Educause Security Discussion mailing list archives
Opinions on SANS 508 Course and their VMware based Forensic analysis workstation
From: James Moore <jhmiso () RIT EDU>
Date: Tue, 28 Jul 2009 14:01:07 -0400
I need to get better at capture of information from a live system as part of incident response. There are a number of tools out there that help (Helix3Pro, Rapier, MIR-ROR), and Harlan Carvey's tools. I haven't had time to determine how all of the tools change the system.

I am also doing more with VMWare, mainly restoring forensic images to virtual disks, and then running some of the commercial A/V and malware detection tools (but I know that the A/V vendors are getting overwhelmed). The other thing is that, if I make it to where I can boot an image restored from a forensic image, then I can install tools that disrupt the state of the machine, as long as I do it in clones, or with non-persist mode enabled.

I am looking for 1 week of training for this year which can focus on incident response, and has decent coverage of live tools (and an accurate description of their effects on machine state), and something about ways to use virtual machines (we use VMWare Workstation) in the incident response environment. So far, I have looked at training from SANS, Mandiant, and E-Fense training, but I only have experience with SANS (and that was 8 years ago when they taught a course for the first time).

Advice & recommendations are appreciated.

Jim

- - - -
Jim Moore, CISSP, IAM
Senior Information Security Forensic Investigator
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)

If you consciously try to thwart opponents, you are already late. Miyamoto Musashi, Japanese philosopher/samurai, 1645

Risk comes from not knowing what you're doing. -Warren Buffett

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.
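One way to make the "clones or non-persist mode" precaution in the post above checkable before a restored image is powered on: an added Python example, not from the original post or from any of the tools it names, that parses a VMware Workstation .vmx, flags any virtual disk not set to independent-nonpersistent mode (so guest writes from live tools are discarded at power-off), and hashes the image file so the baseline can be re-verified after the session. The .vmx contents are constructed for the example; the disk key names (scsi0:0.fileName, scsi0:0.mode) are VMware's own.

```python
import hashlib
import re

# Disk entries look like scsi0:0.fileName / scsi0:0.mode (also sata0:0, ide0:0).
DISK_KEY = re.compile(r'^(\w+:\d+)\.(fileName|mode)$')
# VMware's disk mode that discards all guest writes when the VM powers off.
SAFE_MODE = "independent-nonpersistent"


def parse_vmx(text: str) -> dict:
    """Parse the key = "value" lines of a .vmx file into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def unsafe_disks(cfg: dict) -> list:
    """Return the disks whose changes would survive the analysis session."""
    disks = {}
    for key, value in cfg.items():
        m = DISK_KEY.match(key)
        if m:
            disks.setdefault(m.group(1), {})[m.group(2)] = value
    # A disk with no explicit mode defaults to persistent, so it is flagged too.
    return sorted(dev for dev, d in disks.items()
                  if "fileName" in d and d.get("mode") != SAFE_MODE)


def sha256_of(path: str) -> str:
    """Hash the restored image file; re-run after the session to prove it is untouched."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample .vmx: the restored image is non-persistent, the tools disk is not.
SAMPLE_VMX = '''
scsi0:0.present = "TRUE"
scsi0:0.fileName = "restored-image.vmdk"
scsi0:0.mode = "independent-nonpersistent"
scsi0:1.present = "TRUE"
scsi0:1.fileName = "tools.vmdk"
'''

if __name__ == "__main__":
    print("disks that will persist changes:", unsafe_disks(parse_vmx(SAMPLE_VMX)))
```

Running it against the constructed sample reports scsi0:1 as the only disk that would keep changes; a VM that is only ever booted from clones with every evidence disk in this mode is what keeps the restored image reusable as a baseline.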