Intro and SANS GCFA FOR508 Course Review

I'm new here after just finding this site while looking for info on SANS forensics certifications. Just thought I'd take a minute to introduce myself, and post a link to a pretty good review on FOR508 I found.

I've been in IT for 25+ years (yes, I'm old) and have done most everything from setting up small networks to managing large ones. About 6 years ago I began retraining myself in digital forensics and began my own business doing forensics, incident response and e-discovery. Earlier this year I took a full-time contracting position with a federal agency in a cyber-security group. My main job is threat analysis but I also do some forensics and response as needed.

I'm finding some gaps in my knowledge so I'm about to pull the trigger and take a SANS forensics course and associated exam. I'll be paying for the class out of my own pocket (no paid training for contractors). I hold other certifications already (Cyber Security Forensic Analyst, EC Council Certified Hacking Forensic Investigator, AccessData Certified Examiner) so it won't be my first test. Although I use elements of both FOR408 and FOR508 in my work (mostly 50

. I'll probably take FOR408 to get my baseline SANS knowledge down.

I've heard of other SANS class attendees making something called an "index" that they then use during the cert test. Can somebody explain to me what this is?

And to sign off on a good note I thought I'd share a great review I found yesterday by a guy who describes nicely the SANS FOR508 class and a few of the differences between it and the FOR408 class. Enjoy!

Review Link: Invoke-IR | PowerShell Incident Response

Find more posts tagged with

Comments

docrice

An index is basically a quick-reference guide that you build based on the SANS courseware. You can (and almost everyone does) bring this index into the exam. The index is typically a 10 - 30+ page set of notes.

I've become less dependent on using indexes for these exams over the years. I really use them more as a book/page reference so I can look up the actual book material when in doubt in answering an exam question.

I recommend creating your own index, but some people share their's with others. Personally, I think an index is best leveraged to identify your own weak points on different subject areas, so the collection of paper is really tuned to you as an exam candidate more than anything else.

LDRydr

Well crap, I just clicked the wrong damned button and deleted my original post! Where's a backup when I need one!? That's what I get for watching the Seahawks game at the same time I'm reading the forum.

Anyway, thanks for the reply back docrice.

Psyco32

Hey LDRydr. I'm in the FOR508 class this week with SANS instructor, Chad Tilbury. Days 1 and 2 were pretty good. We went over IR concepts and usage of Redline/Volatility. Chad did mention that 408 covers IR procedures (First Responder) and some analysis, but that it was mainly a Windows based course. 508 seems to go over more the IR procedures and how they are applicable to both windows and linux/unix OSes. As for the "Index" you can do a search on how to make one here in SANS forum or try How to Guide for making a SANS / GIAC Index with Pictures | Digital Forensics Tips

LDRydr

Cool, I see my original post is back!

Thanks for the reply Psyco32. I'll check the links out. I was just playing with Redline and Volatility both today, getting a new analysis machine configured. FYI, I noticed in the release notes for the new version of Redline that it's NOT compatibile with .Net v4.5. Go figure. I'm checking out Redline to see how hard/easy it will be to use their collector on a suspect machine. I never could get it to work on the previous version so hoping for better luck on this one.

Psyco32

Standard runs good, comprehensive takes FOREVER to run. I would still use both tools though, Redline is "sexier" with it's GUI and reports. But, Volatility catches a hell of a lot more info with its plugins.

ITforyears

I will be playing with the VM for FOR 508 and LDR, did you pass the exam? I started the class.

LDRydr

LDRydr wrote: »

FYI, I noticed in the release notes for the new version of Redline that it's NOT compatibile with .Net v4.5.

They've fixed this in the latest release (v1.11). https://www.mandiant.com/resources/download/redline

LDRydr

ITforyears wrote: »

I will be playing with the VM for FOR 508 and LDR, did you pass the exam? I started the class.

Scheduled for the afternoon of the 17th (St. Paddy's Day), which is the day before it expires. I got a 79% on my first practice exam. I'm shooting for the coveted +90% mark so I'm still studying. Just wrapping up some final changes on my index. I'll probably do my 2nd practice exam in the next day or two, that will leave me enough time to make changes in my index to fix the items I might miss.

FYI, my index looks a lot like Psyco's and is currently sitting at 22 pages!

ITforyears

How did your exam go? I am taking my practice test tomorrow.

LDRydr

Say howdy to the newest GCFE cert holder. 96% strong.

FYI, I had 86% on my second practice test, so was a bit disappointed that I didn't hit the 90%+ mark. But it did motivate me to spend my final week massaging my index and going over everything yet again. On my 2nd practice I also went TOO FAST and finished before the allotted time.

So, I corrected for time in the test, figuring I needed 20 questions done per 1/2 hour. After the first three 15-question marks (when your score shows up) I was running 100%. I knew a lot of the answers from memory, which gave me time to check and double-check the ones I wasn't sure of. If you can't figure one out skip it and move on so you don't get discouraged.

For sure there will be questions that CAN'T be answered from your coursework. Take pictures of these during your practice tests or whatever you need to do to remember them and find the answers. They will give you an idea of the types of questions you won't be able to answer off the top of your head. Thankfully the practice tests give you the answers (take a photo of those too) so you can see what you need to learn.

Hope this helps. With my score I hope to be able to help out in the mentor program. I really do know this stuff and love to teach others. Now I get a break and start to ponder when to do the GCFA, possibly in the Fall, after motorcycle-riding season is slowing down.

Best of luck to you ITforyears, hope you do well!

docrice

Solid score. I'm slowly going through 408 via OnDemand right now and just got past Day 1. Seems this is your first SANS/GIAC experience. How did you feel about the course and the open book exam format? Did you use up all the allotted exam time?

How was this experience compared to other forensic-related exams? Looks like you already had prior knowledge in this area so I'm guessing you weren't going into it cold.

cyberguypr

Congrats on the pass! I really want to do 408 but SANS is only bringing 508 to Chicago this Summer. Based on Docrice's previous post I'll be shooting for 503.

TBRAYS

I was just approved from my Director to attend the DFIR Summit in Austin for the FOR508 with Chad Tilbury. Took the FOR408 two weeks ago and scored a 92%.