While contemplating regular training exercises that are brief and relevant to our environment, I found David Cowen’s tweet about his third iteration of building an internal digital forensics and incident response training program insightful. In summary, Cowen wrote:
- Don’t expect new hires to know your systems and processes. Make training accessible.
- Don’t rely on external training.
- Vary how training is delivered to include live/virtual classes to work together and solve problems.
- Set up environments for the team to learn and make mistakes.
Being mostly remote, I was interested in experimenting with how topics are delivered and how we interact as a team. A small-scale table-top exercise was developed to:
- Verify a team member has a go-bag equipped to collect RAM from a target computer on-site within our environment.
- Verify a team member has some familiarity using tools like Volatility and a hex editor.
- Collectively test our processes, and modify as necessary. Are we able to execute as intended? What mistakes, if any, were made?
Making a mistake is uncomfortable. With the right mindset and a supporting environment, mistakes become an opportunity to make impactful changes before our expertise is needed the most. I wanted the exercise to support that, as well.
“Vulnerability is the birthplace of innovation, creativity and change.” (Brené Brown at TED2012)
The format of the exercise I used earlier this month was simple:
Exercise: Collect and analyze RAM from a target computer.
Prerequisites: Go-bag, including external USB storage media loaded with tools. A laptop loaded with appropriate tools.
Expected outcome: Verified team members have a go-bag equipped to collect RAM from a target computer. Gaps are evaluated and remediated as a team.
Scenario: Participants are employees at “ACME Co.” The exercise is divided into three tasks. I found it helpful to structure the tasks as job instructions, but they are simply summarized below:
- Task 1 (estimated time, 15 minutes): Collect RAM from an enterprise device at “ACME Co.”
- Task 2 (estimated time, 15 minutes): Identify arbitrary processes and process IDs for a given executable (based on the SANS DFIR Find Evil – Know Normal poster). Points are awarded for completing elements of this task.
- Task 3 (estimated time, 10 minutes): Identify arbitrary text described as a shopping list (I was hungry) from a memory sample staged for this task. Points are awarded for completing elements of this task.
Discussion: Reflect on what went well and what didn’t.
To add variation, I took a hint from Black Hills Information Security’s incident response card game, Backdoors & Breaches, and used a 20-sided die. The die was used to determine which RAM capture tool was used – knowing how to use our backup tools is as important as knowing how to use our primary tools.
- Any value ≥5 and ≤15: the participant chooses the tool.
- Any value ≥16 and ≤20: a spectator chooses the tool.
- A value of 4 = FTK Imager, 3 = WinPmem, 2 = Magnet RAM Capture, 1 = Belkasoft RAM Capturer.
The arbitrary text in the memory sample was a shopping list. It was created on a Windows 10 OS using notepad.exe and never saved to disk. The participant was expected to identify a keyword from the scenario and search for it with a hex editor using the appropriate code page (UTF-16), since Notepad holds its text buffer in memory as UTF-16 and a plain ASCII search will not find it.
Shopping list: 1) scallions 2) beef short rib 3) tofu 4) brown sugar 5) sake 6) banana 7) yogurt 8) avocado 9) broccoli 10) eggs
DFIR Cooking Hint: My favorite beef short rib recipe.
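To make the UTF-16 point concrete, here is an added example (my own illustration, not code from the original exercise) that searches a constructed, in-memory stand-in for a RAM capture the way a hex editor would: once for the keyword as plain ASCII, once as UTF-16LE. The sample buffer, the `SHOPPING_LIST` constant and the helper names (`utf16_needle`, `find_keyword`, `carve_utf16_string`, `recover_list`) are all assumptions of this example; the shopping list itself is the one staged for Task 3.

```python
# Added example (not from the original post): why a memory search for Notepad
# text needs UTF-16LE. Notepad holds its buffer as UTF-16LE, so each ASCII
# character is followed by a 0x00 byte and a plain ASCII search misses it.
# The "memory sample" below is constructed inline; all names are assumptions.

SHOPPING_LIST = "1) scallions 2) beef short rib 3) tofu 4) brown sugar 5) sake"

# Constructed stand-in for a RAM capture: some filler bytes, the shopping list
# as Notepad would hold it (UTF-16LE, never written to disk), then more filler.
SAMPLE = (
    b"\x00" * 16
    + b"MZ\x90\x00"            # a PE-header-looking fragment as a decoy
    + b"\xde\xad" * 8          # non-text filler
    + SHOPPING_LIST.encode("utf-16-le")
    + b"\x00" * 8
    + b"\xff" * 4
)


def utf16_needle(keyword):
    """The byte pattern to type into a hex editor's search box when the code
    page is set to UTF-16 (little-endian), e.g. 'sake' -> b's\\x00a\\x00k\\x00e\\x00'."""
    return keyword.encode("utf-16-le")


def find_keyword(buf, keyword):
    """Return every offset of keyword in buf, once as plain ASCII and once as
    UTF-16LE, so the two encodings can be compared side by side."""
    hits = {"ascii": [], "utf-16-le": []}
    for enc in hits:
        needle = keyword.encode(enc)
        idx = buf.find(needle)
        while idx != -1:
            hits[enc].append(idx)
            idx = buf.find(needle, idx + 1)
    return hits


def carve_utf16_string(buf, offset):
    """Grow outward from a UTF-16LE hit while neighbouring code units are
    printable ASCII (low byte 0x20..0x7E, high byte 0x00); this recovers the
    whole line the keyword sits in and stops at NUL or binary filler."""
    def printable(i):
        return (0 <= i and i + 1 < len(buf)
                and buf[i + 1] == 0x00 and 0x20 <= buf[i] <= 0x7E)

    start = offset
    while printable(start - 2):
        start -= 2
    end = offset
    while printable(end):
        end += 2
    return buf[start:end].decode("utf-16-le")


def recover_list(buf, keyword):
    """Task 3 in one call: search for the keyword as UTF-16LE and carve the
    surrounding text; returns None if the keyword is not present."""
    hits = find_keyword(buf, keyword)["utf-16-le"]
    if not hits:
        return None
    return carve_utf16_string(buf, hits[0])


if __name__ == "__main__":
    for enc, offsets in find_keyword(SAMPLE, "scallions").items():
        print(f"{enc:9s} hits at: {offsets}")
    print("hex-editor needle:", utf16_needle("scallions").hex(" "))
    print("recovered:", recover_list(SAMPLE, "scallions"))
```

Run as-is, the ASCII search returns no hits while the UTF-16LE search lands on the list, which is exactly the trap a participant who leaves the hex editor on its default code page walks into. The carving step is a simplification: it only accepts printable ASCII code units, so it will truncate at accented or non-Latin characters, which is fine for a shopping list but worth remembering on real captures.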
Committed to the theme, and inspired by Lee Whitfield’s video on how he creates the Forensic 4:cast awards, I made this small token of glory. It was awarded to the individual with the most points from tasks 2 and 3.
This was my attempt at developing a brief table-top exercise. Not only was it intended to be engaging and interactive, it was also meant to verify that we could perform a specific task. The entire exercise was executed in about 2 hours. After reflecting on what went well and what didn’t, we agreed on appropriate changes to improve the process. The exercise was a success.
I have a new appreciation of the time it takes to research and develop a single exercise – hats off to the digital forensic instructors, course developers, capture-the-flag organizers, and other individuals of their respective teams.
The plethora of external training resources is amazing – paid and free. I’m curious, however: how are others reinforcing those lessons with an internal team? Chris Crowley shared a video on training effectively that I will be taking notes from.
Additionally, here are a couple of relevant blog posts from Brett Shavers that I saved and you might also find interesting: