GCFA Study Plan 🗒

Created: 18.11.2020

This is my GCFA study plan. I hope it will help me organize and prioritise the topics to learn and also estimate the time I need to get ready. There are two plans that I've used: the exam plan and the official course plan. The exam description page states that:

No specific training is required for any GIAC certification. There are many sources of information available regarding the certification objectives' knowledge areas. Practical experience is an option; there are also numerous books on the market covering Computer Information Security. Another option is any relevant courses from training providers, including SANS.

So, good luck to me 🍀.

⚠️⚠️⚠️⚠️⚠️⚠️⚠️ https://github.com/dezsie/analyst-playbook

⚠️⚠️⚠️⚠️⚠️⚠️⚠️ https://www.giac.org/paper/gcfa/13102/windows-10-forensic-platform/149952

⚠️⚠️⚠️⚠️⚠️⚠️⚠️ https://cybersecfaith.com/2021/06/13/my-giac-certified-forensic-analyst-gcfa-experience/

⚠️⚠️⚠️⚠️⚠️⚠️⚠️ https://www.virginiacyberrange.org/courseware/introduction-digital-forensics

Intro

Below is the skeleton from the SANS FOR508 course description. I am using it to make up my study plan. For each step of this plan I estimate my current level of training, and I am also collecting resources for each topic under Resources.

🫑 - level 0. I know nothing, not even where to start. I might have some embarrassingly fundamental knowledge which is not good enough even for a start.

🥒 - level 1. I know something about the subject, but this only gives me an approximate plan and the kind of things to look for.

🥗 - level 2. I know something about the subject, I've even read something about it. But no hands-on experience.

🌮 - level 3. I know quite a lot about the subject, I've read about it and have some hands-on experience.

🥘 - level 4. I know a lot about the subject and have quite decent experience. This one I will only use when I am done preparing and have taken the first mock exam. Bonus - 🏭 real-life experience (not just labs).

🗒 - topic-specific plan. 🍻 - done, 🚧 - in progress.

🗂 - references and resources.

🎯 - objectives.

🏺 - artifacts.

🛠 - tools to learn/use.

Main Objectives

🎯 Detect how and when a breach occurred

🎯 Identify compromised and affected systems

🎯 Perform damage assessments and determine what was stolen or changed

🎯 Contain and remediate incidents

🎯 Develop key sources of threat intelligence

🎯 Hunt down additional breaches using knowledge of the adversary

The key is to constantly look for attacks that get past security systems, and to catch intrusions in progress, rather than after attackers have completed their objectives and done significant damage to the organization. For the incident responder, this process is known as “threat hunting”. Threat hunting uses known adversary behaviors to proactively examine the network and endpoints in order to identify new data breaches.

Topics covered in the course:

  • Hunting and responding to advanced adversaries such as nation-state actors, organized crime, and hacktivists.
  • Incident response analysis and breach assessment.
    • Incident response and intrusion forensics methodology.
    • Remote and enterprise incident response system analysis.
    • Threat hunting techniques.
    • Windows live incident response and scaling collection of triage data.
    • Investigating and countering living-off-the-land attacks, including PowerShell and WMI.
  • Memory analysis.
    • Transitioning memory analysis skills to endpoint detection and response (EDR) platforms ❓ (what does this involve in practice?)
  • Detailed instruction on compromise and protection of Windows enterprise credentials (Active Directory).
    • Internal lateral movement analysis and detection.
  • Timeline creation and analysis.
    • Volume shadow copy exploitation for hunting threats and incident response.
    • Anti-forensics and covering tracks (anti-debugging, virtualisation detection, …).
    • Malware hunting.
    • Adversary threat intelligence development, indicators of compromise, and their usage.
    • Cyber Kill Chain strategies ❓ (what is it?)
    • Step-by-step tactics and procedures to respond to and investigate intrusion cases.
  • Identify and track malware beaconing outbound to its command and control (C2) channel via memory forensics, registry analysis, and network connection residue.
  • Anti-forensics: techniques like hidden and time-stomped malware, along with utility-ware used to move in the network and maintain an attacker's presence.

ToDo 🗒

🚧 Step 1. Laboratory setup.

Learn how to use AWS and whether I can install my own images or not. If yes, then how. If no, use the Dell laptop to install several virtual machines.

Step 2. Follow the plan below. Read the plan thoroughly. Take each topic and follow these steps:

  • Estimate my current level of training
  • Make a list of resources
  • Learn the material using these resources
  • Find an appropriate lab online or an image, or build it in my lab myself

❗ Think about how the index should be organized, and build the index along the way even if it is incorrect at first.

Step 6. Lab compromise training. When the last topic is studied, finish the index and take a mock exam (without labs). If you get at least a 60% score, buy the exam and take the first mock exam with labs 🧪. Follow these steps to prepare for the practical part:

  • Make a list of APT groups and their tactics. Get descriptions of several cases in which an APT group was involved (YouTube, Habr, PHDays, etc.).
  • Re-read the Digital Forensics diary and take notes.
  • Read other lab answers to make a plan for a lab.
  • Try finding some images of APT-compromised systems.
  • Compromise my own lab (the steps are below) and try answering typical lab questions.

📌 VM Compromise:

Phase 1 - Patient zero compromise and malware C2 beacon installation

Phase 2 - Privilege escalation, lateral movement to other systems, malware utility download, installation of additional beacons, and obtaining domain admin credentials

Phase 3 - Search for intellectual property, profile the network, dump email, dump enterprise hashes

Phase 4 - Collect data to exfiltrate and copy it to a staging system. Archive the data using .rar and a complex passphrase

Phase 5 - Exfiltrate the .rar files from the staging server, perform cleanup on the staging server

Laboratory 🧪 🥼 🔬

Lab Setup. I've set up a small lab on AWS with two Windows Servers (2012 and 2019) acting as DCs and two other servers (2012 and 2016) acting as user 1 and user 2 respectively. Here is a blog post about some questions and problems that I've faced when building my lab, and here is a blog post about starting with AWS infrastructure. A separate machine running the SIFT workstation is installed as well, using AWS EC2.

🚧 VM Configuration:

👌 Windows Server 2012 DC

  • AD installed

  • AD configured

  • User1 and User2 added

  • User1 and User2 connected

  • Hardening the Windows DC

  • 📌 Full auditing turned on per recommended Federal Information Security Management Act guidelines

  • 📌 Install Office, Adobe, Skype, Tweetdeck, Email, Dropbox, Firefox, Chrome

  • 📌 Fully patched systems

  • 📌 Endpoint Detection and Response (EDR) agents ❓ (what is it?)

  • 📌 Enterprise A/V and on-scan capability based on the Department of Defense's Host-based Security System (Endpoint Protection Software - Anti-virus, Anti-spyware, Safe surfing, Anti-spam, Device Control, Onsite Management, Host Intrusion Prevention (HIPS))

  • 📌 Ports open:

    • inbound 25

    • outbound 25, 80, 443

👌 Windows Server 2012 domain member (User 1)

👌 Windows Server 2016 domain member (User 2)

📌 Windows Server 2019 DC

  • AD installed
  • AD configured
  • User1 and User2 added
  • 📌 User1 and User2 connected
  • 📌 Hardening the Windows DC
  • 📌 Full auditing turned on per recommended Federal Information Security Management Act guidelines
  • 📌 Install Office, Adobe, Skype, Tweetdeck, Email, Dropbox, Firefox, Chrome
  • 📌 Fully patched systems
  • 📌 Endpoint Detection and Response (EDR) agents ❓ (what is it?)
  • 📌 Enterprise A/V and on-scan capability based on the Department of Defense's Host-based Security System (Endpoint Protection Software - Anti-virus, Anti-spyware, Safe surfing, Anti-spam, Device Control, Onsite Management, Host Intrusion Prevention (HIPS))
  • 📌 Ports open:
    • inbound 25
    • outbound 25, 80, 443

👌 **SIFT workstation on AWS**

📌 Solve the issue with the 2019 Server DC. ⚠️ Cannot ping the Server 2019.

📌 Make snapshots of the clean systems.

📌 Find memory and disk images of compromised systems, or create my own executable, and follow its traces across host systems, system memory, hibernation/pagefiles, and more.

📌 Learn to find answers to these questions (deduced from SIFT lab answers):

  • Identify logins (successful and unsuccessful) with timestamps
  • Identify the machines that were used to log in
  • Identify the users whose accounts were used to log in
  • Learn to get RDP events
  • Logon types (e.g. 3 = Network, 10 = RemoteInteractive, i.e. RDP)
  • IP addresses of the machines
  • Priority for IR
  • Learn to use Windows Event Viewer and which event IDs are most interesting for IR (e.g. 4624/4625 successful/failed logon, 4648 logon with explicit credentials, 4672 special privileges assigned, 4778/4779 RDP session reconnected/disconnected)
  • What happened after a certain event (e.g. something was installed or deleted)
  • String searching with memdump
    • `vol.py -f memory.img --profile=<Profile> memdump -n csrss --dump-dir=.` (on XP/2003 csrss.exe hosts the console buffers)
    • `vol.py -f memory.img --profile=<Profile> memdump -n conhost --dump-dir=.` (from Windows 7 onwards conhost.exe holds the console buffers, so command lines typed into cmd.exe live in its memory)
    • `strings -t d -e l *.dmp >> conhost.uni` (`-e l` = 16-bit little-endian, i.e. UTF-16LE, which is how Windows stores console text; `-t d` prints decimal offsets)
    • `grep -i "command prompt" conhost.uni`

❓ cmdscan and consoles plugins (lower success rate): cmdscan = commands entered; consoles = commands entered plus their output.

Tools 🛠

✅ SIFT Workstation (Ubuntu Linux LTS base, 64-bit system)

🛑 F-Response Enterprise (endpoint collection capability): enables incident responders to access remote systems and the physical memory of a remote computer via the network.

✅ SANS DFIR cheat sheets to help use the tools in the field

🛑 SANS DFIR APT Case Electronic Exercise Workbook

Exam Plan

  • Enterprise Environment Incident Response 🫑 - level 0

    • 🎯 Incident response process
    • 🎯 Attack progression
    • 🎯 Adversary fundamentals
    • 🎯 How to rapidly assess and analyze systems in an enterprise environment, scaling tools to meet the demands of large investigations - 🗂 [1] SANS DFIR Webcast - APT Investigations: How To, The Forensic Side. ✍️ Frequency analysis, prioritize.
  • Identification of Malicious System and User Activity 🌮 - level 3 + 🏭

    • 🎯 Identify and document indicators of compromise on a system
    • 🎯 Detect malware and attacker tools
    • 🎯 Attribute activity to events and accounts
    • 🎯 Identify and compensate for anti-forensic actions using memory- and disk-resident artifacts
  • Identification of Normal System and User Activity 🥗 - level 2

    • 🎯 Identify, document, and differentiate normal and abnormal system and user activity using memory- and disk-resident artifacts
  • File System Analysis

    • NTFS Artifact Analysis 🥒 - level 1
      • 🎯 Core structures of the Windows filesystems - 🗂 [1] File System Forensic Analysis
      • 🎯 Identify, recover, and analyze evidence from any file system layer, including the data storage layer, metadata layer, and filename layer - 🗂 my article about data recovery for different file systems
    • Introduction to File System Timeline Forensics 🫑 - level 0
      • 🎯 Methodology required to collect and process timeline data from a Windows system
    • File System Timeline Artifact Analysis 🥗 - level 2
      • 🎯 Windows filesystem time structure - 🗂 [1] Demystifying Mac Investigations: Mac vs. Windows Artifacts Comparison, [2] my article about timelines with links to APFS/NTFS specifics, [10] File System Forensic Analysis, [1] Magnet Demystifying Mac Forensics (NTFS vs APFS)
      • 🎯 How these artifacts are modified by system and user activity
        • 🏺 Prefetch 🗂 [3], [6] - [3] SDF: Windows Prefetch Forensics, [6] SDF Podcast: DFSP #004 – Windows Prefetch
        • 🏺 LNK 🗂 [4] - [4] SDF: Link Files
        • 🏺 Registry 🗂 [9] - [9] Windows registry file format, Suhanov; Coursera InfoSec DF course
        • 🏺 Shadow copy 🗂 [5], [8] - Shadow copies become less visible, Suhanov; [8] Offline shadow copies, Suhanov; [5] SDF: Volume Shadow Copy
  • Volatile Data

    • Introduction to Volatile Data Forensics 🥗 - level 2

      • 🎯 How and when to collect volatile data from a system and how to document and preserve the integrity of volatile evidence: 🗂 [1] my article, Windows RAM Forensics, based on [2] SDF: Memory Forensics 1, [3] SDF: Memory Forensics 2 and [4] Surviving Digital Forensics: RAM Extraction Fundamentals. Also, this book is like a bible for memory forensics: [5] The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory; [6] Memory Forensics Poster, SANS.
    • Volatile Data Artifact Analysis of Malicious Events 🥒 - level 1

      • 🎯 Abnormal activity within the structure of Windows memory
      • 🎯 Identify artifacts such as malicious processes, suspicious drivers and malware techniques such as code injection and rootkits - 🗂 Udemy SDF 3 courses, The Art of Memory Forensics
    • Volatile Data Artifact Analysis of Windows Events 🥒 - level 1

      • 🎯 Normal activity within the structure of Windows memory
      • 🎯 Identify artifacts such as network connections, memory-resident command line artifacts and processes, handles and threads
  • Windows Artifact Analysis 🫑 - level 0

    • 🎯 Windows system artifacts
    • 🎯 How to collect and analyze data such as system backup and restore data and evidence of application execution 🗂 SANS posters - [1], [2]
      • 🏺 Prefetch 🗂 [3], [6] - [3] SDF: Windows Prefetch Forensics, [6] SDF Podcast: DFSP #004 – Windows Prefetch
      • 🏺 LNK 🗂 [4] - [4] SDF: Link Files
      • 🏺 Registry 🗂 [9] - [9] Windows registry file format, Suhanov; Coursera InfoSec DF course
      • 🏺 Shadow copy 🗂 [5], [8] - Shadow copies become less visible, Suhanov; [8] Offline shadow copies, Suhanov; [5] SDF: Volume Shadow Copy

🎯 In general everything follows the same pattern: network analysis, logs and registry, browser history, etc. For each source of information, learn the tools, the commands and the common locations for each OS platform (for the exam, Windows only).

Exam objectives as stated by GIAC:

  • Analyzing Volatile Malicious Event Artifacts: The candidate will demonstrate an understanding of abnormal activity within the structure of Windows memory and be able to identify artifacts such as malicious processes, suspicious drivers and malware techniques such as code injection and rootkits.
  • Analyzing Volatile Windows Event Artifacts: The candidate will demonstrate an understanding of normal activity within the structure of Windows memory and be able to identify artifacts such as network connections, memory resident command line artifacts and processes, handles and threads.
  • Enterprise Environment Incident Response: The candidate will demonstrate an understanding of the steps of the incident response process, attack progression, and adversary fundamentals and how to rapidly assess and analyze systems in an enterprise environment scaling tools to meet the demands of large investigations.
  • File System Timeline Artifact Analysis: The candidate will demonstrate an understanding of the Windows filesystem time structure and how these artifacts are modified by system and user activity.
  • Identification of Malicious System and User Activity: The candidate will demonstrate an understanding of the techniques required to identify and document indicators of compromise on a system, detect malware and attacker tools, attribute activity to events and accounts, and identify and compensate for anti-forensic actions using memory and disk resident artifacts.
  • Identification of Normal System and User Activity: The candidate will demonstrate an understanding of the techniques required to identify, document, and differentiate normal and abnormal system and user activity using memory and disk resident artifacts.
  • Introduction to File System Timeline Forensics: The candidate will demonstrate an understanding of the methodology required to collect and process timeline data from a Windows system.
  • Introduction to Memory Forensics: The candidate will demonstrate an understanding of how and when to collect volatile data from a system and how to document and preserve the integrity of volatile evidence.
  • NTFS Artifact Analysis: The candidate will demonstrate an understanding of core structures of the Windows filesystems, and the ability to identify, recover, and analyze evidence from any file system layer, including the data storage layer, metadata layer, and filename layer.
  • Windows Artifact Analysis: The candidate will demonstrate an understanding of Windows system artifacts and how to collect and analyze data such as system back up and restore data and evidence of application execution.

Cases to study before exam

References

[1] Official course description

[2] Exam objectives

[3], [4], [5], [6], [7] SANS webcasts about FOR508