SANSFire 2013 - FOR508

posted Aug 6, 2013, 7:03 AM by Beau Bullock   [ updated Oct 4, 2013, 1:38 PM ]
In June I attended SANS FOR508 (Advanced Computer Forensic Analysis and Incident Response) at SANSFire in DC. What a great course that was! FOR508 starts you out in incident response mode. A breach has occurred and you are tasked with finding the malware and determining what data was stolen, and whether the attacker was able to compromise multiple systems. During the week we hit memory forensics, timeline analysis, and anti-forensics, and ended with a forensic challenge. The challenge consisted of four hard drive and memory images from potentially compromised systems. In teams we were each tasked with a system to generate timelines on and to import the memory image into tools like Mandiant's Redline, which can be time consuming. The last day of the course we were tasked with analyzing all four systems and providing a report on what happened during the compromise. I am planning on writing a few forensics-focused articles in the wake of my latest training. I will be taking the GCFA (GIAC Certified Forensic Analyst) certification exam within the next couple of months.
