Thursday, March 10, 2005


I haven't had many new ideas for blogging lately, so I thought I'd pose a question to the readers...

There are sites that offer up forensic or hacker challenges. Two of the most notable are the HoneyNet Project, and Ed Skoudis' site, CounterHack. Both of these sites offer some really well thought out, well organized challenges. The published results are also quite interesting to read through, looking at both the commonalities and the differences in the approaches the various submitters took.

And then there are sites like Robert Hensing's blog, and "A Day in the life of an Information Security Investigator", that present a more tutorial-style approach...this is what we saw, this is what we did, and this is what we found out...walking through the entire scenario, start to finish.

From my own personal standpoint, I prefer the things I can work on myself, as I learn more that way. Sometimes the tutorial-style approaches don't have enough information for my tastes, and I don't get to manipulate things, try other things, to see what happens.

So, my question to you, the reader, is...which style do you prefer? Is there another style, one which you find more beneficial? What are some sites that you go to for these sorts of things?


Jesse said...

Well, both! As much as I love doing the Scan of the Month challenge, it takes time and is not something I can do every morning. I can, however, scan through the Internet Storm Center or the other tutorial-style blogs on the web and get a feel for what others are doing. It's not as good as doing it myself, but it's better than nothing!

Chris said...

I also would say a little of both. I like the SoTM, but it does take many hours to complete. Something a little more bite-sized would be nice. Perhaps taking a SoTM-size project and breaking it down into four chunks, finishing one each week, so people who get stuck would get a clue to get unstuck and can continue learning.

Brandon said...

I am in agreement with both Jesse and Chris. I really like the SOTMs because I can sit down over a weekend, think it out, and come up with a solution or wait out the results. Either way, I am doing the work for myself and taxing my own KB. But when I can't get to one, I enjoy reading the solutions.

If Hensing used tools that I could relate to, I think I would get more out of his blog. Not to say that I haven't taken anything away from them, but it's not like I can go grab Wolf in the same fashion I can the WFIR.

Keep up the good work with whatever you decide.

Keydet89 said...

Great feedback, everyone!

Brandon, what are you referring to when you say "WFIR"?



Brandon said...

Woops, I looked over at the Windows Forensics and Incident Response book on my book rack, and acro'd it instead of the FSP.

Keydet89 said...


Do you use the FSP?

If so, would you care to post your fruc.ini file? ;-)