I’ve always had an interest in digital forensics. The idea of being able to investigate $whatever_happened and prove it, always fascinated me. The last week of July, I was able to finally participate in some top notch digital forensics training at SANS Fire 2017 FOR500 – Windows Forensics Analysis.
First off, the material was great. Who doesn’t like getting a 128 Gb USB key with a lot of goodies? The SIFT workstation was loaded with a great amount of tools (many of which I hadn’t heard of, many I’d always been curious about).
The extra cases seem like they’ve got potentially interesting things to dive into as well.
Day 1 was all about Advanced Data Triage. The “What? When? Where? How?” of any investigation is where the data triage starts. The concept put forth on day 1 was spot on and a great place to start. “Analysis” is one thing, “proper analysis” is a completely different thing. This gives a good foundation to get you in the “proper analysis” mindset.
Data extraction, file carving and registry forensics were also on tap for the day. These were all presented in an easily understandable way with some exercises building off of the original scope of the “investigation”.
Day 2 was a serious deep dive into the Windows Registry. I knew you could tell A LOT about what has happened (many of the things covered I had recognized between classes I took and just “poking around”), but there were many things as well that were completely new to me. (I suspect part of it has to do with the advancements from Windows 7 to Windows 10.)
Day 3 was all about Shell Items and I’ll admit, I struggled here. This was the first time going THIS deep… and it was good. I am going to re-review (and potentially re-re-review) this section.
My head still hurts and I think by now, I’m ready to start the “resaturation” process.
When I found out I could participate in this, I was pretty pumped. I made sure to register and start downloading the material as soon as I knew where to go.
Netwars is essentially SANS’ version of a CTF and this would be my first DFIR focused/related CTF.
So, I download… and I download…
AND I JUST FOUND THE DUMBEST WAY TO SUCCEED AT DROPBOX DOWNLOADING OF HUGE FILES (and not just “Right click, Save As”)…
DISCLAIMER: This could be an issue with my ISP (but I’ve never EVER had a problem downloading before this) or this could be an issue with Dropbox.
There were at least 3 files bigger than 8Gb that were part of the Netwars Dropbox share for various things (virtual machine, .e01 image, 7zip of an Android image).
Whenever I tried downloading, it bombed out around 8 to 9Gb.
The one file (win7-c-drive.E01 to be precise) is 9.7Gb (again… 9689019743 bytes to be precise).
It was an important file. A file needed to reiterate the knowledge I gained through this training.
But alas, Dropbox, you failed me.
After 5 tries over a 2 day period, it became a point of principle to download this.
Default, out of the box, you get 2Gb on a free account. Through various promotions and such, I’m up to 8.25 GB.
I say this because when you download a file from Dropbox you have two options:
- Direct Download
- Save to My Dropbox
Knowing I had less than 9Gb, I knew Save to My Dropbox wasn’t an option.
Or was it…? (More on that in a moment…)
Being the fact that I’m on a Debian laptop, I thought “if anyone knew how to resume a failed download or ensure a complete download, it would be the Linux community”.
I couldn’t find anything obvious.
I installed the Dropbox client with the theory of: could I link someone else’s folder and download it that way? (You’re close… keep trying…)
So, just when I think I give up, I choose “Save to My Dropbox” WITH THE LINUX CLIENT RUNNING… (FWIW, I suspect the same would hold true for those who have a Windows OS)
Let me guess your first thought…. “How can this fool save to his Dropbox when his account doesn’t have enough space? 8.25 Gb < 9.7Gb! Don’t he know how to math?!”
I thought the same thing.
Then I saw… the client… downloading the file.
So I tried this method 4 other times and it worked successfully 4 other times.
- 9.2 GB (9156831212 bytes)
- 9.4 GB (9432995952 bytes)
- 15.6 GB (15571648976 bytes)
- 9.7 GB (9689019743 bytes) ← The original headache
There is one (obvious) catch.
When you exceed the space you have allotted on your account, you can’t add any more files… but it doesn’t mean you can’t download. 😉
SOOOOOOOOOOOO…. Due to back issues and download issues, I couldn’t do much, but I did land 51st place (hey… that’s only an hour of being able to do any of the challenges… and cursing the one file that would never come in time).
Day 4, Email retrieval/analysis, was extremely interesting. The additional artifacts were extremely fascinating for the “picture” you’re trying to paint with the overall analysis; I dare speculate that it is in the Windows Search, thumbnail, Recycle Bin, Event Log and Windows Prefetch analysis that the real finer details emerge in this section.
Day 5 was all about Internet Browsers. Again, this section was very interesting and I definitely gained some new knowledge.
Day 6 was the “project”/“challenge” day. I initially wanted to participate so I could apply what I had learned, but counting the fact I was on Simulcast/“GoToMeeting”, that communications between those on the same team.
Unfortunately (fortunately?) I appeared to be the only one from the Simulcast folks who was interested in doing the challenge that day. Most everyone else was going to do the challenge in their leisure time.
By about this time, my brain was already burnt and I was overdue to hang out with my family. So, we went to an arcade (and my 5 year old son “beat me” at Mario Kart…. Twice… ).
Overall, I’m very pleased with the class and the experience. The GoToMeeting/Simulcast was a great platform to use to attend this training. I’d highly recommend FOR500 (or any other SANS class) as the training is up to date and very relevant. It’s not the “print hello world” style of learning, which I despise. I want to get elbow deep and learn the concepts and real world examples. The overall basis of the investigation the whole five days was centered on could easily be a scenario anyone could run across in the real world.
Considering this was my first Simulcast SANS training, I thought I’d share some of the observations I made during this week.
- Make sure to get plenty of sleep. My 5 year old has a habit of working every angle possible to stretch out bed time. Couple that with my particular mindset (one to where if I get really into something, it can cut into my sleep) and Wednesday I was jonesing for some carbs in a big way!
- Have a comfortable seat. Nothing makes the concentration break more than getting uncomfortable in your seat.
- If your personal laptop is a Linux one, make sure to have a second laptop or a tablet handy since GoToMeeting apparently doesn’t like Linux.
- Be prepared to feel like you’re drinking like this
- Don’t be afraid to ask for some help.