
Online Forensic Training Recommendations

(@corey_h)
Eminent Member
Joined: 15 years ago
Posts: 43
Topic starter  

I am currently looking into various training options. Unfortunately, I am located in an area where there is virtually no forensics training and I won't be able to travel to attend any training. This means my only option for this year is to complete a course online. What online training courses have people attended that you feel were worth the money (where you learned practical information which could be applied in your job)?

I am looking for either an intermediate or advanced course. I have attended Guidance Software's CF2 online course in the past so I am fine with the online format when it is my only choice. I am considering a few of Guidance's other options or the SANS 508 course but am interested in what other trainings are out there before I make a decision. FYI, I don't use FTK so I can't attend Access Data's training.

My background: I have been in IT for over 8 years and in forensics for 3 years, my primary tool is EnCase (I use free tools as well), my cases are on the Windows platform, and the majority of my caseload is internal policy violations and financial audits, but I have an interest in incident response. Budget is between $2,000 and $4,000 but I might be able to swing a passport for $5,000.

Thanks for any feedback.

Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Why do you feel that you need a course? I've used available online images for training, for myself and for others. There's a lot that can be done with what's currently available.


   
(@corey_h)
Eminent Member
Joined: 15 years ago
Posts: 43
Topic starter  

Why do you feel that you need a course? I've used available online images for training, for myself and for others. There's a lot that can be done with what's currently available.

I have used different resources such as websites, forums, blogs, listservs, books, and articles in order to get a better understanding of the forensic process. This is where the majority of what I have learned about forensics has come from in addition to my IT background and Infosec experience. However, I find that formal training helps to learn new things faster since you can cram a lot of material in a one week period without the family or office distractions. Afterwards, I use the information I learned from the course in order to conduct further research and testing.

I am looking at different courses so I can learn about an aspect of the forensic process. Guidance and SANS were being considered so I could learn more about the tools, but I am also open to other types of courses that are more process-based, like different investigative techniques such as link analysis (as long as the material can translate to forensics). I want to use the course as a starting point.

Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Corey,

I see your point…but I also think that there's a lot that could be learned in the time between now and when you find a course to attend.

While I was on the IBM team, we went through two rounds of hiring and I learned a lot in both rounds. For example, I learned that we had hired people who could ONLY learn while sitting in a course, and couldn't even achieve a minimum level of productivity when given instruction one-on-one.

The "forensic process" is an interesting area, as there are a number of commonly-accepted aspects, such as never working on original "evidence". But then you get into other areas, such as documenting everything, and you get into a whole different area. In my experience, "documentation" means a lot of different things to different people.

I guess overall, while I do think that attending courses and obtaining certifications definitely have their place and are very useful, pursuing areas of study between the classes really separates mediocre analysts from the good ones.


   
ehuber
(@ehuber)
Trusted Member
Joined: 17 years ago
Posts: 91
 

I guess overall, while I do think that attending courses and obtaining certifications definitely have their place and are very useful, pursuing areas of study between the classes really separates mediocre analysts from the good ones.

I agree. The issue really comes down to whether someone is passionate about digital forensics or not. If you aren't motivated to learn outside of formal classroom settings, you likely aren't going to live up to your full potential as a digital forensics examiner and you will fall behind relative to your peers.

If you want to be really good at digital forensics, you have to make a commitment to eternally learning. Digital forensics is the convergence of science, law and technology and while there is some change in the first two elements, there is constant and sometimes dramatic change in the technology element.


   
(@dave-hull)
Active Member
Joined: 17 years ago
Posts: 15
 

I agree that being able to pick things up and figure things out on your own are essential elements for success in this field. But I don't think self-learning need be mutually exclusive of formal training.

In the interest of full disclosure, I'm a community instructor for SANS, so consider the source.

One of the benefits of formal training is the density of information that can be delivered in a short period of time. In a quality course, the instructor or course author has pulled the essential pieces of information together and can present them in the context of real world experience.

Consider Brian Carrier's File System Forensic Analysis book, the category killer for file system forensics books. It's outstanding and everyone working in this field should have a copy and be familiar with it. It is an invaluable resource. You could learn a lot by sitting down and studying the book, playing with different file systems and a hex editor, and examining the data structures as you read the book, etc.

But how much of that information will you need every day on the job? A good course will pull those pieces of information that you may need on a regular basis from sources such as Carrier and present them along with real world gotchas. And that may be accomplished in half a day in a formal course.

Consider also the feedback you can get from an instructor or fellow classmates. As an instructor, I almost always learn something new from my students. Someone in class may have a fresh perspective to offer or knows some command or command line argument that I'm not familiar with that can save time, etc. Yes, these are things I could have eventually discovered on my own, but formal training can facilitate learning in ways that self-study can't… and the opposite is also true. In my opinion, one should take both approaches.

As for which course you should take, I can't tell you which is better because I haven't taken any of the Guidance courses yet. I can tell you that SANS 508 is very hands on and relies heavily on command line tools. Many experienced examiners walk out of the course having a greater understanding of how the commercial tools work and just as importantly, they are equipped with a new set of tools that they can employ when the commercial tools aren't working, for whatever reason, or that they can use to verify the results that commercial tools are presenting.


   
(@mjantal)
Eminent Member
Joined: 16 years ago
Posts: 49
 

Furthering what dave.hull said, I think one of the greatest values of formal training is the informal conversations that occur between students/instructors that are not part of the curriculum. For that matter, just getting a bunch of us (DF examiners) together in one place is invaluable to me. Oftentimes life happens and the only time that occurs is when we schedule "formal" training.


   
(@crosser)
Trusted Member
Joined: 20 years ago
Posts: 56
 

Correct me if I'm wrong, but I'm not sure a Passport with GSI is going to help you at this point. If you have taken CF2 already, then I believe that the ENCE test prep course is the only one you can do online apart from CF1 and 2. The rest you will have to travel to and you said that you can't do that very easily.

As far as classrooms go, I appreciate having the instructor there to bounce things off of - it is a selling point. Like mjantal said, the contacts you develop in class are big pluses too.

Then there are your bootstraps. This might be books, forums, and test images. I like these because I find myself using them out of pure interest and curiosity. On a Friday night I may be at home reading some manual or sorting through a test image, much the same way I used to build model cars as a kid - sort of like tinkering. This has been very helpful since it allows me to create my own curriculum based on what areas I've been confronted with in real life.


   
(@corey_h)
Eminent Member
Joined: 15 years ago
Posts: 43
Topic starter  

I agree with Harlan and Eric's comments about being able to learn outside of the classroom setting. I prefer to periodically supplement formal training with the learning I do on my own since I have not been in this field for that long. I have approached learning on my own by putting into context what I am learning by matching it up to the different phases of the forensic process. For example, if I am trying to learn about a new technique (to me) then I try to determine what data the technique extracts, what types of cases the data can apply to, what questions the data can help you answer, etc. I have found this not only helps me to gain a better understanding but helps prepare me for future cases.

I mentioned how I approach this because I don't view formal courses as a replacement of learning on your own. I have an opportunity to attend a forensic training which I can complete during the day with no distractions. I am looking into various trainings to see what the courses offer and to determine if it is worth the while. If the course only covers material I could learn on my own, in a reasonable timeframe, then I won't waste my time. However, if the course covers content that could help me learn something that would take a lot longer on my own then I would like to consider this opportunity. Plus, the course would still enable me to research and test different topics on my own before and during the course.

I am only at the stage of trying to gather a list of courses to look into further.

crosser,

According to Guidance's website, more courses are offered besides the CF1 and CF2 courses.

Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com


   
ehuber
(@ehuber)
Trusted Member
Joined: 17 years ago
Posts: 91
 

I'll echo Dave's comments about the value of formal training and in the way of directly answering the original question, I highly recommend SANS FOR408 and FOR508. I think for someone who can't travel, but who wants an excellent online training experience, it's hard to find a better course and delivery method than taking something like FOR508 via the vLive format. For example, students who take the October 508 vLive class will get the benefit of two top SANS instructors (Rob Lee and Mike Murr).

FOR408 and FOR508 are essentially the same class that Rob split into two separate courses. They offer some of the finest digital forensic training that I've received so far in my career. FOR508 in particular was a transformational experience for me because of the memory forensic and timeline training alone.

However, you have to consider the source. Like Dave, I'm also in league with Rob Lee and SANS including, but not limited to, acting as Rob's TA for FOR408 at SANS Network Security 2010, being a SANS Forensic Blog contributor, doing test development work for the GFCE, etc.

I once took Access Data's Registry class through their live distance learning format and thought it was an excellent experience. Access Data offers quite a few of their classes in that format so if you can take them all through an "all you can eat" type pass, it could be a very good value.


   