Tracer FIRE

This is the fourth year Tracer FIRE has been offered at ACSAC, but it is definitely not the same course that has been offered in the past, and we encourage past attendees to consider taking the course again. While the general topics of incident response, forensic investigation and analysis, file systems, memory layout and malware analysis haven't changed – the past year has seen a complete update of the course content and forensic challenges.

This year, students and professionals will:

  • Learn how to recognize and analyze SQL injection attacks
  • Observe, understand how named pipes can be used maliciously
  • Dissect a buffer overflow attack
  • Learn how Windows Active Directory can be compromised via token kidnapping and credential stealing

For those not familiar with this training: Tracer FIRE (Forensic and Incident Response Exercise) is a program developed by Sandia and Los Alamos National Laboratories to educate and train cyber security incident responders (CSIRs) and analysts in critical skill areas, and to improve collaboration and teamwork among staff members. Under this program, several hundred CSIRs from the Department of Energy, other U.S. government agencies, and critical infrastructure organizations have been trained.

Both days of this professional development course are split into two sections. The morning will consist of both lecture and hands-on training with forensic analysis tools. The training will focus on defensive forensics analysis by training the participants using adversarial-based analogies. The goal of approaching forensic analysis from the mind of an adversary is to improve the situational awareness of the incident responder.

In the afternoon, attendees will be divided into teams and will participate in a competition that will require them to apply what they have learned during the classroom training. During this competition, the teams will solve cyber security challenges involving a range of forensic analysis techniques. This exercise allows attendees to practice maintaining network situational awareness, use of forensic tools, and hone their teaming and communication skills. In addition, students will be required to present their understanding of the overall scenario, identifying key actors, events and actions to demonstrate their ability to understand the attacker's actions.

Day 1 Outline

  1. Rapid Response Cyber Forensics. The need for "cyber triage". Tools and protocols used by CSIR teams to discover events. Methods to prioritize actionable events. Importance of updating defensive systems.
  2. Introduction to Host Forensics. Difference between logical and physical images. Basic examination of a forensic image. Low level details of the NT file system. Associated artifacts of the operating system. Windows registry, Master Boot Records, BIOS, and UEFI (firmware drivers).
  3. Network Reverse Engineering for Incident Responders. Using Wireshark to quickly organize views of network events. Writing logic to dissect unknown network protocols using Python and Scapy.

Day 2 Outline

  1. Memory Analysis: Layout of memory in Windows. Examination of memory contents. Use of Memorize and Audit Viewer. Analysis of memory image.
  2. PDF Analysis: PDF file format and analysis of malicious PDF files.
  3. Embedded Protocol Analysis & Attack Situational Awareness. Introduction to custom hardware protocols. Creative techniques for situational awareness from both an attacker and defender's perspective.


Attendees will require a basic understanding of computer systems, networks and general cyber security concepts. It is strongly recommended that students view the training materials that will be provided prior to the exercise.

Laptops with all required software will be provided for the class – no personal hardware or software is required. Students that wish to utilize other software may do so, as long as they are properly licensed to use the software.

Additional ACSA Events:
NSPW – New Security Paradigms Workshop
LASER – Learning from Authoritative Security Experiment Results