We'll begin with covert ICMP and DNS tunnels. You'll extract tunneled TCP and IP packets from DNS NULL records and use active evidence collection methods to uncover the rogue system administrator's secret plot!
By the afternoon, we'll conduct hands-on active evidence acquisition. You'll inspect router ARP tables and firewall logs. Volatility and collection methods vary depending on configuration, manufacturer, and the environment. We'll also cover ways that investigators can compensate for less-than-ideal network environments, using publicly available forensic evidence acquisition tools.
SECURITY 558 Upcoming Events

| Event | Location | Dates | Delivery Method |
| --- | --- | --- | --- |
| Community SANS Forensics DC 2010 | Alexandria, VA | Feb 22, 2010 - Feb 26, 2010 | Community SANS |
| SANS 2010 | Orlando, FL | Mar 06, 2010 - Mar 15, 2010 | Live Event |