SANS 508 Compared to 408 Part Two plus a Side of 610
I’ve now had a chance to go through the OnDemand SANS FOR 508 Advanced Computer Forensic Analysis and Incident Response course and feel a little more comfortable comparing it to FOR 408 Computer Forensic Investigations – Windows In-Depth course. I’ve also recently been exposed to the FOR 610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques course content so while this post won’t cover much of the 610 I will talk about how the three courses fit together.
SANS has done a remarkable job of designing the 408, 508 and 610 as courses that stand fine on their own but fit together like pieces of a puzzle. There is virtually no overlap between the 408 and 508 (maybe a very tiny bit in the file system section) and a very small amount of overlap between the 508 and 610 in the memory analysis using Volatility section.
The following hypothetical scenario is my attempt to classify the 408, 508 and 610 to help give others an idea of what each course covers.
You’re a security analyst working for El Paso Widgets LLC and have been asked to examine Bob’s computer for evidence of inappropriate behavior and intellectual property theft. NOW is when you want to have taken the 408. You’ll cover web history analysis, program execution analysis, file activity analysis etc. If I went down to the mall right now and asked 100 people what they thought computer forensics people did they would likely all describe scenarios that the 408 covers.
You find evidence that Bob accessed proprietary information and exfiltrated the data (using a USB drive) in violation of company policy. You also found evidence of inappropriate web browsing and deleted chat history where Bob discusses his actions. Thank you 408!!!! Bob’s employment is terminated and all is right with the world.
Flash forward six months and unbeknownst to you Bob has spent the last six months turning himself into a computer hacker. He knows enough about the company’s personnel, culture and lingo to craft a brilliant spear fishing attempt. He also knows what anti-virus software El Paso Widgets LLC uses and he knows how easy it is to tweak malware in order to keep it hidden from anti-virus. One email and one misguided click later Bob now has a foothold on El Paso Widgets LLC’s network and nobody has a clue.
Over the next four months El Paso Widgets LLC bids on ten contracts and loses every one of them because their competition always bids 2-3% under their sealed bid. This obviously has a huge impact on their business and management starts to suspect an insider threat is revealing sensitive data from their bidding process.
You are approached by management and asked to examine the network in excruciating detail looking for malware which is avoiding detection from anti-virus. NOW is when you want to have taken 508. You examine several memory dumps and on one system you find a process which is actively hiding itself from normal system monitoring utilities. You perform timeline analysis and determine that the system became infected four months earlier. 508 just made you look like a genius!! El Paso Widgets LLC has no idea why you’re working for them instead of some mega company making triple what they pay you. You go home, brag to your spouse about your insane skills and sleep like a baby.
Your hero status is short lived however as the next morning management asks you to examine the malware to find out what it does and how to defend against it NOW is when you need 610. 610 will teach you how to analyze the malware’s behavior and code to figure out what it does and help you determine how to locate it and defend against it.
That is an honest assessment on how I see the three courses fitting together. The 508 is not a more advanced version of the 408, it’s a completely different course with completely different objectives.
In the first post on this topic there were some great comments where we discussed if someone would feel lost taking 508 if they didn’t take 408. As I said back then if you’ve been doing forensics on Windows boxes for a few years and know MRU, Prefetch, LNK files and the registry like the back of your hand than 508 may very well be the course for you. You would probably learn some great tips from the 408 course (and get a write blocker) but the course would likely be rounding out your knowledge rather than giving the true SANS ‘drinking from a fire hose’ experience.
If the above paragraph doesn’t apply to do but you still REALLY want to take 508 than go for it but here’s what may be in store for you.
Day one is a seriously in depth look at file systems. 408 would help you a bit in this section but when the hard core hex starts it will hurt no matter what.
Day two is the memory analysis day. Not having 408 wouldn’t hurt you too bad here but the instructor may talk about acquiring some things that you’re not familiar with.
Day three would probably be the day you would miss 408 the most. Throughout 408 you do a timeline by hand where you learn about each of the artifacts in great detail. In 508 you spend all day pouring over automated timelines looking for anomalies. It would be nice to have a firm grasp of what each of the artifacts means and what a normal looks like before you try to identify anomalies.
Day four and day five would have a similar downside of day two. You wouldn’t lose out on any of the “how” that 508 covers but you might not have the “why” understanding that a lot of your classmates possess.
Hopefully this post helps somebody make an informed decision on deciding between 408 and 508. My next post will likely be a short 508 review but if you have any questions about anything I talked about here ask away and I’ll do my best to answer.