by Si Biles
In an earlier article, many moons ago (sorry, Jamie!), I stated my
opinion that Forensics and Security were opposite sides of the same
coin. I’ve felt very strongly that my skills as a Security Consultant
have only been strengthened and expanded by the experiences I’ve gained
with Forensics, both as part of the Forensic Focus community (again,
apologies for my absence) and as part of my MSc (an ongoing epic
spanning two Universities and many years).
There is a particular area of Security work that I think mirrors the
skill set of Forensics more closely than others, and that is
Penetration Testing. PenTest is probably the most bleeding-edge,
exciting and intellectually challenging thing in the InfoSec field. No
matter how much I try, I struggle to get as excited about writing an
“Acceptable Use Policy” as I do when given free rein to attempt a
“capture the flag” task on a corporate network. (That’s not to say that
AUPs don’t have their own excitements … nah, I’m kidding, but they are
important, like eating your vegetables.) At the same time, though, the
same measured and methodical approaches and investigative skills that
apply in Forensics apply in PenTest.
Over the next few articles (I don’t know how many yet, as I’ve not
written them, but I’m aiming to get an update to you fortnightly) I’d
like to take you through a high-level PenTest methodology, showing you
some of the tools and toys that you can play with along the way. At the
end of it all, my intent is to run a competition (with a small prize for
the winner, something like an iPod Nano perhaps?) on a live machine (or
machines …) connected to the internet that you can all have a pop at.
Rules and scoring criteria are yet to be determined, and entrants will
have to write a short report. (Not that report writing will faze a
single Forensicator!)
In any case, let’s start by outlining the basic methodology.
Remember that, like Forensics, many parts of a PenTest methodology are
iterative: as you learn more in one phase, you may want to return to an
earlier phase and see what further advances you can make with your
new-found knowledge.
Thursday, June 28, 2012
Friday, June 15, 2012
Interview with Professor Golden G. Richard III, University of New Orleans
Golden, can you tell us something about your background and why you decided to teach digital forensics?
I studied computer science at the University of New Orleans, then went to Ohio State to get an M.S. and Ph.D. My evil plan to try to return to New Orleans worked, when a job opening at UNO appeared just as I was finishing up at Ohio State. I made a single job application (which slightly annoyed my advisor) and got the job.
I've been teaching at UNO since 1994. I've been "hacking" (in the positive sense of the word) since I was about 13--that's 35 years ago, although I don't really feel that old. Yet. I've always been interested in operating systems internals, filesystems, etc. When I met some people around 2001 that were starting a digital forensics conference, I realized that there could be a formal point and a focus for my tinkering. I started doing formal research in digital forensics around 2002 or so, and classes in digital forensics at the University of New Orleans followed around 2003.
What digital forensic courses are currently offered by the University of New Orleans?
We currently offer a bunch of security courses that have slightly overlapping content. There are two core digital forensics courses, CSCI 4623 and CSCI 6621, which are undergraduate/graduate mix and graduate only, respectively. CSCI 4623 is an introductory course and includes a bunch of hands-on stuff in my lab. CSCI 6621 is primarily a research course, where graduate students come up to speed on the state of the art in digital forensics research, tools, etc. It's driven primarily by reading papers, but with some lab work as well. We also offer courses in reverse engineering (basically, a malware course), kernel exploitation, network penetration testing, and of course a basic computer security course. Each of these has at least some forensic component.
Tell us more about course structure and content. What core knowledge and key skills should students gain by the end of their studies?
The idea with each of our security courses is to cover foundational stuff and to reinforce that with extensive lab work. For the intro forensics courses, that means I lecture using PowerPoint, do walkthroughs that illustrate a point, and then students actually do forensics in the lab. For the reverse engineering class, for example, it's similar--learn about particular aspects of malware, but then actually reverse engineer real viruses on your own. We're not a trade school, so fundamentals are tool-agnostic, but we have licenses for major commercial forensics and reverse engineering software so students are exposed to the "real stuff"...