Should I take SANS 408 or 508? (part 1)

I recently got asked a question in a comment that I was planning to answer in about 45 days but I don’t want to wait that long so I’ll give half of an answer now.

The question was a common one: “Should I take SANS 408 or 508?”

First let me provide one HUGE caveat and explain why I was already planning on answering this in 45 days. I have taken the 508 (I’m even a proud holder of a GCFA) but I took the course back in 2008. I was completely unprepared but it was still a fantastic learning experience and it taught me concepts that I use to this day. The 508 exam of today has very little in common with the 508 from 2008. The course has been completely re-designed from the ground up and I have yet to take the new version.

I’m taking my GSEC exam at the end of this month but after that I’ll have a narrow window to watch the 508 OnDemand content for a much needed refresher. The new 508 books are actually sitting in a spare room in my house and in an unbelievable act of discipline I haven’t touched them yet as I wanted to knock out my GCFE and GSEC first. Once I’ve gone through the new 508 material I’ll write a post about my thoughts on how 408 and 508 fit together but until then I wanted to share the thoughts from others on the subject.

I’ve been told by individuals far more qualified to speak on the subject than I that there is a fair amount of knowledge taught in 408 that is assumed in 508. One of the best examples is timelines. As I talked about in my 408 review you start the 408 course off by creating a very small timeline of events and build onto that timeline throughout the course by examining every sort of artifact that you can think of. All of the artifacts are examined “manually” and you write your entries into a spreadsheet. Not the quickest process in the world but it gives you a great understanding of both the artifacts themselves and how they relate to one another.

A quick look at the 508 course shows that day three is all about timelines. At a quick glance you would think that it was redundant with 408 but I’ve been told there is little overlap between the two courses. The 508 timeline section is about automating timeline creation so that instead of building them manually (as is done in 408) you use tools to create them for you. The knowledge from 408 comes into play in several areas:

  1. Understanding what the data means. 508 assumes you have a level of understanding of artifacts and timestamps that one acquires in the 408.
  2. Validating the results from the tools used in 508.
  3. Performing the process manually when the tools utilized in 508 don’t work correctly for whatever reason.

The timeline topic is only one example of how 408 and 508 complement each other and I’m sure I’ll have some more after I go through the updated 508 content next month.

SANS instructor Mike Pilkington (great teacher and even better human being) told our class that in his opinion SANS 408 was an intermediate class since “it teaches the basics, but then goes into some pretty advanced topics”. I couldn’t agree more.

Anyone who’s ever taken a SANS class has probably hit a point where your brain feels like it short circuited: where the material for a topic takes a complicated turn, or where it’s day six and your brain is overflowing but the content keeps coming. In the OnDemand version of 408 Rob Lee is discussing a topic and he realizes it’s probably a “wait, what???” moment for a lot of students. He says something along the lines of “I know a lot of you are thinking that you signed up for a basic class and you’re not sure what’s going on…”.

A lot of forensics courses have students leave thinking “I can look at the internet browsing history, I can check for inappropriate pictures, I can run a dirty words list to find relevant documents etc.”. This is all really good stuff and the 408 teaches all of that. The 408 also goes MUCH further and teaches a student what’s going on behind the scenes, so that instead of relying on “I ran tool X and it shows Y” the student can transition to “I ran tool X, it shows Y. We can also demonstrate Y by looking at Q, R, S, T…”.

After going through the course and subsequently going through the books while creating my index I really do feel like I can intelligently work my way through a detailed analysis of a Windows machine and not only validate what my tools are telling me but dig deeper in some areas for information that isn’t covered.

When I took the 408 course there were individuals in the class who had been performing analysis on Windows machines daily for the past decade. They both told me that they enjoyed the class and picked up some good tips but they absolutely could have skipped 408 and gone straight to 508. If that’s you and you don’t have the budget for both classes then that’s a tough decision.

If you’re where I was and you understand forensics basics, file systems, prefetch files etc. but don’t feel like you have the truly deep understanding that comes from dealing with things like jump lists, shortcut files and registry artifacts on a daily basis, then I think you would love 408.

On in person vs. OnDemand, you really can’t go wrong with either. The in person experience is always incredible and you get to meet people with similar interests, but the great part about OnDemand is the ability to pause, research, practice and then come back to the content. I know it’s a crazy time commitment but for some classes (504 included) I try to watch the OnDemand videos in addition to the live class. The 504 OnDemand videos really opened my eyes to how high quality the OnDemand learning experience is. I had a slight preconceived bias that OnDemand was inferior to a live conference but it’s absolutely not, and there are some serious pros to each.

13 thoughts on “Should I take SANS 408 or 508? (part 1)”

  1. Thanks for the writeup. I had already signed up for FOR508 given that one course “track” I looked at a while ago showed SEC504 was a good prereq. Class starts tomorrow but it’s vLive and I have the OnDemand and selfstudy bundles. Hopefully being able to go over the materials from 2 trainers in 2 formats will help me prepare.

    I have read a few books on Windows Forensics (Windows Forensic Analysis, Registry Analysis by Harlan Carvey) so hopefully that’ll help fill in gaps. I have a few other books I might leverage for reference as well. Had I known what you mention about 408 before I probably would have gone that route first. Hopefully I can catch up quickly since my vLive is over 7 weeks (2 3 hour classes a week).

    Thanks again for this review.

  2. Awesome! Enjoy the class!!!

    You’ll do great and honestly there is such little overlap between 408 and 508 you’ll still get a lot out of 408 if you take it down the road.

    I got the double instructor for 504 (Skoudis OnDemand and Strand in person) and it was great. Two points of view, two sets of war stories, and by the time I went through my books to make my index that was the third time I was exposed to the material and it really helped me soak it up.

  3. I think you nailed perfectly why it might make sense to take 408 before 508. I’m wrapping up the on-Demand for 408 and I’m glad I took it, if only for understanding all the under the hood stuff and the ‘process’ of an investigation.

    This is my first on-demand, but third SANS course. The other two I did as simulcasts. I think the one advantage of the on-demand is the ability to take a pause when drinking from the firehose gets to be too much. In every six day class there was a point where I literally felt like there wasn’t any more room in my brain. Being able to take a break often means not having to review stuff you should get the first time.

  4. Steve,
    I think the vlive is nice in that you get some time in between to review what you covered and look ahead.

    Matt – I had Skoudis for 504 and he was awesome! Rob Lee did the 408 on-demand and was outstanding. I met John Strand at RSA and he was very gracious – chatted me up for quite awhile when he found out I was from North Dakota and followed up later with an email. His presentation at RSA was very well received.

    • Jeff —

      I couldn’t agree more regarding how helpful the ability to pause is. I recall that being a tactic I employed several times on 504.

      And John Strand is awesome. The energy, humor, knowledge etc. makes for a great class. I thought I would never have an instructor that high energy again but last month I took 401 with Eric Cole and oh my… He did six ten hour days with no microphone and never skipped a beat.

      Also, what did you think of the 408? I’ve taken other forensics classes but I thought the 408 did an amazing job of being thorough and giving you a road map to follow.

    • The vLive seemed like the right track for me this go around. I did SEC504 with John Strand last year in Baltimore which was awesome, but I’m glad I did the OnDemand bundle with it as it was a lot for 6 days. The bonus with vLive is that it’s 6 hours a week, so I can tackle it on a weekend since all classes are archived and it gives me those nights free to handle any issues at home as my wife is due any day now.

  5. 408 is really well put together with the case in parallel with the coursework. It makes it tie together really well.

    I’m planning on taking 508 either on-demand or in Austin at the DFIR summit. What other forensics classes have you taken?

    • Austin would be a blast. I’d love to go but I’ve already done Phoenix in January (408), Phoenix in February (401) and I’m getting ready to do the Cybercon in April (414) so I think the next in person I’ll be able to hit is Vegas in September.

      I’ve taken a lot of mobile device forensics courses (SANS 563, XRY, Cellebrite etc.) but my only computer forensics courses were the 508 back in 08 and the Infosec Institute Computer Forensics class early last year.

      I got a 93 on my second GSEC practice test yesterday so even though my test is a week away I cheated and started watching the 508 videos last night. I really want to get through all of the material before Cybercon starts and my focus shifts.

  6. I’ll tell you a secret: I found your site the night before I took the 504 exam from Googling about the difficulty of the actual exam vs. the practice exam. And when I saw your index post, I panicked. Mine was six pages. 🙂 I got a 93 so you’ll be fine. Although I will say I thought GSEC was more challenging only because of the breadth of material covered. On the plus side, it sets you up nicely for CISSP if you want to go that route. I took those two 14 days apart.

    I’m thinking I’m going to try to get in as a facilitator in Austin to save on the cost. We’ll see.

    • Lol, sorry my site caused you some worry 🙂

      I’ll be on a similar schedule for my GSEC-CISSP. I take the GSEC next Tuesday, the 414 at the end of April and the CISSP May 20th. I’ve got two questions for you:

      1: How was the CISSP after the GSEC?
      2: How was it taking a test that wasn’t open book after taking SANS tests? 🙂

      I have to pay for all of my trainings out of pocket so facilitating is my only option. It’s a great program.

  7. CISSP is tough but the GSEC sets you up well for it. The exam is awful in that I finished having no idea how I did, which to me says it’s a poorly written exam. I’ll look through my notes for my chapter guide on which ones to prioritize.