Review of SEC 508 (Forensics) as a SANS Facilitator

First of all, let me start out with some information about being a facilitator at a SANS conference for those who do not know about this amazing program. As a facilitator you are like an extended staff member of SANS, taking care of administrative tasks such as checking badges, passing out course materials, tallying evaluations and manning the book store. In return for all the above tasks you get to attend a SANS course of your choice at the conference for $700, which also includes an OnDemand bundle and a cert attempt. I have done this a couple of times, and I love it for a few reasons:

You cannot beat the price of $700 for SANS training.
You get to learn and experience first hand the finer details of how the big conference is run.
It’s a wonderful opportunity to network with your peers and instructors.

For more information and an application, please visit:

Well, now for the course, SEC 508 - Computer Forensics, Investigations and Response.

As with other SANS courses I have taken in the past, SEC 508 at SANS CDI this past year was again an amazing course. I learned more about disk partitions, data organization and recovery in 6 days than in my entire career. If you are used to the “teaching by fire hose” method, then this is the course for you. The first 3 days dealt with data organization on hard drives when they are formatted with different file systems (FAT, FAT32, NTFS, EXT2) and how to recover data using open source tools.

Day 4 and half of Day 6 are all about Windows (XP, Win2k, Win2k3, Vista and Win2k8), dealing with registry analysis for forensic data, file system analysis, recovering evidence from System Restore Points and IE forensics. I will say that this course taught me much more about the inner workings of Windows than all of the other courses I have taken combined. I am now scared to use Windows, as every time you click something, you leave a huge trail of data.

Day 5 was fun, because it was all about the legal issues and laws surrounding IR and forensics, and it was presented by a real lawyer. Other courses do teach about different laws when dealing with incident handling, computer fraud and forensics, but it is always nice to hear it from Richard Salgado – Sr. Director Legal - Yahoo.

The best thing about the course was the practical way of teaching the methodology of navigating through a case via hands-on examples. Throughout the course you are trying to solve multiple cases, and you are introduced to new tools as you move through the methodology. As always with SANS, all the tools covered in the course are either open source or vendor neutral. Also, this course covers cutting-edge material dealing with Vista and Windows Server 2008.

Last but not least, the final afternoon is the “Forensics Challenge”, where you are required to pick a case of your choice and solve it using the knowledge taught throughout the course. This gives you a practical exercise to solidify your newfound knowledge. You have a choice of multiple cases with varying degrees of difficulty.

And finally, the instructor, Rob Lee, was great, very knowledgeable, and brought with him tons of experience from the trenches. He could relate every method to a practical experience.

Re: Review of SEC 508 (Forensics) as a SANS Facilitator

Now this is the kind of contribution that helps the EH-Net Community, and a great way to start this new board on the SANS Forensics course. Nice job on the review, and excellent advice on how to do instructor-led training on the cheap. This is definitely going into my new article "Free & Cheap Resources for the Aspiring Ethical Hacker."

With everything else going on, the article mentioned above is taking a little longer (sorry Justin), but it is in the works.
