29.01.2020 11:00
TRANSITS II in Utrecht
I had the pleasure to take part in the TRANSITS II training in Utrecht in January 2020. One of the great things about these trainings is that they are not just about tools and techniques, but about getting to know people from other CERTs/CSIRTs, especially from the European community.
However, the training part was also fun to have. TRANSITS II is split into three modules, i.e. forensics, communication and NetFlow, distributed over three days. While the netflow part gets a full day on its own, forensics and communication alternate over the other two days.
For the practical parts, prepared laptops are provided, which is a good thing because everyone can start working right away, but has the disadvantage that we couldn't practice outside of the course hours and couldn't take any data/scripts/etc. with us.
Forensics
This module covers a lot of ground and touches many topics to get you started and interested in the field. Of course, you won't become a forensics expert in these few days, but this isn't the goal anyway. In general terms, disk forensics, memory forensics and steganography were covered, always illustrated by examples the instructors had encountered at some point, which was helpful to memorize the content.
For the most part, topics are introduced theoretically and then immediately put into practice. This includes non-technical exercises as well, e.g. learning to "seize" a laptop and remove the hard drive to get its serial number while not destroying any evidence and maintaining a thorough protocol as well as a chain of custody. If you've never done this before, you'll see how easy it is to forget to write down something, which may lead to real problems in a potential legal case. (And you'll definitely learn how annoying it is to pry open devices when you have to use gloves and can't use your fingernails ;)) We worked on disk images as well as memory images using standard UNIX commands like dd, strings, etc., but also more advanced tools like volatility. At the end of the module, there was a short capture-the-flag-like game where we had to use everything we'd learned during the previous two days, which I enjoyed very much.
Communication
As most people who work in CERTs/CSIRTs know, communication is something we have to do all the time and in many cases it's also where problems are the most obvious, so I consider covering this topic in an otherwise technical training to be a neat idea.
First, some basic principles of communication according to NLP (neuro-linguistic programming) were introduced, and then again we put them into practice. This was an interesting experience, but I thought it to be a bit too little integrated into the context of the class, i.e. we trained very general skills but didn't get into how we can use this in the technical world we work in, something like "how do I communicate technical content in a way that other people (including management) can understand?"
NetFlow
The last day was a hands-on deep dive into the world of NetFlow and specifically into how to work with NetFlow data using the open source tools nfdump and nfsen. After a general introduction to NetFlow, how sampling impacts what you can see, and the tools we were going to use, as well as an overview of which others exist out there, we got a dataset and a list of tasks we had to do with it, like finding peaks of certain flow types and interpreting their significance, etc. This playing around was very beneficial for understanding what you can and can't do with NetFlow data.
Conclusions
The TRANSITS II training is a great opportunity to get you started in the fields of forensics and NetFlow and also introduces you to some basic communication skills which are often ignored in other technical trainings. Additionally, it is a good opportunity to get to know other people from the CERT/CSIRT community, so I can wholeheartedly recommend it :)
This blog post is part of a series of blog posts related to our CEF Telecom 2018-AT-IA-0111 project, which also supports our participation in the CSIRTs Network.