SANS Security West 2014

docrice

Oh boy, here we go again. I just booked for FOR508 (Advanced Computer Forensic Analysis and Incident Response) at SANS Security West 2014 in San Diego, something I've been wanting to take for a long time now. As this is a newer version of the course revised in the last year or so, there's no OnDemand option for it.

http://www.sans.org/event/sans-security-west-2014/course/advanced-computer-forensic-analysis-incident-response

My other choice was FOR572 (Advanced Network Forensics and Analysis):

http://www.sans.org/event/sans-security-west-2014/course/advanced-network-forensics-analysis

However, since I've been focusing on network-related training over the last few years, dabbling back into the host-level side of the house (especially Windows) would be great for me. Many of the topics in 572 are also somewhat familiar to me and I figured I'd get more bang for the buck out of 508. Plus, there's also NetWars for digital forensics and incident response which might be a great departure from the normal NetWars I participated in last year.

My only other SANS conference experience was last year in Orlando:

http://www.techexams.net/forums/sans-institute-giac-certifications/87391-sec-560-sans-2013-orlando.html

and I remember coming back thinking that it was one of the most well-organized security conferences I've been to. The Vegas and Orlando annual conferences are SANS' largest, but Security West in San Diego is one of their sizable ones as well with a great line-up. Given the supreme jet lag going from the Bay Area to the other side of the country (plus the Daylight Savings added in), I decided to stick towards the Pacific Ocean this time around. I avoid the Vegas event since it's right between Black Hat/DEFCON and another vendor-specific security conference that I attend and I can only handle so much of Vegas.

Anyone else planning on attending?

JDMurray

San Diego is definitely in my range, but I'm not sure of my training budget yet. FOR572 looks exactly what I need for the SOC work I'm doing now, but there's no corresponding GIAC exam! I should probably take SEC504 instead anyway.

docrice

Sort of having second thoughts about 508. Although many people go straight to it and skip 408, I also wouldn't mind doing 408 first. On the other hand, I've taken the CHFI course seven years ago through Global Knowledge (before I even knew about the certification and EC-Council). I've read they don't exactly compare, so maybe I can just take 408 later? Reading over Matt's digitalforensicstips.com blog's got me thinking.

http://digitalforensicstips.com/2013/03/should-i-take-sans-408-or-508-part-1/

http://digitalforensicstips.com/2013/04/sans-508-compared-to-408-part-two-plus-a-side-of-610/

Or maybe I'll do a brain compression and take 408 OnDemand in March (when I'm finally going to allow myself to take days off from work after a year of pretty much going into the office everyday) and by May when Security West comes around, I'll be a bit more prepared. Or maybe this is mental suicide.

Wait, isn't training supposed to be vacation?

JDMurray

docrice wrote: »

Wait, isn't training supposed to be vacation?

Ha! Six days of SEC401 melted my brain. I couldn't do much for a week afterwards. Of course, participating in the downtown San Diego nightlife many have had something to so with that.

ajd86

docrice wrote: »

Sort of having second thoughts about 508. Although many people go straight to it and skip 408, I also wouldn't mind doing 408 first. On the other hand, I've taken the CHFI course seven years ago through Global Knowledge (before I even knew about the certification and EC-Council). I've read they don't exactly compare, so maybe I can just take 408 later? Reading over Matt's digitalforensicstips.com blog's got me thinking.

Should I take SANS 408 or 508? (part 1) | Digital Forensics Tips

Second look at SANS 508 forensics course compared to 408 | Digital Forensics Tips

Or maybe I'll do a brain compression and take 408 OnDemand in March (when I'm finally going to allow myself to take days off from work after a year of pretty much going into the office everyday) and by May when Security West comes around, I'll be a bit more prepared. Or maybe this is mental suicide.

Wait, isn't training supposed to be vacation?

I took 408 at SANS CDI 2013 in December, and the instructor (Chad Tilbury) said that although many people take 508 without taking 408, he strongly feels these people don't get as much out of the course as those who have already taken 408. I don't know what CHFI covers, but that could be enough background info to make you comfortable in 508.

azmatt

You can never go wrong with the mental suicide route

Khaos1911

I'm all booked for SANS Security West 2014 where I'll be taking the GSEC bootcamp. I've never been to San Diego, so I'm getting in a day early to get into some debauchery! I'm sure I'll be to exhausted mentally to do much throughout the week.It'd be nice to meet and shake hands with a few of you "Techexamers."

docrice

When I took the CHFI course back in 2007, much of the material wasn't necessarily new to me, but there was a lot of emphasis on process, chain of custody, and so forth in addition to all the tools. I also don't recall touching any topic relating to timelines. With that in mind, I really doubt that course would come close to providing the same depth as 408.

Which hints me that I should make efforts to go through 408 before I do 508 in May. This is akin to stuffing an elephant into a peanut jar while keeping both intact while trying to stay financially afloat.

Help. Me. Brain. Dying.

A Techexams meetup would be cool, assuming there's time in the packed conference schedule. With the evening talks and NetWars, there seems to be little spare time.

chanakyajupudi

408 is a heavy course mentally at least. Lots of information thrown at you. I took the class last year with Nick Klein in Bangalore, India. As a work study participant.

I intend doing the 508 this year in Sydney. I think doing the 508 is okay if you already have a few years of forensic experience under the belt.

408 will put your already known skills to a persepective or should I say the SANS perspective making the 508 an easy task ( not so easy though ).

Do let us know how the 508 goes in May ! Best of luck !

azmatt

docrice wrote: »

When I took the CHFI course back in 2007, much of the material wasn't necessarily new to me, but there was a lot of emphasis on process, chain of custody, and so forth in addition to all the tools. I also don't recall touching any topic relating to timelines. With that in mind, I really doubt that course would come close to providing the same depth as 408.

Which hints me that I should make efforts to go through 408 before I do 508 in May. This is akin to stuffing an elephant into a peanut jar while keeping both intact while trying to stay financially afloat.

Help. Me. Brain. Dying.

A Techexams meetup would be cool, assuming there's time in the packed conference schedule. With the evening talks and NetWars, there seems to be little spare time.

You'll dig the 408. It's all Windows all the time but I left that class feeling informed and very confident about examining Windows systems. It was FAR more in-depth than the class I took for my CHFI.

Plus, "free" write blocker!

5ekurity

There's a chance I will be going for the GSNA class with David Hoelzer. All depends on the work schedule and which event I can attend in person, be it Orlando, SD or SANSFIRE in Baltimore.

JDMurray

docrice wrote: »

A Techexams meetup would be cool, assuming there's time in the packed conference schedule. With the evening talks and NetWars, there seems to be little spare time.

Ah, it's a personal choice to break away from ensconcement in the air conditioned catacombs of the hotel, walk down to 5th street in front of the convention center, and partake in the colorful and ribald downtown San Diego nightlife in mid-May. It's sooooo much more liberating than NetWars.

TBRAYS

ajd86 wrote: »

I took 408 at SANS CDI 2013 in December, and the instructor (Chad Tilbury) said that although many people take 508 without taking 408, he strongly feels these people don't get as much out of the course as those who have already taken 408. I don't know what CHFI covers, but that could be enough background info to make you comfortable in 508.

I was in the 408 class too with Chad Tilbury this past December at SANS CDI 2013.

docrice

SANS Security West 2014 was excellent. Due to extenuating circumstances, I missed the last day and a half of class but otherwise the training was fantastic. Similar to FOR408, by the third day of FOR508 my head popped. At some point the brain can no longer absorb anything and has to make space by purging out old memory in some fashion. In this state, I was essentially on autopilot trying to keep up. When you overfill at a buffet, it hurts.

I got to attend a couple of talks which was informative. I also got to hang out with some old friends so I ended up missing the other evening talks. Since this isn't SANS in Orlando or Vegas, the number of vendors for the Lunch and Learn was small. The venue was pretty nice though (Manchester Grand Hyatt) and I wouldn't mind staying there again. The big San Diego firestorms were happening in the same week.

I'm done with SANS training for this year. Can't take anymore. In retrospect, I shouldn't have signed up for the GCFE and GCFA exams as I'm now over-committed.

Khaos1911

I have to agree. SANS Security West was pretty awesome. San Diego is a beautiful city with beautiful women and great food. That Lucha Libre place has the best burrito I've ever tasted in my life. It was my first SANS conference/bootcamp and I met a bunch of new people in the field. If you have a chance to take GSEC bootcamp, Keith Palmgren is awesome and quite entertaining. Now If I can just focus on absorbing the material from these books and making my index to go ahead and knock GSEC exam out, I'l be golden. Hopefully I get to work study/facilitate for GCIA or GCIH in August or September.

docrice

Interesting. Your class was directly across the hall from mine.