Should I take SANS 408 or 508? (part 1)

I recently got asked a question in a comment that I was planning to answer in about 45 days but I don’t want to wait that long so I’ll give half of an answer now.

The question was a common one: “Should I take SANS 408 or 508?”

First let me provide one HUGE caveat and explanation of why I was already planning on answering this in 45 days. I have taken the 508 (I’m even a proud holder of a GCFA) but I took the course back in 2008.I was completely unprepared but it was still a fantastic learning experience and it taught me concepts that I use to this day. The 508 exam of today has very little in common with the 508 from 2008. The course has been completely re-designed from the ground up and I have yet to take the new version.

I’m taking my GSEC exam at the end of this month but after that I’ll have a narrow window to watch the 508 OnDemand content for a much needed refresher. The new 508 books are actually sitting in a spare room in my house and in an unbelievable act of discipline I haven’t touched them yet as I wanted to knock out my GCFE and GSEC first. Once I’ve gone through the new 508 material I’ll write a post about my thoughts on how 408 and 508 fit together but until then I wanted to share the thoughts from others on the subject.

I’ve been told by individuals far more qualified to speak on the subject than I that there is a fair amount of knowledge taught in 408 that is assumed in 508. One of the best examples is timelines. As I talked about in my 408 review you start the 408 course off by creating a very small timeline of events and build onto that timeline throughout the course by examining every sort of artifact that you can think of. All of the artifacts are examined “manually” and you write your entries into a spreadsheet. Not the quickest process in the world but it gives you a great understanding of both the artifacts themselves and how they relate to one another.

A quick look at the 508 course shows that day three is all about timelines. With a quick glace you would think that it was redundant with 408 but I’ve been told there is little overlap between the two courses. The 508 timeline section is about automating timeline creation so that instead of doing them manually (as is done in 408) you use tools to create them for you. The knowledge from 408 comes into play in several areas:

  1. Understanding what the data means. 508 assumes you have a level of understanding of artifacts and timestamps that one acquires in the 408
  2. Validating the results from the tools used in 508
  3. Performing the process manually when the tools utilized in 508 don’t work correctly for whatever reason

The timeline topic is only one example of how 408 and 508 complement each other and I’m sure I’ll have some more after I go through the updated 508 content next month.

SANS instructor Mike Pilkington (great teacher and even better human being) told our class that in his opinion SANS 408 was an intermediate class since “it teaches the basics, but then goes into some pretty advanced topics”. I couldn’t agree more.

Anyone who’s ever taken a SANS class has probably hit a point where your brain feels like it hit a short circuit. Where the material for a topic takes a complicated turn or where it’s day six and your brain is overflowing but the content keeps coming. In the OnDemand version of 408 Rob Lee is discussing a topic and he realizes it’s probably a “wait, what???” moment for a lot of students. He says something along the lines of “I know a lot of you are thinking that you thought you signed up for basic class and you’re not sure what’s going on…” .

A lot of forensics courses have students leave thinking “I can look at the internet browsing history, I can check for inappropriate pictures, I can run a dirty words list to find relevant documents etc.” . This is all really good stuff and the 408 teaches all of that. The 408 also goes MUCH further and teaches a student what’s going on behind the scenes and how instead of relying on “I ran tool X and it shows Y” the student can transition to “I ran tool X, it shows Y. We can also demonstrate Y by looking at Q, R, S, T…”.

After going through the course and subsequently going through the books while creating my index I really do feel like I can intelligently work my way through a detailed analysis of a Windows machine and not only validate what my tools are telling me but dig deeper in some areas for information that isn’t covered.

When I took the 408 course there were individuals in the class who had been performing analysis on Windows machines daily for the past decade. They both told me that they enjoyed the class and picked up some good tips but they absolutely could have skipped 408 and gone straight to 508. If that’s you and you don’t have the budget for both classes then that’s a tough decision.

If you’re where I was and you understand forensics basics, file systems, prefetch files etc. but don’t feel like you have a truly deep understanding that comes from dealing with things like jump lists, shortcut files and registry artifacts on a daily basis than I think you would love 408.

On the in person vs. OnDemand, you really can’t go wrong with either. The in person experience is always incredible and you get to meet people with similar interests but the great part about OnDemand is the ability to pause, research, practice and then come back to the content. I know it’s a crazy time commitment but for some classes (504 included) I try to watch the on demand videos in addition to the live class. The 504 on demand videos really opened my eyes to how high quality the OnDemand learning experience was. I had a slight preconceived bias that OnDemand was inferior to a live conference but it’s absolutely not and there are some serious pros to each.

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more