LANL | Cyber Security Research

Cyber Security Science

Tracer FIRE

Tracer FIRE (Forensic Incident Response Exercise) is a four-day hands-on computer security workshop for cyber security professionals in DOE and other government agencies. Tracer FIRE aims to empower cyber security responders with skills and techniques to recognize and dissect nefarious network activity and malicious software.

March 07–10 2011
La Fonda Hotel
100 E. San Francisco St.
Santa Fe, New Mexico 87501

Registration Form (pdf)

Days 1 and 2: Workshop sessions

Attend a two-day session in one of the following:
Host Forensics, Malware Reverse Engineering, or Network Reverse Engineering.
Please note: Space in each class is limited, particularly in the Malware Reverse Engineering class. Be sure to register soon to ensure enrollment in your chosen class.

Evening, Day 2: Meet-and-Greet Reception

Expand your network as you meet and mix with your fellow attendees at a reception.

Days 3 and 4: Capture the Flag Exercise

Break into teams and compete head-to-head with other participants to test your newly acquired skills and knowledge in the challenging network security contest.

Course Details

Host Forensics:  Overview of topics to be covered in the Host Forensics course:

Day One:

  • Rapid Response Cyber Forensics
  • Introduction to EnCase Enterprise
  • Memory Space: The Final Frontier
  • Forensic Memory Acquisition and Analysis: Memoryze and Audit Viewer
  • File Systems for Incident Responders: NTFS and Cell Phone
  • Windows Event Logs and Registry Analysis
  • Prefetch File Analysis
  • System Restore Point Analysis
  • Internet History Analysis

Day Two:

  • Windows Kernel Debugging
  • Forensic Crash Dump Analysis
  • File Carving and PDF Dissecting
  • APT Forensic Analysis
  • Creation and Use of IOCs
  • Polymorphic EnScripting Hypervisor Magic

Malware Reverse Engineering:  Notes from the instructor:


  • Laptop capable of running VMware Workstation (VMware Fusion on the Mac is fine)
  • Fully configured VMware Workstation Windows XP Virtual machine with the following software:
    • IDA Pro
    • Visual Studio 2008
  • One USB 2.0 port able to mount FAT32-formatted USB sticks. If you have a Mac, Windows 7, Vista, or XP this should be just fine. If you're using Linux you're on your own.

If you bring a system with VirtualBox, VMware ESX Server, or anything that is not VMware Workstation be aware that some (possibly all) of the labs might have problems.

Due to problems last year with theft, I will not provide copies of my reversing VM.

If you want to play with VERA, my new visualization tool, it helps if you have a laptop that has a 3D card installed and configured correctly. Most laptops built within the last year or so meet this requirement so it shouldn't be a problem.

Copies of the free tools that we use (OllyDbg, Windbg, Sysinternals Tools, VERA). I will bring a working Ether machine for people to play with.

If you bring hardware (desktop, laptop, server, etc.) that you would like to install Xen/Ether on, I will help you get it set up and running. This will most likely be after class, but depending on how many people are interested we could run through it during class.

Network Reverse Engineering:  Here are some notes from the instructor about what you'll need for the course:

  • A laptop
  • Wireshark
  • Advanced programming skills are not required. If you have a programming language you're comfortable with, have what you need to use it installed. Otherwise, install python3.
  • An plain text or code editor of some sort. If you're using python3, it comes with one (IDLE).
  • 5. The tcpflow program will also be useful.

Dining on the Santa Fe Plaza

Your options for lunch (on your own) are many and varied. La Fonda Hotel is home to two restaurants, La Plazuela and La Fiesta Lounge. Santa Fe's historic plaza offers a plethora [Google Maps] of dining options.


Host Forensics

Analyzing running machines and hard drive images to find evidence, malware, or behavior.

Malware Reverse Engineering

Analyzing running binaries or executables to find behaviors, IPs, and capabilities; reverse-engineering unknown executables.

Network Reverse Engineering

Analyzing network traffic and log files to find evidence, malware, or behavior; reverse-engineering binary protocols.

About Us | Contact Us | Jobs | Library | Maps | Museum | Emergencies | Inside LANL | Inside Phone | Site Feedback

Managed by Triad National Security, LLC for the U.S. Department of Energy's NNSA. © Copyright Triad National Security, LLC. All Rights Reserved. | Terms of Use, Privacy Policy