Using freeware tools to teach IR/CF

keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Having finished my book, and started back down the road of research and discovery, one of the things that occurs to me is that there's a great deal of freeware that can be used to teach IR/CF skills. Sure, having systems and storage space may be problematic as there is some cost involved, but beyond that, a number of scenarios can be set up in such a way to challenge and engage students.

Part of what I see in current curriculums is a focus on general skills, and when the student graduates, they don't have any real experience. Worse, there is a dependence on specific tools without understanding the underlying dynamics of a situation or incident. When the students interview for a position following graduation, they may be asked to describe how they would address a situation.

One thought I had was this…break a class into teams, and present them each with an actual situation. Have them develop their own toolkits and "show up" on scene. Have them investigate the issue and present their findings to the rest of the class, answering questions from the other students and the instructor. If the length of the course permits, have them go to another "station" or situation (that's been modified) and repeat the process, but with a different team leader.

If this sounds familiar to anyone, I got the idea in part from my own experiences with the Leadership Reaction Course during Officer Candidate School in the Marine Corps, from the summer of '88.

Thoughts?

 
Posted : 31/03/2007 7:55 pm
cfprof
(@cfprof)
Posts: 80
Trusted Member
 

Speaking as a professor at a university that has a computer forensics degree, our problem isn't time. It is a lack of interesting "evidence" to investigate. We are currently using the EnCase demo disk with its packaged evidence files, but they are not the most realistic. Some of the images don't even include the registry.

Everyone says "make your own", but it isn't as easy as it sounds when you think of all of the points you want to include.

I am very open to suggestions.

Our students have told us that they feel like they need more practical experience too. I'm proud of them for recognizing their (our?) own weaknesses.

I hope I'm not dragging the discussion too far off course.

 
Posted : 02/04/2007 5:55 am
(@armresl)
Posts: 1011
Noble Member
 

"It is a lack of interesting "evidence" to investigate."

It is really not that hard to create images for students to look at.

IMHO if a college that is offering a degree program in CF doesn't have images for RL situations, then they are doing a great disservice to any students in the class or program.

 
Posted : 02/04/2007 6:07 am
 ddow
(@ddow)
Posts: 278
Reputable Member
 

It is really not that hard to create images for students to look at.

Gee, I'm sure open to suggestions then. To build the box, get the timeline realistic, all the artifacts in place that I want, strip out the copyrighted files and get the file count below 5000, I have a fair amount of time invested in a case. Then to write the assignment and supporting info is more time. So far, I'd say I run 8 hours development for 1 hour of student lab time.

 
Posted : 02/04/2007 6:51 am
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

CFProf,
Why not run a honeynet? They're great learning tools, for students and professionals. You'll get loads of data from them.

 
Posted : 02/04/2007 9:47 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

> …I believe the main point of your post was to test students by putting them
> into an unknown environment as they would see in the field.

Not "test" them, but present them with real-world challenges that they have to think through. Yes, one example is when you forget something, or when you rely on the client to be completely forthcoming. For example, "I need you to image 6 IDE drives" becomes 3 SCSI, 2 SATA, and one iPod-sized 1.8" HDD. Or the "server with one HDD" becomes a RAID 1 or 5 system that you can't take down.

> From what I have seen looking for training, the lack of practical
> exercises is usually due to time constraints.

As someone who produces training (and has done so in the past) the usual issue with this sort of thing is, in fact, time. Also, lack of interest from those attending the training…sometimes people simply do not want to do anything themselves, which makes it difficult.

CfProf,

> It is a lack of interesting "evidence" to investigate.

You're kidding, right? Some of the simplest things you can do are to install netcat as "inetinfo.exe" and bind it to port 80, or install it as "svchost.exe" and bind it to another port. Remote compromises include accessing the system with RDP, installing VNC and using that, etc. Other examples include installing any one of a number of freeware P2P clients (LimeWire, eMule, etc.) and asking the students to determine what was downloaded/uploaded, etc.

Another option is to set up some systems for a pen testing class to "break into"…then use those images on the forensic analysis side.

I'd suggest things like this because they are controlled in some respects. By having the students investigate an incident that is known by someone, you can walk them through finding everything, and guide them down the right path in their analysis with leading questions, etc. The issue with using a honeypot is that the exploit may not be entirely known by the instructor, and a less-stringent investigation methodology will leave certain artifacts uncovered.

While honeypots are great tools, like any tool, they have to be monitored and managed. In fact, in some ways, I'd say that honeypots (their theory and application) should be an entire class by themselves, with Lance Spitzner invited to speak! 😉

Either way, my point is that there are a lot of freeware tools you can use to perform live response, as well as image acquisition and analysis. I could see this as a multi-semester course, easily, as you'd have to build a foundation on which the students could rely, and then progress on to the more "real-world"-centric aspects.

Harlan

 
Posted : 02/04/2007 3:36 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

CfProf…

If you want some input or ideas regarding setting up cases to be imaged, based on real-world examples, please feel free to contact me offline at keydet89 at yahoo dot com.

Thanks,

H

 
Posted : 02/04/2007 4:18 pm
 ddow
(@ddow)
Posts: 278
Reputable Member
 

. . . simplest things you can do are to install netcat as "inetinfo.exe" and bind it to port 80, or. . .

I guess here we have a mis-communication. You're referring to the Incident Response side of the business. I (and I suspect CFProf) are referring to the corporate/LE forensic side of it. But I like your approach and will use it for other classes.

Keep it coming Harlan, you're a wealth of info.

 
Posted : 02/04/2007 8:11 pm
hawkwind
(@hawkwind)
Posts: 26
Eminent Member
 

As a student I use the EnCase demo disk and the demo version of FTK which is provided by my University, and it is hard to feel you are gaining any valuable experience, but I also look at this in a positive way because while other students complain at the lack of resources and experience they are gaining, I choose to learn myself extra-curricularly by using freely available tools.

FTK Imager
Encase network acquisition disk
Helix
Back Track2
FTK Demo version
The downloads section of this forum

Hopefully giving me the edge in graduate job interviews.

Keydet as a student nearing the end of his course, I would have appreciated some method of gaining experience in the academic environment as you have mentioned.

(Perhaps you could write a book that is aimed at teaching Forensics skills with a list of the free tools available and how to use them)
I'm sure a resource like this would be welcomed by a lot of lecturers, and from what I have been reading, more and more universities are seeing this as an important course, so it should sell well.

Please can I go in the thanks-to section if you do write it.

 
Posted : 02/04/2007 8:30 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Demmis,

Actually, I'm referring to both sides…both IR and CF.

The netcat example I gave is great for IR, of course, but also for CF. Things you can do when setting up the scenario include

1. Use auditpol.exe to disable auditing and clear the Event Logs. Then when the analysis is complete, ask the students how the Event Logs could have been configured to help provide greater detail.

2. Use auditpol.exe to enable process tracking before you launch the process, which will leave an artifact in the Event Logs.

3. Use other tools to "touch" the executable file after you copy it over to the system, so that it's not obvious from a simple search/sort of files on the system that the file was recently added.

4. Install the executable as a service using any of the available Resource Kit tools for this, or just by adding it directly to the Registry via the API…

There's a great deal you can do, and without using a great deal of imagination. Just use any of the techniques that folks are seeing in their own cases…

H

 
Posted : 02/04/2007 8:36 pm
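As an added example (not from the original posts or any tool they mention), the triage checks a student team could run over data collected from the scenario described above: a renamed netcat posing as inetinfo.exe/svchost.exe on a listening port, a service registered with an ImagePath outside the system directories, and an executable whose modified time was "touched" after it was copied over. Every record, path and service name (e.g. WinUpdSvc) is constructed sample data.

```python
"""Student-side triage checks for the classroom scenario above (added example).
All input records are constructed sample data, not output of any real tool."""
from datetime import datetime

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
# Image names that should only ever be loaded from a Windows system directory.
SYSTEM_IMAGES = {"svchost.exe", "inetinfo.exe", "lsass.exe", "services.exe"}

# Constructed listener records: (pid, image name, full image path, local port)
LISTENERS = [
    (1240, "inetinfo.exe", "C:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe", 80),
    (1876, "svchost.exe", "C:\\Documents and Settings\\All Users\\svchost.exe", 4444),
    (1900, "svchost.exe", "C:\\WINDOWS\\system32\\svchost.exe", 135),
]

# Constructed service entries: (service name, ImagePath value from the Registry)
SERVICES = [
    ("Dnscache", '"C:\\WINDOWS\\system32\\svchost.exe" -k NetworkService'),
    ("WinUpdSvc", '"C:\\Documents and Settings\\All Users\\svchost.exe"'),
]

# Constructed file records: (path, created, last modified)
FILES = [
    ("C:\\Documents and Settings\\All Users\\svchost.exe",
     datetime(2007, 3, 30, 22, 14), datetime(2004, 8, 4, 12, 0)),
    ("C:\\WINDOWS\\system32\\svchost.exe",
     datetime(2004, 8, 4, 12, 0), datetime(2004, 8, 4, 12, 0)),
]

def outside_system_dirs(path):
    """True when a (possibly quoted) image path is not under a system directory."""
    return not path.strip('"').lower().startswith(SYSTEM_DIRS)

def suspicious_listeners(listeners):
    """Listening processes named like a system binary but running from elsewhere."""
    return [(pid, image, port) for pid, image, path, port in listeners
            if image.lower() in SYSTEM_IMAGES and outside_system_dirs(path)]

def suspicious_services(services):
    """Services whose ImagePath points outside the system directories."""
    return [name for name, image_path in services if outside_system_dirs(image_path)]

def inconsistent_timestamps(files):
    """Files whose modified time predates their creation time, newest creation first.
    A plain copy produces the same pattern, so this is a lead to check, not proof;
    the lesson is to sort on creation time, not only the 'touched' modified time."""
    hits = [(path, created) for path, created, modified in files if modified < created]
    return sorted(hits, key=lambda rec: rec[1], reverse=True)
```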