Having fun while learning about and pivoting into the world of DFIR.
by ogmini
Continuation from Part 4 looking back at my coursework in the Master’s Degree in Digital Forensic Science. In this post, I’ll be talking about DFS-530 Incident Response and Network Forensics.
This course had a big mix of theory, labs, and discussions on many topics related to incident response. The discussions centered heavily on what I’d consider important soft skills and buiding an incident response team. Some example discussions include:
I felt that the relationship management discussion was very important and one that is easily overlooked. If you are internal or an external incident responder, you need to quickly work with many different people across an organization. They may see you as a problem to make go away as fast as possible. They may not want to work with you. They may think you are there to get them in trouble. The fears and difficulties can go on and on. A soft touch and the ability to find some way to work collaboratively with them will make everyone’s lives easier. The course also had assignments related to writing professional memos or proposals on various topics. Again, a useful skill being able to succinctly present and make requests to upper management. Hard to get the resources to do you job if you don’t know how to ask and justify them.
The labs for me were a mixed bag. The labs that involved analysis using Wireshark, tcpdump, and NetworkMiner were very focused and enjoyable. None of them were incredibly difficult but showed practical use of the tools. Sidenote, I’m a a little skeptical about the real world applicability since most traffic is now encrypted. Still important to know how network traffic works and the tools. The first lab on Splunk was literally just doing their tutorials. I’m on the fence if this is something the student should just be expected to do on their own and not a graded assignment. I had exposure for Splunk before this class so that may color my opinion.
The last lab on Splunk was a complete failure. The course used the Boss of the SOC v1 dataset from Splunk https://www.splunk.com/en_us/blog/security/what-you-need-to-know-about-boss-of-the-soc.html and the Splunk instance that was provided was hosted and administered by another college. Unfortunately, this instance was non-functional during our class and no one was able to complete the lab. I ended up spinning up my own trial Splunk instance on a VM and installing the dataset from https://github.com/splunk/botsv1 to complete the lab just for my own practice and knowledge. The whole situation left a bit of a sour taste in my mouth and my only advice would be to not rely on other’s for your infrastructure.
I also don’t think it is unreasonable to expect student’s to be able to install a trial instance of Splunk, load the Boss of the SOC v1 dataset, and complete the lab.
Still, a useful class.