
DEF CON Training
Kerry Hazelton - Cloud Forensics Workshop and CTF Challenge: Lab Rat Edition
Name of training: Cloud Forensics Workshop and CTF Challenge: Lab Rat Edition
Trainer information:
Trainer(s) bio: Kerry Hazelton has spent nearly twenty-five years of his career between Information Technology and Security, developing a deep knowledge of systems and network support, data center operations, Cloud computing, digital forensics, and incident response. As such, he considers himself a "cybersecurity enthusiast": he is driven to read up on the latest trends within the industry, to learn about a new exploit or tool, and to teach and share with others the experiences he has gathered over the years. He created the Cloud Forensics Workshop and CTF Challenge in 2017, a technical workshop that focuses on the science of cloud forensics and its real-world applications, followed by a Capture-the-Flag competition that gauges his students' comprehension and critical-thinking skills as they solve multiple forensics puzzles, racing against each other within the allotted time.
He can be found posting his random thoughts on gaming, hacking, or life in general via Twitter under the handle of @ProfKilroy.
Trainer(s) social media links:
Twitter: @ProfKilroy
Mastodon: infosec.exchange/@professor_kilroy
Training information:
Have you taught this training before? Where and when?
Prior versions of this training have been taught at BSides DC (2017, 2019); BSides Charm (2018); BSides NoVA (2019, 2020); HOU.SEC.CON (2019); BSides KC (2019, 2022); BSides Idaho Falls (2019, 2021); BSides Tampa (2020); CyberjutsuCon (2022). The current version of this class ("Lab Rat Edition") is currently scheduled to be taught at BSides Tampa and HackMiamiCon.
Do you have links to sites that promoted your past training so we can better understand how you presented it to the public?
BSidesDC 2017 - https://bsidesdc2017.busyconf.com/schedule#activity_59a4ad5ab241c9127a000268
BSidesDC 2019 - https://bsidesdc2019.busyconf.com/schedule#activity_5cb52ddb3c54b6b4a30000ac
BSidesCharm 2018 - https://bsidescharm.org/archive/2018/cloud-busting-understanding-cloud-based-digital-forensics.html
BSidesNoVA 2019 - https://bsidesnova2019con.busyconf.com/schedule#activity_5bfd82a9288fd2450200005c
BSidesNoVA 2020 - https://bsidesnova2020.busyconf.com/schedule#activity_5ddae1f9ead21794d800001b
HOU.SEC.CON 2019 - https://web.archive.org/web/20190327171857/http://houstonseccon.org/training/
BSidesKC 2019 - https://bsideskc2019.busyconf.com/schedule#activity_5c37a55b7bebbd459000010d
BSidesKC 2022 - https://bsideskc.org/activities/ (listed under "Trainings and Workshops")
BSides Idaho Falls 2021 - https://web.archive.org/web/20210923110258/https://www.bsidesidahofalls.org/cfw.html
Class description:
Now in its sixth iteration since its initial launch at BSides DC in October 2017, the Cloud Forensics Workshop and CTF Challenge has been a regular feature at multiple security conferences across the country, where security professionals learn the core concepts of digital forensics and incident response in a Cloud computing environment. The newest version of this training session takes place over the course of two days. Day Zero covers: how the Cloud has evolved from large-scale virtual servers to smaller, more scalable Docker or Kubernetes containers; how small-board computers or IoT devices can extend beyond the logical boundary of a Cloud to gather and analyze critical data such as room temperature, humidity levels, or power levels from attached sensors before relaying the information back to the Cloud; how to mirror and capture valuable packet data within a virtual environment; how to obtain and analyze a forensic image, memory capture, and metadata from a virtual instance; how to obtain and analyze a forensic image from a container and from a small-board computer; how to analyze logged API calls, storage access logs, metrics, traffic flows, and server logs to look for evidence of suspicious activity; recommended vendor and industry best practices for locking down a compromised Cloud environment; key similarities and differences between the three major Cloud Service Providers; and recommended best practices for writing after-action reports. Day Zero will also feature plenty of hands-on lab exercises in which students gain practical experience with common open-source tools and techniques used in the field.
Day One will be the "capstone", where students form teams and take on the CTF Challenge itself: an all-day competition in which students can expect to be tested not only on what they learned the day before, but also on how they combine it with their own experience and knowledge as they tackle multiple puzzles of varying difficulty to earn points while competing for honors and prizes.
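The log-analysis topic above (analyzing logged API calls for evidence of suspicious activity, which the outline covers as Lab Two) is the one that lends itself to a worked example. The following Python script is an added illustration and is not part of the workshop or its CTF material. It triages constructed CloudTrail-style API-call records for a handful of common indicators of compromise: a burst of failed console logins from one IP, a successful login that follows such a burst, a root console login, a call that stops or narrows trail logging, and an access key created for a user other than the caller. The record fields follow the CloudTrail event shape, while the sample records and the failure threshold are assumptions.

```python
"""Triage CloudTrail-style API-call records for common indicators of compromise.

Added illustrative example, not workshop material. The sample records are
constructed, and FAILED_LOGIN_THRESHOLD is an assumed value to tune per environment.
"""
import json
from collections import defaultdict

FAILED_LOGIN_THRESHOLD = 3  # assumption: three failures from one IP is worth a look
# CloudTrail API calls that disable or narrow logging (defence evasion).
TRAIL_TAMPERING_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed records, abridged to the CloudTrail fields the rules below use.
SAMPLE_EVENTS = [
    {"eventTime": "2023-08-14T08:00:01Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2023-08-14T08:00:09Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2023-08-14T08:00:15Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2023-08-14T08:00:40Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2023-08-14T08:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.2", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2023-08-14T08:06:30Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "management-events"}},
    {"eventTime": "2023-08-14T08:07:10Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2023-08-14T08:08:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def load_events(text):
    """Accept either a CloudTrail log file ({"Records": [...]}) or newline-delimited JSON."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict):
        return doc.get("Records", [])
    return doc


def triage(events):
    """Return (category, detail) findings in the order the triggering records appear."""
    findings = []
    failed_by_ip = defaultdict(int)  # running count of failed console logins per source IP
    for ev in events:
        name = ev.get("eventName")
        source = ev.get("eventSource", "")
        ident = ev.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        ip = ev.get("sourceIPAddress", "?")
        when = ev.get("eventTime", "?")

        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failed_by_ip[ip] += 1
                if failed_by_ip[ip] == FAILED_LOGIN_THRESHOLD:  # report once per IP, at the threshold
                    findings.append(("brute_force", f"{when} {FAILED_LOGIN_THRESHOLD} failed console logins from {ip}"))
            elif outcome == "Success":
                if failed_by_ip[ip] >= FAILED_LOGIN_THRESHOLD:
                    findings.append(("login_after_failures",
                                     f"{when} {actor} logged in from {ip} after {failed_by_ip[ip]} failures"))
                if ident.get("type") == "Root":
                    findings.append(("root_login", f"{when} root console login from {ip}"))

        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING_CALLS:
            findings.append(("trail_tampering", f"{when} {actor} called {name} from {ip}"))

        if source == "iam.amazonaws.com" and name == "CreateAccessKey":
            target = ev.get("requestParameters", {}).get("userName", actor)
            if target != actor:  # a key minted for someone else is a classic persistence step
                findings.append(("cross_user_key", f"{when} {actor} created an access key for {target} from {ip}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_EVENTS):
        print(f"[{category}] {detail}")
```

Against the constructed records the script reports five findings, in order: the brute-force burst, the login that follows it, the root login, the StopLogging call, and the key created for bob; the benign DescribeInstances call produces nothing. On a real trail the same rules run over `load_events(open(path).read())`, and the threshold and rule set would be extended to whatever the environment's baseline shows.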
Outline the class in enough detail that we can determine the hour-by-hour experience a student will experience:
Training Day (Day Zero) - Labs and Group Discussion (each lab will run about 30 to 45 minutes, group discussions about 5 to 10 minutes)
**Group discussion: How the Cloud has Become a Lot Smaller (Bigger?)
**Lab One: Configuring Traffic Mirroring and using Wireshark to capture and analyze the data
**Lab Two: Analysis of Logs to Identify Potential Indicators of Compromise
**Lab Three: Cloud account isolation using Organizational Units and Service Control Policies
**Group discussion: Key similarities and differences between AWS, Azure, and GCP
**Group discussion: How to Identify Indicators of Compromise; Vendor and Industry Best Practices for Locking Down an Environment
**Lab Four: Acquisition and analysis of forensic evidence from a compromised virtual server: forensic image, memory capture, metadata
**Lab Five: Acquisition and analysis of forensic evidence from containers and IoT/Edge Devices
**Group Discussion: Encryption vs. Encoding, and Steganography (under which conditions we will see evidence of encryption, encoding, or data exfiltration using steganography)
**Lab Six: Analysis of Portable Executable files using CFF Explorer
**Lab Seven: How Cloud-native tools such as Athena, Detective, Security Hub, and their Azure/GCP counterparts can help identify potential issues in the Cloud
**Group Discussion: After-Action Reporting
**Recap/Q&A Session
Students will pre-register for the CTF Challenge after the end of the training session. I will be available to assist with registration issues.
CTF Day (Day One): All-day CTF Challenge. Students will be given pre-configured forensic images, PCAPs, logs, and other files to dissect, from which they will need to extract the artifacts I will designate as "flags" in order to earn points. The top three teams will earn prizes, and a special prize will be awarded to the person who turns in the highest individual score.
Technical difficulty of the class: Intermediate to Advanced. Students should have a good understanding of Cloud environments and/or digital forensics. Prior experience with tools such as Wireshark, TSK/Autopsy, Volatility, and/or YARA, and with examining portable executables or malware, is recommended but not required.
Suggested prerequisites for the class. What should the student have read or prepared in advance to get the most out of your class? This could be videos to watch, books or white papers to read, etc.
White papers can include those readily available from AWS, Microsoft, and/or Google regarding Cloud environments. I also recommend researching white papers published by Cado Security (as a side note, it was one of their early white papers I came across which helped form the foundation of this class. I have a standing agreement with them to refer to their material and give them credit, but I cannot use their tools and attempt to pass them off as my own) and by Dr. Raymond Choo at UTSA. Of course, there's always YouTube where students can take a crash course in learning about how to use tools such as TSK/Autopsy, Volatility, and YARA.
Items students will need to provide:
Students will need to bring their laptops with them. Minimum specs should be at least an 8th or 9th generation Intel i5 processor (or AMD equivalent) and 16GB of RAM. A Windows environment is preferred, but attendees are welcome to use MacOS or their personal flavor of Linux.
DATE: August 14th-15th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINER: Kerry Hazelton
- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st; a $250 processing fee applies.
Trainings are non-refundable after July 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.
DEF CON Communications, Inc.
1100 Bellevue way NE
8A-85
Bellevue, WA 98004