SANS Courses 408 & 508

(@joshsevo)
Posts: 89
Trusted Member
Topic starter
 

How do you guys/gals like these courses? I would assume that a majority of you have been to them. I am about to pay for them in a few weeks and would like to know if I am headed in the right direction.

 
Posted : 23/02/2011 10:08 am
(@mrwh1t3)
Posts: 41
Eminent Member
 

If you wait until after April 4th I can tell you about FOR 408. I will be taking it in Orlando, FL.

 
Posted : 23/02/2011 10:33 am
(@joshsevo)
Posts: 89
Trusted Member
Topic starter
 

Nice! I am taking 408 in Morristown, NJ and then 508 in Boston.

Ya please let me know what your take on them is.

 
Posted : 23/02/2011 11:00 am
(@phenrycissp)
Posts: 1
New Member
 

I teach for SANS so naturally may be a little biased… that being said, I took the 508 course more than a decade ago and repeated it again about 5 years later. I found it to be some of the most valuable hands-on and usable forensics training that I had received in forensics. Taking it the second time covered updated and new material - I learned as much the second time around. I have been in forensics for quite a few years and took the 408 course about 2 years ago - what was described as an "essentials" course taught this old dog a few new tricks…

The coverage in 408 of Windows is priceless - how to find what and where, as well as using multiple tools to validate findings. The tools used in class are timely and have added value to my forensics practice - I have access to numerous commercial tools but regularly fire up my SIFT workstation to get the fast answers I need. The class "case" brings it all together and has students working as teams to apply the knowledge they learned in the class to solve the case and present their findings.

The 508 course really takes it to the next level with rapid coverage of a myriad of Linux-based tools that are really applicable across many flavors of *nix. Naturally there is more command line interaction for the student in the 508 course, but more than enough background is provided to mitigate the fear of the command line… While there are many methodologies and tools covered in 508, for me personally the biggest takeaways from 508 were the hands-on touch of the dozens of open source tools that afford much of the capability of today's commercial tools. Personally, the detailed usage of dd to carve not only out of unallocated but out of RAM, and the Super Timeline creation, are things I have made a regular part of my analysis in my practice.

Best,

Paul A. Henry

 
Posted : 23/02/2011 7:46 pm
(@jgarcia)
Posts: 25
Eminent Member
 

So far, I have only taken the 408. I am taking the 508 in June, so I won't comment on that. I have heard nothing but great reviews on it though.

The 408 was excellent. I took the 5 day course, which has now been expanded to a 6th day. First they get you familiarized with doing acquisitions, chain of custody, etc. Then you'll move on to common artifacts found on Windows OSes, email/chat forensics, tracking USB devices, etc. This is done using the SANS Windows SIFT VM appliance (make sure you have a Windows key for the class). On the SIFT kit, they installed a bunch of tools (most of them available for free) that most examiners will need to use on a regular basis (RegRipper, FoxAnalysis, FTK Imager, USBDeview, DCode, etc.). Each day you get hands-on with the tools you have learned for that day to get you familiar with the layout and the reporting features for those tools.

The last day (at least of the 5 day course), the class is broken up into teams and given a challenge examination to perform. I had a blast doing the challenge as I got to work with people I didn't know. It was a good information sharing experience.

What I like overall about the course is that it is not vendor-specific and you are taught a methodology of verifying your results. For example, you may run RegRipper on an NTUSER.dat registry hive and it will spit out a bunch of info for you. Then you take that hive and load it into FTK Registry Viewer and confirm what RegRipper gave you. It's nice to have tools do the work for you, but if you can't find the artifacts or explain what info they are giving you…

Oh and as part of the tuition, you get a Tableau T35e write blocker which is a nice piece of kit, especially if you are just starting out or your department/company doesn't have much of a budget.

Hope that helped.

Joe

 
Posted : 23/02/2011 8:12 pm
CyberCop808
(@cybercop808)
Posts: 2
New Member
 

Aloha,
When thinking about getting training on computer forensics, I highly recommend that you look for training that is not vendor-based.
That being said, the SANS courses are IMO the best out there for the price. Once you get the "basics" down, then you can start looking at the vendor-based training (i.e. AccessData, Guidance, etc.).
Hope this helps and good luck!
Chris Duque
aka da_BiGKahuna on Twitter 8)

 
Posted : 23/02/2011 11:38 pm
(@joshsevo)
Posts: 89
Trusted Member
Topic starter
 

No, that is cool that you do, and your insight is fantastic. I am excited about this. I have taken the InfoSec Institute's Sec+, but for this I wanted it at a slower pace so more of it will soak in and it's not such a cram session. I do have a question though, and maybe you can answer it.

On the materials that I need to bring to class, it asks for a copy of Windows with the key. If I already have a laptop that came with it installed, why would I need the key? The only reason I can think of is because they are also asking me to bring a blank HDD and would need the copy of Windows 7 and the key to reinstall it on a new HDD. Is this correct?

I am also applying for the facilitator program to see if I can get a break on the price, since I am a college student and paying out of my own pocket; having the discount and being able to speak to the instructors before and after class is an added bonus. The networking idea is something I have thought about also, and since I am a beginner I need this.

 
Posted : 24/02/2011 12:07 am
(@viveknm)
Posts: 10
Active Member
 

I have taken both courses and I recommend that you take 408 first and then 508.

Just like Paul, I had taken 508 when it was a fairly new course, and I took the course again 2 years back. It has improved quite a lot, and due credit to SANS: they listen to student feedback.

If you can, try and read "File System Forensic Analysis" by Brian Carrier before 508. (Don't worry if you cannot complete it, but give it a quick read.) Once you start 508 you will see the true value of Brian's book.

408 is all about Windows forensics and you will get good exposure to commercial tools like EnCase and FTK.

On your question on the Windows key: SANS distributes a new SIFT virtual machine (on Windows) for 408. They can only distribute it to someone who has a valid Windows license. You can use an XP or Windows 7 license.

Good luck

Vivek

 
Posted : 24/02/2011 4:42 am
ehuber
(@ehuber)
Posts: 91
Trusted Member
 

I think taking 408 at SANS New Jersey 2011 in Morristown, NJ was your best option of the two. Sure, 508 at SANS Boston is taught by the mighty Rob Lee himself, is in a fantastic location, and has a long history of being a great SANS event. However, I'm told that the 408 instructor is really good and has a magnificent singing voice. In fact, Rob Lee himself has said that he weeps to look upon the shining face of that very instructor.

Okay, you got me. I will be your humble host and instructor at the Morristown, NJ event. It's a nice location and time of the year. The site is in the heart of Morristown, so you'll have access to lots of great places to eat and relax after class. We'll get your Windows forensic edge nice and sharp so that you're ready for all of the powerful 508 Kung-Fu that Rob will be throwing at you at the Boston event.

 
Posted : 24/02/2011 5:48 am
(@joshsevo)
Posts: 89
Trusted Member
Topic starter
 

I would have thought that you would have said that the instructor for 408 was the best looking man you have ever seen and possibly smarter than the "Watson" computer that was on Jeopardy. Just kidding.

Cool, nice to meet you. I need about 400 more bucks and I should be enrolled in the class.

The keys should not be a problem to get, as I am a student and the school store offered Windows 7 Ultimate for free. I have a few copies along with the keys. I can bring a few extras in case nobody else brings one.

What are the class sizes like "normally", 20+ students?

 
Posted : 24/02/2011 8:58 am