Tracer FIRE (Forensic Incident Response Exercise) is a four-day hands-on computer security workshop for cyber security professionals in DOE and other government agencies. Tracer FIRE aims to empower cyber security responders with skills and techniques to recognize and dissect nefarious network activity and malicious software.
March 07–10, 2011
La Fonda Hotel
100 E. San Francisco St.
Santa Fe, New Mexico 87501
Registration Form (pdf)
Days 1 and 2: Workshop sessions
Attend a two-day session in one of the following:
Host Forensics, Malware Reverse Engineering, or Network Reverse Engineering.
Please note: Space in each class is limited, particularly in the Malware Reverse Engineering class. Be sure to register soon to ensure enrollment in your chosen class.
Evening, Day 2: Meet-and-Greet Reception
Expand your network as you meet and mix with your fellow attendees at a reception.
Days 3 and 4: Capture the Flag Exercise
Break into teams and compete head-to-head with other participants to test your newly acquired skills and knowledge in the challenging network security contest.
- Rapid Response Cyber Forensics
- Introduction to EnCase Enterprise
- Memory Space: The Final Frontier
- Forensic Memory Acquisition and Analysis: Memoryze and Audit Viewer
- File Systems for Incident Responders: NTFS and Cell Phone
- Windows Event Logs and Registry Analysis
- Prefetch File Analysis
- System Restore Point Analysis
- Internet History Analysis
- Windows Kernel Debugging
- Forensic Crash Dump Analysis
- File Carving and PDF Dissecting
- APT Forensic Analysis
- Creation and Use of IOCs
- Polymorphic EnScripting Hypervisor Magic
- Laptop capable of running VMware Workstation (VMware Fusion on the Mac is fine)
- Fully configured VMware Workstation Windows XP virtual machine with the following software:
  - IDA Pro
  - Visual Studio 2008
- One USB 2.0 port able to mount FAT32-formatted USB sticks. If you have a Mac, Windows 7, Vista, or XP, this should be just fine. If you're using Linux, you're on your own.
If you bring a system with VirtualBox, VMware ESX Server, or anything that is not VMware Workstation be aware that some (possibly all) of the labs might have problems.
Due to problems last year with theft, I will not provide copies of my reversing VM.
NOT REQUIRED BUT NICE:
If you want to play with VERA, my new visualization tool, it helps if you have a laptop that has a 3D card installed and configured correctly. Most laptops built within the last year or so meet this requirement so it shouldn't be a problem.
I WILL PROVIDE:
Copies of the free tools that we use (OllyDbg, Windbg, Sysinternals Tools, VERA). I will bring a working Ether machine for people to play with.
If you bring hardware (desktop, laptop, server, etc.) that you would like to install Xen/Ether on, I will help you get it set up and running. This will most likely be after class, but depending on how many people are interested we could run through it during class.
- A laptop
- Advanced programming skills are not required. If you have a programming language you're comfortable with, have what you need to use it installed. Otherwise, install python3.
- A plain text or code editor of some sort. If you're using python3, it comes with one (IDLE).
- The tcpflow program will also be useful.
Dining on the Santa Fe Plaza
Your options for lunch (on your own) are many and varied. La Fonda Hotel is home to two restaurants, La Plazuela and La Fiesta Lounge. Santa Fe's historic plaza offers a plethora of dining options.
Host Forensics: Analyzing running machines and hard drive images to find evidence, malware, or behavior.
Malware Reverse Engineering: Analyzing running binaries or executables to find behaviors, IPs, and capabilities; reverse-engineering unknown executables.
Network Reverse Engineering: Analyzing network traffic and log files to find evidence, malware, or behavior; reverse-engineering binary protocols.