SANS Digital Forensics and Incident Response Blog

Sneak Preview: FOR572 on PaulDotCom June 12, 2013

You might have noticed that we recently posted the course description for the upcoming all-new course, FOR572: Advanced Network Forensics and Analysis. FOR572 will include a lot of tcpdump and Wireshark work, but it also goes beyond that, using a "big picture" approach that incorporates evidence and methods covering all kinds of network-based systems and devices. Since every device that handles a network communication can provide a unique and valuable "witness's view" of an incident, these skills are critical to conducting a comprehensive investigation. However, with so many sources and formats of evidence, analysis quickly becomes a challenge. Mo' evidence, mo' problems...

Although the course is still under heavy development, we wanted to provide a sneak preview of some features that you'll see in the classroom, but that you can also put to use immediately. On this week's PaulDotCom Security Weekly show, I will be giving a brief primer on Logstash. You've certainly heard about the value that tools like Splunk and ELSA can provide. Although Logstash is a similar tool, the incredibly robust filtering engine combined with dozens of inputs and output plugins makes it an ideal choice in many situations. Oh - it's completely free and open-source, and can ingest tens of thousands of events per second. Interested yet?

FOR572 will include a pre-built VMware image containing a just-drop-in-your-data Logstash installation, with a web-based frontend for quick and efficient queries.

Join me this Thursday, as I talk with Paul and the crew about how you can use Logstash to improve your investigations today. Then, get psyched up for FOR572, where you'll use it to attack real-world investigative scenarios and gain skills you'll use the first day back on the job.