everyone, and welcome to today's SANS webcast. A glimpse into new FOR500:
Windows Forensics Course, Windows 10 and beyond. What is your digital forensics
investigation missing? My name is Carol (mumbles)
of the SANS Institute, and I will be moderating
today's webcast. Today's featured
speaker is Rob Lee, curricular lead and author
for digital forensic and incident response
at the SANS Institute.
If, during the webcast, you
have any questions for Rob, please enter them into
the questions window located on the go to webinar
interface at any time. Please note that this
webcast is being recorded and a copy of the
slides and a recording of this webcast will be
available for viewing later today and can be found
on the SANS registration page. And with that, I'd like to
hand the webcast over to Rob. - [Rob] Hi, everyone.
My name is Rob Lee. And I'm gonna be with you today talking about some
brand new updates to the Windows forensics
class, Forensics 500. That's a picture of me
teaching, I just wanna, you know, if you've
never seen me before, you know, there I am, hi. I've been doing forensics
for about 20 years.
You know, been really fortunate to have worked in
law enforcement, worked at the Air Force Office
of Special Investigations, worked in the
federal government, worked as a cyber investigator on computer intrusion
analysis cases with MANDIANT. For many years,
and I've also been an author and teacher for
SANS since the year 2000. And I have my own
company, Harbingers, based out of Boston,
Massachusetts, and I do instant response,
digital forensics and a bunch of instant
response policy work for a variety of groups
that are out there. But today I really wanna
touch on the latest updates to Forensics 500, which is our core Windows forensic
analysis course.
Now, you know, I
just wanna start off because a lot of folks
out there are familiar with 408 and you're
probably wondering, why did we re-number the
class, is it a brand new class, what's going on? Well, essentially,
it's the same course. But the reason why we
decided to do the renumbering primarily is that the course
really doesn't focus on any of the
introductory or basics to digital forensics
investigations. It really is a
core intermediate, almost in some cases advanced
Windows operating system artifact and analysis course. So as a part of
that, over the years, we found a lot of people
were talking to me and my co-authors
and other instructors saying that their management
and others that are out there saw a four level course
as more of introduction, and they've already
paid for a lot of people going through introductory
material before.
So we really don't
cover disk imaging or checking the custody or
any of the core basic ideas of digital forensic
investigations, we really hit the ground
running in Forensics 500, specifically targeting
the artifacts that are found on
a Windows system. And we really are
pushing the edge on keeping our
course up to date. And part of the reason why the
number changed now is that, with the latest update
that came out this summer, we have added a bunch of
new material and exercises to the class that,
arguably, that this thing is now clearly an
intermediate five level class in the SANS Institute,
and it's comparable to a lot of other
five level classes that we also teach at SANS. So you know, for those of
you who are trying to say, well, you know, how much
has changed over the years and what is this
going to mean for me? Well, you know, that's
one of the reasons why we're attempting to go through
this on a webcast with you and talk about some of
the main differences.
So the main change
is more cosmetic, as the core part of the course has actually rapidly
undergone a change over the past three years. For anyone who doesn't know,
SANS and my author team are consistently updating
our course material for these courses at
least twice per year. And you know, with Windows
releasing a new operating system at least once per year,
and for those of you who, you know, just
said wait a minute, Windows 10 has been out
for a couple of years now. That's true, but there have
been already four versions of Windows 10 that
have been released.
And you know, every version
of Windows 10 might introduce additional new artifacts
and other new items. The browsers that
you're gonna find on a Windows operating system
are also updating frequently, if not every six weeks. They're updating at least
every six months, and a browser is almost its own operating
system in and of itself. So why does it change
so frequently, as
I mentioned before, part of the reason
why is that, you know, even though that there may
be a new Windows release, Windows 10 has, you know,
a bunch of major releases that are out there.
There's a plethora of
new forensic artifacts that are being
discovered and analyzed. In addition to that, we
have quite an amazing array of new tools and capabilities
that are being introduced into the digital forensics
space, especially as it relates to Windows analysis
that's out there. And then finally, one of
the more important ones is, as we progress over the years, we need to continually
update our exercises and our data sets
for the exercises. And one of the major
updates we just released in this past update is
a brand new Windows 10 new data set exercise that
is kind of part hacking case, part insider theft
type, you know, case.
So we really need
to make sure that, when we're updating our
courses, that everything is you want into that course
and you really feel like wow, this stuff was just
released, you know, three or four weeks
ago, I can't believe they're already teaching
it in the course. And part of that also goes
back into hey, you know, this course is tied
into a certification which is ANSI accredited. And the GIAC folks, which is
the certification arm at SANS, will tell you, if you ever
ask them, they say well, you know, which course gives
you the biggest headaches, and honestly, a lot of the
digital forensics courses do because what we end up having
out there is unlike any, you know, science that is
not changing that much. From smartphone forensics
to Mac to Windows, every single operating
system version is changing so
frequently and so often that what was true a year
ago may not be true today, and so the
certification constantly has to keep up to
date with us too.
So you know, as a part
of that, you know, the GCFE, if you've
taken it two years ago, the GCFE today is probably
an entirely new test that they're working off of. So if you ended up worried
about hey, you know, if I have the GCFE
certification right now and I'm worried and I'm like,
what does the name change, is that gonna affect me at all, what's gonna happen with that? It doesn't, if you noticed
it, here's the logo for the GCFE, you don't see
the course number on it, it's the same certification,
it is just basically the course that it's tied
to is Forensics 500 now. Even your certificate
plaque that you have hanging on your wall,
hopefully, doesn't also reflect neither course number
nor course changes. It basically reflects that
hey, you're an official GIAC certified
forensic examiner, the
GCFE certification.
So for anyone out
there who's, you know, the DoD 8570 or
anyone else that has the GCFE certification
that is wrapped into your personnel
training requirements. Nothing has changed on
the certification front, except the certification
itself has to maintain currency with what we're
teaching in the course, and that's why GIAC will
probably be the first to tell you, it's like oh
yeah, those forensics folks, they keep us
challenged, you know, they keep us frosty on our toes while we're trying to
do all these updates. So another question
we routinely get is how does this affect
between formerly 408 and 508? Well, between the two
courses here, and you know, we kind of have some
of the bullets here, that 500 is primarily on a
deep-dive forensic analysis of Windows operating systems. Whereas 508 is an
advanced instant response and threat hunting
course that is also based off of Windows platforms,
but we start increasing from just analyzing
the single platform to multiple platform across
enterprise environments.
The key here is that
there's very little overlap between both courses. There's a couple of
artifacts that are reviewed, and some artifacts that
are gone more in-depth between both courses. But you know, the
original theory between that we would recommend taking the Windows forensics course
prior to 508 is still true. Though at this point,
we have had people take these classes out of order.
You know, it's
another way to say, you know, which
should you read first, Lord of the Rings or The Hobbit. You know, of course you'll
have the purists out there say, well, you know, I
would recommend you
read The Hobbit first and then read Lord of the Rings. But everyone knows that the
stories are really independent, and in order to get the
full picture, you need both. But you could actually
take them in any order.
So our recommendation
is if you are able to take both classes and you
have the ability to do so, we do recommend Windows
Forensics 500 prior to 508. But if you say hey, I
need an advanced IR skills and capabilities, I have
actually seen a lot of folks take 508 and then
go back and complete the deep dive Windows
Forensics analysis training that you have from
500 that's out there. So we really have
gotten to the point now that you can take the
classes in any order as your needs arise, and they
still are really tied together as brother and sister courses, as they're still focused
on the same platforms. One focuses on the deep
dive analysis of forensics, you know, (mumbles) locations, and the next focuses more
on intrusion analysis, enterprise, multi-system
investigations.
And there's almost 5% overlap
between both of the classes. You know, for example,
we review prefetch again in both classes
because it's needed. For those who've
taken both classes, you'll be really happy
that you've done so. So if you're a 408 alumn and
you would say hey, listen, you know, as I'm gonna
go through 408, you know, what in 500, what has
changed in the class, in the next few slides.
If you're interested in
taking the class again, and this is, again,
for any SANS class, for anyone who didn't know this, if you've taken a SANS
class, it's been six years and you know hey,
they update this thing two to three times a
year, that it's probably a brand new course
at this point, and you wanted to come back
and take it one more time, well, there is a standard
alumni discount of if you've taken a
class in the past, you need to obviously class or
email SANS registration and, you know, give them your
SANS account information. They'll look you up
and then they'll apply a 50% discount if
you want to retake the course at some
point in the future. And we've actually had
a lot of people do this. You kind of say, well, how
often does things change? It's honestly, between
four years ago and today, it's a brand new course.
You know, almost 80% of material has probably been
rewritten, updated. Because you know, four
or five years ago, we were only focusing on
Windows XP and Windows 7. Today, we're primarily
focusing on Windows 10, Windows 8 and Windows
7 a little bit, you know, for our class. So let's talk about beyond
just the name change, which was, a lot of
people were asking, why did you change the name? Let's talk about what
this class entails and what it really
targets as a part of what we're looking for here.
So for the first
thing that, you know, I always, you know, really
try to talk about this, but it's the who does
Windows forensic analysis, who would actually
be the best people to take a class like this? And across the board here, we
have three different groups, all right, I kinda label them as the bad guy suppression units,
the cyber security groups and then, obviously,
the legal community. The bad guy suppression units. These are the law
enforcement and the military. And you know, in both instances, you have a group of
individuals out there that are basically tasked
with stopping bad guys.
And obviously, with
bad guy suppression, the law enforcement
agents, local and federal, are trying to take down
organized crime groups, they're trying to take
down people using computers for child exploitation, they're
trying to take down anyone that is potentially a
bad guy using a computer. Now, obviously, that's gotta
tie into the legal community as you move to prosecution. But you really never see
someone in law enforcement ever call themselves hey,
I'm a legal community support because, you know, everything
has to go through prosecution. They're really, and
their mindset is we
take down bad guys.
And whether it goes
to prosecution or
not is their hope. But again, their task
in doing their jobs is predicated on proper
analysis of any of the media, where a Mac,
Windows, smartphone. Of any media that's
presented to them so they could pull
the relevant data off, write up their case and
present it to the prosecutor, and hopefully, the prosecutor
will take up the case and move to prosecution. On the opposite
side, the military.
Now, the military, obviously,
on the cybersecurity side is charged with
defending cyber networks. But the military also has a
huge play in what we call, not us, but you know, the
groups out there in the industry call media exploitation. Which is, you know, recovering
cell phones, laptops, hard drives from terrorists
and adversaries in the field. And when they are able
to extract the data from these devices,
then they're able to gain intelligence
value from them and potentially then
put (mumbles) on target or potentially use that
for monitoring drones over flights or
anything like that as they're trying to learn
more about the adversary and find out who they're
communicating with and so forth.
So the military also has a
large group of individuals, and also, you know,
intelligence agencies as well that are very interested in,
well, not prosecuting someone, but they're still doing
bad guy suppression. And you can read into
that as you will. As to trying to take down
people that they feel are threats to their country. And the biggest swath
that's out there is the cyber security
side, which is you know, SANS is a cyber security
training organization.
And primarily, a lot of
people use forensic analysis for both internal
and external cases. Internal, you have
the Edward Snowdens, you have the people stealing
data from your organization, trying to exfiltrate
it via the network, trying to exfiltrate
it via USB devices. And trying to, you know, how
do they get access to it, how do you create that trail? And so you have the
internal threats that are part of that, cyber
security is about that. You also have the
external threats.
These are the hacker
groups, the organized crime. You have the idea of
persistent threat groups that are out there. And again, doing
investigations, trying to track what an adversary is
doing inside your network at some point will require
deep dive forensic analysis of your systems and, you know, if you think that there's
really a difference between an insider being
able to steal data from you and an outsider doing
that, is that it's actually more difficult to investigate
the insider because they are a known quantity and
they actually do not need to traverse the network
in order to get access to the data that they seek. They literally could go
up to the computer system, plug in a device and
exfiltrate it directly without having to
traverse the network, whereas an outsider has
to traverse the network to get access to said data.
But you know, what they do
on keyboard on that system is almost identical,
what they're looking for, how do they find it,
what are they doing, what tools they're using? What anti-forensics
techniques they're using? And again, all wraps
into, you know, that threat profile that
we're all trying to build here by doing proper
forensic analysis. And then finally is
the legal community, and this one is, when people
think of digital forensics, this is where you primarily
think of things in the world, just 'cause, you know,
sensationalized by the movies and television shows, CSI,
Law and Order and whatnot, is that, you know, when
things get to a point where you either
need to go to civil or criminal proceedings,
then, you know, the standard bear for
producing proper reports, fact-based evidence
into the courtroom is that last nugget
that's there. So really brings in,
you know, the trilogy of groups that are out there
that are really interested in doing forensic analysis
on a Windows system. So you know, how does
this tie into the class? Well, we really approach
Windows forensic analysis not just from hey, we're only
teaching law enforcement.
We're teaching it
from hey, there may be bad guy suppression
units, maybe military, doing media exploitation. We might have folks in
there doing cyber security trying to investigate
an Edward Snowden inside their organization. Maybe they're using Windows
forensics to be able to investigate advanced
persistent threats from China or Russia. You know, hitting a system
and trying to figure out what they took off with.
So it's kind of a, even
though we just talked about the different groups,
we still approach it from an agnostic
perspective in trying to say what are all these groups
going to be interested in. And as a result, instead
of just talking about, you know, different artifacts,
we try to categorize the artifacts into
different areas such as how do you prove
someone executed a tool, how do you prove
someone opened a file? How do you know
someone downloaded or
exfiltrated something from the system, either via
USB device or via the network? How can we even prove that
they knew about the location of the file even
though you can't prove that they opened it? All of these different evidence
of categories are really what the Windows Forensics
500 class is all about. And so we are very
agnostic in saying it doesn't really matter
the case they're using, is the question is
what is the question you're trying to solve,
and we've created a poster that you see linked
here that is really the center of our class
here, Forensics 500, which you'll see a
different category for each segment of the poster, which we'll talk
about, you know, UserAssist or the AppCompatCache or the last visited MRUs,
and basically tells you where the artifact is, the
description of the artifact, where did potentially, how
to examine it and so forth. Now, obviously, in the
class where we just show you different tools to use,
we're gonna show you different exercises
to use for this.
But you know, the key
part of the course that we're trying to really
emphasize here is that, you know, if you're
trying to be able to prove if someone is going
through different folders using Windows Explorer, you're
gonna look at the Shellbags. And so this poster
basically is able to prove different locations that
someone is able to show if they're trying to
say how do we know that they opened up that file, how would we be
able to show that, how would we be able to show
that they executed SDelete, which is a file deletion
program, to do file wiping? We would be able to show it
through different interactions with the poster, and
so the poster becomes a massive cheat sheet of
all the forensic artifacts that are out there. And it honestly
becomes the cornerstone of our course, because people
now literally have this thing up in their office environments
after they leave the course. And they're saying
man, you know, I need a reminder of
all these artifacts because there's so many
and it's impossible for everyone to
remember each one, so we've created a poster
for free for people to, you know, put out there and
basically use this poster as during their investigations.
The other thing that is really
centered on our class now at this point is that
we're really focusing on Windows 10 forensics
and forward at this point. Almost the entire class is
really gunning down that street of, you know, if it's
a Windows 10 artifact, then it's gonna
remain in the course, if it's Windows 7 or
Windows XP, you know, definitely Windows XP is,
if there's an artifact that has Windows XP all
the way through Windows 10, we'll mention hey, it's
also on Windows XP, but we're really
focusing on the latest Windows operating
operating systems. We know that a lot of people
are still on Windows 7. And we use that as more
of a legacy example, like we used to do with XP,
but we're primarily trying to drive the train forward
on the entire course, you know, focusing on
Windows 10 and beyond, especially since
Windows 10 has been out for multiple years now.
And of course, you know,
Windows 7, Windows 8.1 And all the server variations
that are out there as well, most of the artifacts
have a unique overlap, and as a result,
we're gonna talk about where overlap does
exist and which things are gonna be unique between
different operating systems that are out there. The other thing that we
really emphasized in our class is we have an overall case
dataset that we're working on through our entire course, and
we have fairly new datasets out there as well, so
you could potentially see any of the differences between the different Windows
operating systems such as Windows 10,
Windows 8.1, Windows 7. And it's really key to
understand is that the exercises that you go through in the
class are the key to learning. And we have a workbook
that is over 400 pages long that has a full step by
step for every single tool or technique that's out
here, and here are just a couple of screen captures
from different sections in the workbook that basically
stepped someone through the different
techniques and tools that you could use
to potentially target doing proper Windows
forensic analysis, targeting those artifacts.
Now, you know, as we mentioned
here, it's like obviously, you're gonna need some
tools that we're gonna potentially be working with
throughout this course, that is true. But the tool and
teaching you the tool is not the focus of
the course, in fact, if someone really says
what is this course about, I say well, it's really
about the poster, it's about really using your
knowledge of the artifacts to be able to get answers
from your datasets that you're using
for your evidence. And as a result
of that, you know, it doesn't matter
the tool that you use in order to be able
to get that data out. It should be primarily
focused in on, you know, you could use any tool,
all the tools out there should produce the same results, and I've put air
quotes around should because we all know
that's not true.
And so as a result of
that, we do expose students to both free and open source
capabilities and commercial. And at this point,
you can actually use a combination of both,
and we do recommend that, but in most of our
exercises, we do tend to have a flavor of either, you know,
here's a commercial tool that does it such as
something from TZWorks or Magnet Forensics. On the other side, we'll
potentially show you a free tool such as Eric
Zimmerman's Registry Explorer or other capabilities
that are out there. And so it really becomes a
very important thing to note is that we're not
teaching to a tool, but we obviously have
to use tools to be able to do demonstration of
the different artifacts.
And even though
we say, you know, we're not tool focused, a
lot of people, you know, get an idea of hey,
these tools really work. We don't like teaching
tools that don't work, so everything that
we teach in the class really is the best of breed
capability that is out there. Or it's been recommended
to us, but we also know that there are some groups
out there that says hey, listen, we are required
to use commercial tools because we need
the better support, we need to be able to
have them on contract for our software as a
service type capabilities or any other things
that might be out there, government agencies are
a good example of this. And we can't, you
know, credit our free and open source side.
And that's one of the reasons
we absolutely teach both. The other thing that comes into
play, and I always hear this in classes, well, don't
you need to only teach quote unquote accredited tools? You know, things that are
only forensically sound or courtroom approved. Well, first of all,
there's no such thing as a courtroom
approved tool despite what the (mumbles)
might tell you. They're basically saying
that our tool has been used in the courts and no one
objected to it, you know, as a result of it.
But again, if you're
able to articulate what the tool's doing
behind the scenes, which is what we really
emphasized in the course, then you really can use any
capability that's out there. And I do recommend, because
things change so rapidly, that if it's a key
smoking gun evidence, you probably want to
reanalyze it using a second option, a second
tool, second second of eyes on the evidence in
order to make sure everything is, you know, square. When you're gonna be
writing that in the report. But we also have way too
many examples out there where a single tool
produces a bad output, and that is, totally
throws off the case.
You know, Casey Anthony
is a good example of that and others, is that you
potentially need to make sure that you're doing your
own tools evaluations, so we'd like to have a variety
of different capabilities that people end up
using in the class. So let's now talk
about and shift into, you know, what are some
of the new focus areas in the Windows forensics class? And this is, you know, I
went through this morning, it's really hard
for me to do this because there are so
many things that I find extremely fascinating
and extremely fun for people to be able to
see of what's relevant and what is new in the course. And we only have a limited
amount of time here. So you know, I went through
and really tried to say, what are some of the key things that someone who hasn't
seen the course in a while, to really have their
eyes opens to saying wow, there's, you know, some serious
really interesting areas in here that we're
really trying to do.
So one of the first ones is,
I like talking about this on day one in the class
is that Windows and Macs and smartphones and
all these other devices are now all talking
to one another. And this is a really
interesting thing, it's almost impossible now
to have a stove piped system that doesn't talk to any
other system that you have. Most of you out there
that are listening in on this webcast at this
point, I could probably, you know, point to at least
three devices within arm's reach of you that have data
synchronization going on. And what I mean by data
synchronization at its core is, you know, for example,
if you're on your iPhone or your Windows Phone or Android
and you read an email there and it shows that you read
it, and you now switch over to your laptop, your
Mac or your Windows PC, and you go into that
same location and email, will it show the email
that you just read is currently read or unread? And we all know the
answer to that question is the email's one
of the first things that did data synchronization,
where you potentially have a single location that
you're all looking at all through these
different devices.
And if you show you
read a single email, it's gonna show as read on all of your devices
simultaneously at that point. Now, this has expanded
people beyond email, we're talking about
calendars, we're talking about now your desktop systems,
your browser data and more are all synchronizing
across multiple devices. A lot of people may not have
more than one Windows system. But if you did and
you logged in using a Microsoft portal
account, which they really are emphasizing you're
doing at this point, so you have a single log
on through Microsoft Portal that you log into two
different desktops on.
You'll notice immediately
that data synchronization is occurring behind the without
you wanting it to or not. Your desktop background will
change, your desktop icons. You know, recently opened files are gonna be copied over
between both systems. There's a massive amount
of data synchronization that's just now occurring
between your browser data.
As soon as you log
into a Windows device using your Windows
portal account, data synchronization is going on for the Internet Explorer
and Edge browsers. Again, whether you
like it or not. And you could turn a
lot of the stuff off, but by default, the
average individual doesn't know that this is
occurring behind the scenes. Another good example that you
see here on the smartphone is you see that little Skype
application that's in there? If anyone's been on Skype
on multiple systems, you'll know this to be true.
If you're Skyping in a
window on your smartphone, that history is also
being synchronized to your laptop or
any other system that you've ever logged into
using the same Skype account. And you sit there and your
head starts to explode because you start to
say, well, how do we know they did it on this device? So one of the things that
we're really trying to, you know, talk about, is
that in the class, in 500, we're now starting to
really have to recognize which of the applications
that we're forensicating have synchronized data from
application A on device A. To application A, same
application, on device B. And how do we know
which device was used to originate that data? And what happens in
case that the data is then deleted in
one of the devices? Is is deleted, forced
delete that happens across all of these devices? And you know, you could kind
of see where I'm leading here, the answer obviously
would be no, otherwise it'd be a really
important discussion point.
But you know, browser forensics
is a really good example of that, where if you
delete your history on a single device, it doesn't
synchronize the deletion on other devices, that
history is potentially still sitting on another device and you might still have
access to that device. So you know, every single time you log into a
computer system now, data synchronization
is a big issue. So in 500, we'll really
start to focus in on this data synchronization
across multiple devices. Obviously, we're focusing
on the Windows side, and a lot of it has to deal
with browser data especially, because a lot of cases
are contingent on browser.
But it's not just that,
you know, USB devices that are plugged into
multiple systems, you know, what is the forensic
residue for those and more that we'd potentially
be able to see? All right. Here's another really
cool capability that we've just completely re-written our entire registry
day to account for. But one of our SANS
instructors, Eric Zimmerman, has probably written the
most badass and cutting edge free registry examination
tool that's currently existing out there in the market. I have not seen anything
that comes close to this capability
at this point.
And the really
great thing about it is that it basically
incorporates a lot of the features a lot
of the other tools have had. And you know, the only other
argument I would have out there of a tool that might
come close to this is the Arsenal Recon's Registry
Recon capability that's out there that does significant
registry examination as well. So if you're gonna
compare between the two and say Rob, which two
registry tools would you use, it'd be Registry Explorer
and Registry Recon. But you know, I'm not
pushing, they didn't tell me that hey, mention about
Arsenal's or anything like that.
But it's like, some
of these things that we tried to talk
about in the class, which is what do
people actually use? In Registry Explorer
for, you know, we just used Registry
Viewer from Access Data, and it just wasn't
kept up to date or it'd crash all the time. It didn't have as many
plugins, we'd have to use Registry
Viewer plus RegRipper. And RegRipper had some
plugins that, you know, they do their best,
you know, to keep those things up to date. But again, nothing,
you know, kind of came to the capabilities of
what Registry Explorer is able to do for
folks at this point.
And as you've seen
here, it's like wow, that looks like the
standard registry viewer, what else does it do? So one of the
things that it does, I'm try to get the
next slide here. Nope, available bookmarks
is where I wanna go. Yeah, here we go. So one of the things
you're able to do, once you load in a
registry hive file, you switch over to, if you look in the upper left
hand corner here where the arrow's
pointed right here, where my arrow's on
the slide right now, is you'll see this tab
called available bookmarks.
And what Eric has done
is basically every key that contains significant
forensic data, they're automatically
bookmarked for you so you could actually just
use the full hive view and browse through it, or you
could use the bookmark view, and it's a shortcut
to these locations. And once you're in these
locations, you'll see the value which the decoded output. In this example here, we're
looking at recent docs where it automatically
decodes all of the information from recent docs, when
it was first opened, when it was last opened and more based on what we currently know about doing proper forensics
against these documents, recent docs that
are in the registry. It also has the overall
key overview down here, obviously, the hex
data down here, but you can see all the
different available bookmarks.
There's hundreds of
them that Eric has done a really decent job,
and if you find one that is not listed as
a bookmark, I guarantee if you email Eric
and say hey, listen, this is missing,
he'll have it updated in the tool within a week. You know, he's really almost
obsessively, you know, compulsive about
making sure his tool has everything it
could do built into it. So he's one of those individuals
that is very friendly and, you know, is very appreciative to any ideas that you
potentially send over to him when you're using a
tool such as this. The other thing that I found
that was extremely useful in here, which I
have not seen a lot of other registry capabilities
that are out there, is the ability to do
registry keyword searching.
Now, so say you have, you
know, there's a keyword, you know, dirty word
list that you're using and you're not sure
if it exists in a key anywhere in there,
or potentially that you wanna search for a
keyword between a certain date and timestamp, you could
obviously do that as well. And it basically will
show every single location inside the registry for
doing that keyword searching. You could do regular
expression searching, you could look at the
key name, the value name, the value slot, the value
data and more through here. The other thing that I don't
have a good screenshot for, but I'd like to mention
it, for those of you who are doing APT cases,
the Registry Explorer actually has a
built-in capability to identify any key
values that have a very large data
as a part of it, we all know at this
point that a lot of the advanced persistent threats are embedding inside these
tools' capabilities to, you know, do fileless malware, they'll potentially have
a PowerShell script, something that is obfuscated.
And the tool did a
decent job of saying hey, there's some
abnormally large values that you should probably
go take a look at, and you'll do that. It also has built-in
decoders if you wanna do base64 decoding and
other things like that, it also does those,
and you know, we're barely
scratching the surface of what the tool is able to do. So there's your
keywords, there's your last time descriptions
in your search output. The other thing
that this tool does, which is extremely
valuable, other tools do this as well,
commercial tools, but this is the only free
tool I know out there that does this
extremely well via GUI, which is exposing deleted keys and their values
that are in there.
Notice what we
end up having here as in the recent docs,
you end up having a bunch of deleted keys
with the red X over it, it's still our
goal to extract out the data from these deleted
keys, so it's another good example of that
(mumbles) going through it. Another tool that's out
there that we also teach in the class, you know,
also run by Eric Zimmerman. And you know, Eric, this
is one of his first tools that he wrote, which is
pretty amazing capability, which is ShellbagsExplorer. Now, if you're not
familiar with Shellbags, basically, any time that
you view Windows Explorer, open up a folder, it
literally drops a breadcrumb into the registry saying that
you opened up this folder.
So even if it's on
an external device, whether it's, you're
in Control Panel, whether you're in a special
location within Windows, the Shellbags registry
locations via shell items is keeping track of all
these different folders that you specifically opened
and were able to track them. And that's where, you
know, if someone's on an external drive and
they're copying things over to that drive, we
are able to tell that via Registry Explorer,
even if they didn't open up the file, they still
would potentially need to navigate to the folder where they're potentially
placing it to, and we'll potentially
see that via the USB, and that's what we're
actually seeing here. In the F drive template, we're
able to see that this was a folder that was
copied over here, if you actually compared
the creation time and modification
time, it was created after it was last modified,
and as a result of that, this is a signature
for a file copy. And that's something that we
really emphasize in the class is how do we tell someone
is stealing data from us? Whether it's an APT, whether
it's an internal, what it, you know, what did
they potentially take? This is, you know,
ShellbagsExplorer does, you know, a really
good way to expose a lot of that data behind
the scenes as well.
So you know, as we know,
the tools, not just based on a bunch of, you know,
the class is not based on a bunch of tools
that are out there. We also have a bunch
of new capabilities that are build within
Windows as well, and you really can't go that far without really getting
excited about the new SRUM, the System Resource
Utilization Monitor that's built within
Windows 8.1 And Windows 10 that keeps track of a
plethora of internal data that is just waiting
for you to extract. Now, one of the reasons
why that this is a very significant
new section for us within our Windows class is that what if someone is using an
application such as Skype or a browser to send a lot
of data out of the network? And so one of the things
that we're able to see here is that we're able to see
processes that are run and we're able to target
the application and more, but you know, we
get energy usage and some other things
that are inside in here. But we're actually able to see if we they have a network per
process that's on a system, Skype or a browser or,
you know, something else.
How many bytes were sent and
how many bytes were received? So if someone is sending
out a lot of data via an application, you
obviously see more data that is sent out than data
obviously received back from the SRUM analysis
database that we're gonna be, you know, showing
people how to parse. And it's extremely useful for us to be able to
identify the process and potentially network
activity of a process because that's able
to tell us, you know, if someone is potentially
exfiltrating data from a house using a network,
and we're able to tie it down to the specific process
that's in there. Even if the process
is no longer running, it is recording this data inside the system resource
utilization monitor that is built within the
latest versions of Windows. Every process, as soon
as you launch a process, is going to keep
keeping track of this.
And it also provides
us additional layers of evidence of execution in
here as well, which is, again, for anyone who is keeping
track of latest APT stuff and more, and they
potentially use, you know, PuTTY Secure Copy or
something like that to be able to exfiltrate
data, then you might be able to see the user who
executed the app, how many bytes were sent out. Gives you kind of an
estimation of what potentially, how much data that they
took from the system. And then you marry this data up with what files are
potentially opened up around that point in
time or which files were recently created,
deleted, and which folders were opened, you
might have a good idea of what potentially was
taken from your system and which application
was sent over. So this is basically
a quick overview of some of the things
that we're able to do within SRUM analysis.
Now, what about other
things that are in there? And I pulled this
example out, is you know, showing evidence
of file opening, kinda tying back in the
SRUM, which is, you know, are there changes that
happened in Windows 10 that are not found on other versions
of the operating system? And we all know that shortcut
files, the LNK files, are created automatically
when you open up a file on a system. And they're all a part of a
grouping within the course that we call shell
item analysis. And with shell item analysis,
we're able to show usually evidence of file opening,
program execution and more. And as a part of that,
we're able to see in the latest change in
Windows 10, you know, some of the significant
differences that we're able to now see with shortcut
files being created.
And one of the coolest
things that are in here now is that it used to just
include the Nokia Strategy.Lnk, but now it actually
includes the .Docx extension of the file, .Lnk
at the end of it. It also has multiple
different, if you open up, create a folder, it's
gonna probably create three shortcut files
as a result of that. As a result, when we're able
to tell these differences, it creates the created folder,
the folder and subfolder for the different, basically,
the different parents of where it's gonna
be going back, and it's gonna be showing
that in a shortcut file that we're gonna be
looking at on the system. Some of the things that are
extremely useful to investigate, and today is again, going
back to our Registry Explorer, you know, Office 365
examinations, we cover this in-depth, you know,
what residue is left within the registry
of Office 365, and this is really
critical, especially as you're having
data synchronization, a lot of the most
recently opened up files are gonna be recorded
on any system that you potentially have used that plugs into
OneDrive, for example, say, on your iPhone all
the way down to a browser all the way back to your laptop.
If you open up a file,
a lot of this data is synchronized
across the different
versions of Office 365. And as a result of that,
that is being absorbed into the registry and we're
able to see first open, last open time, the
full file path and more of where this data was
found when it was opened up. So you know, we're really
starting to touch upon some of the latest
capabilities that, you know, people are looking at and
saying hey, Office 365 is, you know, really
emphasizing, you know, open up an Office document
from anywhere, on your phone, on your laptop, in your
browser, in an Internet cafe. You know, very similar
to what Google Docs was trying to do for
years and still probably arguably doing it better.
But it's Office 365 is
trying to, you know, edge out that competition
and, you know, it creates a ton of
forensic artifacts for us to take a look at here. The other thing that
we also really start to emphasize in here is, you
know, differences between Mass Storage Devices which
are standard USB keys and Medial Transfer Protocol,
which are other devices such as phones and,
you know, other devices that you're able to actually
copy files to and from. And so if you're on our
USB device analysis section that we just don't
primarily focus on, a lot of these different
capabilities that are out there, but again, if someone
plugs in an Android phone, yeah, you could steal
data from your network just like you do a USB
device, and we need to be able to show how that occurs and
where these different artifacts are gonna be showing
that the file was potentially opened or
copied to one of these devices, that is really
cool for, you know, doing this type of tracking. And we cover all
three of the devices, the Picture Transfer Protocol,
the Media Transfer Protocol and the Mass Storage Class,
which is the MSC device.
Most people are really
interested in USB devices, but again, we still need to
talk about Android phones, Windows Phones and iPhones. And iPhones actually, you
can't really easily copy files directly to the platform,
you have to use iTunes or something like that,
it has its own aspect. But Android, you could
actually, you know, shows up as a drive letter,
copy files over to it and it's much easier, same thing
with Windows phones as well. And we're, you know,
basically showing some different capabilities
that are out there.
Email, you know, a
lot of people say, oh, I know email
forensics, but you know, some of the things you may
not know about email is that, you know, within Microsoft
messaging architecture, there's these
extended MAPI headers. And a lot of individuals doing digital forensic
investigations, you know, are fairly unaware that
these things exist. And so we spend, you
know, a little bit of the class talking about using a commercial tool
called (mumbles) that could expose, via
the Outlook metadata in the single email
message whether or not, when an individual
actually read an email, whether they forwarded
the email, whether they, you know, examined, you
know, potentially replied to the email at all. It basically shows all
of this information, you know, for example, on
the Pr_Last_Verb_Executed shows what the individual
did on that email, including if they made it
unread, it's like made unread, you know, was the last
thing you did to it.
So there's a lot of the
capabilities in here that, you know, when you're doing
email examinations that, you know, it's not
just hey, I know that, there's a lot of things
in here that we get into, including how do we
potentially do enterprise wide email examinations using
Outlook and PowerShell to look for any email that
has the specific subject with this specific
attachment between these date and timestamps, that we're
able to use a PowerShell script to eventually pull
that out of our email. The other thing about
email that frustrates a lot of examiners today is
that it's not guaranteed, other than web mail,
to exist on the system. You actually still might need
to go to that email server and extract out the PST archive of the individual separately
doing that acquisition. Which, again, this is
fairly new as, you know, Microsoft has really
tried to shift away from storing local PSTs
and only using OST files for offline
transactions, you know, between yourself and the
Outlook Exchange email servers that are out there.
We also talked about some of
the new artifacts out there, evidence of execution,
the Amcache.Hve, it's a brand new hive
file that came out with Windows 8.1 Which
is existent on Windows 10 and has been retroactively
activated to Windows 7 now. And they're able to say
per application per device, you know, your volume. You're able to track, you
know, which USB executed a program, which hard drive. And it also is able to tell you the executable name, the
SHA1 hash for the executable, and of course, the
first time of execution for the application.
And this is just,
again, touching on some of the newer
artifacts that, you know, we're really trying to get into with the latest versions of
Windows that are out there. This is going into a little
bit of browser forensics, and you know, as we get
into browser forensics, you know, a lot of
people are saying hey, browser forensics, I have
a tool that does that. But what a lot of people
don't know is that, you know, it's been years that it's
taken the latest tools to get up to date
to be able to parse Windows IE10 and IE11 artifacts, which are no longer
stored in index.Dat files, they're stored in the ESE
database extensible storage database, which is it's own
kinda like journaling database. And these things are not
written too immediately.
So what's really crazy here
that, if you're analyzing a computer system and someone's
using Internet Explorer to do browsing, and you
use your tool to analyze the ESE database,
it may not contain all the most recent up
to date information. And so, in the class, we
really try to point this out, you know, take a look at
the database down here. It was written to at 10:25
a.M., But if you look at the log file, the
log files has not synced to the database yet. Obviously, the log file
has been written to after, almost a day after
the ESE database.
And so when you
sync the database and you actually notice
that there's, you know, 32 entries of where they
browsed online that are missing. You know, two cookies,
about 3,000 cache entries when we do this comparison here. But in order to,
you know, make sure your tools are hitting
this correctly, you actually need to
sync the database offline and then have your tool
parse that database. Otherwise if you don't do that, you're likely missing
the last 24 hours of data for Internet Explorer and Edge.
And this is quite significant,
I've actually talked to a lot of law enforcement
where their mouths literally drop and
they start going uh oh when they hear
this in the class, and we start talking
about how do we do this, what are the tools, it's
a tool called Esentutl that you could force
the synchronization, but obviously, you need
to copy the data off, you know, you don't
(mumbles) only at this point, and you need to
copy it off, sync it and then do a comparison
between the original and new to be able to see how many
entries we're missing from that. So if you really want the
latest up to date information, you actually need to
force the synchronization, and I've looked at all the
tools that are out there, and no tool from my
perspective, and of course, I would always
ask this question, if you know something,
please let me know 'cause I'm always
interested in learning. Does a tool out there
automatically detect that it's out of sync, does
the synchronization for you and provides you a full picture? Or is the tool kinda
blind to it, you know, when they're doing this? And most tools that I've
seen are blind to it and rely on the examiner to say, here's our completed ESE
database for IE10/11 or Edge they potentially
wanna take a look at. In addition to that, you
know, another artifact that not a lot of forensic
tools out there hit or parse correctly
is, and this has been out there for years
now ever since IE8, is the IE session
recovery folders, and this is what happens
when your browser crashes and says would you like
to restore your last, you know, location where
you were browsing to, and you say yes, I would.
These are actually stored
in this folder here under Local, Microsoft, Internet
Explorer, Recovery, Active. You see all these
.Dat files, each one is going to be a separate
tab that was opened up in your last browsing session. And again, you know,
for your automated tools that take a disk image
and parse everything, not a lot of tools parse
the session recovery stuff, in fact, we only teach
one tool that we know of actually out there
does it manually, but not a lot of the
automated tools out there automatically detect
these and, you know, pull these in and potentially
pull the data from these. And one of the reasons why
these are very important is this is one of the
few artifacts that, if you're on InPrivate
browsing mode, it is actually going to
create and write that tab on disk and it's recoverable.
So if you're on
InPrivate browsing mode in Internet Explorer,
you could actually see all the different
websites and the history of each tab that is in each one of these dat files,
including one that is in InPrivate browsing mode. So it's, you know, these
are some of the things in browser forensics, you
know, beyond the history and cookies and cache that
we start talking about that really get
people's eyeballs going and saying hey, what? Another one, especially with IE, is the synchronization
data, you know, what data is synchronized
between a browser on two different systems? Now, I mentioned earlier on
the data synchronization, especially on the
latest version of 500, we end up starting to touch upon that if you have ever logged
into another Windows system using the same
Microsoft account, immediately behind the scenes, a lot of data synchronized
between both systems, including, without
your permission, your IE history, your
favorites, your passwords, your tabs, potentially,
that were opened up. And here's just
an example in here of what is synced between
Windows 8 and Windows 8.1. But even if you open
up a tab on a side of your Internet
Explorer window, it is gonna synchronize that
data onto this second system.
And we show you
how to potentially
detect that dat file, how to potentially forensicate
it, how do we look at it? And I always tell this
in law enforcement, I say man, you know,
this provides another really interesting way
to provide monitoring, is that if you log in
using the credentials of a criminal on second system, you potentially approve
that second system out there and you can potentially do
this behind the scenes somehow. Every time that someone
opens up a browser and starts browsing
through Internet Explorer, that data's automatically
synchronized to
the second system. So it provides a, you know,
built-in monitoring capability if you wanted to do it. And I played around
with this on my own and it definitely works.
And so it's really crazy,
and for those of you who are saying well,
IE11, you know, that has been replaced by Edge. Well, not so, we
actually have both IE11 and Edge that are sitting on
Windows 10 simultaneously. And so, you know, how much
of this data is synchronized? Now, the really
interesting thing is, when it comes to
what data synced, what is going to persist
after history is cleared. On your local system, you know, pretty much as you
expect, you know, things are removed from
the WebCache.Dat file, but they're still
actually recoverable because it's a database.
But again, on the
remote systems, all the history is
going to persist. So you know, even
though the history has been synchronized
to your remote system, you just cleared history
on your local one, you didn't clear it
on the other one, you actually had to manually
go log onto your second system and clear your
history on that one. And this gets people
like wait, what? You know, so my history
is sitting on the system that I logged into, and
as soon as I log back into that system, you
know, then I can clear it? I'm like yup. So again, a lot of
things have to happen in order for the
synchronization to occur.
But you know, it's
like how much is cached into Microsoft Borg before it's
synced to the other system, it's kinda like Google
and the other ones. And it's like well,
what about Google? Does Google do this stuff too? The answer is yes and
you could do that. And as we mentioned before,
it's really hard to do this in a very short timeframe,
but can we identify synced versus local based, you
know, creation of this data? And for Internet
Explorer, Chrome, Firefox, the answer to that
question is yes. You know, one of the
things we're showing you here in Chrome history
is that Chrome history is able to show the source
of the website, whether it's an import or whether it's
synced or user browsed.
If the value is
zero, it was synced from another logged
in Chrome session. So this is a really good
one to play around with on your phones and on
your local laptops, log in via Chrome on
your phone, browse to a couple of website
and then go look at your history via your
SQLite database examiner. And in that file, you'll
see that that was synced from your phone,
and so, you know, source is synced and
you have to go back to your visits in
order to identify this. Now, here's a thing that
was gonna boggle your minds a little bit here.
How many of your tools
are at this point showing you synced versus
local generated data via your tools, from
Magnet Forensics all the way down to
all the other tools? This is something
that the only way to get access to this is
that you have to manually get in here and get
into the SQLite database and take a look at this. And you know, it's
one of the things, it's like once you understand
the SQLite forensics a little bit, we show
the core of how to do it, you might need to go
on and look at the DNA. And be able to figure
this stuff out. A lot of the commercial
tools out there have not really shown
a lot of this data yet at this point so we, you
know, have a lot of the stuff that we're gonna take a look at.
My favorite section on the
course, and a lot of people hate this section, but I love
it because, for many years, a lot of folks
that are out there, when you're doing forensics,
didn't have access to event logs because they
didn't exist on Windows XP. And so as the result,
no one ever started looking at event logs. But on almost every
single type of scenario, from time manipulation,
tracking the USB devices, seeing people log in
on like screensavers. You know, to prove
the SODDI argument, the some other dude
did it argument, you might need to really dive
into the event log analysis.
And we've really done
an extraordinary job of trying to keep this
section up to date with the latest
evolutions of Windows. And, you know, with the
latest process tracking you're able to do and
command line history tracking and more things
you're able to do, that event log
analysis is becoming even more relevant to digital
forensic investigations today. The reason I like teaching
this section is that I always, out of every section I
teach to forensic examiners this is the one that they
know the least about. I have the least amount of
people sitting in the classroom that know anything about this
while they go through it.
So overall, when we end
up taking a look at this, I wanna, you know,
stop here to be able to answer just a few
questions and go through this, but this is just a snapshot
of some of the things that I'm like man, I really
wanna talk about this, and I'm just, you know,
we've just run out of time about how many
things are brand new in a Windows forensic
analysis class. And you know, we update
this thing multiple times per year, every single
time we update it, we're really struggling
with well, you know, how do we get more
stuff into the class and what do we have to take
out in order to keep this thing as relevant as possible? Windows has not stopped its
release schedule for Windows 10, and we're not going to
Windows 11 any time soon, it's just Windows 10 Creators
Edition just came out, and of course, we had
Anniversary Edition and all these other editions. But slight variations
of the Windows artifacts are slowly being released. And we need, you know,
additional research
and development that's gonna come out,
and we're include it in the class as
soon as possible.
There's a ton of new
forensic artifacts that a lot of the tools out
there just don't parse yet. And you need to know
that they exist because they could be relevant to your
cases, to be able to tell, you know, how many bytes is sent from a specific process
is potentially critical to intellectual property
theft cases via SRUM analysis. New tools and capabilities,
we're really looking at the best of breed capabilities
for both commercial and open source, free. And then finally, and this
is the most fun for us, is that we like creating
a bunch of new datasets that are out there that we
could use in the overall class.
So I hope at some point
you're able to take, come and take the class with me. But I wanna open up for
just a few questions before we're going to
end the section here. And I will start with
the first one here. And this is from Mike Diedrich, "If I've taken 408 on demand,
would the 50% discount apply "if I attend the 500 course
live in the classroom?" Mike, I believe it
does, it's alumni in any form that
you've taken it in, as long as it was, you
know, I think, yeah, I'm pretty sure that's the case.
You have to go contact the
registration and say hey, listen, I took 408 on demand,
here's when I took it, you know, your
receipt or whatever, they'll be able to
have that history and you'll be able to
say I'd like to take 500 in the classroom, can I
get the alumni discount? And again, I think
that's the way it works, but again, you know,
it should be any format that you've taken the class in. "Where can we
download the poster?" The poster, oh, Carol has
already answered that question, is under digital forensics
community SANS cheat sheets on an earlier slide of the PDF, I also included the
bit.Ly link for it. And I believe it's
dfir.To/FOR500-POSTER on caps is another location
you could do that. And finally, what's happened
with SIFT and SIFT Saltstack? SIFT is a 508 tool
that we're using, we have the Windows
SIFT in this class, which is you get a full
Windows enterprise license with the class and you
also get all the tools installed on a Windows system.
With the Ubuntu
version of the SIFT, we're currently moving
toward a 16.04 Version and we've rewritten
everything in the Saltstack to be much better
management for people to do the installation. Once we get that thing
completely stable, which we're really
close to at this point, we're probably
gonna do a webcast on the latest in this
SIFT app that's out there. Any other questions here
before we run out of time? Oh, perfect. "How has the adversaries
changed their tactics, "and how has 408/500 adapted?" Well, you know, that's
a really good question, because when we start looking
at the different adversaries, from hackers that are
out there and more, we always hear about things
like fileless malware, you know, this is a big
one, everyone's, you know, executing things through
PowerShell scripts and more.
But again, it's like
there's no such thing as a forensic class
interaction with the system. And one of the things that
we really tried to emphasize is even if you're dealing
with an advanced actor, they're going to have
to execute something. If you're gonna execute
a PowerShell script, PowerShell must be executed. If you're executing WMIC,
WMI must be executed.
So it's trying to understand
how to potentially peel the veil back
instead of just focusing on looking for the
malware of the adversary, you're looking for where
they left the breadcrumbs and the footprints in the snow that the adversary
existed on the system. In the instances
where the adversary is trying to do
actions on objective during a part of the kill chain, they are specifically
looking at files, opening up files,
traversing directories, opening up and executing things, doing file keyword searches. All of these things produce
different artifacts, and it's completely
difficult for them to completely remove their
footprints out of the system. And we talk about
anti-forensics in the class, for example, how do you
wipe a registry key? You could delete it, you
know, and we are able to still recover that, but
a registry is a database and we could recover
things from a database.
How do you remove that
entry from a database? It's not impossible,
but it's difficult. And you know, you can't do it
without a third party tool, and then how do you
anti-forensicate that
third party tool? So there's a lot of different
things out there that, you know, that once
you get that, you know, breadcrumb that
you're gnawing on, that you start being
able to piece together what the adversary is
doing on the system without just focusing on the
malware or the (mumbles). But it's a really good question. Next question, and this
is from Preston Coleman.
By the way, hi, John, that
was a really good question, by the way, I just
saw your name. Preston Coleman, "Is it
possible to get a list of tools "to be used in the class if
we'd like to work with them "ahead of time, similar
to preconfigured ones "machine FOR518?" Yes, in fact, let me
see if I actually have my Dropbox up and running here just 'cause I think I
have it in the Dropbox, I'll paste a link in here. I thought I had it,
yup, here it is. I'm gonna paste a link from,
into the window here, I hope.
So here's a Dropbox
link that contains currently all the tools,
it may not be completely up to date, but this
is the Dropbox link to download the current
tool list that's inside the Windows SIFT workstation. Oh, that was the wrong window, here, let me make sure I
get the right window here. All right, there you go. And Carol, if you can make
sure that's sent out to everyone in the chat
window, if I was not able to do that correctly.
All right, I think
we're out of time. - [Carol] I'm not really
able to copy and paste that from where you put it in
in the question window. If you could just send into
all in the chat window, that would be perfect. - [Rob] Oh, that's where
I'll do that, okay, chat window, paste.
Aww, okay, I think I did it. Did that work? - [Carol] Yes. That's perfect. - [Rob] Okay.
Any other final
questions, or Carol, did anyone write
in the chat window or what should be
questioned and so forth, or anything else I missed? - [Carol] You got them all. - [Rob] Awesome. Everyone, thank you
so much for you time, I appreciate you
attending today. I hope you have a great weekend.
Thanks, thank you and see
you at the next SANS event. - [Carol] All right, well,
thank you so much, Rob, for your great
presentation which helps bring this content to
the SANS community. To our audience, we greatly
appreciate you listening in. For a schedule of all
upcoming and archived SANS webcasts,
including this one, please visit sans.Org/webcasts.
Until next time, take
care, and we hope to have you back again
for the next SANS webcast..
/about/Liriodendron_tulipifera_range_map_3-58e11f053df78c51625a3a41.png)
