Quickie SANS Forensics 408 Review

In January I was able to attend the SANS FOR408: Computer Forensic Investigations – Windows In-Depth course. When choosing what course to take it would be easy to focus on the fact that this is a “400 level” course and assume it’s a beginner class. What shouldn’t be overlooked is the “Windows In-Depth” part of the course title. SANS absolutely delivers on the “in-depth” part.

The course is six days of wholesome forensic goodness with five days of instruction and a day six “forensic challenge” where you examine an image from a case and compile a report of what happened. The course also comes with a hardware write blocker for every student which you get to keep. That’s one heck of a freebie.

Rather than just spending a few minutes overviewing what a particular type of Windows artifact does, the 408 course covers each artifact in detail, explains the differences across the various Windows platforms, and has labs throughout the course where students get a hands-on feel for examining a disk image.

What makes the 408 course really special isn’t just the detail in which the various artifacts and registry values are covered, but the methodology provided.

At the start of the course the students are given a disk image from what appears to be an intellectual property case. You examine the first set of artifacts you learn about to start assembling a timeline of what activity occurred, when it occurred, and which artifact demonstrates that it occurred. Throughout the rest of the week you use each of the artifacts, registry settings, etc. that you learn about to add details to your timeline. By the end of the week you have a detailed step-by-step overview of what happened, down to the second. There are usually multiple artifacts which prove that an action occurred, and you actually know what they all mean.

The SANS course provides other bonuses throughout the courseware, including step-by-step checklists of things an examiner could look at when examining a specific category of artifacts.

Overall I was extremely pleased with the course. Not only are students taught forensic concepts and how to use popular forensic tools (commercial and free), but they are also given a fantastic methodology and the knowledge to perform a “deep dive” by digging into the artifacts to truly understand what occurred on a system.

6 thoughts on “Quickie SANS Forensics 408 Review”

  1. Great site! I’m taking the 408 course on-demand and am loving it. Have you done your index for this one yet and did you do it like you did for the GCIH class? How many pages did you end up with?

  2. Thank you for the kind words Jeff 🙂 I hope you enjoy the course as much as I did. I had high expectations going in but the course exceeded them in every way. It really helped my transition from a “this is what the tool says” level of understanding to a much deeper understanding what the artifacts demonstrate.

    This index was slightly shorter (15 index pages + a few copies of pages from the book) and had more categories. I did it up exactly the same way as my GCIH as far as taking it to Kinko’s and having them bind it. It’s only $4 and it adds a huge touch of class. I plan on taking this route for all of my indexes.

    In my GCIH I only had a main, tools and then two tiny sections on Windows commands & Linux commands. For my GCFE I broke it up into main, tools, Windows artifacts, log file analysis, internet browser, email and registry. I took the test last Thursday and got a 91, so the index worked great, but I think I’m a fan of fewer categories.

    One of the reasons I waited so long to take the GCFE test was taking the 401 class in February. I just finished that index and it only has two categories: main and tools. I think the tool index is the most important part. If a tool gets mentioned once, even at the bottom of a page, it goes in the tool index.

    Going through the books to make the index is very time consuming but it has paid huge dividends for me. I never fail to pick up a few concepts in the book which escaped me during the course.

  3. Hey I found your blog from the techexams.net forums. Congrats on your GCFE!

    I’m taking the vLive for FOR508 starting this month (GCFA). I passed my GCIH with a 95% and according to the site I should be OK with FOR508 (going through the book I’m not so sure, but I have multiple books/resources to aid in any gaps). Have you taken 508? I’m curious how it compares. Do you think you’d recommend FOR408 on self-study, or do you think it’s important to do something in class (physically or online)?

    I had thought of doing 408 first but a friend who’s done them said 508 was the way to go. From reading your post it seems there’s definitely a methodology practice that I might find helpful.

  4. Excellent review Matt.
    I’m taking the GCFE test in two weeks. I’m very nervous about it. I’ve done both practice tests and I got 82–84% on both. How difficult is the real test compared with the practice ones?

    • Thanks Rafael!!

      I’ve taken four SANS exams since last May and I honestly felt like all of them were very close to the practice tests.

      I got an 80 on my first practice test and a 91 on the real one, so there’s no need to worry!

      Spend these two weeks going through the books for anything you’re fuzzy on, make sure your index is good to go and you’ll do great.
