SANS - Computer Forensics - Course Description

Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |

On the first morning, we'll investigate a rogue system administrator. His colleagues suspect he may be abusing his privileges. There doesn't seem to be any Web surfing activity at all associated with his computers. What could he be up to?

To solve the case, we embark together on an extensive analysis of DHCP logs, wireless traffic captures, tcpdump using BPF filters, Wireshark, and the DNS protocol. Along the way, we'll learn about DNS tunneling using iodine, methods of passive evidence acquisition, network taps, hubs, switches, and port mirroring.

We'll also use tools, such as ngrep, tcpxtract, and hex editors, to extract the data we need. Underlying all of our forensic procedures is a solid forensic methodology, which includes verification, acquisition, timeline creation, evidence recovery, and reconstruction.

Topics - Day 1:
- Case study: Data tunneling
  - DNS tunneling demo
  - The network-based investigative model
- The OSI model for network analysis
- DHCP and MAC address analysis
- Passive evidence acquisition
  - Hubs, Switches, and SPAN ports
  - Network TAPs
  - tcpdump for evidence acquisition
  - The Berkeley Packet Filter language
- Network evidence extraction and analysis
  - ngrep and tcpxtract
  - Wireshark and tshark

SECURITY 558 Upcoming Events
Event	Location	Dates	Delivery Method
Community SANS Forensics DC 2010	Alexandria, VA	Feb 22, 2010 - Feb 26, 2010	Community SANS
SANS 2010	Orlando, FL	Mar 06, 2010 - Mar 15, 2010	Live Event

GIAC Certification

"This is awsome! We're seeing details that most people don't even know exist" - John Wright, Info Tech, Inc.

"The class provided in-depth, real world, hands-on information" - Robert Dale Drollinger, General Dynamics

SANS Institute

SANS Institute

© 2008 - 2009 The SANS™ Institute

SANS Web Privacy Policy: www.sans.org/privacy.php - Web Contact: webmaster@sans.org

SANS Press Room: www.sans.org/press / Policy On SANS Trademark Usage