Learnt a whole lot from the FOR558 Network Forensics class conducted this week (by George Bakos, also a real hardcore Linux g33k!), a real eye-opener on what can (and should) be done regarding digital evidence from the network: (manual!) DPI… reverse engineering custom network protocols/tunnels… reconstruction and correlation of network activities from logs/caches… Mad stuff, this is.
Whether or not there’ll be opportunities to put these into direct use in the (near) future, I’ll start looking into doing some more network logging for my own analysis and practice. Perhaps some ideas/”research”/tools could come of it as a result?
<brag> On a side note, George gave me his SANS Lethal Forensicator Coin for participation in the class! Really surprised, heh </brag>
More interesting is how this coin came about:
… in which many in the field call “Nintendo Forensics”, where there is too much reliance on automated examinations vs. traditional analysis. The main argument is that too much reliance on automation produces poor reports. … The term Forensicator stuck and is being utilized in many computer forensics and incident response firms to describe individuals that essentially perform the same type of work as “Forensicator Pro”.
Have to remember to keep things simple, yet not to shun a method/technique just because the easiest way to do it is tough (which is usually the case).