a scenario, and the trial of performing a digital forensic exam in few precious hours.  The digital evidence in the Challenge is well put together, and does a fantastic job of demonstrating how much evidence of potential value is found outside of the larger forensics suites.  I was lucky enough to be able to not only participate in the challenge, but to have a fantastic group working with me.  After performing the exam and putting together a (kick-a$#!) presentation, my group was voted as the winners of the challenge.

Recommendations:  Okay, coming up with recommendations is awfully hard for a class of this caliber.  But in an effort to show people that I really am trying to approach this objectively*, I thought I'd include a few recommendations.  Tell your instructors to boss around the facilitators.  Seriously, Chad, I wanted to give you water and cookies**!  The first day was one where those who had more experience in the field had less to learn.  I'm not even sure if this is possible, but having a bunch of different laptops/desktops, etc. with different ways of getting to the drives could be a fun way of having people get that coveted "hands on" experience.  If I've learned anything from collections, it's that no two are the same.  And the problem solving we use on pulling digital evidence could work as well toward the problem solving of getting to a hard drive***.

*Note:  You can still be objective and still ABSOLUTELY love something.
**  Okay, kidding.  Chad was wonderful.  He shouldn't have changed anything.  He's just so nice, at one point I think he asked if he could get me cookies.  Sheesh!  There goes my chance at pretending this was "Devil-Forensicator Wears Prada."
*** To be fair, it was mentioned multiple times that this step should be done at home, so it probably shouldn't even be included in my recommendations.  I'm trying to find something here!  It really was fabulous.

OMG!  It's Hal and Cindy!
SANS Summit

The Summit.  Where should I even begin?  I well remember just last year watching the live feed and following Twitter with envy, and then this year I got to experience it for myself.  There have already been many a blog post here, here, here and here about what it was like and some of the content shared.  (And even now I know I am missing many.)  I have been to a couple of DF/IR conferences before, but this was far and away the one where I felt the biggest sense of community.  From book authors to blog writers, many of the people who have helped me on the path to becoming a better analyst were there.  It was a pleasure to not only learn from, but meet and mingle with these great minds.  (Note:  my reaction is captured to the right)  

A huge thanks goes out to Rob Lee and SANS for putting together such a great event.  As a facilitator, I was able to glimpse just a portion of the work that goes into an event like this, and I am overwhelmed by the dedication and exertion necessary.  Here's to an event just as good, if not better (if that is even possible!), next year!


  1. Congratulations on earning your coin! Having witnessed the presentation, I can attest that it was well deserved.

    1. Thank you, Chad! It really was a pleasure to experience the class. If you ever do the Heavy Metal DFIR Utah get-together, I expect an invite. :)

  2. You were such a great help and your presentation was fantastic! We all enjoyed having you!

    1. I don't think I could really express how exciting it all was. I only got an idea of how much work goes into such a fun time - you guys are amazing. Thanks for having me!

  3. Congrats on earning your coin!

    1. Thank you! It was great having you in the class. Good times with Jenga!

  4. Yeah, that was an amazing presentation. Thanks for helping with the class!