Forensics training

Yes, I know there's a 3-year old sticky with 10 pages of random musings that I don't feel like reading all through.

SANS training was cut from our budget, but I'm still in need of sending a guy or two to some forensics training course for our IR program. At our current IR standpoint, I'll take any class with any type of focus, be it Windows, memory, network, disk, etc.

Any thoughts as to what's out there and worth doing? Please don't mention EC-Council, I lean towards the "yuck" side unless you can provide a compelling reason otherwise.

Thanks!

Find more posts tagged with

Comments

supasecuritybro

Was it a cost thing? What is the limit?

636-555-3226

Yes, cost was the issue. We had some SANS training approved, but we didn't get quite enough for everybody. Something that isn't $5k a person. Half that would probably work. It's weird here what gets approved and when and how mysteriously 6 months later a ton more money either opens up or gets pulled out of the budget...

Burnsie

Are you looking for training relating to a certifications (Like GCIH and the like) or are you just looking for forensic training in general? Do you use FTK, Encase, etc.?

I've been told CCE is the baseline certification in forensics, so you could look into training your folks for that.

https://www.isfce.com/training.htm

Their website is horrific, but the certification is very reputable.

B

mokaz

Burnsie wrote: »

I've been told CCE is the baseline certification in forensics, so you could look into training your folks for that.

https://www.isfce.com/training.htm

Their website is horrific, but the certification is very reputable.

B

I think you're correct although the work experience needed to qualify for a CCE is quite huge if i'm correct.. Although if i'd be in the forensic field id go for this one yes..

EngRob

You could have everyone try for the SANS work study programs. It would then only run $900 for the course + expenses, although I recall 408 has around a $200 extra optional charge for the write-block hardware.

Burnsie

mokaz wrote: »

I think you're correct although the work experience needed to qualify for a CCE is quite huge if i'm correct.. Although if i'd be in the forensic field id go for this one yes..

As far as I can tell, there is no requirement for work experience if you are doing the instructor led bootcamp or the self paced study option. If you challenge the exam without either, you need to prove 18 months of professional experience. So, it's not bad compared to other certifications. And having some experience is probably a good idea. If you don't know how to read HEX, offsets, and the basics of forensics, you're going to have trouble with any forensics bootcamp because they are going to glaze over that stuff on day 1 and assume you grasped the topics.

B

Edit: I took a bootcamp equivalent class at UMUC, CMIT424. While the instructor was a jerk and useless, the class did teach us alot. I can honestly say that I only completed it through the help of my fellow classmates. That class devolved into a large group project because of how poorly the labs were designed and the MIA instructor.