
IT Forensics during SANS Amsterdam 2006

Sunday 29 October 2006, 15:00 by Editors, 5 comments

SANS Amsterdam 2006 starts in the second week of November. For a week, the well-known SANS Institute will be in the Netherlands to give a range of courses, including System Forensics, Investigation & Response. We interviewed course leader Jess Garcia about what participants can expect from the course and about IT forensics in general. Since the course itself is in English, we have not translated the interview.

Who is the target audience for this course?

Garcia: The target audience for this course is very broad: from sysadmins and security staff who want to develop the knowledge on how to find exactly what happened when an incident occurs, to consultants specialized in Forensics and Incident Response, not forgetting Law Enforcement and Computer Emergency Response Teams.

What can participants expect?

Garcia: They can expect to develop an in-depth knowledge of the different technologies (e.g. filesystems, network traffic, etc.) from a forensics point of view, of the tools and techniques that can be used in order to investigate an incident and, to a certain extent, to develop the investigative instincts we all have.

In the course description it says that various tools are used, such as the Sleuthkit, Autopsy Forensic Browser and the Windows Forensic Toolchest. If I'm already familiar with these tools, is there still a reason to go?

Garcia: Absolutely. The main attraction of this course is especially learning how things work at the low level, independently of the particular tools you use. Many people use the tools without actually knowing what they are doing, and that obviously often yields poor results. We teach why the tools do what they do, what their capabilities and limitations are, and what is really happening behind the scenes.

When I've finished the course, what kind of certificate will I get, and what is the added value of this certification?

Garcia: By simply finishing the course you will get a certificate of completion. If you are interested in working a little more, you can opt for the GIAC Silver certification, by studying and passing the exams. If you are really willing to work hard and do some research, you can opt for the GIAC Gold Certification, the top of the technical certifications these days.

The description also states: "education into legal challenges". Law and regulation differ from country to country. Did you adjust the course for the Dutch audience?

Garcia: I'm glad to share with you that there is a European Law book being written at this very moment. Officially it is not scheduled to teach this material at the Amsterdam conference, but we are doing our best to have it finished in time so we can offer it as an extra free addition to our Forensics course attendees.

Why do people follow SANS courses: is it because of the content or because of the certification?

Garcia: The truth is that a huge percentage of the people who come to a SANS course comes back (and it's not me saying this, it's the statistics). I believe at this point the main reasons reside in a combination of highly-technical cutting-edge material and top-rated instructors, followed by the possibility of getting a GIAC certification. As of today, the GIAC certification is not as popular in Europe as in the USA, but we are working on fixing that.

How can you teach computer forensics in a tool-independent manner? IT forensics in particular is hard to do without tools.

Garcia: Every technology has two faces: the theory and the practice. If you know the inner workings of things you will be able to use whatever tool you want or, why not, even write your own (I do that often). We obviously need tools to do the job, and for our classes we use open source tools. Is it possible to use some other tools? Absolutely! I don't know of any of our students who has had the slightest problem using other tools, including the commercial ones, once they understand what is going on behind the scenes.
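The point about knowing the inner workings well enough to write your own tool is easiest to see on a small, fully specified structure. The following added example (not code from the interview, SANS or any of the tools named) parses a classic MBR partition table by hand with nothing but `struct`: the 512-byte sector is constructed in the script itself, so the offsets and field layout are the only "knowledge" involved. The sanity checks at the end (overlapping entries, entries past the end of the disk, sectors no partition claims) are the kind of thing a tool may or may not surface, and a practitioner who understands the layout can verify them independently.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446       # the four 16-byte partition entries start here
PART_ENTRY_SIZE = 16
BOOT_SIG = 0xAA55             # stored little-endian as 0x55 0xAA at offset 510
ENTRY_FMT = "<B3sB3sII"       # boot flag, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed 512-byte MBR with two entries (sample data, not from a real disk)."""
    mbr = bytearray(SECTOR)
    entries = [
        (0x80, 0x07, 2048, 204800),    # bootable, type 0x07 (NTFS/exFAT), 100 MiB
        (0x00, 0x83, 206848, 409600),  # type 0x83 (Linux), 200 MiB, directly after the first
    ]
    for i, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE,
                         boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    struct.pack_into("<H", mbr, 510, BOOT_SIG)
    return bytes(mbr)


def parse_mbr(sector):
    """Return the non-empty partition entries of an MBR as dicts with absolute LBA and byte offsets."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    (sig,) = struct.unpack_from("<H", sector, 510)
    if sig != BOOT_SIG:
        raise ValueError("no 0x55AA boot signature at offset 510: not an MBR")
    parts = []
    for i in range(4):
        boot, _chs_start, ptype, _chs_end, start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append({
            "index": i,
            "bootable": boot == 0x80,
            "type": ptype,
            "start_lba": start,
            "sectors": count,
            "end_lba": start + count - 1,
            "byte_offset": start * SECTOR,   # where to seek in the image to reach this volume
        })
    return parts


def check_layout(parts, disk_sectors):
    """Checks to run before trusting a table: overlapping entries and entries past the disk end."""
    issues = []
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start_lba"] <= a["end_lba"]:
            issues.append(f"entries {a['index']} and {b['index']} overlap")
    for p in ordered:
        if p["end_lba"] >= disk_sectors:
            issues.append(f"entry {p['index']} extends past the end of the disk")
    return issues


def unallocated_ranges(parts, disk_sectors):
    """Sector ranges no partition claims (the MBR itself sits in the first one); worth imaging separately."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - 1))
        cursor = max(cursor, p["end_lba"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    for p in table:
        print(p)
    print("issues:", check_layout(table, 1_000_000))
    print("unallocated:", unallocated_ranges(table, 1_000_000))
```

Pointing `parse_mbr` at the first 512 bytes of a real raw image instead of `build_sample_mbr()` is the only change needed to use it; the byte offsets it returns are what you would pass to a filesystem parser or to a tool's offset option.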

In what way do Intrusion Detection skills help with forensics?

Garcia: Intrusion Detection, specifically Network Intrusion Detection, is very close to what we call "Network Forensics", so if you are a NID analyst, Network Forensics will be no mystery for you. There is an effort from several vendors to integrate IDS and Forensics technologies, which makes a lot of sense as they are complementary blocks of the Detection-Reaction strategy.

How do you make a forensic fingerprint from a live machine?

Garcia: Very carefully, I would say :) The key is not to spoil evidence that might be useful at a later stage. There are procedures and tools that minimize the impact of a Forensics analysis on a live server. However, as soon as it has been determined that we actually are in the presence of a real incident, the recommended way to act (if the business needs allow it) is to halt the system and do a dead analysis after properly capturing the volatile evidence (memory, processes, network connections, etc.). Tailored malware (e.g. kernel level rootkits) can conceal information from a live system.

What tools do you use when you're investigating an incident?

Garcia: There are lots of possible incidents and there are literally dozens of tools, big and small, commercial and free, that solve particular problems. My personal forensics arsenal is loaded with all the tools that fall in my hands. They tend to be useful sooner or later.

In what way does encryption hinder IT forensics?

Garcia: Encryption is indeed a big issue in many different fields ranging from filesystems to malicious code. If you are lucky and careful enough you may find a way around it (encrypted things need to be decrypted at some point in order for them to be used). But never forget that IT forensics is only a part of the whole Forensics investigation, and sometimes other things such as human testimony can come to your help.

What books can you recommend to people who want to get into IT forensics?

Garcia: There are a good number of Forensics-related books; some deal with the Forensics process, some with technical aspects of it. I don't want to do propaganda for any particular book here, but people who have been playing in the forensics field for quite some time, like Brian Carrier, Eoghan Casey, Wietse Venema & Dan Farmer, Keith Jones or Richard Bejtlich, have authored a number of good books that you can easily find in your favorite online book shop. I keep a list of some of those books on my personal website (http://www.jessland.net/JISK/Forensics/Books.php).

Some forensic experts say that increasing storage capacities are the new computer forensics dilemma. Can you explain?

Garcia: Doing forensics when you have 5 Terabytes of data is obviously a challenging task. You cannot do a brute-force analysis of that much data; you will have to know what you are looking for and try to find it. Unfortunately most (if not all) of today's tools choke when dealing with amounts of data of that caliber, and the investigation becomes a nightmare. As of today, a good Forensics analyst with the right skills and intuition is the only way around it. We will have to think of developing new techniques and tools in order to solve this new paradigm.
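"Know what you are looking for" in practice means a targeted scan that streams the image rather than loading it, and the classic bug in such scanners is a hit that straddles two read buffers. The added example below (my own illustration, not code from the interview or from any tool it names) searches a file-like object for several named byte patterns in fixed-size chunks, carrying the last `longest_pattern - 1` bytes into the next chunk so boundary hits are found exactly once. The image it scans is a constructed in-memory byte string; the pattern names and the `find_patterns` function are this example's own.

```python
import io


def find_patterns(stream, patterns, chunk_size=1 << 20):
    """Return sorted (absolute_offset, name) hits for every byte pattern in `patterns`.

    The stream is read in `chunk_size` pieces so memory use is flat no matter how large
    the image is. A match crossing a chunk boundary is still caught because the last
    (longest pattern - 1) bytes of every buffer are re-scanned together with the next
    chunk; deferring hits that start inside that tail keeps each hit reported once.
    """
    if not patterns or any(len(p) == 0 for p in patterns.values()):
        raise ValueError("patterns must be non-empty byte strings")
    keep = max(len(p) for p in patterns.values()) - 1
    if chunk_size <= keep:
        raise ValueError("chunk_size must exceed the longest pattern")

    hits = []
    carry = b""
    base = 0  # absolute image offset of buf[0] for the buffer being scanned

    def scan(buf, limit):
        # Report occurrences that start before `limit`; later starts are seen again next round.
        for name, pat in patterns.items():
            pos = buf.find(pat)
            while pos != -1 and pos < limit:
                hits.append((base + pos, name))
                pos = buf.find(pat, pos + 1)

    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        limit = max(len(buf) - keep, 0)   # a tiny first read is simply carried forward whole
        scan(buf, limit)
        carry = buf[limit:]
        base += limit
    scan(carry, len(carry))               # EOF: deferred hits inside the final tail are real
    hits.sort()
    return hits


# Constructed sample "image": two occurrences of a marker string and one JPEG SOI/APP0 header.
SAMPLE_IMAGE = (b"A" * 100 + b"EVIDENCE" + b"B" * 50
                + b"\xff\xd8\xff\xe0" + b"C" * 40 + b"EVIDENCE")
SAMPLE_PATTERNS = {"marker": b"EVIDENCE", "jpeg_soi": b"\xff\xd8\xff\xe0"}


def scan_sample(chunk_size):
    """Scan the constructed image with a given chunk size; results must not depend on it."""
    return find_patterns(io.BytesIO(SAMPLE_IMAGE), SAMPLE_PATTERNS, chunk_size)


if __name__ == "__main__":
    # chunk_size=105 splits the first marker across a boundary; the result is the same as one big read
    print(scan_sample(105))
    print(scan_sample(1 << 20))
```

For a real image, replace `io.BytesIO(SAMPLE_IMAGE)` with an open file handle (`open(path, "rb")`) and pass the pattern set you are actually interested in; the chunk size only trades memory for the number of read calls.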

Forensic tools are getting more complex. How can you verify and guarantee that the results from these programs are correct?

Garcia: You should never trust one single tool, no matter how widespread or accepted it is. Tools have bugs, and I may say that Forensics tools have a lot of bugs. If you are going to Court with the results of your investigation you definitely want to make sure that what you are going to show is as error free as possible. Correlating your findings with at least two different tools is imperative.
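Correlating two tools is only useful if the comparison itself is explicit about what agreed and what did not. The added example below (my own, not from the interview or from any product) reconciles two file inventories exported in a simplified `path|size|hash` shape that I constructed for the purpose; the paths and the short hash values are placeholders, not real tool output. Each path ends up in exactly one bucket, and malformed or duplicate lines are reported rather than silently dropped, since a parser that drops lines would itself be a third source of error.

```python
# Constructed inventories, as two different tools might export them (placeholder hashes).
TOOL_A = """\
/etc/passwd|1024|a1
/home/user/notes.txt|512|b2
/home/user/.hidden|64|c3
/var/log/auth.log|4096|d4
"""
TOOL_B = """\
/etc/passwd|1024|A1
/home/user/notes.txt|512|b9
/var/log/auth.log|4096|d4
/tmp/.x|128|e5
not a valid line
"""


def parse_inventory(text):
    """Parse 'path|size|hash' lines into {path: (size, hash)}; return bad lines separately."""
    entries, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 3 or not fields[1].isdigit():
            bad.append((lineno, line))
            continue
        path, size, digest = fields
        if path in entries:
            bad.append((lineno, f"duplicate path {path}"))
            continue
        entries[path] = (int(size), digest.lower())  # hex digests compare case-insensitively
    return entries, bad


def correlate(inv_a, inv_b):
    """Put every path in one bucket: corroborated, only_in_a, only_in_b, or conflicting."""
    report = {"corroborated": [], "only_in_a": [], "only_in_b": [], "conflicting": []}
    for path in sorted(set(inv_a) | set(inv_b)):
        a, b = inv_a.get(path), inv_b.get(path)
        if a is None:
            report["only_in_b"].append(path)
        elif b is None:
            report["only_in_a"].append(path)
        elif a == b:
            report["corroborated"].append(path)
        else:
            report["conflicting"].append((path, a, b))
    return report


def corroborated_only(report):
    """True when nothing needs a third look: every path was seen by both tools with identical results."""
    return not (report["only_in_a"] or report["only_in_b"] or report["conflicting"])


if __name__ == "__main__":
    inv_a, bad_a = parse_inventory(TOOL_A)
    inv_b, bad_b = parse_inventory(TOOL_B)
    result = correlate(inv_a, inv_b)
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
    print("unparsed lines:", bad_a + bad_b)
    print("safe to report as-is:", corroborated_only(result))
```

Anything outside the `corroborated` bucket is what you take to a third tool or verify by hand before it goes into a report; the one-sided entries are often the interesting ones, because they are where one tool's parser gave up.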

Comments (5)
29-10-2006, 23:00 by Anonymous
What kind of price tag is actually attached to those courses?
30-10-2006, 09:50 by Anonymous
Actually not even that expensive, if you could do it per module.
30-10-2006, 11:49 by Anonymous
SANS has finally found Security.nl
31-10-2006, 10:09 by Anonymous
I am quite curious how the teaching works, whether it is in a group
or individual. Because content-wise, from what I have seen, those
courses are really mega good.