TF2 – Tracer FIRE – A Forensic and Incident Response Exercise – Part 2

Kevin Nauer and Benjamin Anderson, Sandia National Laboratory

Tuesday, December 6th, Full Day

Tracer FIRE (Forensic and Incident Response Exercise) is a program developed by Sandia and Los Alamos National Laboratories to educate and train cyber security incident responders (CSIRs) and analysts in critical skill areas, and to improve collaboration and teamwork among staff members. Under this program, several hundred CSIRs from the Department of Energy and other U.S. government agencies have been trained. In Tracer FIRE, attendees will learn about a variety of topics in the areas of incident response, forensic investigation and analysis, file systems, memory layout and malware analysis. Tracer FIRE includes a mixture of lecture, hands-on training, and competitive exercises designed to provide the attendees with the knowledge and practice to apply what they have learned in a real-world situation.

This full-day professional development course is designed for professionals and graduate students studying computer forensics, or as an extension of Part 1 of the Tracer FIRE course (Day 1 – TF1). The morning classroom portion will consist of both lecture and hands-on training in specialized forensic areas. After this training, attendees will be familiar with the layout of Windows memory and how to acquire the memory contents of a live system. In addition, attendees will practice file carving to recover "lost" data, increasing their ability to retrieve evidence, and PDF dissection and analysis to identify and analyze malware utilizing this infection vector, increasing their ability to mitigate and prevent future intrusions.

In the afternoon, attendees will be divided into teams and will participate in a competition that will require them to apply what they have learned during the classroom training. During this competition, the teams will solve cyber security challenges involving memory analysis and malware discovery while attempting to defend their computer system and attacking the systems belonging to the other teams. This exercise will allow attendees to practice maintaining network situational awareness and using forensic tools, and to hone their teaming and communication skills.

Note: This course is Part 2 of a two-part course. Attendees are encouraged to enroll in TF1 (Part 1) and TF2 (Part 2). A discounted combination rate is provided for those attending both days. Student scholarships may be available – please see http://www.acsac.org/2011/cfp/students/.

Outline

  1. Rapid Response Cyber Forensics Review. A review of topics from the first day tutorial. Serves as an introduction to the topic area for those attending only this tutorial, and not both days.
  2. Memory Space: The Final Frontier. Issues with acquisition of a memory image from a live system. Layout of memory in Windows. Examination of memory contents.
  3. Forensic Memory Acquisition and Analysis. Use of Memoryze and Audit Viewer. Hands-on memory acquisition. Analysis of a memory image.
  4. File Carving and PDF Dissecting. Reasons for file carving. Discovery and reassembly of file fragments. Examination of PDF file format. Malicious PDF analysis.

Prerequisites

Attendees will require a basic understanding of computer systems, networks and general cyber security concepts. Workstations and the EnCase Enterprise suite will be provided for the attendees – no personal hardware or software is required.

About the Instructors

Mr. Kevin Nauer is a member of technical staff at Sandia and has over ten years' experience in conducting forensic analysis and leading a team of analysts in incident response operations. Kevin has led a development effort for the past three years to build a framework to support collaborative cyber security incident response operations. Kevin holds a B.S. and M.S. in computer science, and he has also served as a Captain in the US Army Intelligence and Security Command, where he helped form a new organization to support national intelligence operations integrating computer forensic analysis techniques.

Mr. Ben Anderson is a member of technical staff at Sandia and has conducted research in virtualization and SSD forensics. He holds a master's degree in computer engineering from Iowa State University and previously served in the Marine Corps as a member of their Fleet Antiterrorism Security Team Co.