Digital Forensics Tips

Anyone can look at my blog articles or my list of certifications and know that I’m a huge fan of SANS trainings. I’ve taken in person courses and OnDemand courses but what I had yet to take is a vlive or simulcast course. I’m currently on my lunch break from Day Three of the SANS 414 (CISSP prep) course at Cybercon and thought I would make a few observations about their online courses. The cost savings are huge. Costs of hotel and travel can fluctuate wildly but free is always the best option. While I was able to keep the hotel and food costs of my Community course in Phoenix under $1,000 my week at Caesars last September for Network Security was probably closer to $2,000. At Caesars a sandwich wrap, bag of chips and soda for lunch was $20 which is far greater than what I pay my wife for similar fare. The whole “attend class in your pajamas” thing does indeed rock. Before the class I felt like “I won’t get to meet the instructor (Eric Conrad) face to face so it won’t feel as real”. The

I just finished the SANS FOR508: Advanced Computer Forensic Analysis and Incident Response course OnDemand version and I wanted to write up a quick review on the class. The 2012 & 2013 version of the 508 course bears little resemblance to the version I took back in 2008. There is still a day on in depth filesystem analysis and a section on The Sleuth Kit tools but that is where the similarities end. In 2008 memory analysis consisted of “dump the RAM and run strings on it to see if you find anything interesting.” By contrast the current version of the course has an entire day on memory analysis using Volatility and Redline. There are some amazing people making some amazing advances in this industry. In addition to the normal books that come with the class the students get a workbook to utilize with the practical exercises. The workbook not only possesses questions that the student should answer but also provides walkthroughs if a student needs a helping hand. Those walkthroughs can

I’ve now had a chance to go through the OnDemand SANS FOR 508 Advanced Computer Forensic Analysis and Incident Response course and feel a little more comfortable comparing it to FOR 408 Computer Forensic Investigations – Windows In-Depth course. I’ve also recently been exposed to the FOR 610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques course content so while this post won’t cover much of the 610 I will talk about how the three courses fit together. SANS has done a remarkable job of designing the 408, 508 and 610 as courses that stand fine on their own but fit together like pieces of a puzzle. There is virtually no overlap between the 408 and 508 (maybe a very tiny bit in the file system section) and a very small amount of overlap between the 508 and 610 in the memory analysis using Volatility section. The following hypothetical scenario is my attempt to classify the 408, 508 and 610 to help give others an idea of what each course covers. You’re a security analyst

I passed the GSEC exam early last week and got my certificate in the mail today. It made me stop and think what a crazy eleven months it’s been. Last May I was fortunate enough to attend a computer forensics course in Phoenix where we took the CHFI and CCFE tests at the end of the week. Those were my first two computer security certificates and I was hooked. I hadn’t seen my wife in a week and we met up at the Phoenix Comicon (yes my wife and I are that big of nerds) and my wife said that I was “glowing” and that she had never seen me so happy. I realized that I had spent the previous six days either in class or in my room studying yet I was unbelievably happy. It’s amazing how smooth things feel when you’re doing what you should be doing. I had taken the SANS 508 course back in 2008 but never had a chance to put those skills to use but now that I had knocked the dust off my forensics skills I was anxious to put myself to the test and try my hand at the GCFA. I passed that last summer