I recently passed the GIAC Certified Forensic Analyst exam. This is the exam for SANS FOR 508: Advanced Incident Response, Threat Hunting, and Digital Forensics. So I thought, why not write a bit about the course and the exam.
First off, I think I need to address the elephant in the room. Many people in the security community dislike SANS courses, I assume because they are too corporate and not cool enough. And it is true: they are corporate, and they are not as cool as taking a class at an underground hacking conference. On the other hand, they are very professional, and there is a lot of quality assurance going on in the background. Of course there are some awesome independent (non-SANS) classes created by awesome people out there, but there are also crappy independent classes, and you might only find that out once you have already taken the class. SANS classes might not be perfect, but they are really good, and my point is… that they are always really good. Now that we have cleared that up, let’s talk about FOR 508.
My instructor was Eric Zimmerman and he was great. I especially liked that he had done this kind of work at the FBI, so he brought a really good perspective from the law enforcement point of view. He also writes a bunch of forensic tools that are worth checking out.
The course — the other side of infosec
I have always worked on the offensive side of security, but I decided to pick up some knowledge from the defensive side to make my knowledge and skills more balanced. That is why I chose FOR 508: I wanted something technical and advanced, and I think I got what I expected. FOR 508 gives thorough knowledge of incident response, threat hunting, and forensics.
Let’s look at the content a little. I won’t go through each day’s topics because that is on the SANS website, but here are a few topics that were covered during the course:
- Incident response vs threat hunting
- How to acquire memory and disk images: what tools to use to collect these images and what they can provide you. How to collect memory if it is a virtual machine, and what can be done with hiberfil.sys or the page file if the machine was turned off.
- Analysing memory images with Volatility: it goes pretty deep into the various Volatility plugins and how they work. For instance, why pslist won’t find processes hidden by a rootkit but psscan might.
- File system analysis: various file systems are introduced, but it goes really deep into how NTFS works and what kind of data is stored about files and how. This can be useful when the attacker has used anti-forensic tools to cover their tracks on the file system.
- Event logs: although I find looking at logs super boring, I must admit that it is a very good way of collecting evidence about what happened.
- Evidence collection: how to collect evidence of various actions on the machine, such as evidence of execution, file creation, downloads, etc.
- Timeline creation: how to put all collected artifacts (both from the file system and from memory) into one timeline that allows analysing the whole context of the attack and how it was executed. For me this was the closest to a real investigation, where you take all the evidence and put together what happened.
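The pslist-versus-psscan point above is worth seeing in code. The following is an added example, not course material and not Volatility's own implementation: it models a memory image as a dictionary of addresses to EPROCESS-like objects chained on a circular doubly linked list (the way pslist walks ActiveProcessLinks) and shows that once an entry is spliced out of that list, a list walk no longer sees it while a pool-tag scan still does. All addresses, the `Proc` tag and the process names are constructed.

```python
"""Toy model of a memory image showing why a list walk (pslist) can miss
a process that an allocation scan (psscan) still finds. Added example,
not Volatility code; every value below is constructed."""
from dataclasses import dataclass

POOL_TAG = b"Proc"   # constructed stand-in for the allocation tag a scanner looks for
HEAD = 0x1000        # constructed address of the list head (PsActiveProcessHead)


@dataclass
class EProcess:
    """Minimal stand-in for the kernel's _EPROCESS object."""
    address: int
    pid: int
    name: str
    flink: int          # address of the next entry in ActiveProcessLinks
    blink: int          # address of the previous entry
    pool_tag: bytes = POOL_TAG


def build_image(names):
    """Return a constructed 'memory image': address -> EProcess, with all
    processes on a circular doubly linked list anchored at HEAD."""
    addrs = [0x2000 + 0x400 * i for i in range(len(names))]
    ring = [HEAD] + addrs
    memory = {HEAD: EProcess(HEAD, 0, "<list head>",
                             flink=addrs[0], blink=addrs[-1], pool_tag=b"")}
    for i, (addr, name) in enumerate(zip(addrs, names)):
        pos = i + 1
        memory[addr] = EProcess(addr, 4 * (i + 1), name,
                                flink=ring[(pos + 1) % len(ring)],
                                blink=ring[pos - 1])
    return memory


def pslist(memory, limit=10_000):
    """Walk ActiveProcessLinks from the head, the way pslist does.
    It only sees what the kernel's own list still points to."""
    pids = []
    addr = memory[HEAD].flink
    while addr != HEAD and len(pids) < limit:   # limit guards against a corrupted loop
        proc = memory[addr]
        pids.append(proc.pid)
        addr = proc.flink
    return pids


def psscan(memory):
    """Scan every allocation for the process pool tag, the way psscan does.
    This never touches the linked list."""
    return sorted(p.pid for p in memory.values() if p.pool_tag == POOL_TAG)


def unlink_process(memory, addr):
    """Model the rootkit behaviour the course warns about: splice the entry
    out of the list but leave the object in memory, so the process keeps running."""
    target = memory[addr]
    memory[target.blink].flink = target.flink
    memory[target.flink].blink = target.blink


def find_hidden(memory):
    """Cross-view check: anything psscan reports that pslist does not."""
    return sorted(set(psscan(memory)) - set(pslist(memory)))


if __name__ == "__main__":
    image = build_image(["System", "smss.exe", "svchost.exe", "unknown.exe"])
    unlink_process(image, 0x2C00)          # hide the fourth process
    print("pslist :", pslist(image))       # [4, 8, 12]
    print("psscan :", psscan(image))       # [4, 8, 12, 16]
    print("hidden :", find_hidden(image))  # [16]
```

The same comparison works in the other direction on a real image: a process that psscan finds but pslist does not is also what a terminated process whose pool block has not yet been reused looks like, so a scan-only hit needs its exit time checked before it is called hidden.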
How to hack the exam — Indexing
Regarding the exam, I don’t find SANS exams super difficult, because they are open book. They are as practice-oriented as a multiple-choice exam can be, but it is nothing like the OSCP. For me the preparation usually goes like this: reading through all the books twice, trying a practice exam after each pass, and doing the exercises. This time I had to skip the exercises, because I was preparing right after my son was born.
The key to SANS exams is the index one creates. My strategy is the following:
Create the index while reading the books; this time I actually started during the class. I usually keep an Excel sheet in the cloud so that I can add to it from my phone wherever I read the books.
I usually use the following columns:
- Chapter: just the title of the chapter
- Topic: pretty much the title of the slide
- Tool: name of the tools used on that slide
- Keywords: anything interesting
- Page number
Then I print this index as many times as I have columns, each copy sorted by a different column. So if there is a question about a tool on the exam, I can just pick the copy sorted by tool and look it up there.
Use small Post-it notes to mark every 10th page of each book. This way, once you have looked up the page number in the index, you can quickly open the book at the closest bookmark.
This indexing allows really fast searching during the exam. I usually do the practice exams without books and pass with roughly 73%, and on the real exams with the books I tend to achieve around 93%. So that 20% must be the books.
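The "one printout per column" step is easy to automate once the index lives in a spreadsheet. The script below is an added example of my own, not something from the course or from SANS: it takes rows with the five columns described above (exported from Excel as CSV, or typed straight into the script) and produces one CSV per column, sorted by that column, ready to print. It goes slightly beyond the text in two ways that I found useful: rows whose value in the sort column is empty are dropped from that copy (no point in a tool index full of slides without tools), and the keyword column is split on semicolons so the keyword copy has one line per keyword. The sample rows, page numbers and keywords are constructed.

```python
"""Generate one sorted index per column from a flat list of index rows.
Added example, not course material; the sample rows are constructed."""
import csv
import io
from pathlib import Path

COLUMNS = ["Chapter", "Topic", "Tool", "Keywords", "Page"]

# Constructed sample rows in the five-column layout; not the real course index.
SAMPLE = [
    {"Chapter": "Memory Forensics", "Topic": "Finding hidden processes",
     "Tool": "psscan", "Keywords": "pool tag; DKOM", "Page": 57},
    {"Chapter": "Memory Forensics", "Topic": "Listing processes",
     "Tool": "pslist", "Keywords": "EPROCESS; ActiveProcessLinks", "Page": 55},
    {"Chapter": "Timeline Analysis", "Topic": "Super timeline",
     "Tool": "log2timeline", "Keywords": "plaso; bodyfile", "Page": 112},
    {"Chapter": "File System", "Topic": "MFT entries",
     "Tool": "", "Keywords": "$MFT; resident data", "Page": 80},
]


def explode_keywords(rows):
    """Split 'a; b; c' keyword cells so each keyword gets its own row."""
    out = []
    for row in rows:
        keywords = [k.strip() for k in str(row["Keywords"]).split(";") if k.strip()]
        for keyword in keywords or [""]:
            out.append({**row, "Keywords": keyword})
    return out


def sort_key(column):
    """Numeric order for pages, case-insensitive order for text; ties broken by page."""
    if column == "Page":
        return lambda row: (int(row["Page"]), str(row["Chapter"]).lower())
    return lambda row: (str(row[column]).lower(), int(row["Page"]))


def build_sorted_indexes(rows, columns=COLUMNS):
    """Return {column: rows sorted by that column}, dropping rows whose value
    in the sort column is empty; the Keywords copy uses exploded rows."""
    indexes = {}
    for column in columns:
        source = explode_keywords(rows) if column == "Keywords" else rows
        kept = [r for r in source if str(r[column]).strip() != ""]
        indexes[column] = sorted(kept, key=sort_key(column))
    return indexes


def render_csv(rows, columns=COLUMNS):
    """Render rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def load_rows(csv_path):
    """Read an index exported from a spreadsheet as CSV with the COLUMNS header."""
    with open(csv_path, newline="", encoding="utf-8") as fh:
        return list(csv.DictReader(fh))


def write_index_files(rows, outdir):
    """Write index_by_<column>.csv for every column; returns the paths written."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for column, sorted_rows in build_sorted_indexes(rows).items():
        path = outdir / f"index_by_{column.lower()}.csv"
        path.write_text(render_csv(sorted_rows), encoding="utf-8")
        paths.append(path)
    return paths


if __name__ == "__main__":
    for column, sorted_rows in build_sorted_indexes(SAMPLE).items():
        print(f"--- sorted by {column} ---")
        print(render_csv(sorted_rows))
```

To use it with a real index, export the spreadsheet as CSV with the header `Chapter,Topic,Tool,Keywords,Page`, call `write_index_files(load_rows("index.csv"), "printouts")`, and print each of the generated files.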
Long story short, I liked FOR 508. It was the perfect level for me to learn about forensics: technical enough and challenging enough, but not so much that it was overwhelming. I feel like I could do a forensic investigation right now, but I am obviously not comparable to people with real-world experience.
If you have any experience with SANS courses, feel free to comment below.