Title: SANS 408 Feedback
Post by: Joshsevo on May 19, 2011, 11:38:09 PM
I recently had the opportunity to attend a Community SANS 408 Computer Forensics course in Morristown, NJ taught by Eric Huber.
My first impression when I signed up was, "Man, that's a ton of money." I paid for this class out of my own pocket. I'm not employed by anyone at this moment but will be graduating with my BA in CIS in 4 weeks. So I thought this would be a good chance to learn more than what they taught me in school and try to get a leg up on the competition who are already out of school or soon will be.
So I bit the bullet and paid for the class. I was lucky because I was able to get 10% off because I am a member of another site. Plus, I signed up early enough that I saved another $400. Also, since this was a Community SANS course and not one of the larger events, it was cheaper by another $400.
I did not stay in the hotel they wanted, as it would have come out to around $1200 more, so I found a deal on a website for about $300 at a hotel a few miles away in Parsippany, NJ.
The first day, class started at 9 am (as it did the whole week), and it was mostly a lecture day where Eric stood in front of us going over some basics like the Tableau write blocker that was given to us as part of the kit, as well as examination reports and a few laws. Eric also went into a few stories about his previous experiences, and these were great as they showed what his hard work had done and how he went about some different cases. We went over the book, which is about 140 pages, page by page, not spending a lot of time on certain topics as they were pretty self-explanatory.
Day 2 was where we got to use a few more of the tools that were given to us on the SIFT workstations. The SIFT workstations were loaded with about 20 different tools to use in an investigation. The VMware software we were required to have before class worked well for me. I only had a few minutes of playing with one before coming to class; I'd never really had a chance to fool around with it prior to that. So it was good exposure.
The second day was spent going over how to use FTK and why you would turn some options off when you are about to load a case into it. Example: MD5 takes a long time to load into FTK and is not always necessary, so those were some check boxes that we could uncheck for the sake of class time.
Once we were in, we went over FTK with a fine-tooth comb: the different screens, the small icons throughout the overview screen, what they did, and how to get to what Eric called "porn mode". This was viewing all the images in thumbnail format. It sped up the process of looking for possible contraband. Good little tip.
Day 3 was when the fun began. The book that we used for the next few days is about 500 pages thick and has all the slides that were on the projector, so we could follow along. This is nice. The books are extremely well written. There are screenshots of the process that we were doing at the time, as well as the paths that you had to take to get there. This is good if you got caught behind or forgot some of it. Again Eric told some stories. We had a few good laughs at some of them. The class was great, and we all participated and asked questions about things we didn't understand, and Eric was great in answering them. He seemed to know the answer to 97% of the questions we asked. Some were more technical than what we went over, on things like web mail such as Yahoo, Gmail, MS Exchange server, Lotus Notes/Domino, Novell, etc.
This day is when I realized that my copy of Windows 7 was the incorrect one. Even though it stated Windows 7 Home Premium, I went and purchased Windows 7 Ultimate, thinking that since Ultimate is the highest, it should work fine. Yeah, I was wrong. I also had another copy from my school that also didn't work. Eric was nothing short of fantastic. Class ended around 4 pm that day, and he stayed after class to get me all caught up. I stayed till around 6 pm, and he and I had some off-topic conversations. Thanks Eric!!
Day 4 was a huge day for the Windows Registry. Eric seemed overly excited about this. LOL, JK buddy. He explained that there is a huge wealth of information within the registry, and some of this can make or break a case.
We went into finding all of the USB devices, iPods, or any kind of removable storage in the registry. The hives were broken down and the most important ones explained. The day continued with doing analysis of the registry, using RegRipper and mounting the files. At the end of each chapter there were hands-on exercises on what we had just gone over, to make sure that we understood it.
Day 4, night-time after-hours meet. SANS had a guest speaker (Juri ???) come to the hotel and speak to a group of people that signed up about the world of cyber security, where it was going, and some of the newest threats out there. This was also a time to network, and for someone like me (without a computer job) it was uber important to get some hands-on experience with other members of the security/forensics field.
Day 5. I was mentally burned out. There was so much information that had to be taken in to make the class worth it. Plus the night before was a late night. I pushed through and continued to learn about Windows artifact analysis and log analysis. During this time we were using different tools like Exif, FTK Thumbcache Parser, Mandiant, FTK Imager, etc.
This day was also huge because we went over browser forensics: Skype chat logs, Yahoo chat, MSN, Firefox, IE 6/7/8 and private browsing mode ("pron mode"), and the details of "how chatty they are".
Day 6: the final day was upon us. This was the final group project, where we solve a case. It was interesting. We didn't win the coin, which is something I really wanted, but due to VMware not working for me for most of the morning, I was playing catch-up. The group that had two e-Discovery trained people won. They deserved to win.
Conclusion (finally): The class was well prepared. We were not waiting on anything like a network that would not come up or software that took a crap as we all loaded it up. The class ran flawlessly. The information was top notch. I understand why they broke the classes into two separate ones, 408 & 508. The teacher was nothing short of fantastic. He taught the class well, made some jokes, told some stories, and gave me some help on what I should do to make myself look better to employers. He even steered me away from taking the 508, which I had the money saved up to take, because he was being honest and said I would not get much out of it unless I had more practical experience. Then I could take more away from the class. I understand that, and I thank him for not being a salesperson but being a friend and telling the truth. Thanks Eric!!
Since I now have experience with SANS, and in the past I've taken InfoSec Institute Security+ & Network+ classes, I can honestly say that even though SANS is expensive and you have other costs that are not included like they are in InfoSec's classes (hotel, lunch), the information was second to none and well worth the money. By far. On top of all of this, I get podcasts of the entire course over again for free, and I can call and speak to Eric anytime if I have a question. So he didn't teach us and then split.
SANS was a fantastic opportunity for me, and I would like to thank them and thank Eric for taking vacation from his FT job to teach this course. I will recommend this course over any other I have ever been to.
Title: Re: SANS 408 Feedback
Post by: lorddicranius on May 20, 2011, 12:48:04 AM
Sounds like you had a great time and the class was great! Thanks for the review :)