Sans FOR500 - Newbie to Forensics  

edman
(@edman)
New Member

Hi All,

I'm completely new to Forensics and I'm planning on taking the SANS FOR500 course (and GCFE certification) in April. Firstly, is this course good for beginners?

Secondly, could someone recommend a good beginner's book(s) I could read prior to taking the course? I've seen a few being recommended elsewhere (one being The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics by John Sammons) but these are very US-centric - does that matter?

A bit of background about me, I've worked in E-Discovery in London for the last eight years but I've always been interested in Forensics and I am now planning to learn more about it and transition over to working in Forensics.

Thanks in advance for all your help!

Posted : 18/10/2018 12:16 pm
Bunnysniper
(@bunnysniper)
Active Member

Hi All,

I'm completely new to Forensics and I'm planning on taking the SANS FOR500 course

Yes, that is a good beginning. In parallel you can start with memory forensics and from my point of view, there is no way around Volatility atm.

regards,
Robin

Posted : 18/10/2018 1:02 pm
randomaccess
(@randomaccess)
Active Member

It's a good overview of the variety of artefacts available on a Windows system.
It depends on how you define beginner.
I've sat in classes when people had really never done forensics before and they can get a bit lost because there is a lot of information given in a short period of time.

I'd have a look at the course page and see what's on each day. Generally I recommend Harlan's books WFA4 and WRF2 as a good overview of a few of the data points. I don't recall it covering email or browsers as extensively, and it also doesn't cover the Win10 artifacts.

Posted : 18/10/2018 1:02 pm
Bunnysniper
(@bunnysniper)
Active Member

I've sat in classes when people had really never done forensics before

That happened to me in FOR508 -)
No idea how these guys and girls define "Advanced", but I went there after 5 years in DFIR. At the same time there was a team from **** Telecom with no clue, and none of them had a notebook with enough memory or hard drive space to run the SIFT workstation… so these 4 people sat around and were surfing all day until the end of the week -) That is definitely one way to burn a lot of money!

regards,
Robin

Posted : 18/10/2018 1:06 pm
jpickens
(@jpickens)
Active Member

500 is an excellent class, but as some said before, you could easily get lost if you don't have some security or similar exposure.

If you are VERY new to DFIR, I'd recommend the SEC401 class. It covers lots of forensic and IR basics and is still pretty detailed. However, if your job is really focused on forensic analysis alone, the 500 is best.

If you want to prep, lots of universities offer free online material for study and review. I'd also read as many SANS whitepapers on forensic basics as you can to prepare.

Posted : 18/10/2018 2:03 pm
apurva.rustagi
(@apurva-rustagi)
New Member

FOR500 is a good class but it assumes certain basic knowledge about forensics. The class no longer spends time on acquisition or the basics of digital forensics as it used to do when it was FOR408. That being said, I really like this option because the money that you spend on SANS training should ideally get you more than just basics. Considering your background in e-discovery, I would say the course is an ideal start for you.

To cover the basics, you can read the following books:

1. Basics of Digital Forensics (you already mentioned that)
2. Investigating Windows Systems - This is a new book written by Harlan Carvey and will serve as a great introduction and reference for Windows forensics. The book will help you get more out of your SANS class in April.

I hope you enjoy your class and wish you best of luck with your career in digital forensics.

Regards,
Apurva R

Posted : 18/10/2018 2:22 pm
hectic_forensics
(@hectic_forensics)
Junior Member

Secondly, could someone recommend a good beginner's book(s) I could read prior to taking the course?

Brian Carrier's book on forensic analysis of filesystems is still a good book IMHO. Worth a read, especially if you are just starting out.

Posted : 18/10/2018 3:04 pm
edman
(@edman)
New Member

Awesome, thanks a lot everyone for the detailed, informative responses, very much appreciated!!

Posted : 18/10/2018 4:44 pm
randomaccess
(@randomaccess)
Active Member

Brian Carrier's book on forensic analysis of filesystems is still a good book IMHO. Worth a read, especially if you are just starting out.

Interestingly, where File System Forensic Analysis was previously one of the books people recommended reading first, now we're starting with forensic artefacts and working down to the file system. FOR508 covers the NTFS artefacts on the second-last or last day.

Reading through FSFA is definitely recommended at some point.

@apurva.rustagi
As for Investigating Windows Systems, I haven't received my copy yet, but Harlan has indicated that it isn't a book on parsing artefacts, but about putting them together. Can't really say if it's worth reading for your purpose (but considering the reviews so far, as well as knowing Harlan delivers a good read), but I'd definitely be starting with the earlier books.

Either way, doing a bit of reading beforehand, even if it's just reading the weekly blog posts by everyone leading up to the course, will help you hit the ground running.

Posted : 18/10/2018 10:22 pm