SANS classes have long been the holy grail of DFIR training in my mind, so I was immensely excited to be chosen to be a facilitator for the FOR408 class. When approaching my boss about going, he did raise some concerns that the 408 class could be a bit elementary. As he pointed out, perhaps rightly, I already have multiple certifications under my belt and am not new to the field. (Training is highly valued, as long as the training constitutes new material.) To his credit, my protestations that it would be of value were listened to and I signed up for the epic 10 day journey to the SANS FOR408 and DFIR Summit.
The SANS FOR408 class consists of six days in which everything from the basics of imaging to gleaning data out of important artifacts is covered. Hands-on experience is a large portion of the class, and each day had the participants actually trying out equipment or software. The experience level of the participants varied from those who were almost brand new to the field to those who had years of experience. And as the class moved forward each day, it was clear that people of all experience and skill levels were getting information of immense value. While I was glad I had the knowledge that allowed me to step up as the facilitator to answer some questions, I was amazed at how much I did learn. Yes, I would like to think of myself as someone who keeps up with many of the new tools available to the DFIR community, and who tries to stay abreast of new artifacts. But each day I came away with multiple new tools or tracks of analysis. Honestly, the Windows SIFT Workstation itself is worth its weight in gold.
[Image caption: Yep, I have one of these! I've wanted one for so long - it's still a huge thrill.]
Recommendations: Okay, coming up with recommendations is awfully hard for a class of this caliber. But in an effort to show people that I really am trying to approach this objectively*, I thought I'd include a few recommendations. Tell your instructors to boss around the facilitators. Seriously, Chad, I wanted to give you water and cookies**! The first day was one where those who had more experience in the field had less to learn. I'm not even sure if this is possible, but having a bunch of different laptops/desktops, etc. with different ways of getting to the drives could be a fun way of having people get that coveted "hands on" experience. If I've learned anything from collections, it's that no two are the same. And the problem solving we use on pulling digital evidence could work just as well toward the problem solving of getting to a hard drive***.
*Note: You can still be objective and still ABSOLUTELY love something.
** Okay, kidding. Chad was wonderful. He shouldn't have changed anything. He's just so nice, at one point I think he asked if he could get me cookies. Sheesh! There goes my chance at pretending this was "Devil-Forensicator Wears Prada."
*** To be fair, it was mentioned multiple times that this step should be done at home, so it probably shouldn't even be included in my recommendations. I'm trying to find something here! It really was fabulous.
[Image caption: OMG! It's Hal and Cindy!]
The Summit. Where should I even begin? I well remember just last year watching the live feed and following Twitter with envy, and then this year I got to experience it for myself. There have already been many a blog post here, here, here and here about what it was like and some of the content shared. (And even now I know I am missing many.) I have been to a couple of DF/IR conferences before, but this was far and away the one where I felt the biggest sense of community. From book authors to blog writers, many of the people who have helped me on the path to becoming a better analyst were there. It was a pleasure to not only learn from, but meet and mingle with these great minds. (Note: my reaction is captured to the right)
A huge thanks goes out to Rob Lee and SANS for putting together such a great event. As a facilitator, I was able to glimpse just a portion of the work that goes into an event like this, and I am overwhelmed by the dedication and exertion necessary. Here's to an event just as good, if not better (if that is even possible!), next year!