Should I take SANS 408 or 508? (part 1)

I recently got asked a question in a comment that I was planning to answer in about 45 days but I don’t want to wait that long so I’ll give half of an answer now.

The question was a common one: “Should I take SANS 408 or 508?”

First let me provide one HUGE caveat and explanation of why I was already planning on answering this in 45 days. I have taken the 508 (I’m even a proud holder of a GCFA) but I took the course back in 2008.I was completely unprepared but it was still a fantastic learning experience and it taught me concepts that I use to this day. The 508 exam of today has very little in common with the 508 from 2008. The course has been completely re-designed from the ground up and I have yet to take the new version.

I’m taking my GSEC exam at the end of this month but after that I’ll have a narrow window to watch the 508 OnDemand content for a much needed refresher. The new 508 books are actually sitting in a spare room in my house and in an unbelievable act of discipline I haven’t touched them yet as I wanted to knock out my GCFE and GSEC first. Once I’ve gone through the new 508 material I’ll write a post about my thoughts on how 408 and 508 fit together but until then I wanted to share the thoughts from others on the subject.

I’ve been told by individuals far more qualified to speak on the subject than I that there is a fair amount of knowledge taught in 408 that is assumed in 508. One of the best examples is timelines. As I talked about in my 408 review you start the 408 course off by creating a very small timeline of events and build onto that timeline throughout the course by examining every sort of artifact that you can think of. All of the artifacts are examined “manually” and you write your entries into a spreadsheet. Not the quickest process in the world but it gives you a great understanding of both the artifacts themselves and how they relate to one another.

A quick look at the 508 course shows that day three is all about timelines. With a quick glace you would think that it was redundant with 408 but I’ve been told there is little overlap between the two courses. The 508 timeline section is about automating timeline creation so that instead of doing them manually (as is done in 408) you use tools to create them for you. The knowledge from 408 comes into play in several areas:

  1. Understanding what the data means. 508 assumes you have a level of understanding of artifacts and timestamps that one acquires in the 408
  2. Validating the results from the tools used in 508
  3. Performing the process manually when the tools utilized in 508 don’t work correctly for whatever reason

The timeline topic is only one example of how 408 and 508 complement each other and I’m sure I’ll have some more after I go through the updated 508 content next month.

SANS instructor Mike Pilkington (great teacher and even better human being) told our class that in his opinion SANS 408 was an intermediate class since “it teaches the basics, but then goes into some pretty advanced topics”. I couldn’t agree more.

Anyone who’s ever taken a SANS class has probably hit a point where your brain feels like it hit a short circuit. Where the material for a topic takes a complicated turn or where it’s day six and your brain is overflowing but the content keeps coming. In the OnDemand version of 408 Rob Lee is discussing a topic and he realizes it’s probably a “wait, what???” moment for a lot of students. He says something along the lines of “I know a lot of you are thinking that you thought you signed up for basic class and you’re not sure what’s going on…” .

A lot of forensics courses have students leave thinking “I can look at the internet browsing history, I can check for inappropriate pictures, I can run a dirty words list to find relevant documents etc.” . This is all really good stuff and the 408 teaches all of that. The 408 also goes MUCH further and teaches a student what’s going on behind the scenes and how instead of relying on “I ran tool X and it shows Y” the student can transition to “I ran tool X, it shows Y. We can also demonstrate Y by looking at Q, R, S, T…”.

After going through the course and subsequently going through the books while creating my index I really do feel like I can intelligently work my way through a detailed analysis of a Windows machine and not only validate what my tools are telling me but dig deeper in some areas for information that isn’t covered.

When I took the 408 course there were individuals in the class who had been performing analysis on Windows machines daily for the past decade. They both told me that they enjoyed the class and picked up some good tips but they absolutely could have skipped 408 and gone straight to 508. If that’s you and you don’t have the budget for both classes then that’s a tough decision.

If you’re where I was and you understand forensics basics, file systems, prefetch files etc. but don’t feel like you have a truly deep understanding that comes from dealing with things like jump lists, shortcut files and registry artifacts on a daily basis than I think you would love 408.

On the in person vs. OnDemand, you really can’t go wrong with either. The in person experience is always incredible and you get to meet people with similar interests but the great part about OnDemand is the ability to pause, research, practice and then come back to the content. I know it’s a crazy time commitment but for some classes (504 included) I try to watch the on demand videos in addition to the live class. The 504 on demand videos really opened my eyes to how high quality the OnDemand learning experience was. I had a slight preconceived bias that OnDemand was inferior to a live conference but it’s absolutely not and there are some serious pros to each.

Quickie SANS Forensics 408 Review

In January I was able to attend the SANS FOR408: Computer Forensic Investigations – Windows In-Depth course. When choosing what course to take it would be easy to focus on the fact that this is a “400 level” course and assume it’s a beginner class. What shouldn’t be overlooked is the “Windows In-Depth” part of the course title. SANS absolutely delivers on the “in-depth” part.

The course is six days of wholesome forensic goodness with five days of instruction and a day six “forensic challenge” where you examine an image from a case and compile a report of what happened. The course also comes with a hardware write blocker for every student which you get to keep. That’s one heck of a freebie.

Rather than just spending a few minutes over-viewing what a particular type of Windows artifact does, the 408 course covers each artifact in detail, explains the differences across various Windows platforms and has labs throughout the course where the students get a hands on feel for examining a disk image.

What makes the 408 course really special isn’t just the detail in which the various artifacts and registry values are covered, but the methodology provided.

At the start of the course the students are given a disk image from what appears to be an intellectual property case. You examine the first set of artifacts that you learn about to start assembling a timeline of what activity occurred, when it occurred and what artifact demonstrates that it occurred. Throughout the rest of the week you use each of the artifacts, registry settings etc. that you learn about to add details to your timeline. By the end of the week you have a detailed step by step overview of what happened down to the second. There are usually multiple artifacts which prove that an action occurred and you actually know what they all mean.

The SANS course provides other bonuses throughout the course-ware including checklists of step by step things an examiner could look at when examining a specific category of artifacts.

Overall I was extremely pleased with the course. Not only are the students taught forensic concepts, how to use popular forensic tools (commercial and free) etc. but they’re also given a fantastic methodology and given the knowledge to perform a “deep dive” by digging into the artifacts to truly understand what occurred on a system.

An update and a useful link

I wanted to post a quick update to let everyone know the why the posts have been few and far in between these last few weeks. The quickie version is long hours at work combined with two sans conferences since my last post in January. Yes, two conferences in two months.

I took the FOR 408 Windows Computer Forensics course in January and the SEC 401 Security Essentials Bootcamp in February. Reviews of both will be coming soon but I loved them both. I’ve also been reviewing some other course content which I may be able to write about soon.

One thing I want to share before I go back to my GCFE studies is a great site I saw a few weeks ago.

One of the most useful parts of my penetration testing course was the online lab of machines to try to hack. is a repository of images that a user can download and practice their hacking skills on. Right now there are five pages of images including some that can be difficult to find. After I’m passed my current glut of SANS material I will definitely spend some time with a few of these distros.