[Dshield] Forensic Analysis Practical

Ginski, Richard rginski at co.pinellas.fl.us
Fri Mar 25 22:14:32 GMT 2005


I also like the idea of a journal. However, I feel, it wouldn't address
an important aspect of a student actually doing the practical. (Although
information sharing is definitely important.) There were some
exceptions, but the practicals weren't just about writing papers.  

For the students, the practicals were the only perceived avenue to prove
that you have acquired not only the knowledge but the _skills_ for that
given certification. The requirements of the practicals forced this to
occur.

For example, part 1 of 3 in my practical assignment was to:

1) Identify a given binary (renamed, of course).
2) Analyze how it affects the system when installed or run (i.e.
processes, directory structure, etc.).
3) Perform MAC analysis.
4) Locate the source code on the net, compile it, and compare MD5 hash
values with the binary we were given. Determine whether they matched. If
they didn't, determine why.

For 1-4 we had to include evidence, data, and results in our practical
to prove/substantiate our identification and analysis of its effect on the
system.

There were two other parts to my practical. This was just one.
Practicals were more than just papers and, I feel, served a very
important purpose. 
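A small script covering steps 3 and 4 of the practical described above, added here as an illustration and not part of the original post or of any GIAC assignment: it hashes the "given" binary and a locally compiled build with MD5 and SHA-256, records the modified/accessed/changed (MAC) timestamps from the inode, and reports whether the digests match along with the size difference, which is the first clue when a rebuild differs (different compiler version, build flags, stripped symbols, or a packed or modified binary). File names and contents are constructed stand-ins; SHA-256 is collected alongside MD5 because MD5 alone is no longer collision-resistant.

```python
"""Hash and MAC-time triage of a given binary versus a locally compiled build.

Example code added for illustration; paths and file contents are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def file_hashes(path, chunk_size=65536):
    """Return MD5 and SHA-256 hex digests plus size, reading the file in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "size": os.path.getsize(path),
    }


def mac_times(path):
    """Return the inode's Modified/Accessed/Changed timestamps as UTC ISO 8601.

    Note: on Linux st_ctime is the inode change time, not the creation time.
    """
    st = os.stat(path)

    def iso(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

    return {
        "modified": iso(st.st_mtime),
        "accessed": iso(st.st_atime),
        "changed": iso(st.st_ctime),
    }


def compare_binaries(given_path, compiled_path):
    """Compare digests of the given binary and the rebuild; report match and size delta."""
    given = file_hashes(given_path)
    compiled = file_hashes(compiled_path)
    return {
        "given": given,
        "compiled": compiled,
        "md5_match": given["md5"] == compiled["md5"],
        "sha256_match": given["sha256"] == compiled["sha256"],
        # A non-zero delta points at stripped symbols, different build flags,
        # or added code; a zero delta with differing hashes suggests a small
        # patch or embedded build metadata (timestamps, paths).
        "size_delta": compiled["size"] - given["size"],
    }


def demo():
    """Constructed sample: a 'given' binary, an identical rebuild, and a rebuild
    that differs by one byte. Returns the two comparison reports and MAC times."""
    with tempfile.TemporaryDirectory() as tmp:
        given = os.path.join(tmp, "given.bin")          # constructed stand-in
        same = os.path.join(tmp, "rebuild_same.bin")    # constructed stand-in
        diff = os.path.join(tmp, "rebuild_diff.bin")    # constructed stand-in
        for path, data in ((given, b"abc"), (same, b"abc"), (diff, b"abd")):
            with open(path, "wb") as fh:
                fh.write(data)
        return {
            "identical": compare_binaries(given, same),
            "differing": compare_binaries(given, diff),
            "mac": mac_times(given),
        }


if __name__ == "__main__":
    report = demo()
    for label in ("identical", "differing"):
        r = report[label]
        print(f"{label}: md5_match={r['md5_match']} sha256_match={r['sha256_match']} "
              f"size_delta={r['size_delta']}")
        print(f"  given    md5={r['given']['md5']}")
        print(f"  compiled md5={r['compiled']['md5']}")
    print("MAC times of given binary:", report["mac"])
```

When the digests differ, the size delta and a side-by-side of the two files' sections (for example with `strings` or an ELF reader) narrow down whether the difference is build environment noise or a real modification to the code; that second step is what the practical asks the student to determine.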

-----Original Message-----
From: list at lists.dshield.org [mailto:list at lists.dshield.org] 
Sent: Friday, March 25, 2005 8:28 AM
To: list at lists.dshield.org; peteoutside at yahoo.com
Subject: Re: [Dshield] Forensic Analysis Practical

I'm not aware of any peer review in our community outside of the SANS
reading room.  In the pages of the few publications that concern
themselves with network security, all I see are articles on "best
security practices" and explaining security issues and requirements to
upper management.  So, inasmuch as network defense (especially the
analytic portions of it--intrusion analysis, log review, forensics) is
in many ways an empirical science, our community is WAY behind every
other scientific and engineering community out there.  I think this is a
great reason why IT security generates a lot of energy and noise and
very little seems to be changing in recent days.
 
Personally, I would like to see a publication along the lines of a
scientific journal, complete with serious peer review.  People could
write articles on analytical technique, reviews of tools, case studies,
and so forth.  I believe that there would be less pressure in this forum
than you might find in a GIAC practical assignment.
 
Thoughts?
 
Regards,
 
Pete

Kenton Smith <kenton at mail2techie.com> wrote:

>I will miss having my work published having been validated by the 
>industry. I will miss the chore that forces me to apply the entire 
>process and gain experience not able to be taught in the classroom. I 
>will miss Reading Room, where solutions can often be found having been 
>proven and vetted by other IT professionals (often with much better 
>instructions than vendor docs).


I don't think there is anything stopping you from submitting to the
Reading Room. It isn't just practicals. Maybe the reading room will be
turned into something else?

Kenton





-------------- Sponsor Message ------------------------------------
Join us at SANSFIRE 2005 in Atlanta!
The Internet Storm Center Conference.
Details: http://www.sans.org/sansfire2005

_______________________________________________
send all posts to list at lists.dshield.org To change your subscription
options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

