All rights reserved. All other trademarks are the property of their respective owners.

September in GIAC. He's a very clear and concise instructor and the class rolls along at a good pace. It's a mid-sized class, about 30 people, but it's good stuff. Day One reviewed some basics for me, but otherwise it looks like it's going to get better as the days go by. Need to make up for it this time.
What's your favorite Sans course and why?
It's good to be back at Caesar's Palace. Brings back memories.

September: Are you facilitating? I thought about trying to go for that event, but for one thing I didn't feel like facilitating their largest event, and two, my wife and I are wanting to go to Vegas for vacation for what would be our first visit there.
If you don't mind doing a mini review on the class that would be awesome. Very nice. Looking forward to the full review. I'm sticking to the minors for now. I'm looking forward to your updates. I'm not facilitating since this is an employer-sponsored trip. Day Two was mainly about NetFlow and while I already have some experience in this area, at the same time the material filled some gaps since publicly-available resources never answered all my questions on variations on implementations and use.
I also just came out of a great talk by Jason Fossen on Windows 10 and Server which went overtime. Lots of interesting things in the works by the folks at Redmond. Sounds awesome I can't wait for my employer to send me to my first SANS course. I look forward to this review. I eventually want to take this one too.
Carbs versus EFI. In simple terms, there is a fundamental calibration difference between carbs and EFI.
An EFI system can be programmed with exceptional accuracy, and this uncovers less-than-obvious moves toward greater output. In some of my writings I have made a direct dyno comparison between a 4-barrel carbureted engine and a similar-style EFI-equipped engine with a 4-barrel throttle body.
In every case, the carbureted engine wins out in terms of WOT output. The primary reason for this appears to be that the carb introduces the fuel to the air at a more optimal point than does the usual EFI port-injected setup.
But there are also other contributory factors, such as atomization, distribution within each individual runner, etc. With no boosters to inhibit airflow, this Dominator-style throttle body has the ability to flow about 2, cfm.
Couple that with a good race intake such as this Brodix version to realize a formula for high output. Carburetors can deliver very good results, as did this BLP-style carb on the street engine shown here. This unit used a Dart block, with heads and intake by Brodix. It was equipped with an Electromotive EFI system that sported a four-coil wasted-spark-style ignition system. After ace calibration specialist Scott Clark finished, this unit made a solid hp with a rpm idle.
In addition, we can draw on more than 60 years of development with Holley carbs and single-plane intakes. Considering all this evidence, why would anyone pay three to four times as much to get slightly less output? In practice, EFI has certain advantages over carburetors. First, EFI has the capability to produce the best smooth and steady idle. Second, the ignition timing curve can be tailored precisely to each individual cylinder, so the engine can (and this is important) run more compression, because it is the first cylinder to detonate that limits the use of a single mean best-torque timing.
For example, if one cylinder starts to detonate at 28 degrees but all the others make their best power at 30 degrees, the 28-degree cylinder is the one that sets the limit. If you could set each cylinder separately, one would be at 28 degrees and seven would be at 30 degrees. Unfortunately, you cannot do this easily with a regular distributor and a carb. The engine would be stuck at one timing figure (28 degrees in this example) for all cylinders, so seven of the cylinders would be short of their best.
Third, with a port-injected system, the fuel curve for each cylinder can be tailored to suit. Finally, because an EFI system does not rely on intake manifold vacuum to atomize the fuel, the drivability at small, street-use throttle openings is far better, as is the cold-start cycle.
On top of that, with expert calibrations, bore wear from cold starts is virtually eliminated. All of these factors mean that if you build from the outset to use EFI, you are in a position to have a streetable engine that makes more torque and horsepower along with having the potential of lower fuel consumption. EFI System Variations. Fundamentally, you have three main types of fuel-injection systems. Let me give you a brief overview of each of them.
This type of system uses an injector positioned above the top of the throttle body.

January in GIAC. Just like the title says, what's your favorite Sans course and why?
January: So far? SANS: very interesting material, well-rounded course. The anti-forensic methods apply to offensive specialists too.
I've only done and ; however, I'd vote for or just based on reading over the course descriptions on SANS' site. Plus Ed Skoudis is the best. Phones are not going anywhere in both corporate and personal environments. Learning how to break an Android app or doing packet captures through your iPhone can be very vital if you're just doing bug bounties, or if you're trying to see if something is spying on you, OR if your company's app is broadcasting your creds in the clear.
I would concur. I was lucky and got to do work-study for mine, which was taught by John Strand. John did a fantastic job and was very engaging, which is hard to do in a course with this level of material and the time it takes to teach it. This was the third SANS class I've done in person, and by the fourth or fifth day you can be really wiped out with brain overload.
John did a great job keeping the conversation on point, providing real-world examples of applying the material, and staying engaged with the participants.

Advanced Network Forensics
I'm not diminishing the performance of my other instructors, just saying that John has been the best I've had so far, which made it my favorite.

May: The best and most relevant class I have taken is FOR.

GNFA certification holders have demonstrated an understanding of the fundamentals of network forensics, normal and abnormal conditions for common network protocols, processes and tools used to examine device and system logs, and wireless communication and encrypted protocols.
Note: GIAC reserves the right to change the specifications for each certification without notice. GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account.
You will have days from the date of activation to complete your certification attempt. There are many sources of information available regarding the certification objectives' knowledge areas. Practical experience is an option; there are also numerous books on the market covering computer information security. Another option is any relevant courses from training providers, including SANS.
A community dedicated to the branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The field is the application of several information security principles and aims to provide for attribution and event reconstruction following from audit processes.
This subreddit is not limited to just computers and encompasses all media that may also fall under digital forensics. Topics include digital forensics, incident response, malware analysis, and more. Vote based on the quality of the content. Irrelevant submissions will be pruned in an effort towards tidiness.

I have been working on the SANS FOR as a self-study.
I am not doing network forensics regularly and it is a kick in the teeth. I will absolutely be finishing the course, but my employer will not pay for the cert exam. I don't anticipate network forensics becoming a central part of my workload, but I'm really enjoying the cross-training. Those of you that hold the cert, would you recommend pursuing the cert, especially if it means taking the exam more than once?
I just took this course last month and it was awesome. If you've gone through the work, you might as well take the test. I heard it's tough though. I'm still making my way through all of the material (notes and more practice with the labs), but I will definitely be taking the cert.
Is there any reason why they won't pay for the exam, having already (I assume) covered the cost of the training? It isn't that much more, and it's great for your team, which is maybe only you? If they won't pay for the cert, pay for it yourself, then use it to find a job that will pay for the next one. I have it. The test was by far the most difficult one I've taken. Command line out the yang for sure.

Take your system-based forensic knowledge onto the wire.
Incorporate network evidence into your investigations, provide better findings, and get the job done faster. It is exceedingly rare to work any forensic investigation that doesn't have a network component. Endpoint forensics will always be a critical and foundational skill for this career, but overlooking a system's network communications is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, or employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident.
Its evidence can provide the proof necessary to show intent, uncover attackers that have been active for months or longer, or may even prove useful in definitively proving a crime actually occurred. Many investigative teams are incorporating proactive threat hunting into their skills, in which existing evidence is used with newly acquired threat intelligence to uncover evidence of previously unidentified incidents.
Others focus on post-incident investigations and reporting. Still others engage with an adversary in real time, seeking to contain and eradicate the attacker from the victim's environment.
In these situations and more, the artifacts left behind from attackers' communications can provide an invaluable view into their intent, capabilities, successes, and failures.
In FOR, we focus on the knowledge necessary to examine and characterize communications that have occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero.
Put another way: Bad guys are talking - we'll teach you to listen. This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness.
You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap-based dissection, ancillary network log examination, and more.
We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is underway.
Whether you are a consultant responding to a client's site, a law enforcement professional assisting cybercrime victims and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of threat hunters, this course offers hands-on experience with real-world scenarios that will help take your work to the next level.
Previous SANS SEC curriculum students and other network defenders will benefit from the FOR perspective on security operations as they take on more incident response and investigative responsibilities. SANS DFIR alumni can take their existing operating system or device knowledge and apply it directly to the network-based attacks that occur daily.
In FOR, we solve the same caliber of real-world problems without the use of disk or memory images.

We focus on the knowledge necessary to expand the forensic mindset from residual data on the storage media of a system or device to the transient communications that occurred in the past or continue to occur.

Focus: Although many concepts of network forensics are similar to those of any other digital forensic investigation, the network presents many nuances that require special attention.
Today you will learn how to apply what you already know about digital forensics and incident response to network-based evidence. You will also become acclimated to the basic tools of the trade. Full packet content can be preserved only if it is captured directly from the wire; whether tactical or strategic, the capture methods themselves are quite basic.
You will re-acquaint yourself with tcpdump and Wireshark, the most common tools used to capture and analyze network packets, respectively. However, since long-term full-packet capture is still uncommon in most environments, many artifacts that can tell us about what happened on the wire in the past come from devices that manage network functions. You will learn about what kinds of devices can provide valuable evidence and at what level of granularity. We will walk through collecting evidence from one of the most common sources of network evidence - a web proxy server - then go hands-on to find and extract stolen data from the proxy yourself.
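The proxy exercise described above, as an added example that is not part of the course material or SANS's own tooling: it sums outbound request bytes per client and destination and flags large uploads to hosts that no one else in the organization talks to. The log layout is a constructed, simplified proxy format (not Squid's or any vendor's exact output), and the byte and rarity thresholds are illustrative assumptions.

```python
"""Find bulk uploads in web proxy logs: the 'stolen data leaving via the proxy' hunt.
Added example (not course material). The log layout is a constructed, simplified
proxy format, not Squid's or any vendor's exact output:
    <epoch> <client_ip> <method> <url> <status> <request_bytes> <response_bytes>
where request_bytes is the size of the body the client sent outbound. The
thresholds are illustrative assumptions."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: routine browsing plus one client pushing several large
# POST bodies to a host that no other client talks to, and one corrupt line.
SAMPLE_LOG = """\
1700000000 10.1.1.20 GET http://intranet.example/home 200 0 5120
1700000005 10.1.1.21 GET http://news.example/top 200 0 40960
1700000010 10.1.1.20 POST http://intranet.example/search 200 180 2048
1700000020 10.1.1.37 POST https://cdn-sync.example/up?id=1 200 1048576 120
1700000080 10.1.1.37 POST https://cdn-sync.example/up?id=2 200 2097152 120
1700000140 10.1.1.37 POST https://cdn-sync.example/up?id=3 200 1572864 120
1700000150 10.1.1.21 PUT http://wiki.example/page/42 204 4096 0
this line is corrupt and must be skipped
"""

def parse_line(line):
    """Split one record into typed fields; return None for malformed lines
    rather than aborting a multi-gigabyte run on one bad entry."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, url, status, req_bytes, resp_bytes = parts
    try:
        return {"ts": int(ts), "client": client, "method": method.upper(),
                "host": urlsplit(url).hostname or "", "status": int(status),
                "req_bytes": int(req_bytes), "resp_bytes": int(resp_bytes)}
    except ValueError:
        return None

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def upload_totals(records, methods=("POST", "PUT", "PATCH")):
    """Outbound request bytes summed per (client, host) for body-carrying methods."""
    totals = defaultdict(int)
    for r in records:
        if r["method"] in methods:
            totals[(r["client"], r["host"])] += r["req_bytes"]
    return dict(totals)

def clients_per_host(records):
    """How many distinct clients talk to each host; rarity is a strong signal."""
    seen = defaultdict(set)
    for r in records:
        seen[r["host"]].add(r["client"])
    return {host: len(clients) for host, clients in seen.items()}

def find_suspect_uploads(records, min_bytes=1_000_000, max_clients=1):
    """Flag (client, host) pairs that uploaded at least min_bytes to a host used
    by no more than max_clients clients, largest first."""
    popularity = clients_per_host(records)
    hits = [{"client": c, "host": h, "bytes_out": sent}
            for (c, h), sent in upload_totals(records).items()
            if sent >= min_bytes and popularity[h] <= max_clients]
    return sorted(hits, key=lambda hit: -hit["bytes_out"])

if __name__ == "__main__":
    for hit in find_suspect_uploads(parse_log(SAMPLE_LOG)):
        print(hit)
```

On a real proxy the request-body size may live in a non-default log field (or not be logged at all); confirm which column carries it before trusting the totals, and remember that an attacker who splits the exfil across many destinations defeats the rarity test, so the raw per-client byte total is worth reviewing as well.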
The Linux SIFT virtual machine, which has been specifically loaded with a set of network forensic tools, will be your primary toolkit for the week.
We will cover several of the network protocols most likely to benefit the forensicator in typical casework, as well as several that help demonstrate analysis methods useful when facing new, undocumented, or proprietary protocols. By learning the "typical" behaviors of these protocols, we can more readily identify anomalies that may suggest an adversary is misusing a protocol for nefarious purposes.
These protocol artifacts and anomalies can be profiled through direct traffic analysis as well as through the log evidence created by systems that have control or purview of that traffic. While this affords the investigator vast opportunities to analyze network traffic, efficient analysis of large quantities of source data generally requires tools and methods designed to scale.
Knowing how protocols appear in their normal use is critical if investigators are expected to identify anomalous behaviors.
By looking at some of the more commonly used network communication protocols, we will specifically focus on the ways in which they can be easily misused by an adversary or a malware author. While no one course could ever exhaustively cover the dizzying list of protocols used in a typical network environment, you will build the skills needed to learn whatever new protocols may come your way.
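One concrete instance of "learn how a protocol looks when it is normal, then spot misuse", added here as an example and not taken from the course: a small parser for the DNS wire format (header, question and answer sections, including RFC 1035 name compression) followed by simple heuristics for query names that carry encoded data, the pattern used by DNS tunnels. DNS is my choice of protocol for the illustration; the page does not single it out. All messages are constructed in-line with a helper, and the label-length and entropy thresholds are assumptions to be tuned against your own resolver baseline.

```python
"""Parse the DNS wire format and baseline query names for tunneling-style abuse.
Added example (not course material); messages are constructed in-line and the
anomaly thresholds are illustrative assumptions, not RFC or product values."""
import math
import struct
from collections import Counter

def read_name(msg, offset):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, end).
    Rejects pointer loops and labels running past the message, both of which a
    hostile packet can use against a naive parser."""
    labels, visited, jumped, end = [], set(), False, offset
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if ptr in visited:
                raise ValueError("compression pointer loop")
            visited.add(ptr)
            if not jumped:
                end = offset + 2  # the name ends right after the first pointer
            jumped, offset = True, ptr
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_message(msg):
    """Return (header, questions, answers); enough for A/AAAA/TXT triage."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        offset += rdlen
        answers.append((name, rtype, ttl, rdata))
    header = {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
              "qdcount": qd, "ancount": an}
    return header, questions, answers

def is_malformed(msg):
    """True when the message violates the wire format (truncation, loops)."""
    try:
        parse_message(msg)
        return False
    except (ValueError, struct.error):
        return True

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def qname_anomalies(qname, max_label=30, max_entropy=3.8):
    """Heuristics for data smuggled in a query name; tune against your own baseline."""
    labels = qname.split(".")
    host_part = ".".join(labels[:-2])  # crude stand-in for "left of the registrable domain"
    reasons = []
    if any(len(label) > max_label for label in labels):
        reasons.append("long label")
    if host_part and shannon_entropy(host_part) > max_entropy:
        reasons.append("high entropy")
    return reasons

def build_query(qname, qtype=1, txid=0x1234):
    """Encode a plain standard query; used only to construct the samples below."""
    out = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    for label in qname.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed samples: a benign A query, a TXT query whose first label looks like
# base32 payload, a response whose answer name is a pointer (0xC00C) back to the
# question name, and a message whose pointer points at itself.
BENIGN = build_query("www.example.com")
TUNNEL = build_query("mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.example.net", qtype=16)
RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + BENIGN[12:] + b"\xc0\x0c"
            + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([93, 184, 216, 34]))
LOOP = struct.pack("!6H", 1, 0, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)
```

Calling parse_message(RESPONSE) resolves the answer's compressed name back to www.example.com, qname_anomalies on the TUNNEL query name returns both flags, and is_malformed(LOOP) is True instead of hanging, which is the behaviour you want from anything that will be pointed at attacker-supplied packets. The same skeleton (fixed header, length-prefixed fields, pointer handling, hostile-input checks) is what you end up writing for an undocumented protocol as well.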
The ability to "learn how to learn" is critical, as new protocols are being developed every day. Advanced adversaries develop their own protocols, too, and as you will see later in this class, successfully understanding and counteracting an adversary's undocumented protocol is a similar process to learning those you will see in this section.

Log data is one of the unsung heroes in the realm of network forensics. While the near-perfect knowledge that comes with full-packet capture seems ideal, it suffers from several shortfalls.
It is often unavailable, as many organizations have not yet deployed or cannot deploy comprehensive collection systems. When they are in use, network capture systems quickly amass a huge volume of data, which is often difficult to process effectively and must be maintained in a rolling buffer covering just a few days or weeks. Understanding log data and how it can guide the investigative process is an important network forensicator skill.
Examining network-centric logs can also fill gaps left by an incomplete or nonexistent network capture. In this section, you will learn various logging mechanisms available to both endpoint and network transport devices. You will also learn how to consolidate log data from multiple sources, providing a broad corpus of evidence in one location. As the volume of log data increases, so does the need to consider automated analytic tools.
You'll use the SOF-ELK platform for post-incident log aggregation and analysis, bringing quick and decisive insight to a compromise investigation.
Focus: Network connection logging, commonly called NetFlow, may be the single most valuable source of evidence in network investigations. Many organizations have extensive archives of flow data due to its minimal storage requirements.
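Flow records carry no payload, so what you hunt for in them is shape: who moved the most bytes, and which connections recur on a timer. The following is an added example, not course material or the output of any flow tool: it loads constructed NetFlow-style records from a CSV layout of my own choosing (loosely modelled on common exporter fields, not nfdump's or any collector's exact format), ranks source/destination pairs by bytes, and flags series whose inter-flow gaps and sizes are nearly constant, the low-and-slow command-and-control check-in pattern. Thresholds are illustrative assumptions.

```python
"""Find periodic C2 check-ins and top talkers in NetFlow-style connection records.
Added example (not course material). The records are constructed in-line in a
CSV layout of my own choosing (start, end, src, dst, sport, dport, proto,
packets, bytes), not any exporter's exact output; thresholds are assumptions."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed records: one host checking in to 203.0.113.8:443 every ~5 minutes
# with near-identical sizes (beacon), another host doing irregular bulk
# transfers to 198.51.100.5, and a lone DNS lookup.
FLOW_CSV = """\
start,end,src,dst,sport,dport,proto,packets,bytes
2024-03-01T09:00:00Z,2024-03-01T09:00:01Z,10.2.0.15,203.0.113.8,49152,443,6,9,1210
2024-03-01T09:05:01Z,2024-03-01T09:05:02Z,10.2.0.15,203.0.113.8,49160,443,6,9,1188
2024-03-01T09:10:00Z,2024-03-01T09:10:01Z,10.2.0.15,203.0.113.8,49171,443,6,8,1204
2024-03-01T09:14:59Z,2024-03-01T09:15:00Z,10.2.0.15,203.0.113.8,49183,443,6,9,1196
2024-03-01T09:20:02Z,2024-03-01T09:20:03Z,10.2.0.15,203.0.113.8,49190,443,6,9,1211
2024-03-01T09:25:00Z,2024-03-01T09:25:01Z,10.2.0.15,203.0.113.8,49201,443,6,9,1190
2024-03-01T09:00:12Z,2024-03-01T09:00:40Z,10.2.0.22,198.51.100.5,51000,443,6,320,410000
2024-03-01T09:07:45Z,2024-03-01T09:07:46Z,10.2.0.22,198.51.100.5,51044,443,6,12,3400
2024-03-01T09:31:03Z,2024-03-01T09:31:09Z,10.2.0.22,198.51.100.5,51120,443,6,40,52000
2024-03-01T09:02:00Z,2024-03-01T09:02:00Z,10.2.0.15,10.2.0.1,53022,53,17,1,74
"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_flows(text):
    """Parse the CSV into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({"start": parse_ts(row["start"]), "end": parse_ts(row["end"]),
                      "src": row["src"], "dst": row["dst"],
                      "sport": int(row["sport"]), "dport": int(row["dport"]),
                      "proto": int(row["proto"]), "packets": int(row["packets"]),
                      "bytes": int(row["bytes"])})
    return flows

def bytes_by_pair(flows):
    """Total bytes per (src, dst): the quick 'who moved the most data' view."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes"]
    return dict(totals)

def group_sessions(flows):
    """Group by (src, dst, dport, proto); the ephemeral source port is ignored
    because each new check-in uses a fresh one."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"], f["proto"])].append(f)
    return groups

def beacon_score(series, min_flows=4):
    """Return (mean_gap_seconds, coefficient_of_variation) of the gaps between
    successive flow starts, or None when the series is too short to judge."""
    if len(series) < min_flows:
        return None
    starts = sorted(f["start"] for f in series)
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean

def find_beacons(flows, max_gap_cv=0.1, max_size_cv=0.25, min_flows=4):
    """Flag series whose inter-flow gaps and byte counts are both nearly constant,
    the classic low-and-slow check-in pattern."""
    hits = []
    for (src, dst, dport, proto), series in group_sessions(flows).items():
        score = beacon_score(series, min_flows)
        if score is None:
            continue
        mean_gap, gap_cv = score
        sizes = [f["bytes"] for f in series]
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "proto": proto,
                         "flows": len(series), "period_s": round(mean_gap),
                         "gap_cv": round(gap_cv, 3)})
    return sorted(hits, key=lambda h: h["gap_cv"])

if __name__ == "__main__":
    flows = load_flows(FLOW_CSV)
    for hit in find_beacons(flows):
        print("beacon:", hit)
    for pair, total in sorted(bytes_by_pair(flows).items(), key=lambda kv: -kv[1]):
        print("bytes", pair, total)
```

Two caveats a practitioner should carry into real data: implants that add random jitter to their sleep interval push the gap coefficient of variation up, so widen the threshold or compare against a histogram of gaps rather than a single statistic; and sampled or inactive-timeout-split flows change both the counts and the byte totals, so check the exporter's sampling rate and timeouts before reading too much into either number.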