any tips for taking FOR508 live this year?

LonerVamp, Member, Posts: 518
Hoping to take the SANS FOR508 live course this year, and was wondering if anyone had any tips or experiences to share about it? I know the course has extensive laptop requirements, but any gotchas or recommendations hardware-wise or even just preparatory studies I could pursue? Anything I should not forget to bring? :) I haven't decided whether I will do NetWars DFIR or standard. I am leaning to standard as I think I'd have the most fun with that one.

Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?

Comments

  • Randy_Randerson, Member, Posts: 115
    LonerVamp wrote: »
    Hoping to take the SANS FOR508 live course this year, and was wondering if anyone had any tips or experiences to share about it? I know the course has extensive laptop requirements, but any gotchas or recommendations hardware-wise or even just preparatory studies I could pursue? Anything I should not forget to bring? :) I haven't decided whether I will do NetWars DFIR or standard. I am leaning to standard as I think I'd have the most fun with that one.

    Easily one of my favorite classes!

    The class has gone through a major revamp, though, since I took it as an Advanced Forensics course, and it is almost entirely dedicated to Incident Response now, which is good in some ways. I'll get to that in a second.

    But for what you should be doing before the course:

    - Get into both Volatility and Rekall for memory analysis. Learn how to use them and how to set the profiles up as well. Depending on who you have as an instructor, that will determine how in-depth they'll take this tool. If you haven't played with memory or a hibernation file before, start! I would also suggest dabbling with the SIFT 3 they provide on SANS's website in general.

    - Log2timeline is something that many students have issues with for some reason. I think it really is just because there is more than just that one command to run a timeline. Go look at the Plaso website and just read up on it. There are SANS videos out there on the tool if you want to dabble with this too before the course. See also the Plaso blog post "All things time related: What flies there? What fares there? Or moves through the air? Plaso 1.5 - Gná released".

    - One of my analysts is in the course right now and he's having issues with NTFS attributes. You'll get the File Systems book by Carrier, but if you can find it beforehand I would strongly suggest you take a look at it! It will go a VERY long way when you do the only day that is really "forensics."

    - They will provide some snippets from FOR500 for artifacts. If you haven't taken 408/500, then I would at least brush up on Wikiforensics, at the very least just to get an idea of what artifacts are what and WHERE they are.

    - You're going to be using Sleuthkit a lot on the last couple of days. Everything about this class is basically CLI, so take a gander at the Sleuthkit man pages (Index of /sleuthkit/man) to get a head start on what commands do what.


    Now onto the other piece, which instructor:

    If you get a chance, I would only take this course with either Alissa Torres, Eric Zimmerman or Rob Lee. Nothing against the other ones who teach it, but they seem to understand the material the absolute best and don't get so far into the weeds with their own gloating that it distracts from the class.

    Good Luck!!
  • LonerVamp, Member, Posts: 518
    Thank you for the information; it's far more than I was expecting to hear! And yeah, Zimmerman will be teaching my session. :)

    This will be my first SANS course, let alone my first in the FOR track.

  • Randy_Randerson, Member, Posts: 115
    LonerVamp wrote: »
    Thank you for the information; it's far more than I was expecting to hear! And yeah, Zimmerman will be teaching my session. :)

    This will be my first SANS course, let alone my first in the FOR track.

    You'll enjoy having Eric as your teacher. He has a great background in both LE and programming. Don't be afraid to ask questions as well. This course can seem a little too much at times, but they'll slow down during certain spots to make sure the class is really grasping the material.
  • lucky4life, Registered User, Posts: 9
    Hey all - I'm set to take FOR508 in Austin, TX in just a few weeks, and I am happy to have found this thread! Regarding Volatility & Rekall, should I learn both, or is just learning Volatility sufficient? I don't know if both are used in class, so I was just wondering. This is my first Forensics class, and I want to be as ready as I can for both the class as well as NETWARS - so any tips now can only help me. Thanks!
  • Randy_Randerson, Member, Posts: 115
    lucky4life wrote: »
    Hey all - I'm set to take FOR508 in Austin, TX in just a few weeks, and I am happy to have found this thread! Regarding Volatility & Rekall, should I learn both, or is just learning Volatility sufficient? I don't know if both are used in class, so I was just wondering. This is my first Forensics class, and I want to be as ready as I can for both the class as well as NETWARS - so any tips now can only help me. Thanks!

    Volatility, and you'll be fine. If this is your first DF course, make sure you are familiar with Windows artifacts: LNK, Shellbags, Registry, Jumplists, Email, Prefetch, SHIMCACHE, etc. They will expect you to already know what they are AND where they are.
  • sb97, Member, Posts: 109
    lucky4life wrote: »
    Hey all - I'm set to take FOR508 in Austin, TX in just a few weeks, and I am happy to have found this thread! Regarding Volatility & Rekall, should I learn both, or is just learning Volatility sufficient? I don't know if both are used in class, so I was just wondering. This is my first Forensics class, and I want to be as ready as I can for both the class as well as NETWARS - so any tips now can only help me. Thanks!

    Hey there. Things have changed since I took the class last year (there was talk of dropping Redline), so I may be a bit out of date. For class prep, you can probably just focus on Volatility. My best advice for getting a jump on the class is to take a look at the SANS DFIR posters:
    https://www.sans.org/security-resources/posters/dfir
    For this class I think you should pay attention to the Hunt Evil, SIFT Workstation, Memory Analysis, and Windows Forensic Analysis posters. The SIFT workstation is the environment you will be using, and the rest all cover the major topics of the class.

    Even if you come into the class relatively new to DFIR, you should be able to keep up if you work hard, so don't get discouraged if you are really struggling with one topic. Just remember to take a deep breath and enjoy the ride.
  • LonerVamp, Member, Posts: 518
    I wanted to come back around to this thread now that I have returned from SANS West.

    First, I think coming to this class without much advance prep is absolutely just fine. Granted, I have been a (largely) Windows administrator for 13+ years, so I've seen lots of things and am pretty comfortable troubleshooting the OS, which includes looking at some similar places that you look into for forensics purposes. And while I've done some homegrown malware incident response and such, nothing at the level where I'm examining memory **** or disk images.

    Second, you don't really need to know anything else. I had 0 experience with any of the above tools, including volatility and SIFT. Redline is no longer a part of the course. We didn't do anything with ReKall, either. Everything I needed to know was taught in the class during the lab exercises. Having a decent grasp of Linux command line will help, but you don't really need much beyond being able to cd around and move or read files.

    Third, the course went over shimcache and prefetch just fine for someone like me who knows Windows but hasn't ever dug into those things specifically. That said, knowledge of the RED DFIR poster would have been useful. We had access to it, but I had to consume it right there. The blue DFIR posters (there's a newer Hunt Evil one now) are wonderful.

    Ultimately, some in my class clearly had some forensics experience in the past, and others like myself had not. I feel like I was able to grasp and at least begin to understand everything presented, even the dense Day 5 NTFS topics.

    And I'd also say there's no need to have had any forensics tool exposure beforehand, though some may have an advantage if they've used F-Response, Autopsy, or Redline in the past.

    Edited to add: I do think it helps a lot if someone has taken a course or has some background or knowledge of red team/pen testing tactics. It certainly helps when digesting the things we didn't define, like persistence, lateral movement, hash dumping (pillaging/looting), and initial exploitation. Having some offensive exposure helps understand why these attacks worked and how they worked. Thankfully I'm strong in that regard, but others were not.

  • iBrokeIT, Member, Posts: 1,318
    GJ on that NetWars finish too.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+
    2020: GCIP | GCIA
    2021: GRID | GDSA | Pentest+
    2022: GMON | GDAT
    2023: GREM | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response