EH-Net

Ethical Hacking Discussions and Related Certifications => Forensics => Topic started by: busker on January 10, 2008, 04:24:09 AM



Title: Forensics Certification/Training Question
Post by: busker on January 10, 2008, 04:24:09 AM
Hi All,

I was wondering if anyone has experience of either the SANS SEC508 or 7Safe GFIA courses.

My background is in Information Security and Windows/Network engineering and I'm looking for a formal forensics training course. I've done IT forensics work in the past but want to get some formal training in the legal side of things and further my knowledge.

The SANS course seems more technical and covers UNIX, whilst the 7Safe course is more UK-specific and was recommended to me by an ex-policeman who's used them previously.

Any comments would be very welcome.

Kind Regards

buskerman


Title: Re: Forensics Certification/Training Question
Post by: elite79 on January 24, 2008, 09:08:04 AM
You can take a course like the EnCE (EnCase certification).
EnCase is the forensic tool for law enforcement.



Title: Re: Forensics Certification/Training Question
Post by: don on January 24, 2008, 10:10:22 AM
Welcome to EH-Net.

If there is a course specifically dealing with UK laws, and that is your main focus, then I would take the advice of your friend.

On the other hand, you may want to focus on the technology more than the laws. Most of the certs such as those listed on this site:

http://www.ethicalhacker.net/content/category/1/29/3/

will deal heavily with the tech and less with the laws. If they do, the laws they focus on will mostly be US laws.

Then there's always the question of what you value most... the cert or the knowledge. The certs listed at the link above will be more well known but may not give you exactly the knowledge you want.

Hope this helps,
Don


Title: Re: Forensics Certification/Training Question
Post by: busker on February 07, 2008, 04:41:30 AM
Thanks Don....

Long time lurker... first time poster....

Not all that interested in a cert, it's nice to have but my need in this case isn't for something I can throw on the resume..... my requirements are to formalise some training in methodology, to learn more about legal considerations and to improve my forensic skills in *NIX systems.

I spoke to 7safe and whilst they seem very good for someone not particularly technical, I got the strong impression that their course was not meant to teach highly technical methods of forensics.

I've heard that SANS courses were very technical and the course guide highlights this, I was hoping to find someone who's done their GIAC Forensics course to see what it was actually like.

We're not using EnCase (yet!), so that one's not the best fit.... plus I'm hoping we might be able to get training included in the purchase if it goes through.

Kind Regards

Busker


Title: Re: Forensics Certification/Training Question
Post by: dean on February 07, 2008, 08:59:32 AM
Hey busker,

I would have to suggest the SANS forensics training. They do go into the methodology behind performing forensic recovery and cover the legal aspects as well. The course is technical and not vendor-specific. They cover a lot of open source forensic utilities too.

I use both EnCase and FTK and prefer FTK. That's a personal preference though and both are good. Additionally, any training from 7Safe or EnCase will be specific to their product.

The local FBI office here uses EnCase and I believe that they are now using FTK as well.

dean

Disclaimer: I know some of the courseware authors for the GCFA.


Title: Re: Forensics Certification/Training Question
Post by: pseud0 on February 07, 2008, 09:07:46 AM
You are also going to have to keep in mind why you are going to need the knowledge or cert. If it is going to be an internal security/forensics/incident response issue then go with whatever you prefer. If you are going to be doing work that will be presented in court, then you are probably going to have to lean towards EnCase and the EnCE. EnCase has passed all major court challenges so it is going to be considered a reliable platform with which to gather evidence. FTK and a lot of the open source tool suites have changed recently or undergo changes on a regular basis. Every time that happens they will be challenged again in court. If you are the person on the stand when that happens it really freaking blows. You are probably going to be put on the spot to explain the entire theory of computer forensics (across multiple file systems), and the very specific technical workings of the tools you used and why they can be trusted to produce legally verifiable evidence.


Title: Re: Forensics Certification/Training Question
Post by: dean on February 07, 2008, 09:27:40 AM
Good point. Why do you require the tool/knowledge? Internal investigations, incident response, etc... Will this data end up in legal's hands? At that point having and following a sound methodology is essential to your case. Chain of evidence, etc....

BTW, FTK/UTK is made by AccessData and is a commercial tool. The Sleuth Kit, which is based on TCT (The Coroner's Toolkit), is open source.

dean
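The two replies above turn on the same practical point: whatever tool you use, what makes evidence defensible is a documented, repeatable methodology with an unbroken chain of custody, and a hash recorded at acquisition that every later handler can re-verify. The script below is an added example written for this thread, not code from any of the posters or from SANS, AccessData or Guidance Software. It assumes a simple list-of-dicts custody log (a hypothetical format) and uses a constructed byte string in place of a real disk image; `sha256_of_file` shows how the same check would be run over an image on disk.

```python
"""Evidence integrity check backed by a chain-of-custody log.

Added example for this thread; the log format is hypothetical and the
evidence buffer is constructed, not a real acquired image.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image. A real case would
# hash the image file on disk with sha256_of_file() instead.
SAMPLE_IMAGE = b"\x00" * 512 + b"constructed evidence payload" + b"\xff" * 512


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory evidence buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-GB images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log: list, item_id: str, action: str,
                   handler: str, data: bytes) -> dict:
    """Append one custody entry: who handled the item, what they did,
    when (UTC), and the hash of the item at that moment."""
    entry = {
        "item": item_id,
        "action": action,
        "handler": handler,
        "time": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_of(data),
    }
    log.append(entry)
    return entry


def verify_integrity(log: list, item_id: str, data: bytes) -> bool:
    """True only if (a) the item has an acquisition hash on record,
    (b) every later custody entry recorded that same hash, and
    (c) the item as it exists now still matches it.
    Any break in that chain is a verification failure."""
    hashes = [e["sha256"] for e in log if e["item"] == item_id]
    if not hashes:
        return False  # never logged: no baseline to compare against
    baseline = hashes[0]
    chain_ok = all(hmac.compare_digest(h, baseline) for h in hashes)
    return chain_ok and hmac.compare_digest(sha256_of(data), baseline)


if __name__ == "__main__":
    custody_log = []
    record_custody(custody_log, "IMG-001", "acquired", "examiner A", SAMPLE_IMAGE)
    record_custody(custody_log, "IMG-001", "transferred to lab", "examiner B", SAMPLE_IMAGE)
    print("untouched image verifies:", verify_integrity(custody_log, "IMG-001", SAMPLE_IMAGE))
    altered = SAMPLE_IMAGE[:-1] + b"\x00"  # single byte changed after acquisition
    print("altered image verifies:", verify_integrity(custody_log, "IMG-001", altered))
```

The custody log itself should be stored separately from the evidence (and ideally signed or written to append-only media), otherwise an attacker who can alter the image can alter the recorded hash to match.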