Super Timeline Analysis, Web Browser Analysis, & Community Building with SANS

The SANS Institute is one of the pillars of the network security and digital forensics community, so the two labs they are offering as part of their sponsorship really excite us. On Tuesday, September 13, they’ll offer two chances to attend each 90-minute lab: “Super Timeline Analysis and Case Studies” and “Intermediate Web Browser Analysis – Beyond History Analysis.”

The advanced bring-your-own-laptop labs are “definitely for the geek digital forensics/incident response folks out there,” says Rob Lee, who will be instructing both.

Super Timeline Analysis and Case Studies

Temporal data is located everywhere on a computer system, regardless of operating system or software applications. File system MAC times, log files, network data, registry data, Internet history files and file metadata all contain time data that can be correlated into critical analysis to successfully solve cases.

Last year in Atlanta, Dave Hull taught a single 90-minute lecture on Super Timeline Analysis. This year, says Lee, the course will be updated with more examples from different cases. It will also incorporate some of the new analysis methods utilized in 2010-2011, along with other advances. By the end of the course, Lee anticipates that participants will be able to create and analyze their own timelines.

“Timeline analysis is not well understood within the community,” says Lee. “It requires many skills to master.  From filesystem details, artifact analysis, and registry data, it is very overwhelming.  It is utilized in very specific situations, not in cases where it is a guess where data might be.

“Timeline analysis is [also] not widely understood as none of the major forensic products incorporate a timeline analysis feature set in their products.  They obfuscate too much of the raw data and it makes it near impossible for someone by hand to create.

“As a result, without the exposure, there is a general lack of appreciation what a timeline will be able to generate for you.  As Henry Ford once said, ‘If I’d asked customers what they wanted, they would have said faster horses.’”

Intermediate Web Browser Analysis – Beyond History Analysis

As browsers continue to add functionality to make users’ experiences better, they inevitably leave even more browser artifacts for the forensic investigator to find.  From Private Browsing to Session Restore Points, browser forensics has become more complex that simply examining a history file.

Where are the key file locations, what is stored in them, how can examiners recover and examine these items? What is the difference between residue left by a Flash Cookie and a Super Cookie? How can you recover critical items if a user utilizes Private Browsing mode?

These key questions and many more will be detailed in this advanced session discussing the latest in browser analysis technology.  Participants will explore the latest artifacts that Internet Explorer and Firefox leave on a workstation.

Both labs require participants to download the SIFT Workstation and participants should have some artifact (LNK files, registry, USBkey, EXIF data, etc.) analysis skills, along with some filesystem knowledge.

Chapter Leader Breakfast

On Tuesday morning before the labs, Rob Lee together with Deanna Boyden, Director of Community SANS, will host a breakfast buffet for HTCIA chapter presidents and 1st vice presidents. There they’ll present the SANS Community of Interest in Network Security (COINS) program.

A localized outreach program, COINS enables SANS to support chapters with speakers and training topics. “We know the chapter leaders are volunteers with day jobs, so our goal is to provide speakers and SANS content for their monthly training,” Boyden says. “We also want them to have continuity since we know their offices change from year to year.”

Under COINS, chapter members also receive discounts to SANS events in the area, and leaders have the opportunity to talk briefly during events about the chapter, its activities and member benefits. “We also host a COINS Evening that provides both free CPEs from an instructor presentation,” says Boyden, “and networking among chapter members from ISSA, Infragard, HTCIA, WITI, and other nearby associations.”

In short, the Chapter Leaders’ Breakfast will show what what is available to chapters from SANS, and how SANS works with associations overall to bring everyone together for better relationships within the community.

Both lab and breakfast registration will be posted at a later date. Meanwhile, reserve your space in Indian Wells today! 


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: