
Fun in New Orleans!

First class of the year!

Ever since I stopped being a software engineer, I don’t get to code as much (not daily anyway!) and I really miss it! So for the new year, I wanted to take a week and just code! Therefore… I spent the past week in New Orleans taking the SANS 573 - Automating Information Security with Python class.

Python python python!


Things I loved from this class:

  • Utilizing Python to extract registry info
  • Converting Python 2 code to Python 3 and the few gotchas
  • Writing and compiling your own backdoor
  • Regex

Writing your own pcap parser:
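As an added example of what a hand-rolled pcap parser looks like (this is not code from the post or from the SANS course materials), the block below walks the classic libpcap file format with nothing but `struct`: it detects byte order and timestamp precision from the magic bytes, checks every record length against the buffer before slicing so a truncated or corrupt capture raises an error instead of returning garbage, and decodes the Ethernet/IPv4 header of each frame. The capture it reads is a constructed sample built inside the script; the MACs and IPs in it are made up.

```python
import struct
from typing import Dict, List, Optional, Tuple

# pcap magic bytes as they appear on disk -> (struct byte order, timestamp fraction divisor)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microsecond fractions
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microsecond fractions
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanosecond fractions
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanosecond fractions
}
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def parse_pcap(data: bytes) -> Tuple[int, List[Tuple[float, int, bytes]]]:
    """Parse a classic (non-pcapng) capture into (linktype, [(timestamp, orig_len, payload), ...]).

    Every length is validated against the buffer before slicing, so a truncated or
    malformed file raises ValueError rather than yielding silently wrong packets."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    try:
        order, ts_div = PCAP_MAGICS[data[:4]]
    except KeyError:
        raise ValueError(f"not a pcap file (magic {data[:4].hex()})") from None
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    packets = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"implausible record length {incl_len} at offset {off - 16}")
        if off + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        packets.append((ts_sec + ts_frac / ts_div, orig_len, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def decode_ethernet(frame: bytes) -> Optional[Dict[str, object]]:
    """Extract the Ethernet header and, for IPv4 frames, the addresses and protocol number."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info: Dict[str, object] = {
        "dst_mac": frame[0:6].hex(":"),
        "src_mac": frame[6:12].hex(":"),
        "ethertype": ethertype,
    }
    # IPv4 header starts at offset 14; protocol at +9, source at +12, destination at +16
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34 and frame[14] >> 4 == 4:
        info["src_ip"] = ".".join(str(b) for b in frame[26:30])
        info["dst_ip"] = ".".join(str(b) for b in frame[30:34])
        info["proto"] = frame[23]
    return info


def summarize(data: bytes) -> List[Dict[str, object]]:
    """One dict per packet: timestamp, original length and whatever decode_ethernet found."""
    linktype, packets = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    rows = []
    for ts, orig_len, payload in packets:
        row: Dict[str, object] = {"ts": ts, "len": orig_len}
        row.update(decode_ethernet(payload) or {})
        rows.append(row)
    return rows


def build_sample_pcap() -> bytes:
    """Constructed sample (not a real capture): little-endian microsecond pcap, two Ethernet/IPv4/UDP frames."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 28, 1, 0, 64, 17, 0,        # IHL=5, total length 28, TTL 64, UDP
                         bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]))
    udp_hdr = struct.pack("!HHHH", 53000, 53, 8, 0)           # src port, dst port, length, checksum
    frame = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
             + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + udp_hdr)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(
        struct.pack("<IIII", 1_700_000_000 + i, 250_000, len(frame), len(frame)) + frame
        for i in range(2)
    )
    return global_hdr + records


if __name__ == "__main__":
    for row in summarize(build_sample_pcap()):
        print(row)
```

Point it at a real file with `summarize(open("capture.pcap", "rb").read())`; pcapng captures (the default for recent Wireshark) use a different block structure and are rejected by the magic check, which is the right failure mode for a parser you intend to trust in an investigation.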

Regex fun (to parse out img tag URLs from log files):
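To make the regex exercise concrete, here is an added example (my own, not the course’s or the post’s code) that pulls every `<img src=...>` URL out of log lines and then reduces them to the distinct external hosts, which is the usual next question in a proxy-log review. The log lines are constructed samples that assume a proxy which writes response bodies inline; the hostnames and IPs are made up. The pattern handles the common variations (upper-case tags, other attributes before `src`, single, double or no quotes, spaces around `=`) and, by staying inside one tag with `[^>]*?`, does not merge two tags on the same line the way a greedy `.*` would.

```python
import re
from typing import List, Set, Tuple
from urllib.parse import urlparse

# One <img ...> tag at a time: [^>]*? cannot cross the closing '>', so two tags on one
# line give two matches; whichever quote (if any) opens src= must also close it.
IMG_SRC_RE = re.compile(
    r"""<img\b[^>]*?\bsrc\s*=\s*(?P<q>["']?)(?P<url>[^"'\s>]+)(?P=q)""",
    re.IGNORECASE,
)

# Constructed sample log lines (not real traffic): a proxy that logs response bodies inline.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z 10.0.0.5 GET / 200 body=<html><img src="http://cdn.example.com/logo.png" alt="logo"></html>
2024-01-15T10:00:02Z 10.0.0.5 GET /a 200 body=<IMG class=hero SRC='https://img.example.org/a.jpg'><img src=/local/b.gif>
2024-01-15T10:00:03Z 10.0.0.7 GET /b 200 body=<p>no images here</p>
2024-01-15T10:00:04Z 10.0.0.7 GET /c 200 body=<img   src = "http://cdn.example.com/logo.png">
"""


def extract_img_urls(lines) -> List[Tuple[int, str]]:
    """Return (line_number, url) for every img src found, in file order."""
    found = []
    for lineno, line in enumerate(lines, start=1):
        for m in IMG_SRC_RE.finditer(line):
            found.append((lineno, m.group("url")))
    return found


def external_hosts(urls) -> Set[str]:
    """Distinct hosts fetched over http(s); relative paths such as /local/b.gif have no host and are dropped."""
    hosts = set()
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.add(parsed.hostname)
    return hosts


if __name__ == "__main__":
    hits = extract_img_urls(SAMPLE_LOG.splitlines())
    for lineno, url in hits:
        print(f"line {lineno}: {url}")
    print("hosts:", sorted(external_hosts(url for _, url in hits)))
```

One caveat worth knowing before trusting the output: the pattern accepts any `src=` inside the tag, including one buried in another attribute’s value such as `alt="src=x"`, so for HTML that an adversary controls, feed the tag to `html.parser` and read the real `src` attribute instead of relying on the regex alone.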

The class was well structured and the PyWars challenge was super fun. I felt the most accomplished during the regex module because it uncovered a lot of the mysteries about regex that I never understood (and now I do!). Overall, I would definitely recommend!

New Orleans was absolutely a lot of fun as well. The food is delicious if you are into fried chicken, seafood, and comfort food! Although… I would highly recommend saving the comfort food for AFTER class because it was TOO comforting for lunch, and I defiiiinitely had a hard time staying awake in class that one day! (Learned my lesson!) :‘)

I visited a ton of music bars. I got to try my first “Hurricane” drink at Pat O’Brien’s bar, attended my first Mardi Gras parade in the French Quarter/Bourbon Street, and got to experience the whole #NOLA vibe of bar hopping/drinking/partying all day & night on the street. It was a lot of fun, and I probably won’t be drinking ever again for the next 10 years…

Fun coincidence: On the plane to the event, I sat next to 2 other students who were also attending the same event! It was a lot of fun chatting with them and learning more about their experience. If you’re reading this Rob & Miranda — hi!! :)

Netwars - DFIR

At bigger SANS events, there’s what’s known as a Netwars tournament. There are a few types: Core (offensive), DFIR (forensics), GRID, ICS, and Defense (packet heavy). Whichever one you choose to go to, they’ll hand you a USB at the door. You set up your VM, and the moment the event starts, the server opens with a list of questions that you answer using your knowledge of the topic. There are 5 different levels. It starts out easy, with many hints, and gets progressively harder, with no hints at level 5. I personally think Netwars is the most fun part of attending a SANS event and would highly recommend that everyone play it and try it out!

This time around, I participated in the DFIR Netwars and was able to take home a coin for making it into the top 5 (individually). I got to level 3 and had about 520 points in the end. Since I don’t get to do actual DFIR at work, I had a lot of fun playing at this event! In this particular DFIR Netwars, you get some machine images, pcaps, and smartphone (Android/iPhone) artifacts. Then, to answer the questions and score points, you have to get your hands dirty: digging deep into registry hives, looking at prefetch files, reading pcaps, performing memory forensics, malware analysis… etc!

Not only did this event help me see my strengths in host forensics & malware analysis, it also showed the areas where I was weak and wanted to learn more (packets, Mac and smartphone forensics). I loved the fact that I could skip the parts I didn’t know and still level up. I’m not sure how some teams could get to level 5 in 2 short days… but that’s some serious skill and dedication!

This is the coin… isn’t it beautiful =)

Tips: Have your VMs set up prior to participating in the event and free up space on your computer! This will speed up the setup process and can save you about 30 mins! Also, if you are new, don’t be afraid to take hints. If you’re taking more than 5 mins to answer a question, just take the hints. It doesn’t matter if you win or not. The most important thing is to walk away learning something new! :)

A new cert!

I took the reverse engineering exam right before I flew out to New Orleans. The moment I got home, my GREM cert arrived (what great timing!)! I really loved this class, and will definitely continue to practice and write more about this topic in the future.

That’s it for this blog. I’ve been catching up on school after my week away, so there’s a mountain of work waiting for me… but I promise that I will write more once I get over my 13 lectures for school! While I mentioned in another blog post that I was taking 3 classes and planning to finish my Masters… it wasn’t feasible due to the courses’ workload and difficulty. I ended up dropping a class and chose to delay my graduation by a semester so I don’t completely hate life (for having no life!). Again, prioritizing mental health is one of my priorities for this year. ;)