FOR500 (GCFE)

tboe (CompTIA Security + | Cisco CCNA | Sans GCIA)
edited February 7 in GIAC
This one is going to be a follow-up after GCIA. Share your experiences with this one, peeps...

Comments

  • Randy_Randerson (CFE, GASF, GAWN, GCFA, GCFE, GCIH, GLEG, GMOB, GNFA, GPEN, GSEC, GWAPT, DFCP, ACE, CompTIA A/N/S+)
    What would you like to know? Overall class or like the full gambit (e.g. instructor experience) ?
  • tboe (CompTIA Security + | Cisco CCNA | Sans GCIA)
    edited February 8
    What would you like to know? Overall class or like the full gambit (e.g. instructor experience) ?
    Anything you would like to share, honestly, but if I can be specific I would say difficulty level compared to any other SANS/vendor course you've taken, preparation time, indexing, etc. Things along that scope.
  • Randy_Randerson (CFE, GASF, GAWN, GCFA, GCFE, GCIH, GLEG, GMOB, GNFA, GPEN, GSEC, GWAPT, DFCP, ACE, CompTIA A/N/S+)
    tboe said:
    What would you like to know? Overall class or like the full gambit (e.g. instructor experience) ?
    Anything you would like to share, honestly, but if I can be specific I would say difficulty level compared to any other SANS/vendor course you've taken, preparation time, indexing, etc. Things along that scope.

    I've taken quite a few vendor trainings and hold various forensic certs and even created training that is used within a specific community of digital forensic people.

    I can say without a doubt that FOR500 is the best course that is out there right now if you are getting into digital forensics. While a person can go and take Smartphone forensics, or network/memory, FOR500 really lays down the foundation within an environment that you're probably going to see 90% of the time in your day-to-day operations. If you don't know how to do those, then how can you expect yourself to fully understand how to work other avenues of the field? Just my opinion.

    Far as the class goes, you are going to get exposure to a ton of things. Unlike vendor training, the class is not focused on one specific piece of software and will actually teach you the artifacts that are out there in the wild. Additionally, outside of CFCE, I don't think there is another training that has the student looking at Windows 10. Windows 7 is End of Life at the end of this year, so looking at those as the primary method of comprehension is a bit of a misnomer in my opinion. What this means is you'll understand what you're looking at with the Registry or Event Logs. You'll be able to read email headers and properly decipher where the mail was routed from. You'll see amazing artifacts like SRUM that will show you how much network bandwidth a specific program is running. These are all things that tools can parse (Axiom), but without really KNOWING what it is, can you really testify to what that artifact is? Knowing what the artifact is and what it does, and articulating that to your customer (or jury) is what you're really going to get from this class. It will separate you from others that are reliant on a specific tool to do the job for them and they just create a report based on search terms or request.

    Far as the instructors go, you can never go wrong with Rob Lee when he teaches it. I'm also a big fan of Matt Bromley's teaching as well. 

    Be ready for lots of labs if you take the class. The VM will have a TON of tools in there. But the most impressive is just how many free tools you'll have at your disposal to do things better and quicker than EnCase or FTK. 
  • tboe (CompTIA Security + | Cisco CCNA | Sans GCIA)
    tboe said: You're spot on with your reasoning as to why one should place this cert on their technical cert list, hence why I chose this one instead of 504. I do still plan to take the 504; however, I think 500 is not only more of a personal interest but also necessary to building a firm forensics background... More than enough, sir. Thanks! ......

  • Randy_Randerson (CFE, GASF, GAWN, GCFA, GCFE, GCIH, GLEG, GMOB, GNFA, GPEN, GSEC, GWAPT, DFCP, ACE, CompTIA A/N/S+)
    "tboe said: You're spot on with your reasoning as to why one should place this cert on their technical cert list, hence why I chose this one instead of 504. I do still plan to take the 504; however, I think 500 is not only more of a personal interest but also necessary to building a firm forensics background... More than enough, sir. Thanks! ......"


    I find SEC504 to be a worthwhile venture for those who are going to be in that world in some capacity. If you're not, then what are you really gaining from the class? Things like the IR methodology are taught in FOR508, which I still find to be one of the Top 3 most rewarding classes that SANS currently offers. It also just went through a complete revamp according to Rob's tweets. Now, if you're looking to get into the "how did the hacker get into the system?" killchain, then SEC504 is much more beneficial from a practical standpoint. The labs in that class are designed to reflect BASIC weaponization/exploitation. But for things like lateral movement or exfiltration, SEC560 is going to be your jam then.
