SANSFIRE Day3

It's 2:09 AM Wednesday morning, day four of SANSFIRE. Insomnia has sent in, so it's time to update my blog on the training event. Day 3 saw more excellent teaching in the FOR 558 class. This class is both a logical next step after SEC 503 (Intrusion Detection In Depth) and a different perspective from that track. Going beyond the role of intrusion analyst, it shows you how to become a forensics investigator into events from the network perspective. More than just incident response (identify, eradicate and recover), we're seeing how to take packet data found all over the network and pull the artifacts from the packets. Hex editors and protocol specific tools for SMTP, AIM, Squid and others as well as general packet parsing tools all combine to not just reconstruct the session and see what happened, but extract the data much like a traditional forensics investigator would from a hard drive. We're told day four will be the most hard core yet. From a survey of the book, looks like we're going into Netflow and wireless, as well as concepts in digital evidence.