Need advice from you guys.
My background is security operations team, with occasional forensic investigation. I am also CISSP, CISA, CEH. Do you think a 504 is more suitable for me or a 508 is more suitable for me?
I think it depends on what type of forensic investigations you most often participate in. Rob Lee was on the
I've taken both courses. SANS 504 spends a little bit of time covering the basics of incident response. The bulk of the time covers hacker techniques.
SANS 508 goes into more detail about incident response, including how to verify there's been an incident by analyzing memory, running processes, network connections and file system timelines. The bulk of the course is spent covering the forensic methodology, from gathering evidence to analysis, reporting and legal aspects.
Both are excellent courses, with a very small amount of overlap. If you can, you should take them both. If your interest is forensics, take 508. If you want to better understand how hackers do what they do, take 504.
Alternatively, you could take 508 and read Ed Skoudis' (the author of 504) excellent book "Counter Hack Reloaded".
Full disclosure: I'm a Community instructor for SANS and the editor and author for the