I recently got asked a question in a comment that I was planning to answer in about 45 days but I don’t want to wait that long so I’ll give half of an answer now.
The question was a common one: “Should I take SANS 408 or 508?”
First let me provide one HUGE caveat and explanation of why I was already planning on answering this in 45 days. I have taken the 508 (I’m even a proud holder of a GCFA) but I took the course back in 2008.I was completely unprepared but it was still a fantastic learning experience and it taught me concepts that I use to this day. The 508 exam of today has very little in common with the 508 from 2008. The course has been completely re-designed from the ground up and I have yet to take the new version.
I’m taking my GSEC exam at the end of this month but after that I’ll have a narrow window to watch the 508 OnDemand content for a much needed refresher. The new 508 books are actually sitting in a spare room in my house and in an unbelievable act of discipline I haven’t touched them yet as I wanted to knock out my GCFE and GSEC first. Once I’ve gone through the new 508 material I’ll write a post about my thoughts on how 408 and 508 fit together but until then I wanted to share the thoughts from others on the subject.
I’ve been told by individuals far more qualified to speak on the subject than I that there is a fair amount of knowledge taught in 408 that is assumed in 508. One of the best examples is timelines. As I talked about in my 408 review you start the 408 course off by creating a very small timeline of events and build onto that timeline throughout the course by examining every sort of artifact that you can think of. All of the artifacts are examined “manually” and you write your entries into a spreadsheet. Not the quickest process in the world but it gives you a great understanding of both the artifacts themselves and how they relate to one another.
A quick look at the 508 course shows that day three is all about timelines. With a quick glace you would think that it was redundant with 408 but I’ve been told there is little overlap between the two courses. The 508 timeline section is about automating timeline creation so that instead of doing them manually (as is done in 408) you use tools to create them for you. The knowledge from 408 comes into play in several areas:
- Understanding what the data means. 508 assumes you have a level of understanding of artifacts and timestamps that one acquires in the 408
- Validating the results from the tools used in 508
- Performing the process manually when the tools utilized in 508 don’t work correctly for whatever reason
The timeline topic is only one example of how 408 and 508 complement each other and I’m sure I’ll have some more after I go through the updated 508 content next month.
SANS instructor Mike Pilkington (great teacher and even better human being) told our class that in his opinion SANS 408 was an intermediate class since “it teaches the basics, but then goes into some pretty advanced topics”. I couldn’t agree more.
Anyone who’s ever taken a SANS class has probably hit a point where your brain feels like it hit a short circuit. Where the material for a topic takes a complicated turn or where it’s day six and your brain is overflowing but the content keeps coming. In the OnDemand version of 408 Rob Lee is discussing a topic and he realizes it’s probably a “wait, what???” moment for a lot of students. He says something along the lines of “I know a lot of you are thinking that you thought you signed up for basic class and you’re not sure what’s going on…” .
A lot of forensics courses have students leave thinking “I can look at the internet browsing history, I can check for inappropriate pictures, I can run a dirty words list to find relevant documents etc.” . This is all really good stuff and the 408 teaches all of that. The 408 also goes MUCH further and teaches a student what’s going on behind the scenes and how instead of relying on “I ran tool X and it shows Y” the student can transition to “I ran tool X, it shows Y. We can also demonstrate Y by looking at Q, R, S, T…”.
After going through the course and subsequently going through the books while creating my index I really do feel like I can intelligently work my way through a detailed analysis of a Windows machine and not only validate what my tools are telling me but dig deeper in some areas for information that isn’t covered.
When I took the 408 course there were individuals in the class who had been performing analysis on Windows machines daily for the past decade. They both told me that they enjoyed the class and picked up some good tips but they absolutely could have skipped 408 and gone straight to 508. If that’s you and you don’t have the budget for both classes then that’s a tough decision.
If you’re where I was and you understand forensics basics, file systems, prefetch files etc. but don’t feel like you have a truly deep understanding that comes from dealing with things like jump lists, shortcut files and registry artifacts on a daily basis than I think you would love 408.
On the in person vs. OnDemand, you really can’t go wrong with either. The in person experience is always incredible and you get to meet people with similar interests but the great part about OnDemand is the ability to pause, research, practice and then come back to the content. I know it’s a crazy time commitment but for some classes (504 included) I try to watch the on demand videos in addition to the live class. The 504 on demand videos really opened my eyes to how high quality the OnDemand learning experience was. I had a slight preconceived bias that OnDemand was inferior to a live conference but it’s absolutely not and there are some serious pros to each.