Sneak Preview: FOR572 on PaulDotCom June 12, 2013

You might have noticed that we recently posted the course description for the upcoming all-new course, FOR572: Advanced Network Forensics and Analysis.  FOR572 will include a lot of tcpdump and Wireshark work, but it also goes beyond that, using a “big picture” approach that incorporates evidence and methods covering all kinds of network-based systems and devices.  Since every device that handles a network communication can provide a unique and valuable “witness’s view” of an incident, these skills are critical to conducting a comprehensive investigation.  However, with so many sources and formats of evidence, analysis quickly becomes a challenge.  Mo’ evidence, mo’ problems…

Although the course is still under heavy development, we wanted to provide a sneak preview of some features that you’ll see in the classroom, but that you can also put to use immediately.  On this week’s PaulDotCom Security Weekly show, I will be giving a brief primer on Logstash.  You’ve certainly heard about the value that tools like Splunk and ELSA can provide.  Although Logstash is a similar tool, the incredibly robust filtering engine combined with dozens of inputs and output plugins makes it an ideal choice in many situations.  Oh – it’s completely free and open-source, and can ingest tens of thousands of events per second.  Interested yet?

FOR572 will include a pre-built VMware image containing a just-drop-in-your-data Logstash installation, with a web-based frontend for quick and efficient queries.

Join me this Thursday, as I talk with Paul and the crew about how you can use Logstash to improve your investigations today.  Then, get psyched up for FOR572, where you’ll use it to attack real-world investigative scenarios and gain skills you’ll use the first day back on the job.