GREM vs GCFE

SephStorm Posts: 1,732 Member
Looks like I won a SANS vLive course through EthicalHacker.net (Thanks to Don and the other contributors! Check it out, you might win free training!) I'm looking at my course options and I'm thinking I'd be most interested in FOR610 (GREM) or FOR408 (GCFE).

I have no forensics analysis knowledge or experience beyond the concepts mentioned and the GCIH.

I have no programming knowledge or experience, but I have some basic knowledge of malware analysis in the form of basic and static analysis but again no knowledge or experience with disassembly or debugging.

What do you guys think I should do? As far as my job goes I hope to gain some experience in both areas in the coming year.

Comments

  • docrice Posts: 1,706 Member
    What would be more practical for you? I get the sense that a student who has at least some programming background would benefit well from FOR610. 408 would benefit anyone who has at least some experience with Windows, so it would seem more appropriate in your case. Since 508 builds well on top of 408, I'd suspect that going through 408 and 508 would be a practical prerequisite before going into 610.

    That said, 408 and 508 were designed to be a well-executed pair as they're really the same class but separated into a first and second phase.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • ramrunner800 Posts: 238 Member
    That's a pretty excellent prize. Congrats!
    Currently Studying For: GXPN
  • YFZblu Posts: 1,462 Member
    Congrats on the win! If you have no programming experience, GREM would be a waste of free SANS training. I just took 408; it's a great class, even for those without forensics experience.
  • SephStorm Posts: 1,732 Member
    I imagine I would benefit in the 610 from having an understanding of the Windows OS and where things like malware would hide, such as from the 408.

    I know I am very interested in malware analysis at this point, but I think all three classes will work well together, and a person with the skills from all of them would be in an excellent position to understand the entire attack like you see coming from big firms when they analyze stuff like Stuxnet or the latest malware that is out there causing issues. One thing I have to consider is that this is a free course; if I were to take 408, I'd possibly still be looking at purchasing 508 and then 610 later. And I think malware analysis is a sellable skill, maybe enough to break 100k, IDK.

    I think the vLive 610 course is much later in the year so I would have time to get knowledge of programming as well as getting through the PMA book.

    That being said, in my experience at my company I do see that we have a few cases of investigating Windows PCs, either for significant policy vios, maybe security concerns, only rarely intrusions. I can think of one PC that had ransomware on it but nothing else off the top of my head.
  • YFZblu Posts: 1,462 Member
    SephStorm wrote: »
    I imagine I would benefit in the 610 from having an understanding of the Windows OS..
    SephStorm wrote: »
    I know I am very interested in malware analysis at this point
    SephStorm wrote: »
    if I were to take 408, I'd possibly still be looking at purchasing 508 and then 610 later.
    SephStorm wrote: »
    And I think malware analysis is a sellable skill, maybe enough to break 100k, IDK.

    I mean, it sounds to me like you've already made up your mind.

    My other question would be: How much research have you done into proper malware analysis / reversing positions? Reddit's /r/reverseengineering hiring thread might be a good place to start as far as expected skillset is concerned:

    /r/ReverseEngineering's 2014 H2 Hiring Thread : ReverseEngineering

    If you do plan on jumping into the 610 course, it would benefit you to spend the next several months eating and breathing x86 assembly and learning a higher-level language (Perl or Python) to help with automation.

    I know a couple of guys that went through the course, and they both indicated that it's a passable track without knowing x86; however, you'll be missing a lot, and just eking by obviously isn't ideal.

    Also, keep us updated - Understanding computing at that level is an extremely humbling and exciting journey.

    Good luck!
  • chanakyajupudi Posts: 712 Member
    Congratulations on the Win! The GCFE is a good bet. I would like to do the GREM someday but have not done my research yet.
    Work In Progress - RHCA [ ] Certified Cloud Security Professional [ ] GMON/GWAPT if Work Study is accepted [ ]
    http://adarsh.amazonwebservices.ninja
  • 5ekurity Posts: 346 Member
    If you are looking at the GREM I'd also look into a debugger like OllyDbg or IDA, and have a grasp of C programming. I used to work with someone who has the GCFE/GCFA/GREM; I'd say most of the time they utilized the skills from the GCFE/FA and only a small amount of time the GREM skills (keep in mind, their role was not dedicated reverse engineering).
  • SephStorm Posts: 1,732 Member
    Thanks guys.

    When starting on this path, would it be wiser/easier to start with something like Python and move to C/C++, then ASM? I assume the concepts will carry over and just the language will change.

    What is the best way to get a grip of those base concepts? At this point I know what a variable is, the ideas behind compilers, maybe a few other things. I really want to understand these base things before I get into a language.