Pre-requisites for SANS GCFA (508) -> CHFI

scasc

Dear all,

Have been sponsored to go on the SANS 508, however do not have a solid background in Forensics and have enrolled to do CHFI to give me a base start. Would this be suffice considering the fact that the cost to do 408 along with 508 is prohibitive?

Best wishes

cyberguypr

CHFI provides very little help for 508. Since you mentioned you do not have forensics experience I would recommend 408. Either that or somehow supplement your dead box forensics knowledge before heading to 508.

Here are a good link from one of our members (I always keep forgetting who it is) that touches on 408 vs. 508:

Should I take SANS 408 or 508? (part 1) | Digital Forensics Tips

the_Grinch

My boss did 508 before 408. SANS has changed it dramatically and my understanding is that 508 stands almost completely on its own. It is way more geared toward Incident Response then towards forensics.

scasc

Thanks for the information guys.

Is the GCFE a stepping stone to GCFA or a qualification in its own right and more forensics based then?

quogue66

I took FOR408 in March and just finished FOR508. I think taking FOR408 was helpful but not necessary. FOR408 and the GCFE focused on hard drive forensics and FOR508 and the GCFA was memory forensics (and incident response). I think you will be able to get through 508 without taking 408 first.

PJ_Sneakers

Unfortunately, the official EC-Council CHFI class will not help you. There are several slides in the official curriculum that are decent, but overall it's a super-long slideshow about random data recovery tools and network attacks. Also the CHFI class is from like, 2011 or some crap. It's super outdated.

If you have time to read a book, the McGraw All-In-One Certified Cyber Forensics Professional book by Chuck Easttom is a pretty quick read and is a decent summary of digital forensics, and it was helpful for the CCFP. The Syngress Basics of Digital Forensics by John Sammons is also a quick read, and is a quick summary as well. Neither book goes very in depth in any given topic, but they aren't long and drawn out either.

scasc

Thanks for the comments. Just been looking at some random exam questions from aiotest king - I see what you mean regarding the value of this certification. Not sure why some people ask for it - just thought it would act as a bit of a stepping stone for me to get the SANS GCFE/GCFA etc.

PJ_Sneakers

I mean, the class is ok. But at least a day or two of it could have been replaced with real forensics training rather than going over random undelete tools. Then again, the instructor for the class wasn't that great either. He wasn't very experienced and made a few inaccurate statements.

beads

My personal opinion may not reflect the experiences of the board at large but... Don't confuse EC-Council with real training. SANS and EC-Council are like night and day in comparison.

YMMV

- b/eads

PJ_Sneakers

Oh definitely not. That statement is spot on. I've never been able to attend SANS due to cost, which is how I ended up in an EC Council class (through work).

trueshrewkmc

@PJ_Sneakers Thanks for the honest assessment of the official CHFI class! I'll have to sit CHFI for a WGU degree and wondered if the CHFI class material was as bad as the official EC C|EH material. Those random tool slides at the end of every section are the worst!

636-555-3226

beads wrote: »

My personal opinion may not reflect the experiences of the board at large but... Don't confuse EC-Council with real training. SANS and EC-Council are like night and day in comparison.

I disagree. I think most experiences of the board at large concur in your assessment. FWIW, I concur.

the_Grinch

Yup I 100% agree with your opinion and have given my opinion of the CEH in interviews.

UnixGuy

The number of good reviews I heard about EC-Council over the years is ZERO. Stay away...

gwood113

I took FOR508 a couple weeks ago with no forensics experience and was able to keep up with the material well enough to pass GCFA. The only thing I felt like I was missing by not taking FOR408 were the many Windows artifacts, mentioned in 508 - pounded in 408. Three subject areas that stick out in my mind are: memory analysis, hard drive file carving, and timeline construction and analysis. If you want to prepare ahead of time download the SIFT workstation from SANS and check out volatility, the sleuth kit, and log2timeline; they are some of the course heavy lifters.

PJ_Sneakers

I wouldn't say there is no value, but I did feel bad for the people who paid out of pocket for the classes. It was different because my employer paid for the class... I can't imagine paying several thousand for THAT out of my own money. Seriously, online CBT training is better.

scasc

Funny enough went for exam got 92% and invite to review board - though have zero expertise in this area. Mainly common sense if you have a security background, though elements of my BS Computer Science degree helped with the architecture around the OS (kernel, virtual memory, extendable RAM etc). Nothing too taxing.