nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

GCIA passed. Now what?

justSomeGuy

I just passed my GCIA exam today and was curious as to what other SANs certs others have moved onto from there. I work mostly with IDS, netflow, and pcap solutions, so I was considering FOR 572 - Advanced Network Forensics and Analysis. Does anyone have feedback on this one? I'm also considering 501 or 504, but am unsure if those will be useful. Any feedback would be appreciated. Thanks!

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

JDMurray

The foundation of the GIAC certs are the GSEC, GCIH, and GCIA. If you are looking towards the GSE then the GCWN and GCUX are recommended too. All of the other GIAC cert are specialty branches as shown on the GIAC Certification Roadmap.

justSomeGuy

Thanks! I was considering the Linux hardening one, but network forensics is something I actually enjoy, hence my curiosity about 572. I've only found 1 thread on it and the exam was never taken.

JDMurray

One thing that interests me in SANS digital forensics training is that "incident handling" is also thrown in to those classes too. I assume this refers to the use of forensics in incident investigation, but I'm interested to know if any of the FOR classes describe in more detail the overall incident response/handling process than is covered in SANS SEC504.

DAVIS NGUYEN

Congrats!

justSomeGuy

Is GCIH just as technical and difficult as GCIA. I'm considering picking that up before heading on to any advanced certs. For context, when studying for GCIA, I put in about 4 days of dedicated studying and did both practice exams the day before the actual one. Did not touch the labs, although I had plenty of Snort/Silk/tcpdump experience.

gwood113

@justSomeGuy
FOR572 is the only other real network focused class. You'll like it since you're already familiar with silk. GCIH is more mostly host focused centering on beginner pentesting skills. I would not consider it as technically challenging as GCIA. At least not in the same way.

@JDMurray
FOR508 the host forensic class goes into incident handling pretty well. FOR508, 572, and 610 are the IR team triad: host, network, and malware.

JDMurray

I only see Windows forensics and mobile (Android) forensics SANS classes. Do any of the SANS forensics classes also cover UNIX (iOS) or Linux (other than Android) forensics?

UnixGuy

With your skills you should be good to go for FOR572, go for it!

gwood113

508 covers *nix environments in the course books, but all of the forensic practice is on windows targets (hhd images, memory images, etc.)

Given the variety and nuance of the countless flavors of Linux I doubt the DIFR team will ever produce a generic Linux forensic course. You could probably conduct effective host forensics applying the tools and methods from 508 with a little practice though.

GirlyGirl

JDMurray wrote: »

I only see Windows forensics and mobile (Android) forensics SANS classes. Do any of the SANS forensics classes also cover UNIX (iOS) or Linux (other than Android) forensics?

I took the 575 Course less than 6months ago.

I see that you are the mod for the Java and Developers forums. If you are indeed knowledgeable in those areas some of the 575 course will not be new to you. It covers iOS/Android and the wearable devices. It might have touched slightly on the tablet I don't recall. Google devices were touched on slightly if my memory serves me correct. It is more backend development and frontend applications/security/app manipulations/API, etc. That's the majority of it. I don't believe any Linux/Unix was in any of my books. If it was it wasn't much of it.

lostsol

justSomeGuy wrote: »

I just passed my GCIA exam today and was curious as to what other SANs certs others have moved onto from there. I work mostly with IDS, netflow, and pcap solutions, so I was considering FOR 572 - Advanced Network Forensics and Analysis. Does anyone have feedback on this one? I'm also considering 501 or 504, but am unsure if those will be useful. Any feedback would be appreciated. Thanks!

I'd highly recommend FOR572. I haven't taken 503 yet, but am planning it. How did it handle encrypted packets? Also, a new course was released, SEC555 on SIEMs.

silvercleric

Hello,
I believe that this document may be of help - a visual representation of the different "paths" is found on page 2 of the document.
https://www.sans.org/media/security-training/apac_2017_brochure.pdf
please note that the training dates are for the APAC region.
HTH