ajd86ajd86 Member Posts: 60 ■■□□□□□□□□
My job is giving me the opportunity to take one SANS course and I'm stuck between FOR408 (GCFE) and SEC504 (GCIH). My manager is pretty open, and I'm unsure which I really want to do. I have some pentesting background/experience (I took SEC560 and intend to challenge GPEN in the near future).

Here are my questions:
  • Is there too much overlap between SEC560 and SEC504?
  • Is FOR408 too much for someone with absolutely no forensics experience?
  • Which of the two courses/certs would complement a GPEN more?


  • Psyco32Psyco32 Member Posts: 104 ■■■□□□□□□□
    If you took 560 already you will see a lot of overlap in Book 1 (Day 1) in GCIH. However after that it starts to move in a different direction (Note: Some of the toolsets you will have seen before). GCFE is perfect for a person with none to little forensics experience. Goes over Windows OS file system, processes, registry, etc to find where an attacker/defendant may have hidden malware or evidence. Just my opinion, but I would take the FOR408 course. I think it complements 560 more than 504 on the Windows side because it goes more in depth of where and how you can hide/create malware to exfil data. They are both great courses (GCIH and GCFE) though.
    2014 GOALS
    > GMOB [MAR_2014] OSCP [MAY_2014] GREM [OCT_2014]
  • YFZbluYFZblu Member Posts: 1,462 ■■■■■■■■□□
    408 would be for the beginner - So I wouldn't worry about the experience factor.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    There's a bit of natural overlap between 504 and 560, but the former focuses a lot on workflow, identification of events, issues with preparing for an incident, and that sort of stuff. Much more on the defensive point of view so it's actually rather complementary to 560. I think the combination of the two provides a decent balance.

    Now that said, 504 is not forensics. If you already have a good background with Windows, I'd even suggest consider 508 instead.

    Which to choose? I think it depends on whether you see yourself doing more in-depth forensics type roles (or if it's just an area of interest to you) or if you want to understand the nature of handling security incidents.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • ajd86ajd86 Member Posts: 60 ■■□□□□□□□□
    Thank you all for the advice. I think I'll go with 408, since I could likely challenge the GCIH with minimal self-study. 408 will be a great exposure to a new field, and just the right amount of challenge for me.
  • Psyco32Psyco32 Member Posts: 104 ■■■□□□□□□□
    Good luck!!
    2014 GOALS
    > GMOB [MAR_2014] OSCP [MAY_2014] GREM [OCT_2014]
  • LionelTeoLionelTeo Member Posts: 526 ■■■■■■■□□□
    if you intend to challenge gpen. I would suggest gcih as there is more material that can complement gpen.
  • chanakyajupudichanakyajupudi Member Posts: 712
    Best of luck. I have done both 504 and the 408. 408 is good if you have no experience in forensics.

    I will be challenging the 560 once I am done with tge 408 and 401 exams. Planning to attend the 503 and 508 soon.
    Work In Progress - RHCA [ ] Certified Cloud Security Professional [ ] GMON/GWAPT if Work Study is accepted [ ]

Sign In or Register to comment.