Uncategorized

Things I Wish I Knew Before DFIR Netwars

Phill Moore2 Comments

A couple weeks ago I competed in DFIR Netwars at SANS Sydney 2017. Our team did really well, leading most of the way and just losing in the last half hour. But overall, it was a great learning experience and I thought I’d share some things about it.

Here are some things I think might help future participants (and probably make my life more difficult if I get to compete again).

  • DFIR Netwars is brand new and covers forensic analysis on the following topics: Windows, Mac, Smartphone, Network, Memory, and Malware Analysis. You probably won’t be able to answer all the questions but it’s a good indication of what you need to learn.
  • There are four levels, and you have to answer a certain number of questions correctly before the new level is unlocked.
  • Each question is worth a number of points and if you get them wrong you start losing points. You do get one incorrect submission though. Unfortunately, in the team game you can’t see the answers that have already been submitted. I’m not sure if that’s the same for individuals. It may be a good idea to use either the chat system provided on the game website, or use a Google doc to store incorrect attempts. Having said that, I think it would be good if the game stored incorrect attempts and didn’t let you submit the same incorrect answer twice.
  • Don’t skip the early questions because they’re worth less. We didn’t, but I feel like it’s good advice. Get runs on the board.
  • The hints are very useful and you don’t lose points for taking them. They are only used in the event of a tie, which is incredibly rare. Therefore, take the hints.
  • It’s not against the rules to work on the problems between night 1 and 2. So save them, and the hints. This may be an issue if you haven’t unlocked questions or levels. So keep that in mind as part of your night 1 strategy.
  • Don’t get complacent if you’re in the lead. The board is displayed for a majority of the game but is hidden in the last 30 minutes. It’s possible that teams may store some of their answers until the board is hidden. But also, you want to get the highest score you can get so maintain focus.
  • Make a decision early about whether you’re going to compete individually or in a team. We had a really good team – Others struggled, or their teammates left them high and dry and they were left as a “team of 1”. The top team and the top 5 individuals get the winners coin. So if you feel that you’re confident on the topics but are on your own then you’re probably better off not joining a team. That being said, it depends on how many individuals are competing as well. Personally, I think the coins should be given to people/teams that get over a predetermined score, but we have to play within the rules of the game. I’m sure some people are kicking themselves because they did very well inside their team and they probably could have won a coin in the individual ranking.
  • Make sure you double check your answers. You get 1 incorrect attempt before they start taking off points. I had a misspelling and threw away a couple points.
  • If you don’t know a multiple choice question, leave it to the end and guess. I got one correct that way 🙂
  • That being said, make sure no one else on your team has done that. I got one wrong that way 😦
  • They gave us cheat sheets and the SANS posters at the event….use them. They are a fantastic resource, and if you know which parts to look at they have the answers. Also if you get a chance beforehand, then familiarise yourself with them. I was able to answer a number of the memory questions having never learned memory analysis before by picking a couple of the freely available CTFs online, and working through with the memory analysis cheat sheets. This was because I knew it was going to be something that was tested, and that I could learn it the quickest. I didn’t have time to do the same with my other weak points.
  • Get there early and get set up. You don’t want to waste time on configuring your environment. For a team it may be useful to have a Google Drive or Dropbox share preconfigured; makes it easier to share files.
  • Get SIFT working properly (preferably beforehand). I didn’t and it was an issue for me. Doing 508 the next week I got it sorted and realised that some of the questions would have been a breeze (and even more so now after 508, not just from the teachings, but also the workflow that is shown). Side note about Volatility; pipe everything to a file; it’s faster to review a text file than re-running the plugins.
  • Bring your dongles or request trials. I had an issue with some of the Mac questions and knew exactly what needed to get done if I had my Mac with me, or Blacklight. I emailed blackbag support and they were more than happy to provide a trial. If you haven’t used Blacklight it’s great for Mac stuff, especially extended attributes.
  • I don’t think any of the questions require lengthy processing – know where to go to look for evidence. The “process everything” mentality doesn’t work when speed and efficiency is key.

Maybe I’ll think of more, or if you’ve got a different suggestion to add then let me know.

Overall, I really liked the challenge; the competition is good because you’re against the clock to get as many questions correct as possible. I look forward to competing in another one in the future.

 

Edit: 12th December

I had a few more suggestions

 

2 thoughts on “Things I Wish I Knew Before DFIR Netwars

  1. […] Over on my ThinkDFIR blog, I wrote a list of things that I had learned about the DFIR Netwars contest. These are things that I would like to consider the next time I do one of these events, or for those that haven’t had a chance to play yet. (Also, Rob Lee liked the write-up!) Things I Wish I Knew Before DFIR Netwars […]

    Liked by 1 person

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s