Educause Security Discussion mailing list archives

Re: Opinions on SANS 508 Course and their VMware based Forensic analysis workstation


From: Jerry Sell <Jerry_Sell () BYU EDU>
Date: Tue, 28 Jul 2009 12:45:06 -0600

SANS forensic workstation is built on Linux. Linux has the ability to mount a raw disk image into the file system in 
read-only mode. This means that no changes can be made to the image. If you want to boot the image, I would recommend 
that you boot from a copy of the image. This way you can make any changes you want and still have a hashed copy of the 
image that is forensically sound.

If you are using a Windows forensic tool such as hexedit, you can purchase a write blocker that sits between the drive 
and the forensic workstation. This puts the disk in read-only mode at the hardware level. I always make it a point to 
get a raw image of the disk in read-only mode. Then I hash the original disk and the image and make sure they are 
equal. Then I do my forensic work on a copy of the image and hash frequently to make sure it has not changed.

I have taken the SANS course and one other. The two were very similar and the SANS course will prepare you to be a 
forensics specialist.

Thank you,

Jerry Sell, CISSP
Security Analyst
Brigham Young University
(801)422-2730
Jerry_Sell () byu edu
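The acquire-hash-copy-rehash routine Jerry describes above, written out as an added example in POSIX sh (this is not code from the post or from the SANS workstation). It assumes sha256sum (or shasum) is on the PATH and that the read-only attach at the end is run as root on Linux with losetup and mount available; the constructed "evidence" image in the demo is just random bytes, so it has no filesystem to mount. The noload option in mount_ro is an ext3/ext4 assumption: without it the kernel replays a dirty journal even on a ro mount, which is exactly the kind of silent write a hash check is meant to catch.

```shell
#!/bin/sh
# Added example (not from the list post): hash, verify, copy, re-hash.
set -eu

# SHA-256 of a file, using whichever tool is present (assumption: one of these exists).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record a baseline hash for an image in a sidecar file and print it.
hash_image() {
    h=$(sha256_of "$1")
    printf '%s  %s\n' "$h" "$1" > "$1.sha256"
    printf '%s\n' "$h"
}

# Re-check an image against its sidecar baseline: 0 if unchanged, 1 if it drifted.
verify_image() {
    stored=$(cut -d' ' -f1 "$1.sha256")
    current=$(sha256_of "$1")
    [ "$stored" = "$current" ]
}

# Compare two files by hash (original disk vs. acquired image, or image vs. copy).
same_hash() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Working copy for anything that may write (booting it in a VM, running tools);
# the original stays untouched and is verified by hash afterwards.
make_working_copy() {
    cp "$1" "$2"
    same_hash "$1" "$2"
}

# Attach an image read-only at the block layer, then mount read-only on top.
# losetup -r makes the loop device itself reject writes (the software analogue
# of the hardware write blocker); noload stops ext3/ext4 journal replay.
# For a whole-disk image add -P to losetup and mount the partition device.
mount_ro() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "mount_ro: needs root, skipping" >&2
        return 0
    fi
    dev=$(losetup -r -f --show "$1")
    mkdir -p "$2"
    mount -o ro,noexec,nodev,noload "$dev" "$2"
    echo "$1 attached read-only as $dev on $2"
}

# Walk through the workflow on a constructed 1 MiB image of random bytes.
demo() {
    work=$(mktemp -d)
    img="$work/evidence.dd"
    dd if=/dev/urandom of="$img" bs=1024 count=1024 2>/dev/null
    echo "baseline: $(hash_image "$img")"
    make_working_copy "$img" "$work/working.dd"
    echo "working copy verified against original"
    # Simulate analysis that writes to the working copy (e.g. booting it).
    printf 'changed' | dd of="$work/working.dd" bs=1 seek=4096 conv=notrunc 2>/dev/null
    if same_hash "$img" "$work/working.dd"; then
        echo "working copy unchanged"
    else
        echo "working copy diverged from original (expected after analysis)"
    fi
    if verify_image "$img"; then
        echo "original still matches baseline"
    else
        echo "ORIGINAL IMAGE CHANGED - stop and investigate" >&2
        exit 1
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh forensic_hash.sh --demo` to see the copy drift while the original's baseline holds; for a real case, `hash_image /cases/001/disk.dd` right after acquisition, `same_hash /dev/sdX /cases/001/disk.dd` while the source is still behind the write blocker, and `mount_ro /cases/001/disk.dd /mnt/evidence` as root for read-only browsing.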


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James 
Moore
Sent: Tuesday, July 28, 2009 12:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Opinions on SANS 508 Course and their VMware based Forensic analysis workstation

I need to get better at capture of information from a live system as part of incident response.  There are a number of 
tools out there that help (Helix3Pro, Rapier, MIR-ROR), and Harlan Carvey's tools.  I haven't had time to determine how 
all of the tools change the system.  I am also doing more with VMWare, mainly restoring forensic images to virtual 
disks, and then running some of the commercial A/V and malware detection tools (but I know that the A/V vendors are 
getting overwhelmed).  The other thing is that, if I make it to where I can boot an image restored from a forensic 
image, then I can install tools that disrupt the state of the machine, as long as I do it in clones, or with 
non-persist mode enabled.

I am looking for 1 week of training for this year which can focus on incident response, and has decent coverage of live 
tools (and an accurate description of their effects on machine state), and something about ways to use virtual machines 
(we use VMWare Workstation) in the incident response environment.

So far, I have looked at training from SANS, Mandiant, and E-Fense training, but I only have experience with SANS (and 
that was 8 years ago when they taught a course for the first time).  Advice & recommendations are appreciated.

Jim


- - - -
Jim Moore, CISSP, IAM
Senior Information Security Forensic Investigator
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)


If you consciously try to thwart opponents, you are already late.  Miyamoto Musashi, Japanese philosopher/samurai, 1645


Risk comes from not knowing what you're doing. -Warren Buffett

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity 
to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, 
dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other 
than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any 
copies of this information

