Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!


To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1.     Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

·       Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

·       Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2.     Check out our jam-packed DFIR Summit agenda!

·       The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

·       The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

·       All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective of how the industry is evolving to fight against even the toughest of adversaries. But don’t take our word for it, have a sneak peek, check out some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

·       FOR500 – Advanced Windows Forensics

·       FOR585 – Advanced Smartphone Forensics

·       FOR610 – Reverse-Engineering Malware

·       FOR508 – Digital Forensics, Incident Response & Threat Hunting

·       FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

·       FOR578 – Cyber Threat Intelligence

·       FOR526 – Memory Forensics In-Depth

·       FOR518 – Mac and iOS Forensic Analysis and Incident Response

·       MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3.    All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future article post.

4.     Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5.     Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6.     Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7.     Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!


8.     Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9. The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted). Voting will close at the end of the day on May 25, 2018.

10.  Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11.  Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!

Coin Check: Win the challenge, join the elite list of lethal forensicators & take home a brand new DFIR challenge coin!

Hundreds of SANS Institute digital forensics students have stepped up to the challenge and conquered. They’ve mastered the concepts and skills, beat out their classmates, and proven their prowess. These are the elite, the recipients of the SANS Lethal Forensicator Coin, an award given to a select portion of the thousands of students that have taken any of the SANS Institute Digital Forensics or Incident Response (DFIR) courses. Now, the institute is expanding the opportunity for students to earn these highly coveted tokens in each of the SANS DFIR courses.

Thanks to an effort led by curriculum lead Rob Lee & the SANS DFIR faculty, students can now win specific SANS Lethal Forensicator Coins designed to go with each of the DFIR course themes. These coins are tailored to be icons and the precious prizes to be won by students as a proof and symbol of their mastery in a specific digital forensics specialty.

New DFIR course challenge coins available now:

FOR500: Windows Forensic Analysis

“Ex Umbra in Solem”: From the Shadows into the Light
In today’s digital world, forensics plays a critical role in uncovering the truth. Forensic examiners shine light on the facts of the case, making good decisions possible. And the forces of evil unceasingly develop new ways to hide their activities, forcing us to continually improve our skills to counter them.

FOR508: Advanced Digital Forensics, Incident Response & Threat Hunting

“Non Potestis Celare”: You cannot hide
The most successful incident response teams are evolving rapidly due to near-daily interaction with adversaries. New tools and techniques are being developed, providing better visibility and making the network more defensible. Adversaries can no longer hide.

FOR610: Reverse-Engineering Malware

“R.E.M”: Reverse-Engineering Master

Today, attackers are modifying their malware with increasing frequency to bypass antivirus and other endpoint controls. Through Reverse-Engineering Malware (R.E.M.) analysis, masters can isolate the most appropriate Indicators of Compromise (IOCs) to identify and stop malware.

FOR585: Advanced Smartphone Forensics

“Omnis Tactus Vestigium Relinquit”: Every contact leaves a trace
Knowing how to recover all of the data residing on the smartphone is now an expectation in the digital forensics field, and examiners must understand the fundamentals of smartphone handling, data recovery, accessing locked devices, and manually recovering data hiding in the background on the device. There are traces of evidence hiding on the device, and you know how to uncover them.

FOR572: Advanced Network Forensics Analysis

“Malum Loquitur, Bonum Auscultat”: Evil must talk, so good must listen

Network Forensic professionals are hunters with great visibility, who can find a target among a mass of camouflaging data. Wisdom, experience, and stealth are all embodied by the owl’s watchful, unwavering eye, seeking its prey under the cover of darkness. No matter how crafty an adversary may be, their communications will allow the hunter to find, identify, and ultimately eliminate their presence.

FOR518: Mac Forensics

“Impera magis. Aliter cogita”: Command more and think differently.

Apple users have always thought differently, and that goes for Apple forensicators too. The analysts who hold this coin take command of their forensic analysis and appreciate looking at the raw data and interpreting it correctly without the necessity of superfluous tools. Knowing where you came from can help you move forward; this is where the hat tip to the original colored Apple logo comes in. New artifacts are presented to analysts in every OS update, and knowledge of historic elements may provide insight.

FOR578: Cyber Threat Intelligence

“Hominem unius libri timeo”: I fear the man of one book.

FOR578 is all about developing analytical skills: thinking critically and expanding our views, a skill that applies to any security profession. The quote is attributed to Thomas Aquinas, and despite the common use of the phrase (which is meant to deride the person who is not well studied across multiple subjects), the original meaning was that a person who understood one good book well could defeat their opponent. Thus, this phrase can be interpreted in two entirely different ways. Both are about self-education and broadening our views on the world.

FOR526: Memory Forensics In-Depth

“Cur mihi oculi dolent?” Why do my eyes hurt?

Memory forensics reveals deeper insights into the state of a compromised system and stands as the best source for detection of malware and OS/process manipulation/subversion. These analysis methods reveal key evidence which may not be uncovered through querying the operating system or digging through network packets. This quote comes from the original Matrix movie, a question Neo asks of Morpheus when he first wakes from his life in the artificial reality created by sentient machines. It is this awakening and raw view of reality that we as forensic examiners/incident responders strive to achieve through deeper analysis of system memory.


DFIR Netwars

Staying up to date with the latest challenges in the digital forensics field demands analytical skills that cannot be gained by just reading a textbook. Just as firemen could never learn how to fight a fire by studying theory alone, incident responders, threat hunters, and digital forensic investigators can test their skills with DFIR Netwars.

New DFIR Challenge coin back design:

The challenges for each course are held on the last day. Students must successfully overcome a number of obstacles, directly compete against fellow students, and prove their proficiency during timed, hands-on incidents. The obstacles, competitions and hands-on scenarios have been created by SANS’ top instructors – digital forensics practitioners, subject matter experts, experienced teachers and professional leaders in their own right. At the end of the challenge, the instructor announces the winner(s), who are awarded the coins at the end of the 6th day of class; winners are later listed on the SANS Institute’s virtual wall of Lethal Forensicator Coin Holders.


History of the SANS Challenge coins:

The coin – more precisely, Round Metal Object (RMO) – was initially created to recognize students who demonstrate exceptional talent, contributions, or who serve as leaders in the digital forensics profession and community. The coin is meant to be an honor; it is also intended to be rare. SANS Institute uses the coins to identify and honor those who excel at detecting and eradicating threats, understand the critical importance of cybersecurity and continually strive to further not only their knowledge but also the knowledge of the entire digital forensics field. They actively share their experience and encourage learning through participation in the community and are typically leaders in the digital forensics and incident response community.

Those who are awarded the Lethal Forensicator are also bestowed special privileges and recognition, including participation in the so-called and well-regarded “coin check” challenge and response.

“Coin check” Challenge:

Initiated by one coin holder to another, a coin check typically begins with a challenger holding his or her coin in the air or slamming it on a table and yelling “coin check!” All who are challenged must respond by showing their coins to the challenger within 10 seconds, and whoever fails to do so must buy everyone a round of drinks. If all the challenged coin holders do produce their coin, the challenger must buy the round of drinks. (By the way, if you accidentally drop your coin and it makes an audible sound on impact, then you’ve “accidentally” initiated a coin check. And, there are no exceptions to the rules!)

Coin checks aside, there are other ways to win the DFIR Challenge coins besides being an exceptional DFIR student and winning the classroom challenges. Each GOLD GCFA, GREM, GCFE member that has written a published white paper that has furthered the field of research in the Digital Forensics field receives a coin, as do SANS Digital Forensics Blog authors who have written six published entries over a one-year span. In addition, speakers and panelists who participate at a SANS Digital Forensic Summit are awarded coins (vendors and vendor-related speakers are not eligible). Finally, any coin holder can nominate an individual in the digital forensics field who has contributed knowledge, tools or service.

For more information on our SANS DFIR courses, please visit our Forensics Courses list. And to read more about the coin and the history of the term “Forensicator,” check out our Community – Lethal Forensicator Coin page.

Using ProcDOT Plugins to Examine PCAP Files When Analyzing Malware

ProcDOT is a free tool for analyzing the actions taken by malware when infecting a laboratory system. ProcDOT supports plugins, which can extend the tool’s built-in capabilities. This article looks at two plugins that help examine the contents of the network capture file loaded into ProcDOT. If you’re not already familiar with ProcDOT, review its documentation before proceeding.

As of this writing, the tool comes with the Servers List plugin. In addition, you can install the Extract Files Form PCAP plugin, mentioned below, from its GitHub repository. If you’re using the REMnux distribution, you will find ProcDOT and these plugins already installed and configured (run the “update-remnux” command to get the latest versions).

The directory structure of ProcDOT files includes the “plugins” subdirectory. This is where you should copy the files that implement the plugins. Once the plugins have been installed, they will be visible in the Plugins menu of ProcDOT. However, you won’t be able to actually use the plugins until after you’ve loaded the data files that you want to analyze.


The Servers List plugin, written by ProcDOT’s author Christian Wojner, generates a listing of hostnames and IP addresses from the loaded PCAP file, as shown below. It’s not an earth-shattering feature, but this can be handy if the network capture includes a lot of systems.


The plugin Extract Files Form PCAP was created by Brian Maloney. It allows you to extract files transferred during the network session that was captured in the PCAP file. After asking you to specify the output directory, this plugin saves the carved files there.


Though standalone PCAP carving and mining tools exist, it’s convenient to perform such tasks within ProcDOT if you’re already using the tool for examining other aspects of the infected system in your malware analysis lab.

— Lenny Zeltser

Lenny Zeltser teaches malware analysis at SANS Institute and focuses on safeguarding customers’ IT operations at NCR Corp. He is active on Twitter and writes a security blog.

2015 DFIR Monterey Network Forensic Challenge Results

2015-03-04 UPDATE: I’ve added some thought process/methodology to the answers inline below.

Thanks to everyone that submitted or just played along with the SANS DFIR Network Forensic Challenge!  We had over 3,000 evidence downloads, and more than 500 submissions!  Per the rules, the winner must have answered four of the six questions correctly.  Then, by random selection among those submissions, the winner was selected.

We’re excited to announce that Henry van Jaarsveld is the winner for this challenge!  Congratulations, and we hope you enjoy your SANS OnDemand Course.  Great work, Henry!

Thanks for all the submissions and interest in this challenge.  If you enjoyed the questions – no matter how many questions you answered – you should check out FOR572: Advanced Network Forensics and Analysis. The class is available via OnDemand, as well as the following live and virtual SANS events:

More live and virtual/remote events are being added all the time, so keep checking the course page for additional offerings.

The challenge answers are listed below:

  1. At what time (UTC, including year) did the portscanning activity from IP address start?

Answer: Aug 29 2013 13:58:55 UTC

Portscanning activity is typically characterized by connection attempts to a range of ports. This is often rapid and originates from the same IP address. Some scanning utilities may or may not use the same source port or a small cluster of source ports. In this case, the following command gets you started:

$ grep SRC= messages

The first result is below:

Aug 29 09:58:55 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC= DST= LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=35517 PROTO=TCP SPT=38553 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0

However, we’ve asked for the time in UTC, which is the only recommended time zone to use for forensic reporting. To find the offset, examine the same “messages” file further. This isn’t often an explicitly logged value, so context is necessary. The following line shows the syslog time (system local time) and a corresponding UTC value. Therefore, it is reasonable to state that the system’s time zone is UTC-4 during the time the file was created.

Aug 29 07:07:40 gw kernel: rtc_cmos rtc_cmos: setting system clock to 2013-08-29 11:07:08 UTC (1377774428)
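The offset derivation above can be automated. The following Python is an added example, not part of the original challenge write-up: it infers the host's UTC offset from the rtc_cmos line, converts the first firewall reject from a given source to UTC in the answer's format, and tallies the distinct destination ports each source probed. The "messages" excerpt is constructed (RFC 5737 addresses), not the challenge's file.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample "messages" excerpt (not the challenge's file). It pairs the
# rtc_cmos line, the only line that states UTC explicitly, with firewall reject
# lines for a small SYN burst. IPs are RFC 5737 documentation addresses.
SAMPLE_MESSAGES = """\
Aug 29 07:07:40 gw kernel: rtc_cmos rtc_cmos: setting system clock to 2013-08-29 11:07:08 UTC (1377774428)
Aug 29 09:58:55 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=35517 PROTO=TCP SPT=38553 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 29 09:58:55 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=35518 PROTO=TCP SPT=38553 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 29 09:58:56 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=35519 PROTO=TCP SPT=38553 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Classic syslog prefix: month, day, time; no year and no time zone.
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) ")
RTC_UTC = re.compile(r"setting system clock to (?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC")
KV = re.compile(r"(\w+)=(\S*)")


def syslog_local_time(line, year):
    """Parse the syslog prefix as a naive local time; the year must be supplied."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}",
                             "%Y %b %d %H:%M:%S")


def local_utc_offset(messages):
    """Infer (offset, year) from the rtc_cmos line: syslog stamped it in local
    time while the kernel wrote the UTC value. Rounded to 15 minutes because
    the syslog stamp lands a few seconds after the clock was set."""
    for line in messages.splitlines():
        m = RTC_UTC.search(line)
        if m:
            utc = datetime.strptime(m["utc"], "%Y-%m-%d %H:%M:%S")
            local = syslog_local_time(line, utc.year)
            seconds = round((local - utc).total_seconds() / 900) * 900
            return timedelta(seconds=seconds), utc.year
    raise ValueError("no rtc_cmos line: UTC offset cannot be inferred from this file")


def reject_events(messages):
    """Yield (naive_local_time, fields) for every FW reject_input line."""
    _, year = local_utc_offset(messages)
    for line in messages.splitlines():
        if "FW reject_input" not in line:
            continue
        fields = dict(KV.findall(line.split("FW reject_input:", 1)[1]))
        yield syslog_local_time(line, year), fields


def portscan_start_utc(messages, src):
    """UTC time of the first rejected probe from src, in the answer's format."""
    offset, _ = local_utc_offset(messages)
    for local, f in reject_events(messages):
        if f.get("SRC") == src:
            utc = (local - offset).replace(tzinfo=timezone.utc)
            return utc.strftime("%b %d %Y %H:%M:%S UTC")
    return None


def ports_probed(messages):
    """Map SRC -> sorted destination ports. Many distinct DPTs from one SRC in a
    short span is the portscan signature described in the text."""
    seen = {}
    for _, f in reject_events(messages):
        if "SRC" in f and "DPT" in f:
            seen.setdefault(f["SRC"], set()).add(int(f["DPT"]))
    return {src: sorted(ports) for src, ports in seen.items()}


if __name__ == "__main__":
    print(local_utc_offset(SAMPLE_MESSAGES))
    print(portscan_start_utc(SAMPLE_MESSAGES, "198.51.100.7"))
    print(ports_probed(SAMPLE_MESSAGES))
```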

  1. What IP addresses were used by the system claiming the MAC Address 00:1f:f3:5a:77:9b?


This is an exercise in using Wireshark/tshark display filters. The following tshark command will answer the question quickly:

$ tshark -n -r nitroba.pcap -T fields -e 'ip.src' -Y 'eth.src == 00:1f:f3:5a:77:9b and ip' | sort | uniq

-n: suppress DNS lookups
-r nitroba.pcap: file to read
-T fields: use “fields” output format
-e ip.src: output just the “ip.src” field, as defined by the Wireshark/tshark parsers
-Y 'eth.src == 00:1f:f3:5a:77:9b and ip': display filter to limit results to the MAC address of interest and IP traffic, which would be the only traffic to include IP addresses
| sort | uniq: bash shell utilities to narrow results to only unique values

  1. What IP (source and destination) and TCP ports (source and destination) are used to transfer the “scenery-backgrounds-6.0.0-1.el6.noarch.rpm” file?

Answer: and, 30472 and 51851

Again, the tshark utility is your friend.  This is a multiple-stage process.  First, get the frame number containing the desired request.  This command returns frame number 5846.

$ tshark -n -r ftp-example.pcap -Y 'ftp.request.arg == "scenery-backgrounds-6.0.0-1.el6.noarch.rpm"' -T fields -e frame.number

-n: suppress DNS lookups
-r ftp-example.pcap: file to read
-Y 'ftp.request.arg == "scenery-backgrounds-6.0.0-1.el6.noarch.rpm"': display filter to limit results to just FTP commands that included the argument of interest
-T fields: use “fields” output format
-e frame.number: Get the frame number containing the desired request

Next, find the immediately preceding “Passive Mode” response.

$ tshark -n -r ftp-example.pcap -Y 'ftp.response.code == 227 && frame.number < 5846' -T fields -e frame.number -e ftp.passive.ip -e ftp.passive.port | tail -n 1

-n: suppress DNS lookups
-r ftp-example.pcap: file to read
-Y 'ftp.response.code == 227 && frame.number < 5846': Display filter to limit results to just FTP response codes of “227” (Entering Passive Mode) and prior to the frame number containing the request of interest
-T fields: use “fields” output format
-e frame.number -e ftp.passive.ip -e ftp.passive.port: Get the values from the fields of interest
| tail -n 1: Just return the last result from the list

Finally, get IPs and ports from both ends of the data transfer.

$ tshark -n -r ftp-example.pcap -Y 'ip.addr == && tcp.port == 30472' -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | sort | uniq

-n: suppress DNS lookups
-r ftp-example.pcap: file to read
-Y 'ip.addr == && tcp.port == 30472': Display filter to isolate TCP connection according to IP and port determined above
-T fields: use “fields” output format
-e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport: Get the values from the fields of interest
| sort | uniq: Only display unique lines
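The values tshark reports as ftp.passive.ip and ftp.passive.port are decoded from the text of the 227 reply. The following Python is an added example, not part of the original write-up: it walks a constructed FTP control-channel excerpt (RFC 5737 addresses, frame numbers chosen to match the write-up's 5846) through the same steps, locating the request for the file and decoding the last 227 reply before it.

```python
import re

# Constructed FTP control-channel excerpt as (frame_number, text), not the
# challenge's capture. Client commands and server replies interleave as tshark
# would list them; the server IP is an RFC 5737 documentation address.
CONTROL_CHANNEL = [
    (5810, "PASV"),
    (5812, "227 Entering Passive Mode (192,0,2,25,118,201)."),
    (5813, "LIST"),
    (5820, "226 Directory send OK."),
    (5840, "PASV"),
    (5842, "227 Entering Passive Mode (192,0,2,25,119,8)."),
    (5846, "RETR scenery-backgrounds-6.0.0-1.el6.noarch.rpm"),
    (6100, "226 Transfer complete."),
]

# RFC 959 passive reply: six decimal numbers, host then port high/low byte.
PASV_227 = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_pasv(reply):
    """227 reply -> (ip, port). The port is p1 * 256 + p2, which is what tshark
    exposes as ftp.passive.port next to ftp.passive.ip."""
    m = PASV_227.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def request_frame(channel, filename):
    """Step 1: frame number of the command whose argument is the file name
    (the equivalent of filtering on ftp.request.arg)."""
    for frame, text in channel:
        parts = text.split(" ", 1)
        if len(parts) == 2 and parts[1] == filename:
            return frame
    return None


def data_channel_for(channel, filename):
    """Step 2: the (ip, port) announced by the last 227 reply that precedes the
    request. The data transfer is the TCP connection to that endpoint, which
    is the filter used in step 3."""
    req = request_frame(channel, filename)
    if req is None:
        return None
    last = None
    for frame, text in channel:
        if frame < req and text.startswith("227 "):
            last = decode_pasv(text)
    return last


if __name__ == "__main__":
    target = "scenery-backgrounds-6.0.0-1.el6.noarch.rpm"
    print(request_frame(CONTROL_CHANNEL, target))
    print(data_channel_for(CONTROL_CHANNEL, target))
```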

  1. How many IP addresses attempted to connect to destination IP address on the default SSH port?

Answer: 49

A connection attempt may or may not be successful, so we can simply limit our search to the high-level filtering provided by nfdump. You could use grep against the text file as well.
There are 55 total connections:

$ nfdump -q -O tstart -r nfcapd.201405230000 -o 'fmt:%sa' 'dst ip and dst port 22' | wc -l

-q: “quiet” output, which suppresses summary header/footer information
-O tstart: order output by “start time” of each record
-r nfcapd.201405230000: input file to read
-o 'fmt:%sa': only display the source IP address for each record
'dst ip and dst port 22': limit flows to those to the IP address of interest, on the default SSH port. You might also limit by TCP protocol by adding “and proto tcp”
| wc -l: count the results

There were 49 unique IPs in this data set:

$ nfdump -q -O tstart -r nfcapd.201405230000 -o 'fmt:%sa' 'dst ip and dst port 22' | sort | uniq | wc -l

This is the identical command to that above, but adds the following shell command chain:

| sort | uniq | wc -l: Count only unique lines from the nfdump command’s output

  1. What is the byte size for the file named “Researched Sub-Atomic Particles.xlsx”?

Answer: 13,625 bytes

To find the portion(s) of the input pcap that involve the filename of interest, use the “smb.file” field to find the TCP streams of interest.

$ tshark -n -r stark-20120403-full-smb_smb2.pcap -Y 'smb.file == "Researched Sub-Atomic Particles.xlsx"' -T fields -e

This is a large input pcap, so loading it directly to Wireshark is not advisable. Instead, isolate the TCP streams identified above to a new file:

$ tshark -n -r stark-20120403-full-smb_smb2.pcap -Y ' == 2104 or == 2207' -w tcpstreams_2104_2207.pcap
$ md5sum tcpstreams_2104_2207.pcap
fe9c5a388d0d70f74bb96913f120fc7a tcpstreams_2104_2207.pcap

This file is very feasible to open in Wireshark, as it’s a mere 18MB.

After opening the file, you must explore the SMB session – which is not at all a simple process. In the input file generated above, the message we’re interested in is the Trans2 Response message containing Standard File Info for the file of interest. This occurs in frame 749 (frame.time = Apr 5, 2012 14:21:50.574112000). By spelunking the available fields, you’ll find the “End of File” value, which is 13,625. This represents the number of bytes in the file. Note that the Wireshark status bar tells us that Wireshark knows this field by the name “smb.end_of_file”, which could be used to scale this process out via the tshark utility.

  1. The traffic in this Snort IDS pcap log contains traffic that is suspected to be a malware beaconing.  Identify the substring and offset for a common substring that would support a unique Indicator Of Compromise for this activity.

Answer: ULQENP2 at offset 4 (bytes 5-11 of the TCP data segment, zero-based)

There are a number of ways to approach this. The goal is to identify commonalities among the individual sessions, even though we are not (yet) sure what the bytes mean.
This evidence file is small enough to load into Wireshark, then visually explore the content – despite Wireshark not knowing the content is anything other than generic “Data”.
After visually inspecting these fields in the traffic the IDS logged, you should see that bytes 4-10 (zero-based, of course) seem consistent. This can be confirmed with the following display filter:[4-10] == 55:4c:51:45:4e:50:32

After applying this filter, you can quickly see that 100% of the packets in the IDS log file match. Expanding the filter one byte before or after this substring range results in a <100% match. Barring any additional knowledge of the custom protocol used for these communications, this substring and offset would be a good indicator of compromise.

  1. BONUS! Identify the meaning of the bytes that precede the substring above.

Answer: UNIX Timestamp

There is no magic solution here – just trial and error combined with experience. The UNIX timestamp (number of seconds after Jan 1, 1970 at 00:00:00 UTC) fits into four bytes. Those with a keen eye for timestamps will see that after converting any given four-byte sequence to a big-endian integer, then converting that to a timestamp, the Wireshark/tshark “frame.time” field value corresponds almost perfectly in every case. For example:

0x4fe6c278 == 1340523128
$ date -u -d @1340523128
Sun Jun 24 07:32:08 UTC 2012
Corresponding frame.time: Jun 24, 2012 07:32:08.273277000
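The two steps above, finding the fixed-offset constant and testing the bytes before it as a timestamp, can be done programmatically once the TCP payloads are exported. The following Python is an added example, not part of the original write-up: it works on constructed beacon payloads (timestamp, then the ULQENP2 tag, then varying bytes; the first one uses the page's 0x4fe6c278 value), finds the longest byte run shared by every payload, spells out the equivalent display filter using Wireshark's data.data field, and checks the leading four bytes against the frame times.

```python
import struct
from datetime import datetime, timezone


# Constructed beacon payloads, not the challenge's packets: a four-byte
# big-endian UNIX timestamp, the constant tag, then per-beacon bytes. Frame
# times mimic tshark's frame.time, a fraction of a second after the embedded
# timestamp (the beacon is stamped, then sent and captured).
def _beacon(ts, tail):
    return struct.pack(">I", ts) + b"ULQENP2" + tail


FRAMES = [
    (datetime(2012, 6, 24, 7, 32, 8, 273277, tzinfo=timezone.utc),
     _beacon(1340523128, b"\x01\x00\x9a\x3c")),
    (datetime(2012, 6, 24, 7, 37, 9, 102000, tzinfo=timezone.utc),
     _beacon(1340523429, b"\x02\x00\x17\xe0")),
    (datetime(2012, 6, 24, 7, 42, 10, 555000, tzinfo=timezone.utc),
     _beacon(1340523730, b"\x01\x01\x44\x0b")),
]
PAYLOADS = [p for _, p in FRAMES]


def common_byte_positions(payloads):
    """Zero-based positions at which every payload carries the same byte."""
    shortest = min(len(p) for p in payloads)
    return [i for i in range(shortest) if len({p[i] for p in payloads}) == 1]


def longest_common_run(payloads):
    """(offset, bytes) of the longest contiguous run of common positions. The run
    ends exactly where widening the filter by one byte would drop below 100%."""
    positions = common_byte_positions(payloads)
    best_start, best_len, run_start = None, 0, None
    for idx, pos in enumerate(positions):
        if run_start is None:
            run_start = pos
        last = idx == len(positions) - 1
        if last or positions[idx + 1] != pos + 1:
            if pos - run_start + 1 > best_len:
                best_start, best_len = run_start, pos - run_start + 1
            run_start = None
    if best_start is None:
        return None
    return best_start, payloads[0][best_start:best_start + best_len]


def match_ratio(payloads, offset, pattern):
    """Fraction of payloads carrying pattern at offset (1.0 means every packet)."""
    hits = sum(1 for p in payloads if p[offset:offset + len(pattern)] == pattern)
    return hits / len(payloads)


def display_filter(offset, pattern, field="data.data"):
    """Wireshark slice filter for the run; data.data is the generic Data field."""
    hexes = ":".join(f"{b:02x}" for b in pattern)
    return f"{field}[{offset}-{offset + len(pattern) - 1}] == {hexes}"


def leading_timestamp(payload):
    """Interpret the first four bytes as a big-endian UNIX timestamp."""
    return datetime.fromtimestamp(struct.unpack(">I", payload[:4])[0], tz=timezone.utc)


def timestamp_deltas(frames):
    """frame.time minus the embedded timestamp, per frame. Consistently small,
    positive values support the UNIX-timestamp interpretation."""
    return [(ft - leading_timestamp(p)).total_seconds() for ft, p in frames]


if __name__ == "__main__":
    offset, run = longest_common_run(PAYLOADS)
    print(run, "at offset", offset, "->", display_filter(offset, run))
    print("match ratio:", match_ratio(PAYLOADS, offset, run))
    print("deltas:", timestamp_deltas(FRAMES))
```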

Announcing the GIAC Network Forensic Analyst Certification – GNFA

A new security certification focused on the challenging field of network forensics 

BETHESDA, MD – October 7, 2014 – Global Information Assurance Certification (GIAC) is pleased to announce a new forensics certification, the GIAC Network Forensic Analyst (GNFA). The GNFA validates that professionals who hold this credential are qualified to perform examinations employing network forensic artifact analysis and demonstrate an understanding of the fundamentals of network forensics, normal and abnormal conditions for common network protocols, the process and tools used to examine device and system logs, wireless communication and encryption protocols. The GNFA exam will be released November 3, 2014 and pre-registration is now available with the SANS Advanced Network Forensics and Analysis course.

A certification in the Network Forensics realm will help practitioners demonstrate they are building their investigative skill set to include one of the newest segments of the broader digital forensic spectrum. A sharply increasing number of cases include network evidence. By formally establishing a baseline of knowledge and investigative skills, employers will have a trusted means of ascertaining a candidate’s background in the network investigation area.

“The GNFA certification focuses heavily on the methods needed to investigate network-based evidence. A GNFA holder will be able to incorporate evidence from a wide variety of sources to improve the fidelity of their findings. This certification is designed to measure how the holder can analyze network data as a part of the investigation rather than focusing on a specific tool to do so,” stated Phil Hagen, SANS Author and Certified Instructor.

In large-scale or enterprise forensic engagements, incident response professionals are discovering it is increasingly difficult to perform comprehensive full disk or traditional data forensics due to the overwhelming volume of data. By examining the network traffic and log data from infrastructure devices, analysts may be able to determine the source of malicious events, recover important files and determine what the bad guys did while on the network. Performing network forensics is a critical and foundational skill for analysts as the evidence can provide the validation necessary to show intent, or even definitively prove that a malicious activity or a crime has occurred.

The SANS Institute has developed specific training material and courseware to teach students the techniques and tools to properly conduct network forensic examinations. The Advanced Network Forensics and Analysis course is part of the SANS Institute’s Digital Forensics curriculum that is comprised of cyber security courses designed specifically for professionals focused on digital forensics. This course will provide students with the tools and methods to conduct network investigations within environments of all sizes, using scenarios developed from real-world cases.

For any questions or help with registering for the GNFA certification exam, please email:

About GIAC
Global Information Assurance Certification (GIAC) is a certification body featuring over 27 hands-on, technical certifications in information security. GIAC has certified over 50,000 IT security professionals since it was founded in 1999. Eleven GIAC certifications are accredited under the IEC/ISO/ANSI 17024 quality standard for certifying bodies. GIAC is an affiliate of the SANS Institute.

About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 27 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community.

SANS Media Contact:
Julie Dearing
JABB Communications

Winter 2012 Digital Forensic and Incident Response Community Events


FOR508 – ADVANCED FORENSICS AND IR – SAN ANTONIO – Mon, Jan 30, 2012 – Sat, Feb 4, 2012

FOR408 – WINDOWS FORENSICS – MIAMI – Mon, Feb 6, 2012 – Sat, Feb 11, 2012

FOR408 – WINDOWS FORENSICS – LOS ANGELES – Mon, Feb 6, 2012 – Sat, Feb 11, 2012

FOR558 – NETWORK FORENSICS – ARLINGTON VA – Mon, Feb 6, 2012 – Fri, Feb 10, 2012

FOR408 – WINDOWS FORENSICS – VAIL COLORADO – Mon, Mar 26, 2012 – Sat, Mar 31, 2012

Malware Analysis Challenge to Strengthen Your Skills

About a year ago I collaborated with the folks at Lake Missoula Group to create a malware-themed network forensics puzzle. That contest is now over; however, I would like to provide an opportunity to learn from the scenario defined in that puzzle to strengthen your malware analysis skills. If this sounds interesting, I suggest you proceed as follows:

  1. Read the scenario described in the original puzzle: Ms. Moneymany’s Mysterious Malware.
  2. Obtain the PCAP file containing malicious artifacts from the original puzzle page linked above.
  3. Consider answering the 7 questions in the original puzzle to strengthen your network forensics skills.
  4. Consider reviewing the winning and finalist answers to the original puzzle.
  5. Answer the 7 follow-up questions below.
  6. Post your solutions on-line and add a comment to this blog post with a link to it.

Important: The answers to this follow-up challenge will not be graded and there is no prize. This is simply an opportunity to strengthen your malware analysis skills and to help others learn from your experience. I will post the correct answers to the follow-up questions about a month after this blog post is published. Also, be careful when analyzing the malicious files referenced above: you will infect your system with real malware if you’re not careful about handling them in an isolated malware lab.

The follow-up questions for this challenge are below. They refer to the malicious executable and other artifacts you need to first extract from the referenced PCAP file.

  1. When the malicious Windows executable runs on the infected system, it creates a hidden directory where it stores two files. What is the name of this directory?
  2. The malicious Windows executable creates a hidden registry key to make sure the executable runs whenever the victim reboots and logs into the Windows system. What is the full path of that registry key?
  3. The malicious webpage that the user’s browser loaded used JavaScript obfuscation to protect some of its contents. The deobfuscated page included an “iframe” HTML element. What was the URL referenced by this “iframe”?
  4. One of the Java applets downloaded by the user’s browser targeted a vulnerability in the Java Runtime Environment (JRE). What was the name of the file that directly implemented the exploit?
  5. The malicious Windows executable attempts to inject code into several processes. Which functions in WININET.dll does the executable hook to interfere with normal operations of the infected system?
  6. The malicious Windows executable attempts to delete files on the infected system. What file categories does the executable attempt to delete?
  7. What other interesting characteristics does the malicious Windows executable possess? This is a somewhat open-ended question. It is designed to help those who have answered the other questions to stand out.

When sharing your answers, please provide an explanation of how you arrived at the answers, so we can all learn from your approach.

If you’re new to malware analysis, here are a few resources to help you get started:

Lenny Zeltser focuses on safeguarding customers’ IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.

Digital Forensics Case Leads: Ann’s Aurora Edition

We won! We won! We WON! Okay. Breathe. Now that I’ve gotten that out…

On behalf of all of the contributors to the SANS Computer Forensic Investigations and Incident Response Blog, I want to thank everyone who voted for us as Best Digital Forensics Blog in this year’s Forensic 4cast awards. We are all deeply grateful to know that our work is recognized and appreciated by our peers in the Security and Forensics professions. And we are also grateful for the community that continues to grow around this blog. The amount of feedback we’ve received from readers has increased in the past few months, and we thank you for helping to make this a lively and thought-provoking site to visit.

In keeping with that spirit, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, please send it to

I also want to congratulate Dave Hull, who will receive the Forensic 4cast award on our behalf and give it a good home. [Hopefully Dave won’t throttle me after this ;-) ]. Dave does a lot to keep this blog humming along on a day-to-day basis, not the least of which is serving as the Case Leads cat-herder and making sure we get this series off the ground each week. Congratulations Dave! (please don’t beat me)

Finally, thanks again to Lee Whitfield and Disklabs for bringing us the Forensic 4cast Awards. It’s a great joy to be honored, and a great service that you’ve done for the community by creating a way to recognize outstanding contribution to the field.

Since we’re just coming down from the SANS Forensics and Incident Response Summit, this week’s edition is named in honor of the recently completed SANS Digital Forensics and Incident Response Challenge. A great many interesting tools and solutions rose out of that challenge, a few of which I’ve mentioned here. There have also been some interesting writings on Advanced Persistent Threat (APT) of late that are worth noting. So, without further ado…


  • Congratulations to Wesley McGrew, winner of the SANS Digital Forensics and Incident Response Challenge. As part of his winning submission, Wesley introduced a cool new tool called This Python script parses packet captures stored in PCAP format, then generates an HTML report that summarizes the flows contained in the specified packet capture. This report allows the analyst to drill down into each flow as needed. Also be sure to check out Wesley’s blog for more information.
  • Thanks in part to the Ann’s Aurora Challenge, Finalist Erik Hjelmvik released an update to his popular NetworkMiner Network Forensic Analysis Tool. “Erik noticed that Network Miner was not properly detecting the HTML transfers at the beginning of the pcap file, because the TCP handshake was missing. He added functionality so that Network Miner more intelligently figures out which host is the server, and which is the client, when the TCP handshake is missing.”
  • Lenny Zeltser recently released REMnux, which he describes as “a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software.” This isn’t my area of expertise, so I’ll leave you to read Lenny’s write-up, but it sounds quite cool.
  • Kristinn Gudjonsson released log2timeline v0.50 on June 30. This release contains a number of improvements. One of the most exciting is the ability to specify which modules timescanner uses to perform its recursive scan for time-stamped artifacts.
  • The Sleuth Kit v3.1.3 was released on July 2. It contains several bug fixes.

Good Reads:

  • Our friends over at Network Forensics Puzzle Contest have the answers to the Ann’s Aurora Challenge, as well as more information on the various submissions. There’s some very cool and educational stuff here, so be sure to check out the details.
  • Richard Bejtlich earns the cover of this month’s Information Security magazine with his article Understanding the Advanced Persistent Threat. Richard’s article answers the question “What Is the Advanced Persistent Threat?” It provides some historical perspective, then briefly discusses what defenders should do to counter APT. This last section on countering APT seems a bit thin to me. It calls for employing “trained and knowledgeable information security analyst[s]” and “building visibility in to one’s organization.” These things are both necessary and true, but the article leaves me hungry for details. If I were to put on my management cap (which I don’t actually own), for example, I might like to see this section answer the question “What can I do and where can I look to get my existing staff sufficiently trained?” Other questions would likely come to mind if I were to try on different hats. But that’s not really the point. I’m sure Richard was constrained by word-count or some similar limitation when composing the article. So Richard, if you’re reading this, I’d love to see you elaborate on that section elsewhere.
  • A while back, over on Forensic Incident Response, hogfly posted some fun and interesting musings on metaphors. Go take a look at what Chess, Ants, and APT have in common.


  • Did you ever think the world of Digital Forensics needed its own set of Gods? Happy as a Monkey did, and offered up a few ideas.
  • If that weren’t enough, Girlie Geek suggests that the language of Computer Forensics become even more specialized and arguably incomprehensible. So she takes a cue from the Cockney dialect and gives us “Fockney.”

Coming Events:

Digital Forensics Case Leads for 20100715 was compiled by Gregory Pendergast, incident handler and digital forensicator at Virginia Commonwealth University. If you have an article to suggest for case leads please email it to

Digital SANS Forensics and IR Summit 2010: Network Forensics Panel Questions Released!

The 2010 Digital Forensics and Incident Response Summit’s focus this year is examining and advancing the digital forensic professional to deal with advanced threats such as the APT and organized crime. Understanding how many of these crimes take place is crucial to creating lethal forensicators armed with the knowledge and skills to analyze complex cases. REGISTER NOW!!

Network Forensics Panel

Panelists will tell you the challenges faced in properly collecting and analyzing network-based evidence, which is critical in investigations. Data collected from intrusion detection systems, firewalls, routers, proxies, and access points all end up telling unique stories that could be critical to solving your case. Learn the latest techniques that are utilized in reacting to real attacks that these experts have responded to. This panel includes some of the best minds for the future of Network Forensics. Listen to what they have to say. Network Forensics: No Hard Drive? No Problem.


Questions/Topic Areas

  1. Describe some interesting cases you’ve had which couldn’t have been solved without corroboration with network-based sources of forensic evidence. What saved the day?
  2. Why has network forensics suddenly become extremely relevant? This isn’t exactly new. What changed?
  3. How has the APT changed the way we approach network forensics?
  4. Is IDS enough? Do we need to use more network correlation to help investigate major incidents?
  5. What is the biggest mistake organizations make regarding network based analysis?
  6. What factors currently limit the number of intrusions detected and investigated via the network?
  7. Many attackers such as the APT are using http/https as a path for outbound C2 channels.  How can you detect and analyze this traffic effectively?
  8. If you were designing a C2 channel that is hard to analyze on the network, what would it look like? Why would it be hard to analyze?
  9. Many organizations are just beginning to think about building network forensics capabilities into their infrastructure. What recommendations do you have for implementing and configuring particular tools for network forensics in the enterprise BEFORE the compromise?
  10. Can we leverage network monitoring to build comprehensive situational awareness of our operating environments in a way that scales well? How could such an awareness allow us to find anomalous and malicious behavior?


Fingerprinting Systems with Firewall Logs

By Jonathan Ham

How can you investigate a computer that isn’t there any more?

A lot has been written about methods for “fingerprinting” systems with active scanning methods (e.g. nmap). These of course require that the system be actively reachable, and that you don’t mind totally giving away your position with a very noisy scan (sort of like shooting a shotgun directly at a suspect to see if you can get him to look at you, in hopes that you’ll catch a glimpse of his face).

A lot has also been written about more covert ways of achieving the same goal, based on packets surreptitiously captured from the host of interest (a la p0f). This is certainly very cool, and can be inordinately useful…if you happen to have packet captures from the host of interest, or can begin to get them. (Either you were capturing its packets to begin with, or it’s still around to get packets from.)

But what if the system is long gone, never to return? Or what if you’re lucky enough to see it again, but for technological/logistical/legal reasons you can’t grab its packets? As we see in Sec558, all hope is not lost…

While most firewalls report only sparse information about the packets that they see (and perhaps reject), many of them at least include such information as the Time To Live (TTL) field. What a lot of forensic analysts don’t realize is that different operating systems choose different initial values for the TTL field. For example, current versions of Linux start with 64, and Windows with 128. So if you see a packet logged by a firewall with a TTL of 61, it’s a pretty good guess that it came from a Linux system 3 hops from the firewall. Of course it could be a Windows system 67 hops away, but which is more likely?

TTLs can be, and sometimes are, crafted. But when dealing with the 99% of packets whose headers aren’t crafted, this works like a charm. You can also correlate TTLs with other aspects of the network traffic logged by a firewall, such as source and destination port numbers, IP ID sequences, and such.

Here are three lines from an iptables firewall log. Can you guess what OS the client is running? How about the manufacturer?

Mar 24 12:13:13 kernel: [  915.256256] FIREWALL:BLOCKEDIN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:4d:4f:ae:08:00 SRC= DST= LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=61495 PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 24 12:13:14 kernel: [  916.006952] FIREWALL:BLOCKEDIN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:4d:4f:ae:08:00 SRC= DST= LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=61496 PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 24 12:13:14 kernel: [  916.764653] FIREWALL:BLOCKEDIN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:4d:4f:ae:08:00 SRC= DST= LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=61497 PROTO=UDP SPT=137 DPT=137 LEN=76


With a TTL of 128, this is probably a Windows system 0 hops away (meaning it has not traversed a router, so it is on the local segment). This is further supported by the UDP port 137 (NETBIOS) traffic, which is very common for Windows systems. The sequential IP IDs tend to corroborate this as well.

Based on the first three bytes of the MAC address (“00:21:70”), it’s probably a Dell. :-)
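As an added example (not code from Jonathan’s post), the following Python script automates the reasoning above: it parses iptables LOG lines, maps the TTL to the nearest default initial value (64 for Linux and 128 for Windows as stated in the post; the 255 entry for network appliances is an assumption), checks whether the IP IDs are sequential, flags NetBIOS traffic, and looks up the sender’s OUI. The OUI table contains only the 00:21:70 / Dell mapping from the post; the three log lines are the ones shown above, with SRC/DST blank as they appear there.

```python
import re

# Initial TTL defaults cited in the post: Linux 64, Windows 128. The 255
# entry (network appliances, BSD-derived stacks) is an added assumption.
INITIAL_TTLS = {64: "Linux", 128: "Windows", 255: "network device / BSD-derived"}
# Only the OUI the post walks through; extend from the IEEE OUI registry.
OUI_VENDORS = {"00:21:70": "Dell"}
# iptables LOG output is KEY=VALUE pairs; values may be empty (SRC=, DST=).
# A --log-prefix lacking a trailing space fuses into IN= ("BLOCKEDIN=eth3").
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_iptables_line(line):
    """Return one log line's KEY=VALUE fields as a dict."""
    fields = dict(KV_RE.findall(line))  # LEN occurs twice; last wins, unused
    for key in ("TTL", "ID", "SPT", "DPT"):
        if fields.get(key, "").isdigit():
            fields[key] = int(fields[key])
    # MAC= is dst(6):src(6):ethertype(2); the sender's OUI is octets 7-9.
    mac = fields.get("MAC", "").split(":")
    fields["SRC_MAC"] = ":".join(mac[6:12]) if len(mac) == 14 else None
    return fields


def guess_os(ttl):
    """Map an observed TTL to the nearest default at or above it: (os, hops)."""
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return INITIAL_TTLS[initial], initial - ttl
    return "unknown", None


def fingerprint(lines):
    """Combine TTL, IP ID sequence, ports and OUI across several log lines."""
    pkts = [parse_iptables_line(ln) for ln in lines if "TTL=" in ln]
    if not pkts:
        return {}
    ttls = {p["TTL"] for p in pkts}
    os_name, hops = guess_os(max(ttls))
    ids = [p["ID"] for p in pkts]
    oui = (pkts[0]["SRC_MAC"] or "")[:8]
    return {
        "os": os_name,
        "hops": hops,
        "consistent_ttl": len(ttls) == 1,  # one host, one path, one TTL
        "sequential_ip_id": all(b - a == 1 for a, b in zip(ids, ids[1:])),
        "netbios": any(p.get("PROTO") == "UDP" and p.get("DPT") == 137 for p in pkts),
        "vendor": OUI_VENDORS.get(oui, "unknown OUI " + oui),
    }


# The three lines from the post, with SRC/DST blank as they appear there.
SAMPLE_LOG = [
    "Mar 24 12:13:13 kernel: [  915.256256] FIREWALL:BLOCKEDIN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:4d:4f:ae:08:00 SRC= DST= LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=61495 PROTO=UDP SPT=137 DPT=137 LEN=76",
    "Mar 24 12:13:14 kernel: [  916.006952] FIREWALL:BLOCKEDIN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:4d:4f:ae:08:00 SRC= DST= LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=61496 PROTO=UDP SPT=137 DPT=137 LEN=76",
    "Mar 24 12:13:14 kernel: [  916.764653] FIREWALL:BLOCKEDIN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:4d:4f:ae:08:00 SRC= DST= LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=61497 PROTO=UDP SPT=137 DPT=137 LEN=76",
]

if __name__ == "__main__":
    print(fingerprint(SAMPLE_LOG))
```

Because a crafted header can carry any TTL, treat the result as corroborating evidence to weigh alongside ports, IP ID behaviour and the OUI rather than as proof on its own.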

If you want to learn more about collecting and analyzing network evidence, check out Sec558: Network Forensics.
“No hard drive? No problem!”

Jonathan Ham is an independent security consultant and a SANS Certified Instructor, who teaches forensics and other tracks. When he goes to sleep at night, he counts packets as they leap through firewalls.