Tuesday, June 15, 2010


This post is about SANS and last week’s SANSFIRE 2010.  It also contains a review of the SEC563 Mobile Device Forensics course that I attended at the conference.
Full Disclosure: I’m a member of the GIAC Advisory Board and an advisor to the GIAC Ethics Council.
Fuller Disclosure: I’m a SANS independent contractor who is writing test questions for the GCFE (GIAC Certified Forensic Examiner) certification. This is the certification that will be linked to the SEC408 Computer Forensics Fundamentals course. SANS is nice enough to pay people who do this work a little bit of money for their work.  Don’t tell SANS, but I’d do it for free.
Fullest Disclosure: I’m an unrepentant SANS cheerleader.

I Heart SANS

My first SANS experience was in 2004 when I took SEC504 Hacker Techniques, Exploits and Incident Handling from Ed “Skodo Baggins” Skoudis at a smaller SANS event that was held in Phoenix.   I had no idea who Ed was before taking the class, but I certainly knew who he was after the class.  SEC504 with Ed was one of the finest training experiences that I’ve ever attended and I cherish the experience to this day.  I consider it a transformational experience because it opened my eyes to all of the possibilities in information security world.  Ed essentially acted as Virgil to my Dante.  Not only was the course content fascinating, but I was amazed at what an incredible instructor Ed was.  Since that course, Ed has been an example to me of just how good an instructor can and should be. 

When I took this course with Ed, it was in the days of the old certification model where certification GCIH candidates were required to complete a white paper before they were allowed to attempt to take the two tests that were necessary to pass the  certification process.  Incident handling was new to me, but I somehow managed to successfully complete the paper and then was faced with the two tests.  The first test covered the incident handling process and I scored somewhere in the 80s on that test and passed.  The second test dealt with the technical aspects of the course and I think my score was 78.  I remember it was in the 70s and I was very glad to have achieved that score.  It was a long and difficult process, but completing it was more than worth it.

I recertified over a year ago and scored well on that test.  Because I scored over 90, I was invited to join the GIAC Advisory Board.  After I did so, I had more of the SANS world opened up to me because I could see the SANS staff interacting with the rest of the Advisory Board through the Board’s email list.  This was a very educational experience because it allowed me to observe Stephen Northcutt and some of the other SANS leadership in action.  Additionally, I recently had the opportunity to serve with Stephen with project that we are both involved in.  Stephen is the face of SANS since he is the CEO of SANS, holds a position on the GIAC Board (I can’t remember if he’s the chair of the board or not. I’m sure he told me last week, but my brain can only hold so much new information while being soaked with the SANS knowledge fire hose) and is the President of the SANS Technology Institute.

The best I can tell is that Stephen is the person who the Dos Equis people modeled their most recent advertising campaign on. Stephen has got to be a contender for the information security version of the Most Interesting Man in the World(tm). When he’s not traveling around the globe leading his merry band of SANS people, he does things like write, pontificate, snorkel, sail and live in Hawaii.

SANSFIRE 2010 Review

Last week’s SANSFIRE was my first major SANS conference.  As you can tell from the tone of this post so far, I was not disappointed.  SANS does a great job putting on these conferences and there is a lot of attention to detail.  There were legions of helpful work study facilitators who made everything run smoothly.  The major SANS conferences are a great experience because not only do you get to attend training with the top SANS instructors, but there are a whole host of networking opportunities available to you. These conferences are attended by a large number people with very diverse information security backgrounds.  There were plenty of after hour events to attend such as the very popular SANS @Night presentations where industry experts gave talks that could be attended by anyone at the conference.  SANS also provided snacks and drinks during the morning and afternoon breaks that kept everyone going.  During one of the evenings early in the conference, they provided free food (very nice hot dogs and pretzels this time) along with a live band and several cash bars. Day 5 was ice cream day where the afternoon snack was all sorts of frozen goodies.  One of the nice touches is that they had a cash bar available during the initial registration on Sunday evening and even provided a free drink ticket with the registration packet.  That’s right.  We got a free beer on SANS after we picked up our registration information.  It was a nice touch after more than three hours of slogging through East Coast traffic to get to Baltimore. 

One of the things I found was that the SANS instructors are very approachable even if you aren’t taking their class.  I was able to meet a lot of the instructors who I have met through various electronic methods, but never in person such as James Tarala, Chad Tilbury and Paul Henry.  I was also able talk to Ed Skoudis in person after corresponding with him for many years.  I’ve recently started presenting on digital forensics in conference settings and Ed is always good for a great teaching tip or two. The SANS staff (both the instructors and the support staff) earn their pay during these conferences because they always have to be “on” in case they run across someone like me after class.

SANS SEC 563 Mobile Device Forensics Review

The class that I was at SANSFIRE to attend was SEC563 Mobile Device Forensics.  Eoghan Casey and Terry Maguire from cmdLabs taught the class. Eoghan has been the primary person behind the course since it’s inception.  Thus, those of us who took the class had the benefit of being taught by two very accomplished digital forensic examiners and instructors.  If I had only one word to describe what I thought of this course, I would pick the following word: Bacon.  Not turkey bacon.  That’s undead zombie pseudo-bacon. We’re talking thick cut smoked bacon.  I like bacon and I liked SEC563.

Putting together a five day mobile device class is a pretty tall order given the current fluid state of the tools and methods. There isn’t a lot of standardization in the mobile device world given all of the different phones, carriers, operating systems and third party applications.  The computer forensics world is relatively static and mature at least to the extent that we deal only with relatively small number of operating and file systems.
The course struck a very even balance between lecture content and hands on exercises for the students.  Students are introduced to a wealth of different forensic tools and many of them are used during the practical exercises.  Because there is so much hands on work, the class is limited to no more than 25 students.  

The class was an overview of the mobile device forensics world and provided students the fundamental knowledge to get started by exposing them to the wide variety of tools and methods that are available.  I took this class because I am relatively new to mobile device forensics and I found that I learned an immense amount.  I wish I would have taken this class earlier in my studies because it would have made tool selection and process development much easier.  I came out of the course with a fundamental understanding of how to examine SIM cards, CDMA and GSM phones.  I can’t call myself an expert in mobile device forensics and it would have been unreasonable to think that even with instructors like Eoghan and Terry that I could be brought up to their level in just week.  However, taking this course is one of the most efficient ways to gain the fundamentals that an examiner would need to pursue mastery of the subject.

This course reinforced my initial impression that mobile device forensics is basically the wild, wild west right now.  There are some useful tools out there, but the state of the tools and methods aren’t nearly as mature as they are in computer forensics.  Eoghan and Terry stressed the need to validate results and to not put all of your faith into one tool.   Manual review of mobile devices is still very necessary in some cases and validation has to be a key concern of an examiner. 

So the bad news is that the state of mobile device forensics is very fluid and complicated.  A lot of hex level examination still needs to be done in cases where tools won’t do the parsing for you. To me, this is also the good news.  I know some examiners hate it, but I enjoy working at the hex level.  It’s not practical to do it as a primary method of examination, but there’s just something I find really fulfilling when I pull a bit of useful evidence out with a hex editor.  If you like this sort of thing, you’re going to love both mobile device forensics and this class.


  1. Way cool bro. I'm learning more and more everyday from just following you and all my other new friends from CEIC. You are giving me the SANS fever..

  2. Excellent write-up, Eric. Also, I'm a SANS fanboy too. Maybe we could start a club, like maybe the SANS Fans ;-)