Educause Security Discussion mailing list archives

Opinions on SANS 508 Course and their VMware based Forensic analysis workstation


From: James Moore <jhmiso () RIT EDU>
Date: Tue, 28 Jul 2009 14:01:07 -0400

I need to get better at capture of information from a live system as
part of incident response.  There are a number of tools out there that
help (Helix3Pro, Rapier, MIR-ROR), and Harlan Carvey's tools.  I haven't
had time to determine how all of the tools change the system.  I am also
doing more with VMware, mainly restoring forensic images to virtual
disks, and then running some of the commercial A/V and malware detection
tools (but I know that the A/V vendors are getting overwhelmed).  The
other thing is that, if I make it to where I can boot an image restored
from a forensic image, then I can install tools that disrupt the state
of the machine, as long as I do it in clones, or with non-persist mode
enabled.


I am looking for 1 week of training for this year which can focus on
incident response, and has decent coverage of live tools (and an
accurate description of their effects on machine state), and something
about ways to use virtual machines (we use VMware Workstation) in the
incident response environment.


So far, I have looked at training from SANS, Mandiant, and E-Fense
training, but I only have experience with SANS (and that was 8 years ago
when they taught a course for the first time).  Advice & recommendations
are appreciated.  

Jim


- - - -
Jim Moore, CISSP, IAM
Senior Information Security Forensic Investigator
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)


If you consciously try to thwart opponents, you are already late.
Miyamoto Musashi, Japanese philosopher/samurai, 1645


Risk comes from not knowing what you're doing. -Warren Buffett

