CANCELED:
URL=https://training.defcon.org/products...ab-rat-edition
Name of Training:
Cloud Forensics Workshop and CTF Challenge: Lab Rat Edition
Description: (covers)
How the Cloud has evolved from large-scale virtual servers to smaller containers.
How small board computers or IoT devices can extend beyond the logical boundary of a Cloud.
How to mirror and capture valuable packet data within a virtual environment.
How to obtain and analyze a forensic image, memory capture, and metadata from a virtual instance.
How to obtain and analyze a forensic image from a container and from a small-board computer.
How to analyze logged API calls, storage access logs, metrics, traffic flows, and server logs to look for evidence of suspicious activity.
Key similarities and differences between the three major Cloud Service Providers.
Recommended best practices for writing the after-action reports.
Finally, a contest where students apply their knowledge.
Training description:
Now in its sixth iteration since its initial launch at BSides DC in October 2017, the Cloud Forensics Workshop and CTF Challenge has been a regular feature at security conferences across the country, where security professionals learn the core concepts of digital forensics and incident response in a Cloud computing environment. The newest version of this training session takes place over two days. Day Zero focuses on topics including: how the Cloud has evolved from large-scale virtual servers to smaller, more scalable Docker or Kubernetes containers; how small board computers or IoT devices can extend beyond the logical boundary of a Cloud to gather and analyze critical data such as room temperature, humidity levels, or power levels from attached sensors before relaying the information back to the Cloud; how to mirror and capture valuable packet data within a virtual environment; how to obtain and analyze a forensic image, memory capture, and metadata from a virtual instance; how to obtain and analyze a forensic image from a container and from a small-board computer; how to analyze logged API calls, storage access logs, metrics, traffic flows, and server logs to look for evidence of suspicious activity; recommended vendor and industry best practices for locking down a compromised Cloud environment; key similarities and differences between the three major Cloud Service Providers; and recommended best practices for writing after-action reports. Day Zero also features plenty of hands-on lab exercises in which students gain practical experience with common open-source tools and techniques used in the field.
Day One is the "capstone": students form teams and take on the CTF Challenge itself - an all-day competition in which they are tested not only on what they learned the day before but also on combining it with their own experience and knowledge as they tackle multiple puzzles of varying difficulty to earn points while competing for honors and prizes.
Past content:
Prior versions of this training have been taught at BSides DC (2017, 2019); BSides Charm (2018); BSides NoVA (2019, 2020); HOU.SEC.CON (2019); BSides KC (2019, 2022); BSides Idaho Falls (2019, 2021); BSides Tampa (2020); CyberjutsuCon (2022). The current version of this class ("Lab Rat Edition") is scheduled to be taught at BSides Tampa and HackMiamiCon.
BSidesDC 2017 - https://bsidesdc2017.busyconf.com/sc...41c9127a000268
BSidesDC 2019 - https://bsidesdc2019.busyconf.com/sc...54b6b4a30000ac
BSidesCharm 2018 - https://bsidescharm.org/archive/2018...forensics.html
BSidesNoVA 2019 - https://bsidesnova2019con.busyconf.c...8fd2450200005c
BSidesNoVA 2020 - https://bsidesnova2020.busyconf.com/...d21794d800001b
HOU.SEC.CON 2019 - https://web.archive.org/web/20190327171857/http://houstonseccon.org/training/
BSidesKC 2019 - https://bsideskc2019.busyconf.com/sc...ebbd459000010d
BSidesKC 2022 - https://bsideskc.org/activities/ (listed under "Trainings and Workshops")
BSides Idaho Falls 2021 - https://web.archive.org/web/20210923110258/https://www.bsidesidahofalls.org/cfw.html
Trainer(s) bio:
Kerry Hazelton has spent nearly twenty-five years of his career between Information Technology and Security, developing a deep knowledge of systems and network support, data center operations, Cloud computing, digital forensics, and incident response. As such, he considers himself a “cybersecurity enthusiast” due to his desire and motivation to read up on the latest trends within the industry, to learn about a new exploit or tool, or his willingness to teach and share with others his experiences over the years. He created the Cloud Forensics Workshop and CTF Challenge in 2017, which is a technical workshop that focuses on learning about the science of cloud forensics and its real-world applications, followed by a Capture-the-Flag competition to gauge his students’ comprehension and critical-thinking skills by solving multiple forensics puzzles in a race against each other within the allotted amount of time.
He can be found posting his random thoughts on gaming, hacking, or life in general via Twitter under the handle of @ProfKilroy.
Trainer(s) social media links:
https://twitter.com/ProfKilroy
https://infosec.exchange/@professor_kilroy
Outline:
Day 1: (Day 0)
Training Day (Day 0) - Labs and Group Discussion (each lab will run about 30 to 45 minutes, group discussions about 5 to 10 minutes)
- Group discussion: How the Cloud has Become a Lot Smaller (Bigger?)
- Lab One: Configuring Traffic Mirroring and using Wireshark to capture and analyze the data
- Lab Two: Analysis of Logs to Identify Potential Indicators of Compromise
- Lab Three: Cloud account isolation using Organizational Units and Service Control Policies
- Group discussion: Key similarities and differences between AWS, Azure, and GCP
- Group discussion: How to identify Indicators of Compromise; Vendor and Industry Best Practices for Locking Down an Environment
- Lab Four: Acquisition and analysis of forensic evidence from a compromised virtual server: forensic image, memory capture, metadata
- Lab Five: Acquisition and analysis of forensic evidence from containers and IoT/Edge Devices
- Group discussion: Encryption vs. encoding, Steganography (under which conditions will we see evidence of encryption, encoding, or data exfiltration using steganography)
- Lab Six: Analysis of Portable Executable files using CFF Explorer
- Lab Seven: How Cloud-native tools such as Athena, Detective, Security Hub, and their Azure/GCP counterparts can help identify potential issues in the Cloud
- Group discussion: After-Action Reporting
- Recap/Q&A Session
Students will pre-register for the CTF Challenge after the end of the training session. I will be available to assist with registration issues.
Day 2: (Day 1)
All-day CTF Challenge. Students will be given pre-configured forensic images, PCAPs, logs, and other files to dissect; they will need to extract the artifacts I designate as "flags" in order to earn points. The top three teams will earn prizes, and a special prize will be awarded to the person who turns in the highest individual score.
Technical difficulty:
Intermediate to Advanced.
Suggested Prerequisites:
It is recommended students have a good understanding of Cloud environments and/or digital forensics. It is also recommended that students have some prior experience with tools such as Wireshark, TSK/Autopsy, Volatility and/or YARA, and examining portable executables or malware (but not necessary).
White papers can include those readily available from AWS, Microsoft, and/or Google regarding Cloud environments. I also recommend researching white papers published by Cado Security (as a side note, it was one of their early white papers I came across which helped form the foundation of this class. I have a standing agreement with them to refer to their material and give them credit, but I cannot use their tools and attempt to pass them off as my own) and by Dr. Raymond Choo at UTSA. Of course, there's always YouTube where students can take a crash course in learning about how to use tools such as TSK/Autopsy, Volatility, and YARA.
What students should bring:
Students will need to bring their laptops with them. Minimum specs should be at least an 8th or 9th generation Intel i5 processor (or AMD equivalent) and 16GB of RAM. A Windows environment is preferred, but attendees are welcome to use MacOS or their personal flavor of Linux.
DATE: August 14th-15th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINER: Kerry Hazelton
- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st; a $250 processing fee applies.
Trainings are non-refundable after July 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.