I thought I would take a few minutes to share my thoughts regarding DFIR NetWars that SANS offers and a DFIRSummit prelude. For more information on DFIR NetWars visit http://www.sans.org/netwars
This week I am in Austin, Tx taking FOR 408 with Rob Lee. We are having a good week and have a good class. What I always enjoy most about attending a SANS course or event, is the plethora of talent in the DFIR community that attend these events and courses. Ovie, Rob, and Chad have put a lot into FOR 408. This course is NOT an introduction to Digital Forensics. It requires a core knowledge of Windows forensics. I have completed several courses in the SANS DFIR curriculum. When I first completed 508 six (6) years ago, 408 did not exist and focuses on core Windows forensic analysis. Just as David Cowen points out in this week's Forensic Lunch, there is so many Windows artifacts that still require further testing and research. No matter if you are a veteran forensic examiner or new to the DFIR field, you will learn a lot from the FOR 408 course.
Day 1 of DFIRNetWars was earlier this evening and just a few quick comments. This experience was an eye opening experience for me and others that I spoke to afterwards...many of whom were competing in DFIRNetWars for the first time, including myself. After Day 1, @CdtDelta is leading the competition (good job Tom). DFIRNetWars is a fun, challenging competition that covers hosted-based forensics, network forensics, malware, and memory analysis. Early on in the competition, game stress got the best of me and I dropped out of the top 10 (it's a marathon, not a sprint). I found out quickly that I needed to slow down and get in my zone. Even if you have been doing forensics for years, competing in a cyber competition (like DFIRNetWars and others) is a great way to grade your current skill-set and get an idea of what you need to do to improve your forensic and IR processes. Smooth is fast...fast is smooth.
The SANS @ Night talks have also been great. I plan on completing a review in the form of a blog post and will share it right here.