SANS 508 Compared to 408 Part Two plus a Side of 610

I’ve now had a chance to go through the OnDemand SANS FOR 508 Advanced Computer Forensic Analysis and Incident Response course and feel a little more comfortable comparing it to FOR 408 Computer Forensic Investigations – Windows In-Depth course. I’ve also recently been exposed to the FOR 610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques course content so while this post won’t cover much of the 610 I will talk about how the three courses fit together.

SANS has done a remarkable job of designing the 408, 508 and 610 as courses that stand fine on their own but fit together like pieces of a puzzle. There is virtually no overlap between the 408 and 508 (maybe a very tiny bit in the file system section) and a very small amount of overlap between the 508 and 610 in the memory analysis using Volatility section.

The following hypothetical scenario is my attempt to classify the 408, 508 and 610 to help give others an idea of what each course covers.

You’re a security analyst working for El Paso Widgets LLC and have been asked to examine Bob’s computer for evidence of inappropriate behavior and intellectual property theft. NOW is when you want to have taken the 408. You’ll cover web history analysis, program execution analysis, file activity analysis etc. If I went down to the mall right now and asked 100 people what they thought computer forensics people did they would likely all describe scenarios that the 408 covers.

You find evidence that Bob accessed proprietary information and exfiltrated the data (using a USB drive) in violation of company policy. You also found evidence of inappropriate web browsing and deleted chat history where Bob discusses his actions. Thank you 408!!!! Bob’s employment is terminated and all is right with the world.

Flash forward six months and unbeknownst to you Bob has spent the last six months turning himself into a computer hacker. He knows enough about the company’s personnel, culture and lingo to craft a brilliant spear fishing attempt. He also knows what anti-virus software El Paso Widgets LLC uses and he knows how easy it is to tweak malware in order to keep it hidden from anti-virus. One email and one misguided click later Bob now has a foothold on El Paso Widgets LLC’s network and nobody has a clue.

Over the next four months El Paso Widgets LLC bids on ten contracts and loses every one of them because their competition always bids 2-3% under their sealed bid. This obviously has a huge impact on their business and management starts to suspect an insider threat is revealing sensitive data from their bidding process.

You are approached by management and asked to examine the network in excruciating detail looking for malware which is avoiding detection from anti-virus. NOW is when you want to have taken 508. You examine several memory dumps and on one system you find a process which is actively hiding itself from normal system monitoring utilities. You perform timeline analysis and determine that the system became infected four months earlier. 508 just made you look like a genius!! El Paso Widgets LLC has no idea why you’re working for them instead of some mega company making triple what they pay you. You go home, brag to your spouse about your insane skills and sleep like a baby.

Your hero status is short lived however as the next morning management asks you to examine the malware to find out what it does and how to defend against it NOW is when you need 610. 610 will teach you how to analyze the malware’s behavior and code to figure out what it does and help you determine how to locate it and defend against it.

That is an honest assessment on how I see the three courses fitting together. The 508 is not a more advanced version of the 408, it’s a completely different course with completely different objectives.

In the first post on this topic there were some great comments where we discussed if someone would feel lost taking 508 if they didn’t take 408. As I said back then if you’ve been doing forensics on Windows boxes for a few years and know MRU, Prefetch, LNK files and the registry like the back of your hand than 508 may very well be the course for you. You would probably learn some great tips from the 408 course (and get a write blocker) but the course would likely be rounding out your knowledge rather than giving the true SANS ‘drinking from a fire hose’ experience.

If the above paragraph doesn’t apply to do but you still REALLY want to take 508 than go for it but here’s what may be in store for you.

Day one is a seriously in depth look at file systems. 408 would help you a bit in this section but when the hard core hex starts it will hurt no matter what.

Day two is the memory analysis day. Not having 408 wouldn’t hurt you too bad here but the instructor may talk about acquiring some things that you’re not familiar with.

Day three would probably be the day you would miss 408 the most. Throughout 408 you do a timeline by hand where you learn about each of the artifacts in great detail. In 508 you spend all day pouring over automated timelines looking for anomalies. It would be nice to have a firm grasp of what each of the artifacts means and what a normal looks like before you try to identify anomalies.

Day four and day five would have a similar downside of day two. You wouldn’t lose out on any of the “how” that 508 covers but you might not have the “why” understanding that a lot of your classmates possess.

Hopefully this post helps somebody make an informed decision on deciding between 408 and 508. My next post will likely be a short 508 review but if you have any questions about anything I talked about here ask away and I’ll do my best to answer.

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more