Gcfa for508

n8236n8236 Member Posts: 20 ■□□□□□□□□□
Just came off taking the FOR508 (advanced forensics) course with Alissa Torres and I have to give this class a pretty big thumbs up. I'll give a quick run-thru.

I'm not a hacker, programmer, digital forensic examiner, malware or reverse engineer by trade. As a matter of fact, I just left a four year job doing email disaster recovery, email security and eDiscovery. I do have Security+, MCTS and GSEC.

Without much background in digital forensics, this course blew my mind. I probably should have taken FOR408, but I thought the easy-button stuff in that course wasn't worth my time or $ (which I am paying myself). While I have a pretty technical mindset, not taking 408 put me at a disadvantage in not knowing some of the foundations of DF.

The first day was more of a review and presenting the concepts of what will be taught. The next 4 days presented the students with a number of tools on how to extract data of all sorts from memory and disk. Besides using just tools, the concepts behind them were also taught, so you knew their strengths and weaknesses. You were taught to know how to analyze the results. Throughout days 1-5, you are examining thru a single machine's memory and disk image as part of a larger fiction plot as part of your lab exercises. By day 6, you are broken into teams to find out (CSI style) the whole story behind of the attack by examining other machines which were also part of the attack.

It's very command line driven, so the student should have at least some basic Linux skills. I had folks from all walks of IT in the class, so even if you're not in this field yet, it still provides A LOT of valuable methods in performing forensic analysis. Unfortunately, the class is driven towards Windows forensics as I would have liked to see more Linux. But there would have been no way to pack all that info a week's worth. They will have a Linux forensics course down the line. But I still highly recommend this course.


  • ChooseLifeChooseLife Member Posts: 941 ■■■■■■■□□□
    Thanks for the review! Are you planning to go for the certification?
    n8236 wrote: »
    They will have a Linux forensics course down the line
    That would be wicked! Was there any word on the timeline for such course or any other details?

    n8236 wrote: »
    $ (which I am paying myself)
    I automatically tried evaluating that expression... Should do less scripting... icon_biggrin.gif
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    - discounted vouchers for certs
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    How was Alissa Torres as an instructor? I'm interesting in taking FOR526 at SANS in Vegas, but that probably won't happen. I assume she really knows her stuff, considering her employer.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • n8236n8236 Member Posts: 20 ■□□□□□□□□□
    I already paid for the exam, but might have to postpone it past the standard 3 months because I just started a new job and there's going to be another SANS course they want me to pass.

    She's very knowledgeable as she's held important positions as very large gov't contractors (think Northrop Grumman) and so forth. She's very energetic and animated, lots of character! She had to be pumped up with Redbull and Monster drinks in the afternoon, but who wouldn't have to if you had to stay awake and engaged.

    I don't know how far her windows memory forensics knowledge goes, but if I had to give an educated guess, probably pretty deep. She's really into her material.

    As for when the Linux digital forensics course is launching, I don't have a firm date, but I think you can email SANS as ask them about that offering.
  • ITforyearsITforyears Member Posts: 35 ■■□□□□□□□□
    Just curious on how long you took the exam after the course and did you pass?
  • n8236n8236 Member Posts: 20 ■□□□□□□□□□
    In another thread I just responded to...I took my exam in March, but sadly failed by a few %. I was disappointed. What really hurt me was not taking 408, not having academic or job experience in forensics and not understanding everything in the books. It's very necessary to know what tools do what and recognize their output. The exam was relatively heavy on that.

    I am re-taking at the end of August and this time I REALLY hope I pass. Starting to get a bit nervous.
  • ITforyearsITforyears Member Posts: 35 ■■□□□□□□□□
    I ran out of time on mine. icon_sad.gif
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    508 is a pretty intense course with tons of details. It's similar to other SANS courses, but man was this one an overload. I have to take my exam next week and may fail this one, but so be it if that happens. I took 508 within a couple of weeks after taking 408 which was a mistake. It would've been better if I had given myself some breathing room, but instead I went Gung-ho and by Day Three of 508, my brain was totally fried. I was on auto-pilot at that point.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • n8236n8236 Member Posts: 20 ■□□□□□□□□□
    Did you find a lot of value in 408 after looking at 508?
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I think it helped extend the perspective of the disk/registry forensics into the larger world of intrusion identification/scoping/containment. I can see how 408 and 508 can work as standalone courses, but at some point being able to understand the Windows environment and the tell-tale footprints users and apps leave behind really helps to make some things in 508 click. Rob Lee said that the two courses are really one long course at heart but just logically separated for the sake of being practical. I can't imagine having to go through a two-week class covering all that material and trying to maintain focus (which I guess in some sense that's what I ended up doing).

    Taking 408, then letting the material sort of sink in for a few months, then going for 508 afterwards would be less stressful. Halfway into the second class my brain started closing its blinds for its own protection.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I just finished my first practice exam. While I got through it with maybe half an hour to spare (and I rushed on some of the questions), my score was at the low-end of the spectrum and was surprised I actually got a pass status. GIAC's website indicates that the passing score is 69% which says quite a bit in regards to the difficulty level. Compare that to the GCIA which has a threshold of 67%.

    Even though I got a passing score on my practice run, I'm still not very confident about the real exam and I'm seriously considering extending my exam date out another month (paying the fee for the privilege), although I'm not sure if I'd gain anything. I also really need to get on with life.

    The GCFA is no doubt pretty intensive. While it's still a multiple-choice format, this is a solid, challenging test that reflects real-world situations. You really do need an eye for detail and while I did reference the courseware often during the exam, I still had to fundamentally know the material. It's quite obvious that my grasp isn't as strong on this subject, but given how much time I've been able to devote to the material, I'm not surprised either.

    I recommend anyone who wants to get their brain kicked in (and I say that in a good way) to take FOR408 and 508. It seems to be a class that stretches many people's limits and I think we need more of that in this field. I think next year I'll do FOR572 as that's more up my alley these days anyway. But for this year, pass or fail on the GCFA, I'm so done with SANS training as I've pretty much averaged about two courses and two GIAC certs per year for the last four years.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
Sign In or Register to comment.