SANS Digital Forensics and Incident Response Blog

SANS Digital Forensics and IR Summit 2010: Network Forensics Panel Questions Released!

The 2010 Digital Forensics and Incident Response Summit's focus this year is examining and advancing the digital forensic professional to deal with advanced threats such as the APT and organized crime. Understanding how many of these crimes take place is crucial to creating lethal forensicators armed with the knowledge and skills to analyze complex cases. REGISTER NOW!!

Network Forensics Panel

Panelists will discuss the challenges of properly collecting and analyzing network-based evidence, which is critical in investigations. Data collected from intrusion detection systems, firewalls, routers, proxies, and access points all end up telling unique stories that could be critical to solving your case. Learn the latest techniques that are utilized in reacting to real attacks that these experts have responded to. This panel includes some of the best minds for the future of Network Forensics. Listen to what they have to say. Network Forensics: No Hard Drive? No Problem.


Questions/Topic Areas

  1. Describe some interesting cases you've had which couldn't have been solved without corroboration with network-based sources of forensic evidence. What saved the day?
  2. Why has network forensics suddenly become extremely relevant? This isn't exactly new. What changed?
  3. How has the APT changed the way we approach network forensics?
  4. Is IDS enough? Do we need to use more network correlation to help investigate major incidents?
  5. What is the biggest mistake organizations make regarding network based analysis?
  6. What factors currently limit the number of intrusions detected and investigated via the network?
  7. Many attackers such as the APT are using http/https as a path for outbound C2 channels. How can you detect and analyze this traffic effectively?
  8. If you were designing a C2 channel that is hard to analyze on the network, what would it look like? Why would it be hard to analyze?
  9. Many organizations are just beginning to think about building network forensics capabilities into their infrastructure. What recommendations do you have for implementing and configuring particular tools for network forensics in the enterprise BEFORE the compromise?
  10. Can we leverage network monitoring to build comprehensive situational awareness of our operating environments in a way that scales well? How could such an awareness allow us to find anomalous and malicious behavior?