Monday, July 18, 2011

SANSFIRE Days 1 and 2

Saturday began SANSFIRE for me with SEC 546: IPv6 Essentials. This was also Day 2 of the Security IPv6 Summit. The class was taught by Dr. Johannes Ullrich, a SANS senior instructor, Dean of Faculty and Chief Research Officer. If you're not familiar with IPv6 and the myriad of things to consider when preparing for migrating, I recommend you take this course (tell your boss you want to add it on to your five- or six-day course to help the security department prepare for IPv6). It was a huge amount of information packed into a one-day course that will serve you well in any future discussion.


On Sunday, I began the FOR 558 course, which is network forensics. This is being taught by Jonathan Ham, an incredibly knowledgeable instructor, whose bio can be found here. This was my first class with Jonathan. The motto for FOR 558 is "No hard drive, no problem". As this suggests, the class is all about doing forensics analysis, not from the computer in question itself, but from the footprint (or fingerprint) its network traffic has left. Day 1 took off at full bore after a quick review of networking essentials, using SNIFT, the FOR 558 equivalent of the SIFT tool used in the traditional forensics classes, to create and examine packet captures, examine them using tcpdump, Wireshark and a hex editor, and pull data from the packets. It's not the ordinary course that has you carving graphics files with a hex editor out of bytes pulled from a pcap file. If you're an intrusion analyst, incident response team member or security investigator, you might want to look at this class. Though the class is called a forensics class, it's a perfect complement and next step to SEC 503: Intrusion In-Depth. If you have your GCIA and want to take your intrusion analysis skills a level higher, this is a great class to do so. Here are the details.
