Deciding what to focus on first shouldn't be too difficult, but determining the depth is important. For example, IR is really just the first stages of forensics; essentially, it's the same as surveying a crime scene and collecting initial evidence. What's generally referred to as digital forensics is the deep dive into the guts of the incident, just like a crime scene investigator and coroner trying to figure out what happened.
Similar to deciding on the depth, a determination needs to be made about the scope of the lab. Is the focus just on host forensics, or will it branch out into other areas, such as network, log, and database forensics? Knowing those things will help determine the necesssary hardware and software, and what can be virtualized. For example, several different hard drives should be on hand for training on forensic drive acquisition. Firewalls, databases, and syslog servers may also need to be built for the different areas of focus.
Like I said yesterday, setting up a similar testing lab environment to your production environment is important to a pen-testing lab, but not so much in forensics and IR. Typically, having a VM or machine with each operating system from your environment represented is enough. It's also good to have example installs of critical software systems, like your database servers, to understand how to respond and investigate them should sensitive data be exposed.
The Web offers quite a few free resources for practicing forensic skills. Harlan Carvey, whose eagerly anticipated 2nd edition of "Windows Forensic Analysis" comes out in June, has put together a great list of free forensic and IR tools, which includes an Images/Analysis Challenges section, where you can get started.
The other option besides using prebuilt analysis challenges is to create your own. It's something I've been planning to do for our team, thinking that we'd each take turns "hacking up" a machine in some way. It could be a malicious insider stealing data, malware-infected machine, or remote compromise.
Regarding forensic software, so much is alrady out there, both free and commercial. If you're just getting started, take a look at Harlan's list and try out the Caine forensic and IR LiveCD, which contains all you need to get your feet wet. IT shops that have already purchased forensic packages, like FTK and Encase, can easily install it in the lab at no additional cost provided they use their existing licensing dongle when not in use for an actual case.
As you can see, all of the information and options I've laid out can be done with minimal costs and resources, but will provide invaluable training resources that could determine the success or failure of an investigation. And, if you're anything like me, it's a great playground for testing the latest forensic and IR tools.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.