December 5–9, 2011 | Buena Vista Palace Hotel & Spa | Orlando, Florida, USA

• Venue
• Program
•   –   Courses / Tutorials
•   –   FISMA Training
•   –   GTIP Workshop
•   –   LAW Workshop
• Print Proceedings
• Sponsorships & Exhibits
• Committees
• Call for Participation

• About ACSAC
• Past ACSACs
• Mailing List
• Security Bookshelf
• FAQs

2011 Annual Computer Security Applications Conference

TF1 – Tracer FIRE – A Forensic and Incident Response Exercise – Part 1

Kevin Nauer and Benjamin Anderson, Sandia National Laboratory

Monday, December 5th, Full Day

Tracer FIRE, (Forensic and Incident Response Exercise), is a program developed by Sandia and Los Alamos National Laboratories to educate and train cyber security incident responders (CSIRs) and analysts in critical skill areas, and to improve collaboration and teamwork among staff members. Under this program, several hundred CSIRs from the Department of Energy and other U.S. government agencies have been trained. In Tracer FIRE, attendees will learn about a variety of topics in the areas of incident response, forensic investigation and analysis, file systems, memory layout and malware analysis. Tracer FIRE includes a mixture of lecture, hands-on training, and competitive exercises designed to provide the attendees with the knowledge and practice to apply what they have learned in a real-world situation.

This full-day professional development course is split into two sections. The morning, classroom portion, will consist of both lecture and hands-on training with forensic analysis tools. After this classroom training, attendees will be familiar with the difficulties facing CSIR Teams in performing "cyber triage" of incidents, and many of the methods used to quickly identify important events on the network. In addition, students will receive hands-on training in forensic search, collection and analysis of NT file systems using the EnCase Enterprise forensic tool suite, the leading computer forensic solution in use by government agencies and corporations.

In the afternoon, attendees will be divided into teams and will participate in a competition that will require them to apply what they have learned during the classroom training. During this competition, the teams will solve cyber security challenges involving host forensic analysis while attempting to defend their computer system, and attacking the systems belonging to the other teams. This exercise will allow attendees to develop practice at maintaining network situational awareness and use of forensic tools, and hone their teaming and communication skills.

Note: This course is Part 1 of a two-part course. Attendees are encouraged to enroll in TF1 (Part 1) and TF2 (Part 2). A discounted combination rate is provided for those attending both days. Student scholarships may be available – please see http://www.acsac.org/2011/cfp/students/.

Outline

1. Rapid Response Cyber Forensics. The need for "cyber triage". Tools and protocols used by CSIR teams to discover events. Methods to prioritize actionable events. Importance of updating defensive systems.
2. Introduction to EnCase Enterprise. Acquiring a remote forensic image. Difference between logical and physical images. Basic examination of forensic image. General functionality.
3. File Systems for Incident Responders. Low level details of the NT file system. Associated artifacts of the operating system. Windows registry.

Prerequisites

Attendees will require a basic understanding of computer systems, networks and general cyber security concepts. Workstations and the EnCase Enterprise suite will be provided for the attendees – no personal hardware or software is required.

About the Instructors

Mr. Kevin Nauer is a member of technical staff at Sandia and has over ten years experience in conducting forensic analysis and leading a team of analysts to conduct incident response operations. Kevin has been leading a development effort for the past three years to develop a framework to support collaborative cyber security incident response operations. Kevin holds a B.S. and M.S in computer science, and he has also served as a Captain in the US Army Intelligence and Security Command where he helped form a new organization to support national intelligence operations integrating computer forensic analysis techniques.

Mr. Ben Anderson is a member of technical staff at Sandia and has conducted research in virtualization and SSD Forensics. He holds a master's degree in computer engineering from Iowa State University and previously served in the Marines Corps as a member of their Fleet Antiterrorism Security Team Co.

Home | Mailing List | FAQs | Privacy Policy | Contact Us

Copyright © 2011 ACSAC