Educause Security Discussion mailing list archives
Re: Opinions on SANS 508 Course and their VMware based Forensic analysis workstation
From: Jerry Sell <Jerry_Sell () BYU EDU>
Date: Tue, 28 Jul 2009 12:45:06 -0600
SANS forensic workstation is built on Linux. Linux has the ability to mount a raw disk image into the file system in read-only mode. This means that no changes can be made to the image. If you want to boot the image, I would recommend that you boot from a copy of the image. This way you can make any changes you want and still have a hashed copy of the image that is forensically sound. If you are using a Windows forensic tool such as hexedit, you can purchase a write blocker that sits between the drive and the forensic workstation. This puts the disk in read-only mode at the hardware level.

I always make it a point to get a raw image of the disk in read-only mode. Then I hash the original disk and the image and make sure they are equal. Then I do my forensic work on a copy of the image and hash frequently to make sure it has not changed. I have taken the SANS course and one other. The two were very similar and the SANS course will prepare you to be a forensics specialist.

Thank you,

Jerry Sell, CISSP
Security Analyst
Brigham Young University
(801)422-2730
Jerry_Sell () byu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Moore
Sent: Tuesday, July 28, 2009 12:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Opinions on SANS 508 Course and their VMware based Forensic analysis workstation

I need to get better at capture of information from a live system as part of incident response. There are a number of tools out there that help (Helix3Pro, Rapier, MIR-ROR), and Harlan Carvey's tools. I haven't had time to determine how all of the tools change the system. I am also doing more with VMWare, mainly restoring forensic images to virtual disks, and then running some of the commercial A/V and malware detection tools (but I know that the A/V vendors are getting overwhelmed).
The other thing is that, if I make it to where I can boot an image restored from a forensic image, then I can install tools that disrupt the state of the machine, as long as I do it in clones, or with non-persist mode enabled.

I am looking for 1 week of training for this year which can focus on incident response, and has decent coverage of live tools (and an accurate description of their effects on machine state), and something about ways to use virtual machines (we use VMWare Workstation) in the incident response environment. So far, I have looked at training from SANS, Mandiant, and E-Fense training, but I only have experience with SANS (and that was 8 years ago when they taught a course for the first time).

Advice & recommendations are appreciated.

Jim
- - - -
Jim Moore, CISSP, IAM
Senior Information Security Forensic Investigator
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)

If you consciously try to thwart opponents, you are already late. Miyamoto Musashi, Japanese philosopher/samurai, 1645
Risk comes from not knowing what you're doing. -Warren Buffet

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.
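The image-then-hash-then-work-on-a-copy routine Jerry describes in his reply, written out as an added example (not code from either poster): it runs against a constructed sample file standing in for the evidence disk, so it works offline; the file names under WORK are assumptions, and in real use SRC would be the device behind a write blocker.

```shell
#!/bin/sh
# Added example, not from the thread: acquire a raw image, hash disk and image,
# record the hash, do all work on a copy, and re-hash the pristine image at will.
# Real use: SRC is the evidence device (behind a hardware write blocker), and the
# image is mounted read-only, e.g. on Linux:
#   mount -o ro,loop,noexec,nodev "$IMG" /mnt/evidence
set -eu

WORK="${WORK:-$(mktemp -d)}"
SRC="$WORK/sample_disk.bin"   # constructed stand-in for the original disk
IMG="$WORK/evidence.dd"       # raw image; never written to after acquisition
COPY="$WORK/working.dd"       # analysis copy; boot it, install tools, change it freely
HASHFILE="$IMG.sha256"        # hash recorded at acquisition time

# Constructed sample "disk": exactly 2048 sectors of 512 bytes.
dd if=/dev/urandom of="$SRC" bs=512 count=2048 2>/dev/null

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# 1. Raw image of the disk. bs equals the sector size so conv=sync never pads the
#    final block; padding would make the image hash differ from the disk hash.
acquire() {
    dd if="$SRC" of="$IMG" bs=512 conv=noerror,sync 2>/dev/null
    sha256_of "$IMG" > "$HASHFILE"
}

# 2. Original disk and image must hash identically before analysis starts.
image_matches_disk() { [ "$(sha256_of "$SRC")" = "$(sha256_of "$IMG")" ]; }

# 3. All forensic work happens on a copy of the image, never on the image itself.
make_working_copy() { cp "$IMG" "$COPY"; }

# 4. Re-run as often as you like: the pristine image still matches the recorded hash.
image_unchanged() { [ "$(sha256_of "$IMG")" = "$(cat "$HASHFILE")" ]; }

# Does the working copy still match the image? Expected to fail once it is booted
# or modified, which is exactly why the two are kept apart.
copy_unchanged() { [ "$(sha256_of "$IMG")" = "$(sha256_of "$COPY")" ]; }

acquire
image_matches_disk && echo "image verified against disk"
make_working_copy
image_unchanged && echo "image matches recorded hash"
```

Remove the temporary directory with `rm -rf "$WORK"` when done.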