Things I Learned (TIL) FOR508 Review 2024

As part of my overly ambitious professional development plan for 2024** I took advantage of a SANS program to review (and not re-test!) FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics from SANS Institute in the OnDemand delivery method (video streaming, labs on my system)

Content

• Generally FOR508 is a detailed tour of how to investigate intrusions on Windows systems, focused on the host data available on those Windows workstations and servers. It feeds the GIAC Certified Forensic Analyst (GCFA) certification. Contrast: the Windows forensics examination course and cert FOR500 & GCFE.
  • It’s expected you have some background in incident handling and Windows system forensics.
  • It’s set in a APT-style intrusion conducted by expert pentesters against a real network set up just for the course: Stark Research Labs.
  • The sister class FOR572 / GNFA covers the network data angle and works the same case.
• Chad Tilbury, course co-author and experienced incident responder for US Gov’t, Mandiant, and Crowdstrike, presents the lecture and labs in OnDemand. He ties the concepts in the course to his own career and cites many cases to help explain when the various techniques can be key in finding the answer to challenging questions.
• It’s hard to put into words all of the ways this course has improved since I took it ( enjoyed and learned so much from it) several years past and got my GCFA.
  • One obvious point is the fantastic electronic notebook for labs, now standard for SANS courses
  • Another highlight is the inclusion and recognition of cybersecurity threat intelligence (CTI) frameworks including Mitre(tm) ATT&CK(r)
    • The course uses a broad definition of indicator that aligns well with the original (?) definition in the Lockheed Martin “Intel driven CND” paper while de-emphasing atomic indicators as being less useful.

Deltas

What did I learn or catchup on by reviewing this course?

• Windows 10,11 artifacts and Chromium data updates
• New and notable DFIR tools:
  • Eric Zimmerman tools especially Timeline Explorer, Arsenal Image Mounter, memprocfs
• Plus enhancements to existing tools like Volatility (2 and 3), Velociraptor

Meta: LoE, media

• This class material is very detailed and the labs are rich with data and rabbit holes.
  • I really enjoyed exploring the investigation that runs throughout the labs and the challenge day.
  • I miss working cases or at least the kind where there’s so much data to analyse…
  • I spent an hour or more in just about every lab, which would not be possible in a live class without falling behind the group.
• This course version is almost 100 GiB to download across three ISOs and includes two tools VMs (Windows and SIFT) and significant data collections from the Stark Research Labs environment used in labs and challenge.
  • You will need an AMD64 system for the VMs and will get the best results with VMWare Workstation or Fusion Pro.
    • Just underlining this: You can’t do these labs on a M1/M2/M3 Mac or other ARM system.
    • the VMs ran under Virtualbox (on amd64) but performed better on VMWare
    • Give the VMs more RAM :)

** https://www.dfirnotes.net/development_planning_2024/ should get another update in November