https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/ Digital Forensics Discussion Forums en-US Thu, 18 Jun 2026 04:46:33 +0000 wpForo 60 https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596483 Thu, 18 Oct 2018 21:22:37 +0000 Brian Carrier's book on forensic analysis of filesystems is still a good book IMHO. Worth a read, especially if you are just starting out.
Interestingly where File System Forensic Analysis was previously one of the books people recommend being read first, now we're starting with forensic artefacts and working down to the file system. FOR 508 covers the NTFS artefacts on the second last or last day.

Reading through FSFA is definitely recommended at some point.

@apurva.rustagi
As per Investigating Windows Systems, I haven't received my copy yet but Harlan has indicated that it isn't a book on parsing artefacts, but about putting them together. Can't really say if its worth reading for your purpose (but considering the reviews so far, as well as knowing harlan delivers a good read), but I'd definitely be starting with the earlier books.

Either way, doing a bit of reading beforehand, even if its just reading the weekly blog posts by everyone leading up until the course will help you hit the ground running]]> Education and Training randomaccess https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596483 https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596476 Thu, 18 Oct 2018 15:44:03 +0000 Education and Training edman https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596476 https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596474 Thu, 18 Oct 2018 14:04:09 +0000 Secondly, could someone recommend a good beginners book(s) I could read prior to taking the course?
Brian Carrier's book on forensic analysis of filesystems is still a good book IMHO. Worth a read, especially if you are just starting out.]]> Education and Training hectic_forensics https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596474 https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596472 Thu, 18 Oct 2018 13:22:43 +0000
To cover the basics, you can read the following books

1. Basics of digital forensics (you already mentioned that)
2. Investigating Windows Systems - This is a new book written by Harlan Carvey and will serve as a great introduction and reference to Windows Forensics. The book will help you get more out of your SANS class in April.

I hope you enjoy your class and wish you best of luck with your career in digital forensics.

Regards,
Apurva R]]> Education and Training apurva.rustagi https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596472 https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596470 Thu, 18 Oct 2018 13:03:15 +0000
If you are VERY new to DFIR, I'd recommend the SEC 401 class. It covers lots of forensic and IR basics and is still pretty detailed. However, if your job is really focused on forensic analysis alone, the 500 is best.

If you want to prep, lots of universities offer free online material for study and review. I'd also read as many SANS whitepapers on forensic basics to prepare.]]> Education and Training jpickens https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596470 https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596467 Thu, 18 Oct 2018 12:06:33 +0000 I've sat in classes when people had really never done forensics before
That happened to me in FOR508 -)
No idea how these guys and girls define "Advanced", but I went there after 5 years in DFIR. At the same time there was a team from **** Telecom with no clues and none of them had a notebook with enough memory or hard drive space to run the SIFT workstation…so these 4 people sat around and were surfing all day until the end of the week -) That is definetly one way to burn a lot of money!

regards,
Robin]]> Education and Training Bunnysniper https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596467 https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596465 Thu, 18 Oct 2018 12:02:11 +0000 It depends on how you define beginner
I've sat in classes when people had really never done forensics before and they can get a bit lost because there is a lot of information given in a short period of time.

I'd have a look at the course page and see what's on each day. Generally I recommend Harlan's books wfa4 and wrf2 as a good overview of a few of the data points. I don't recall it.covering email or browsers as extensively and also doesn't cover the win10 artifacts.]]> Education and Training randomaccess https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596465 https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596464 Thu, 18 Oct 2018 12:02:06 +0000 Hi All,

I'm completely new to Forensics and I'm planning on taking the SANS FOR500 course
Yes, that is a good beginning. In parallel you can start with memory forensics and from my point of view, there is no way around Volatility atm.

regards,
Robin]]> Education and Training Bunnysniper https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596464 https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596462 Thu, 18 Oct 2018 11:16:20 +0000
I'm completely new to Forensics and I'm planning on taking the SANS FOR500 course (and GCFE certification) in April. Firstly, is this course good for beginners?

Secondly, could someone recommend a good beginners book(s) I could read prior to taking the course? I've seen a few being recommended elsewhere (one being The Basics of Digital Forensics The Primer for Getting Started in Digital Forensics by John Sammons) but these are very US-centric - does that matter?

A bit of background about me, I've worked in E-Discovery in London for the last eight years but I've always been interested in Forensics and I am now planning to learn more about it and transition over to working in Forensics.

Thanks in advance for all your help!]]> Education and Training edman https://www.forensicfocus.com/forums/education-and-training/sans-for500-newbie-to-forensics/#post-6596462