Byte-sized Training


Contemplating regular training exercises that are brief and relevant to our environment, I found David Cowen’s tweet about his third iteration of building an internal digital forensics and incident response training insightful. In summary, Cowen wrote:

  1. Don’t expect new hires to know your systems and processes. Make training accessible.
  2. Don’t rely on external training.
  3. Vary how training is delivered to include live/virtual classes to work together and solve problems.
  4. Set up environments for the team to learn and make mistakes.

Being mostly remote, I was interested in experimenting with how topics are delivered and how we interacted as a team. A small-scale table-top exercise was developed to:

  1. Verify a team member has a go-bag equipped to collect RAM from a target computer on-site within our environment.
  2. Verify a team member has some familiarity using tools like Volatility and a hex editor.
  3. Collectively test our processes, and modify as necessary. Are we able to execute as intended? What mistakes, if any, were made?

Making a mistake is uncomfortable. With the right mindset and a supporting environment, mistakes become an opportunity to make impactful changes before our expertise is needed the most. I wanted the exercise to support that, as well.

Vulnerability is the birthplace of innovation, creativity and change.

Brené Brown at TED2012

Main Course

The format of the exercise I used earlier this month was simple:

Exercise: Collect and analyze RAM from a target computer.
Prerequisites: Go-bag, including external USB storage media loaded with tools. A laptop loaded with appropriate tools.
Expected outcome: Verified team members have a go-bag equipped to collect RAM from a target computer. Gaps are evaluated and remediated as a team.
Scenario: Participants are employees at “ACME Co.” The exercise is divided into three tasks. I found it helpful to structure the tasks as job instructions, but they are simply summarized below:

  • Task 1 (estimated time, 15 minutes): Collect RAM from an enterprise device at “ACME Co.”
  • Task 2 (estimated time, 15 minutes): Identify arbitrary processes and process IDs for a given executable (based on the SANS DFIR Find Evil – Know Normal poster). Points are awarded for completing elements of this task.
  • Task 3 (estimated time, 10 minutes): Identify arbitrary text described as a shopping list (I was hungry) from a memory sample staged for this task. Points are awarded for completing elements of this task.

Discussion: Reflect on what went well and what didn’t.

To add variation, I took a hint from Black Hills Information Security’s incident response card game, Backdoors & Breaches, and used a 20-sided die. The die was used to determine which RAM capture tool was used – knowing how to use our backup tools is as important as knowing how to use our primary tools.

  • Any value between 5 and 15: the participant chooses the tool.
  • Any value between 16 and 20: a spectator chooses the tool.
  • A value of 4 = FTK Imager, 3 = WinPmem, 2 = Magnet RAM Capture, 1 = Belkasoft RAM Capturer.

The arbitrary text in the memory sample was a shopping list. It was created on a Windows 10 OS using notepad.exe and was not saved to disk. The participant was expected to identify a keyword from the scenario and search for that keyword using a hex editor with the appropriate encoding (UTF-16).

Shopping list:
1) scallions
2) beef short rib
3) tofu
4) brown sugar
5) sake
6) banana
7) yogurt
8) avocado
9) broccoli
10) eggs

DFIR Cooking Hint: My favorite beef short rib recipe.
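The hex-editor search from Task 3, scripted: the snippet below walks a raw memory image looking for a scenario keyword encoded as UTF-16LE (how Notepad holds its text buffer) and as plain ASCII, and prints the decoded text around each hit so neighbouring list items are visible. This is an added example for this post, not the author's tooling; the image path and keyword on the command line are assumptions.

```python
"""Locate a scenario keyword in a raw memory image, as the Task 3 hex-editor
search does, but scripted. Added example, not the post author's tooling.
Usage (assumed): python find_keyword.py image.raw scallions
"""
import mmap
import sys


def _printable(text: str) -> str:
    """Replace non-printable characters so the context reads cleanly in a terminal."""
    return "".join(ch if ch.isprintable() or ch in "\r\n" else "." for ch in text)


def find_keyword(data, keyword: str, context: int = 64) -> list:
    """Return every occurrence of keyword in data (bytes or mmap) for both encodings.

    Each hit is a dict with the byte offset, the encoding that matched, and the
    decoded text surrounding the hit, so the rest of the shopping list shows up.
    """
    hits = []
    for encoding in ("utf-16-le", "ascii"):
        needle = keyword.encode(encoding)
        step = 2 if encoding == "utf-16-le" else 1  # keep UTF-16 code units aligned
        start = 0
        while (off := data.find(needle, start)) != -1:
            lo = max(0, off - context)
            lo += (off - lo) % step
            hi = min(len(data), off + len(needle) + context)
            hi -= (hi - lo) % step
            snippet = bytes(data[lo:hi]).decode(encoding, errors="replace")
            hits.append({"offset": off, "encoding": encoding,
                         "context": _printable(snippet)})
            start = off + 1
    return sorted(hits, key=lambda h: h["offset"])


def main(argv: list) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <memory-image> <keyword>", file=sys.stderr)
        return 2
    # mmap the image so multi-gigabyte captures are searched without loading them whole.
    with open(argv[1], "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for hit in find_keyword(mm, argv[2]):
            print(f"0x{hit['offset']:08x} [{hit['encoding']}] {hit['context']!r}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A keyword that only hits as ASCII (for example in a file name or a web page) but never as UTF-16LE is a quick hint that the text did not come from Notepad's edit buffer.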

Committed to the theme, and inspired by Lee Whitfield’s video on how he creates the Forensic 4:cast awards, I made this small token of glory. It was awarded to the individual with the most points from tasks 2 and 3.



This was my attempt at developing a brief table-top exercise. Not only was it intended to be engaging and interactive, it was also meant to verify that we can perform a specific task. The entire exercise was executed in about 2 hours. After reflecting on what went well and what didn’t, we agreed on appropriate changes to improve the process. The exercise was a success.

I have a new appreciation of the time it takes to research and develop a single exercise – hats off to the digital forensic instructors, course developers, capture-the-flag organizers, and other individuals of their respective teams.


The plethora of external training resources is amazing – paid and free. I’m curious, however. How are others reinforcing those lessons with an internal team? Chris Crowley shared a video on training effectively that I will be taking notes from.

Additionally – here are a couple of relevant blog posts from Brett Shavers that I saved; you might also find them interesting:

