On 10-12 June 2013, a Windows Forensic Analysis and Registry Analysis
combo course will be hosted at the Santa Cruz PD training facility.
Course descriptions and other info on the courses is available here. Pricing information for the combo course will be available on the ASI training page shortly.
If you are interested in registering for a seat in the training, please contact me here. As the date of the course approaches, information regarding parking, what to bring, etc., will be provided.
Do you teach log2timeline in your Timeline Analysis training?
ReplyDeleteNo, sir.
ReplyDeleteThis post covers, in a good bit of detail, what's in the course. The objective is to provide analysts with an understanding of what artifacts are available and how they can be used to provide detail and context for exams. The idea of the course is to demonstrate how powerful timelines can be as an analysis methodology, and allow the analyst to determine which tools are best for the job.
ReplyDeleteSo if you are tool neutral, do you only teach your own timeline tools then? What if I wanted to use log2timeline instead, would your class still be applicable or useful?
ReplyDeleteGreg,
ReplyDeleteAgain, the objective of the course is to provide analysts with an understanding of what artifacts are available, and how they can be used to provide detail, context, and increased relative confidence in the data. I use my own tools solely for the purpose of demonstrating the data that is available and how it can be used. My hope is that by engaging, I can help analysts develop an understanding of the data that is available, so that they can better use the tools of their choice. I don't want analysts to run a tool and accept the output...rather, it's better for analysts to understand what *should* be there, so that they can recognize when something *isn't* there that should be.
If that would be useful to you, then the answer to your question would be, "yes".
However, there are some tools for which we don't go into depth, in part because the licenses specifically state that they can't be used for commercial purposes.
If you want to use l2t, that's fine. It's a great tool. I happen to incorporate a great deal of Registry, Jump List, and now *.idx file metadata into my timelines, where appropriate.
Greg,
ReplyDeleteAgain, the objective of the course is to provide analysts with an understanding of what artifacts are available, and how they can be used to provide detail, context, and increased relative confidence in the data. I use my own tools solely for the purpose of demonstrating the data that is available and how it can be used. My hope is that by engaging, I can help analysts develop an understanding of the data that is available, so that they can better use the tools of their choice. I don't want analysts to run a tool and accept the output...rather, it's better for analysts to understand what *should* be there, so that they can recognize when something *isn't* there that should be.
If that would be useful to you, then the answer to your question would be, "yes".
However, there are some tools for which we don't go into depth, in part because the licenses specifically state that they can't be used for commercial purposes.
If you want to use l2t, that's fine. It's a great tool. I happen to incorporate a great deal of Registry, Jump List, and now *.idx file metadata into my timelines, where appropriate.
Which tools are you not allowed to go in-depth due to their licenses?
ReplyDeleteThose with the licenses that state that they cannot be used for commercial purposes.
ReplyDeleteFor example, TZWorks includes this information in their license agreement:
"... is for non-commercial personal use ONLY."
I know a lot of people ignore this stuff, but as I read it, teaching a course or giving a presentation for which I get paid is not personal, but commercial use.
Jumping into the conversation as you bring up a very valid point.
ReplyDeleteTotally agree with you Harlan -- it would be an integrity issue to use something that you didn't pay for if you are charging for it.
The nice folks at TZWorks gave SANS permission to use it in our training courses as demonstration of artifacts and allow the students to work with their software so that the students can evaluate it.
We have a similar relationship with Magnet Forensics (IEF), AccessData (FTK), and Guidance Software (EnCase). We also demonstrate, in most cases, an open source or freeware option as well so the student will be able to make a decision on their own.
Perhaps, if you think the tool is valuable you might reach out to the vendor and ask permission. The vendors usually like the exposure during a class. The students like testing which capability seems to work the best.
Anyway... just a thought.
Best,
Rob
Just to be clear, TZWorks has not denied any course the use of their tools to be used as part of the curriculum, when it is for educational purposes. All you need to do is ask, so we are aware.
ReplyDeleteDave,
ReplyDeleteThanks. I was simply honoring your license agreement, as it is stated. A training course is a commercial effort.
Thanks.