January 24, 2013 at 11:08 pm #8171 Don Donzal (Keymaster)
In his neverending quest for more knowledge, Jason has done yet another course. And lucky us… we get a review out of it. This is the first of 2 SANS vLive Forensics courses Jason will review for EH-Net. Stay tuned for vLive FOR508: Advanced Computer Forensic Analysis and Incident Response.
As always, let us know what you think of the review. Also be sure to share your thoughts on this course (if you’ve taken it), the cert exam or how other courses might stack up.
The field of forensics used to be the ugly step-child of the ethical hacking world. In fact, it wasn’t even in the InfoSec category at all for the longest time. It was a realm populated by one of two types: the lonely IT guy hired by law enforcement to handle general tasks, or the unlucky law enforcement officer who admitted that he knew something about computers. My, have we come a long way. Not only are there now multiple disciplines, network forensics and file system forensics, but each also has its own sub-specialties for a given technology. Thus file system forensics breaks into mobile and desktop varieties, and further into areas of specialization for OSX, Linux and Windows. And as with any maturing industry, there is a slew of training options available.
The SANS FOR408 Computer Forensic Investigations – Windows In-Depth class covers the needed skills for proper forensic acquisitions and analysis of devices with this operating system. While many classes focus largely on forensic acquisitions and on a single or just a few tools, FOR408 goes into great depth on the analysis side and covers a multitude of tools: some pay and some free, some open source, and quite a few that will make the hair stand up on the back of your neck. The class also plumbs the depths of a number of operating system artifacts that lurk in the crevices of Windows and is generally a great deal of fun for the forensically-minded. This course and review is slightly different, as I attended the SANS vLive version of this class. Let’s take a look at the specifics.
January 26, 2013 at 3:28 am #51670 Ketchup (Participant)
Jason, thanks for the detailed review. You were certainly very thorough in your description of the activities. This sounds like a good introduction to forensic analysis. It appears that it was limited to Windows forensics, but had some great topics on the subject. Prefetch files, link files, and the tons of registry artifacts can keep an investigator busy 🙂
It seems that people are pushing FTK these days. AccessData has some nice tools, but for some reason many investigators become dependent on FTK and never seek other options. This could lead to quite a few missed artifacts that FTK doesn’t handle well, like Shadow Copies on Windows 7.
I am looking forward to your review of the Advanced Forensics course from SANS. This is where the magic will happen 🙂