Annual Computer Security Applications Conference (ACSAC) 2012

Full Program »

TF2: Tracer FIRE – Adversarial-based, Defensive Forensics Situational Awareness Exercise

Tuesday, 4 December 2012
13:30 - 17:00


Tracer FIRE, (Forensic and Incident Response Exercise), is a program developed by Sandia and Los Alamos National Laboratories to educate and train cyber security incident responders (CSIRs) and analysts in critical skill areas, and to improve collaboration and teamwork among staff members. Under this program, several hundred CSIRs from the Department of Energy and other U.S. government agencies have been trained. In Tracer FIRE, attendees will learn about a variety of topics in the areas of incident response, forensic investigation and analysis, file systems, memory layout and malware analysis. Tracer FIRE includes a mixture of lecture, hands-on training, and competitive exercises designed to provide the attendees with the knowledge and practice to apply what they have learned in a real-world situation.

Both days of this professional development course are split into two sections. The morning, classroom portion, will consist of both lecture and hands-on training with forensic analysis tools. The training will focus on defensive forensics analysis by training the participants using adversarial-based analogies. By approaching forensic analysis from the mind of an advisory, the incident responder will gain better situational awareness. In the afternoon, attendees will be divided into teams and will participate in a competition that will require them to apply what they have learned during the classroom training. During this competition, the teams will solve cyber security challenges involving host forensic analysis while attempting to defend their computer system, and attacking the systems belonging to the other teams. This exercise will allow attendees to develop practice at maintaining network situational awareness and use of forensic tools, and hone their teaming and communication skills.

Note: Student scholarships are available to support undergraduate and graduate student participation in Tracer FIRE – please see

Day 1 Outline

  1.  Rapid Response Cyber Forensics. The need for "cyber triage". Tools and protocols used by CSIR teams to discover events. Methods to prioritize actionable events. Importance of updating defensive systems.
  2.  Introduction to EnCase Enterprise. Acquiring a remote forensic image. Difference between logical and physical images. Basic examination of forensic image. General functionality.
  3.  Disk and File Systems for Incident Responders. Low level details of the NT file system. Associated artifacts of the operating system. Windows registry, Master Boot Records, BIOS, and UEFI (firmware drivers).
  4.  Network Reverse Engineering for Incident Responders. Using Wireshark to quickly organize views of network events. Writing logic to dissect unknown network protocols using Python and Scapy.

Day 2 Outline

  1.  Memory Space: The Final Frontier. Issues with acquisition of a memory image from a live system. Layout of memory in Windows. Examination of memory contents. Use of Memorize and Audit Viewer. Hands-on memory acquisition. Analysis of memory image.
  2.  File Carving and PDF, Java, Flash, and Windows PE reverse engineering. Reasons for file carving. Discovery and reassembly of file fragments. Examination of PDF, Java, Flash, PE file format. Malicious PDF, Java, Flash, PE analysis.
  3.  Embedded Protocol Analysis & Attack Situational Awareness. Introduction to custom hardware protocols. Creative techniques for situational awareness from both an attacker and defender’s perspective.


Attendees will require a basic understanding of computer systems, networks and general cyber security concepts. Workstations and the EnCase Enterprise suite will be provided for the attendees – no personal hardware or software is required.

About the Instructors

Mr. Kevin Nauer is a member of technical staff at Sandia and has over ten years experience in conducting forensic analysis and leading a team of analysts to conduct incident response operations. Kevin has been leading a development effort for the past three years to develop a framework to support collaborative cyber security incident response operations. Kevin holds a B.S. and M.S in computer science, and he has also served as a Captain in the US Army Intelligence and Security Command where he helped form a new organization to support national intelligence operations integrating computer forensic analysis techniques.

Mr. Ben Anderson is a member of technical staff at Sandia and has conducted research in virtualization and SSD Forensics. He holds a master's degree in computer engineering from Iowa State University and previously served in the Marines Corps as a member of their Fleet Antiterrorism Security Team Co.

Mr. Theodore Reed is a member of technical staff at Sandia and has focused on red team assessments and high-fidelity modeling and simulation of cyber systems.



Powered by OpenConf®
Copyright©2002-2014 Zakon Group LLC