Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:21 PM
John H. Sawyer
John H. Sawyer

DIY Forensics & Incident Response Lab

Continuing with the do-it-yourself lab theme, let's turn to the areas of incident response (IR) and forensics, and how they can benefit from an in-house security training lab. The most detrimental attitude I've run into is, "Oh, I've been to training on product X, so I'm prepared." WRONG!

Continuing with the do-it-yourself lab theme, let's turn to the areas of incident response (IR) and forensics, and how they can benefit from an in-house security training lab. The most detrimental attitude I've run into is, "Oh, I've been to training on product X, so I'm prepared." WRONG!As I mentioned in last week's Tech Insight and yesterday's pen-testing lab blog, the purpose of having a lab is to complement training that has already been attended or help supplement an organization's training budget that has been slashed during these tough economic times. With that in mind, many of my suggestions will center around freely available tools and using existing resources.

Deciding what to focus on first shouldn't be too difficult, but determining the depth is important. For example, IR is really just the first stages of forensics; essentially, it's the same as surveying a crime scene and collecting initial evidence. What's generally referred to as digital forensics is the deep dive into the guts of the incident, just like a crime scene investigator and coroner trying to figure out what happened.

Similar to deciding on the depth, a determination needs to be made about the scope of the lab. Is the focus just on host forensics, or will it branch out into other areas, such as network, log, and database forensics? Knowing those things will help determine the necesssary hardware and software, and what can be virtualized. For example, several different hard drives should be on hand for training on forensic drive acquisition. Firewalls, databases, and syslog servers may also need to be built for the different areas of focus.

Like I said yesterday, setting up a similar testing lab environment to your production environment is important to a pen-testing lab, but not so much in forensics and IR. Typically, having a VM or machine with each operating system from your environment represented is enough. It's also good to have example installs of critical software systems, like your database servers, to understand how to respond and investigate them should sensitive data be exposed.

The Web offers quite a few free resources for practicing forensic skills. Harlan Carvey, whose eagerly anticipated 2nd edition of "Windows Forensic Analysis" comes out in June, has put together a great list of free forensic and IR tools, which includes an Images/Analysis Challenges section, where you can get started.

The other option besides using prebuilt analysis challenges is to create your own. It's something I've been planning to do for our team, thinking that we'd each take turns "hacking up" a machine in some way. It could be a malicious insider stealing data, malware-infected machine, or remote compromise.

Regarding forensic software, so much is alrady out there, both free and commercial. If you're just getting started, take a look at Harlan's list and try out the Caine forensic and IR LiveCD, which contains all you need to get your feet wet. IT shops that have already purchased forensic packages, like FTK and Encase, can easily install it in the lab at no additional cost provided they use their existing licensing dongle when not in use for an actual case.

As you can see, all of the information and options I've laid out can be done with minimal costs and resources, but will provide invaluable training resources that could determine the success or failure of an investigation. And, if you're anything like me, it's a great playground for testing the latest forensic and IR tools.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-06
An SSRF issue in Open Distro for Elasticsearch (ODFE) before allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin's intended scope.
PUBLISHED: 2021-05-06
Arbitrary File Deletion vulnerability in puppyCMS v5.1 allows remote malicious attackers to delete the file/folder via /admin/functions.php.
PUBLISHED: 2021-05-06
Rmote Code Execution (RCE) vulnerability in puppyCMS v5.1 due to insecure permissions, which could let a remote malicious user getshell via /admin/functions.php.
PUBLISHED: 2021-05-06
An issue exists on NightOwl WDB-20-V2 WDB-20-V2_20190314 devices that allows an unauthenticated user to gain access to snapshots and video streams from the doorbell. The binary app offers a web server on port 80 that allows an unauthenticated user to take a snapshot from the doorbell camera via the ...
PUBLISHED: 2021-05-06
An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a syst...