SANS FOR408 Review

A couple of months ago I decided to sign up for FOR508 at the upcoming San Diego conference, but I kept wondering whether I'd be at a significant disadvantage since I would be lacking the skills taught in 408 (which might especially be relevant if I'm going to participate in DFIR NetWars). I took a CHFI course seven years ago so I figured that I might not get my money's worth by taking 408 as I'm doing this out of pocket. That said, it's not like I've really used those skills and my knowledge is pretty rusty. As usual, curiosity got the better of me so after confirming my suspicions based on other blogs and reviews about 408 vs. 508, I pulled the trigger.

Most of my training over the last few years have focused mainly on the networking side of the security, but because I started my career mainly as a Windows sysadmin, it's nice to go back to the host-level side of the house again and refresh myself on many things which I've since forgotten about.

This course is not cheap and I'm beginning to understand why. As part of the package you get the SIFT (SANS Investigate Forensic Toolkit) VM, but you also get a Wiebetech UltraDock (http://www.cru-inc.com/products/wiebetech/wiebetech_forensic_ultradock_v5/) and an actual Windows 8 license. Very cool stuff. I've always wanted a write-blocker. The course materials come in only three books which is a bit different from other courses I've taken where each class day had its own book. The second and third books are rather sizable.

Something to note about FOR408 - the laptop requirements for the labs are pretty steep compared the past SANS courses I've taken. Your hardware must support a 64-bit environment and have 8 GB of memory in addition to the 200+ GB drive. This probably isn't a big deal if you're going to use a desktop at home, but if you were a student at a conference using an older laptop, this might be a challenge. You also need a scrap 3.5" drive (although course requirements state that this is for an optional lab exercise). I have a MacBook Pro 17 from 2010 that I swapped in a 500 GB drive and installed Windows 7 on for this class, so that worked out for me. Having a larger screen size definitely helps since tools like FTK have quite a few information panes with long lines of detailed information. I imagine it must be cumbersome to do the lab work with a smaller screen and fumbling around with the scroll bars constantly.

I'm currently taking this through the OnDemand option during some time off from work and slowly chugging through it. At the moment I'm on Day 2 covering tracking user activity within Windows. FOR408 feels quite different from the CHFI training I got all those years ago and yes, I feel it's been quite worth it so far. The class material gets right into the action pretty quickly. This is not an intro-to-Windows course; if you've never seen or worked with the registry before, you're in trouble. So far, the material doesn't feel "easier" just because it's a 400-level SANS offering.

There are lots of video demonstrations and my ability to soak up information is not keeping pace with the instructor's ability to throw out tons of minutia, all of which are relevant since performing an investigation requires a very structured approach that must stand up to external scrutiny. This sort of discipline is a good thing, but for people like me who are used to running at a certain speed, I have to force myself to slow down and think in more microscopic terms to slowly step my approach intentionally for obvious reasons.

408 definitely fills in gaps in my Windows knowledge in areas where I always suspected something more was going on than meets the eye. I'll update this review as I get more time.

Find more posts tagged with

Comments

Master Of Puppets

Great review as always! Man, I really have to try these courses some time in the future once I step up my game.

cyberguypr

Agree, great review. I've been eyeing this class for a while and was very disappointed to see they are not bringing it to Chicago this year.

azmatt

Glad you're enjoying it!

The desire to think "I know Windows" or "I want the advanced stuff" and skip straight to the 508 is strong but the 408 is a really good class if examining a Windows box will be part of your future.

chanakyajupudi

Very apt review. I had done the IN Person Class in November last year. I failed the exam though due to personal reasons.

I will try to reattempt the exam in this year.

I did the course before the updation though. Not very sure about how much difference or what the new content is.

In one of my one off contact emails with SANS - They are in the works about certified people buying updated content Books instead of getting them only when they are in the re certification fray.

Cheers

Chanakya

docrice

I'm still slowly chugging along in 408 (and way behind my original schedule), but I'll say this - I've never taken another OnDemand course which had so many videos of the instructor demoing something. It feels like almost every few slides there's a video examining yet another registry key. When I used to do more systems-level work, I'd occasionally have to dabble into documenting various bits of information and string them together as part of troubleshooting or an investigation. It can get incredibly tedious while aligning things like timestamps for consistency, and this is what some of the 408 hands-on labs feel like. Part of it's really annoying, but this is also part of the overall discipline of the craft.

A good mental stretch so far. For example, it blows my mind to see just how convoluted a process it is when Windows manages USB device properties and how someone would have to trace USB storage-related activity on the host at a low level.

camR@

I have taken 508 recently. And they have a lab manual for practicing the exercises. Does 408 also include a lab manual/workbook or just three books to understand the concepts?

docrice

The lab workbook is integrated into the three books, which is sort of annoying since some of your worksheets are in the appendix at the end of the physical books. While there are spreadsheets for you to fill in timeline data within the SIFT workstation, there doesn't seem to be Word/Excel template document for the workbook/appendix sheets. Minor complaint on my part.

Some time ago I had an issue regarding the lab and I emailed the virtual mentor through the "Ask a Question" link within the OnDemand portal. I got a response within an hour or two, and this was around midnight in my timezone. Pretty impressed by that.

camR@

Thanks for the quick reply

so.. thee are three books and 408 exercises must be based on the Windows-In Depth concepts. 508 was a complete case study of an incident. Probably, that's the reason they created a separate practice manual

docrice

Based on my experience with 408 so far, I'd prefer it if they separated the lab book from the normal course books. I'm not a big fan of flipping back and forth between pages within the same book while I do lab exercises. I think some courses have the labs integrated in with the regular books and some have them separate. Probably depends on who's authoring the course material.

docrice

Side question about 508 - do you think it would be beneficial in the class to use a laptop that has a larger screen? In 408, using tools like FTK would seem constraining with a 13 or 15-inch screen since there are several paned sections within the UI and I'm switching between a spreadsheet app, a registry viewer, and a command prompt just to extract data from one place to the next. I'm finding the 17" screen (with a relatively high resolution) helpful, but I swore to myself last year that I wouldn't carry my larger machine with me on planes anymore because that weight does add up and lugging bulky items are a travel annoyance.

camR@

I don't think so. I was using 14" screen and had no issues. You will mostly be playing with SIFT, for most of the exercises. 508 seems to be more structured but it does take context from 408 while doing timeline analysis or finding windows artifacts.

docrice

I logged into the SANS portal today to continue my OnDemand for FOR408 and this message presented itself:

Please note that as of April 10, 2014 the requirements to receive a Certificate of Completion for OnDemand courses have changed to the following:

• You must view 80% of the slides.
OR
• You must pass 80% of the quizzes with a score of 80% or better.

If you have any questions, please contact us at ondemand@sans.org

I had assumed that in order to receive a Certificate of Completion, a student would have to view all of the slides and pass all of the quizzes. I wonder if the bar was set higher or lower with this change.

ajd86

docrice wrote: »

I logged into the SANS portal today to continue my OnDemand for FOR408 and this message presented itself:

Please note that as of April 10, 2014 the requirements to receive a Certificate of Completion for OnDemand courses have changed to the following:

• You must view 80% of the slides.
OR
• You must pass 80% of the quizzes with a score of 80% or better.

If you have any questions, please contact us at ondemand@sans.org

I had assumed that in order to receive a Certificate of Completion, a student would have to view all of the slides and pass all of the quizzes. I wonder if the bar was set higher or lower with this change.

Not completely certain, but I seem to recall the requirement to pass each quiz with 80% or better. So, I believe this new set of requirements is more lenient.

docrice

That is unfortunate. I've always viewed the quizzes to be relatively light in difficulty and designed more to ensure that the student stayed awake during the OnDemand presentation. Passing each quiz with 80%+ was always a requirement in the last few years.

ajd86

docrice wrote: »

That is unfortunate. I've always viewed the quizzes to be relatively light in difficulty and designed more to ensure that the student stayed awake during the OnDemand presentation. Passing each quiz with 80%+ was always a requirement in the last few years.

Agreed. I'm not sure what SANS' motivation was in making this move, but I think it will give unearned CPEs to far too many people.

docrice

I'm finally finishing up the OnDemand course, although I've skipped half the quizzes and lab exercises for now due to a schedule constraint with work and other related responsibilities (my work has been extending into weekends for a while now). It seems odd that I would pay for this rather expensive course out-of-pocket and not yet take advantage of all the lab exercises, but aside from scheduling, here's the reason...

...this is a very information-dense course. At least for me. I originally reasoned that since I took the CHFI course seven years ago, I would have at least a basic understanding of the material in FOR408. I was dead wrong. What's taught in 408 is much more practical, and although less tool-oriented than CHFI, it's very heavy on looking at timeline / user-action reconstruction in a structured manner. Don't be fooled by the fact that this is a 400-level course. My impression of SEC401 was that it was an amazing amount of information, but much of it wasn't new to me.

FOR408 is a different experience for me. I don't plan on going into forensics (at least not traditional forensics) as a career, but the level of detail and the complexity of Windows as an operating system which leaves behind a lot of user footprints is quite astounding. It's one thing to be aware of that, but then to see all the things which Microsoft doesn't teach you up-front is quite daunting. The case-study followed through the five days of training is based on Windows XP, although there's a lot of material which notes the differences against Windows Vista / 7 / 8. I think I remember hearing that this course got updated with a Windows 7-based case study right after I started my OnDemand, so I just missed out if that's true.

After going through some work on timelines, data carving, looking at user profiles, event logs browser forensics, etc., I'm at the point where my eyes are just glazed over. Part of this is due to the limited time I've been able to spend on this course, but it's also the overwhelming amount of critical minutia regarding tool gotchas (bugs), registry keys, timestamp correlation, Windows versioning differences, and whatever else I can't remember. I'm currently at the point where I can barely recall anything I supposedly learned from 408. Brain implosion at its best.

In retrospect, it probably wasn't a good idea for me to sign up for the GCFE exam as I'm not sure if I'll be able to prepare for it given that I have 508 coming up next week in San Diego, plus a number of projects at work that need to get done. I still have yet another online vendor course that I have to complete soon.

As the instructor (Rob Lee) said, 408 and 508 are not just complementary courses, but they're really the same course split into two. I'll have a better impression of this after I get through 508. I'm exhausted after just the first part and I wish I can postpone the second for a few months.

Here's another FOR408 review from a couple of years ago ago which had a different impression:

http://www.techexams.net/forums/sans-institute-giac-certifications/79128-gcfe-passed.html

His version of 408 was probably different though. That said, while there was some mention of EnCase in my class, there really wasn't any hands-on with it either which was disappointing. There was also no exercise using the UltraDock, and perhaps this is something that's labbed with during the live-instruction version of the class during "after-hours" when the normal class hours have passed for the day.

I also did not activate my copy of Windows 8 in the SIFT workstation, simply because the license key was barely readable on the Microsoft packaging in the tiny font and colored background on the label.

In reading through the above review, it occurred to me to check if I had a disk image for the Day 6 challenge. I don't seem to have one, so I'll have to check with the virtual mentor, who I did need for a couple of things and the response time has been very quick (within a few hours, even around a weekend midnight local time for me). This is consistent with the level of service I've received from another virtual mentor on a different SANS OnDemand. But if there's no Day 6 challenge, that would be a big bummer indeed considering how expensive this course is.

As I mentioned before, the number of videos are numerous, more than I've seen in any other OnDemand course. I wish they were more hi-res though, because when expanded to full screen it wasn't like YouTube where the HD version kicks-in. While I could make out the on-screen specifics the instructor was pointing out, it nevertheless felt a bit cheap. I'm going to let SANS know about this.

docrice

FYI, I found the disc for the Day 6 challenge. It was buried in the pile with all the other class materials.

docrice

I passed the GCFE today with 83%, my lowest score ever for a GIAC exam and it took me over 2 hours for a 3-hour exam (115 questions). I didn't take a break during the exam, just powered through it. I'm glad I took FOR408, but wish I had skipped the exam as I'm not directly involved with this area and quite frankly, I don't have the time for exams anymore. I really didn't put a lot of dedicated effort into studying and put this off for as long as I could since I'm buried in much more important issues at work.

The practice exam I took over the weekend felt very similar to the real exam. I really rushed through that one and barely passed (and with only minimal index referencing).

That said, I've put a lot of material in 408 to good use at work and that in itself was gold due to the information structure in the courseware. It also helped as a study aid while putting the material into practical application.

I still have the GCFA exam in queue and it's another one I wish I hadn't paid for, but I'll go through with it, pass or fail. Just need to get it over with, and that will be my final certification exam for the year. And perhaps a while longer.

kanecain

Hey Docrice, in what order did you earn your GIAC certs? Oh, and congratz!

docrice

GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, and GCFE.

docrice

Just as a side note, my score was at 100% at the 30-question checkpoint during the exam. I was on a good roll. Then fate decided to head-butt and started pounding down my short-lived pride. It's so sad.