Gcfe & gcfa

Mike-Mike

Just got word I should look into some Forensic certs, so for SANS i guess the route to go would be:

• GIAC Certified Forensic Examiner (GCFE)
• GIAC Certified Forensic Analyst (GCFA)

Anyone have these and find the associated training worthwhile?

cyberguypr

Rule of thumb for me: all SANS training is awesome and you can immediately translate it into actionable stuff back at the office. Those two are very different. 408 focuses on registry, EVTX, USB, email, internet, etc. artifacts and analysis 508 focuses on analyzing stuff in memory. timelining, NTFS intricacies (MFT, $Logfile, USN Journal, etc.)

The obligatory questions are 1) what is your role/experience and 2)are they paying for the class or just the cert?

Mike-Mike

1 - I am a security jack of all trades, 22 certs (CISSP passed and waiting on endorsement), BS & MS from WGU, about 18 years of tech experience, 5 of which are security related

2 - they would pay for it all

I primarily do Vulnerability Management, but company has money to burn, and wants to have someone trained and certified in Forensics

cyberguypr

Money to burn? Exactly what I want to hear Let me tell you a story. Last year my company bought me a Guidance Software training passport. I took 8 of their courses, which focus on EnCase. The year prior to that I took SEC 408 and passed GCFE. Since I don't do Forensics every day I end up applying more of what I learned in 408 for my day-today that the stuff I got from all that EnCase training. I had a chance to take the EnCe for free but didn't go for it because i just don't care for the product and don't want to maintain another cert, especially if I am not exposed to it regularly.

There are other certs like CCFE and CCE that are well-known in the forensic circles but again, a hardcore forensic practitioner may be better suited for these.

Having said all of this, I would tilt the scale in SANS 408 favor especially given your JOAT aspect. When the next window opens for training, maybe 508.

Mike-Mike

Thanks, this is super helpful, I was wanting to break into SANS/GIAC anyhow, so this probably seals the deal

sb97

I have the GCFE and am going for the GCFA later this year. Didn't have a strong forensics background prior to taking For408. Learned a ton in the class. I am not hardcore into Forensics but was able to bring some useful things back.

The way it was described to me (keep in mind that I havent done the GCFA training yet). GCFE is designed with insider threats in mind. GCFA is designed more for external threats. GCFE focuses on one user's systems. GCFA does more with working on multiple systems/incident response.

docrice

I've done both back-to-back. Worthwhile. Lots of info compressed into a short period of time. Brain explodes. Slightly different focus between 408 and 508, but they're designed as one long class divided into two so they're complementary. The labs use the same environment between both courses (same thing with FOR572).

I've taken a CHFI course a long time ago. Doesn't compare.

Don't take 508 right after 408 like I did. Wait a few months, your brain will thank you.

quogue66

I have both GCFA and GCFE. I took both classes and exams within the last year. They were both great classes and a lot of fun. FOR408 focuses on hard drive forensics and FOR508 focuses on memory forensics. I thought 508 was a tougher class than 408.