Wednesday, October 15, 2008

SANS Forensic Summit

The SANS Forensic Summit, a first-of-its-kind event for incident responders and forensic analysts, is over and I have to give a hearty and whole-hearted thanks to Rob Lee for chairing the event and bringing everyone...consultants, practitioners, and yes, even vendors...into such a unique forum. The combination panel and presentation format provided a great opportunity for attendees to interact with speakers in ways other than just listening to their presentations.

Speaking of which, there were a number of exceptional presentations throughout the two days. Rob talked about using TSK's fls and ils to generate file system timelines, which led me to think that it wouldn't be too great a stretch to add the same sort of capability to RegRipper, and have the Registry data included in the timeline information. The guys from Verizon gave a great presentation on their incident statistics, and the Mandiant presentation illustrated some interesting artifacts from a real-world examination.
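The idea above, Registry data dropped into the same timeline as the fls/ils output, works because mactime only needs records in TSK's body format. The following added example (my own illustration, not RegRipper or TSK code) emits Registry key LastWrite times as body records beside constructed fls-style records and merges them into one sorted timeline; the hive paths, timestamps and the `[REG]` name prefix are constructed assumptions.

```python
from datetime import datetime, timezone

# TSK body format (what "fls -m" and "ils -m" emit for mactime), one record per line:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Constructed sample records, not real evidence.
FLS_BODY = """\
0|C:/Windows/Temp/svc.tmp|12345|r/rrwxrwxrwx|0|0|40960|1223424000|1223423940|1223423940|1223423900
0|C:/Users/bob/NTUSER.DAT|6789|r/rrwxrwxrwx|0|0|262144|1223424100|1223424100|1223424100|1200000000
"""

# Constructed Registry data: key path -> LastWrite time (epoch seconds). A RegRipper-style
# plugin would read these from the hive; here they are a hypothetical parsed result.
REG_LASTWRITE = {
    "HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run": 1223423950,
    "HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/UserAssist": 1223424050,
}

FIELD_FLAGS = "amcb"  # body fields 7..10 are atime, mtime, ctime, crtime
MACB = "macb"         # the order mactime prints the flags in

def registry_body_lines(lastwrites):
    """Emit Registry keys as body records so mactime can ingest them unchanged.
    A key only has a LastWrite time, so it goes in the mtime slot; the other
    timestamp fields stay 0, which mactime ignores."""
    return [f"0|[REG] {key}|0|reg/key|0|0|0|0|{ts}|0|0" for key, ts in lastwrites.items()]

def parse_body(lines):
    """One event per (timestamp, name) with a mactime-style flag string,
    '.' marking a timestamp that does not apply to that event."""
    flags = {}
    for line in lines:
        fields = line.strip().split("|")
        if len(fields) != 11:
            continue  # blank or malformed record: skip rather than guess
        name = fields[1]
        for pos, ts in enumerate(fields[7:11]):
            ts = int(ts)
            if ts:
                slot = flags.setdefault((ts, name), ["."] * 4)
                slot[MACB.index(FIELD_FLAGS[pos])] = FIELD_FLAGS[pos]
    return [(ts, "".join(fl), name) for (ts, name), fl in flags.items()]

def build_timeline(fls_text, lastwrites):
    """Merge file system and Registry events into one sorted, mactime-like timeline."""
    lines = fls_text.splitlines() + registry_body_lines(lastwrites)
    return [f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} {flag} {name}"
            for ts, flag, name in sorted(parse_body(lines))]
```

Because the Registry records are ordinary body lines, the same output can be appended to a real fls bodyfile and fed to mactime instead of this script's own sorter.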

One prevalent theme throughout the summit was that there were a lot of folks "calling the baby ugly". As humorous as that may sound, that was the euphemism for being up-front and letting folks know, yes, we have a problem. At least one of the issues identified that both Richard Bejtlich and I (and others) seemed to agree on was that the need to protect data is no longer the driver for incident response...if it ever truly was. Currently, legislation (state notification laws) and regulatory oversight (PCI, HIPAA, etc.) are the drivers for incident response.

Also, a common thread from the consultants to the admins in the audience seemed to be, help us help you. At one point during a panel, Rob Lee asked something along the lines of, how soon should someone who's been breached call for help, and my response was "before it happens." Seriously. Get someone on-site before you find a breach, and have them look at your response plan and capabilities, and help you bring them in line with what's needed for your business. Think of the first folks to deal with a breach or some other incident as EMTs and folks like me as doctors and surgeons...if you find someone who needs help, are you going to stand around and watch the guy die, or do you want to know what you can do to (at the very least) contain the issue until you can get someone with a greater skillset on-site to assist?

All in all, it was a great event, very beneficial to attendees and speakers alike. Rob did a great job pulling together talent such as Richard Bejtlich of GE and TaoSecurity fame, AAron Walters, Mike Poor and Tom Liston of InGuardians, Lance Mueller, Eoghan Casey, Bret Padres and Ovie Carroll, as well as Kris Harms, Wendi Rafferty and Ken Bradley from Mandiant, and Monty McDougal. Jennifer Kolde was there representing the FBI, as was Matt Shannon...F-Response is and was a huge hit. I was talking with a couple of folks who attended the summit and when the topic of F-Response came up, you could see the light come on in their eyes as they realized the potential that could be realized through a product like this.

It was also great to be able to talk with folks like Jeff Caplan, and (me being really bad with names) Doug and the guy from Ford.

One of the big take-aways that I got from the summit is the fact that folks like the speakers (consultants, in most cases) and attendees (admins, etc.) face a lot of the same problems with respect to incident response...namely, how to preview and triage systems, and how to do so in an enterprise environment.

I'm hoping to be invited to and be able to attend the next SANS Forensic Summit, in July 2009!

See what others thought:
Matt from F-Response


cpldbc said...


It was cool to meet you after reading your works. Enjoyed the discussion on working regXP into a timeline analysis script.

I for one am looking forward to you releasing that tool out to the masses. Since I'm still at the SANS event for four more days, I took the time to start writing an Enscript last night.

Doug C.

sham said...

Doing the timeline for registry is really valuable. I'm currently doing that in an IR tool I am working on.
It collects via WMI, processes, software installs, file system, prefetch and registry etc etc. On analysis it puts all these into one timeline so you can see registry changes, process start ups, reboot times, security event log entries, prefetch creation, and I now even include external firewall entries. Makes pinning down an issue incredibly quick because the validation from multiple independent sources is there in one place.

H. Carvey said...


Any chance of getting that, or some part of it posted somewhere?

hogfly said...

Will you be making your presentation available anywhere?

H. Carvey said...

I'll see what I can's not mine to's IBMs...

Cory said...

I was hoping you would all get dysentery or something and be miserable since I was unable to attend.

Sorry to hear you had such a good time.

H. Carvey said...

I was still miserable b/c you weren't there, CoreE.

Anonymous said...

I met with AAron Walters afterward to discuss my desire to create a time-stamp timeline, my idea was that it be perhaps Web-based, like a language translator--paste the text and hit a button that translates your time-stamps into a visual timeline. Aaron suggested I contact/read Florian Buchholz' work on Zeitline. Let me know if you'd like to work together, as I'd be starting from scratch.

H. Carvey said...

Who is "Darren"?

sham said...

Darren is the guy that got the job of cleaning up Cory's old documentation ;)
You can find me on #volatility

I'm pushing to be able to release what I have at the moment, but I'm trying to merge my analysis framework into something sensible like pyflag so I can avoid a lot of the heavy lifting they have solved.
The current stuff converts everything into a mactime-esque format and then allows working with the results.

Zeitline looks good, it offends my C/python sensibilities, but I guess can get past that :)
