As someone in the cyber/digital forensics community, I always looked at forensics training programs partially as a waste of time and (lots of) money (caveat: for someone already knowledgeable in the field). However, after some convincing from colleagues, I decided to give one a shot in December 2015. The class I participated in was SANS FOR508 (Advanced Digital Forensics and Incident Response) in Washington D.C. In addition, I signed up for the GCFA (Certified Forensic Analyst), taken in January 2016. Here are some of my thoughts now that I've gone through both of them.
Positives
- Good lecture flow/structure
- Decent content
Negatives
- Too focused on some very specific or outdated tools (The Sleuth Kit)
- Provided workbook was less training and more "fill-in-the-blank"
Suggestions
- Focus more on concepts and less on specific tool use
- Expand on the workbook exercises to explain results to a user
Course: SANS FOR508
The FOR508 class is a six-day (live or online) training program that attempts to build on an incident responder's previous knowledge, either from the prior SANS FOR courses or from general educational or working experience. While the lower-level FOR course provides a foundation for (mostly Windows) forensics, FOR508 attempts to show analysts more advanced concepts, such as memory forensics, timeline analysis, anti-forensics, and the examination of additional Windows artifacts.
At the beginning of the course, you're provided with five books. Four of the books include all of the slides (and additional details for the slides) discussed during each day's lecture. The fifth book is an exercise workbook, with both questions and answers that will be discussed during the lecture. The books are actually quite good regarding content and flow, even if some of the content is very tool specific (to be expected given the subject matter). Structurally the books work well for the lecture provided, introducing and explaining a concept (e.g., Windows artifacts, techniques) followed by tools or methods to dig deeper, even providing the student with a tool or two to analyze the concept. While I found the four content books to be well done, I found myself ignoring the exercise workbook after the class was completed. The exercises provided (and some of the content discussed in the books) were very straightforward, and I found them to be a decent walkthrough in regards to some of the tools, but I thought they were less about explaining why a tool or command works and just focused on telling the user to either "type command A" or "click button B". While the work was discussed during the lectures, as a standalone workbook I see little reason to go back to it. The fourth content book (Days 4 and 5) includes an index for many of the tools and concepts covered throughout the books. As the GCFA exam (discussed below) is open book, this index is a somewhat useful foundation for studying (and frantically searching for the concept) during the exam.
You're also provided with several additional items at the beginning of the course. The first is the SIFT Workstation, a virtual machine that has many of the tools preloaded. This VM is what you'll be using to go through many of the exercises, and as a standalone it's a decent collection if an examiner doesn't already have an analysis VM. Students also receive a 64 GB USB drive filled with most of the content discussed in the class (e.g., tools, white papers). You're also provided with a trial version of "F-Response Enterprise", an enterprise-based IR tool (I understand, but meh). After the course is completed, you're provided with audio files of the complete course lecture. That's about 40 hours of audio for the lecture you just went through. This could be good if you have a long commute and you're trying to passively brush up on the material for the GCFA, but otherwise I don't see the point.
Overall, the training was decent. The lecture was delivered well, with enthusiasm and high energy by our trainer (Alissa Torres), to be commended for trying really hard to make a gigantic data dump more interesting, and the content itself introduced me to a few artifacts and ideas that I ignored prior to the training. I was unable to attend the day six challenge (which I hear is the best part), so that may be a big bonus that I missed out on. That said, it was still a great data dump of digital forensics knowledge. With a high price tag, I would recommend it for employees of companies that provide both time off for training and assistance in paying for it - but I have a hard time saying "go for it" if you were to pay out of pocket. Recommended (Kind of).
The GCFA certification is a challenge of the information and concepts taught in the FOR508 lecture and found in the provided materials. While you don't have to take the FOR508 class as a prerequisite for taking the exam, I would recommend doing so (or at least going through one of the few GCFA books that are out there). The test covers general incident response, Windows artifacts, timeline analysis, memory forensics, and some advanced forensics topics, and I'm unsure how one would pass this exam without understanding the specific concepts discussed in this course.
The exam itself is a decent attempt at challenging users. You are currently given three hours to complete the exam. At 115 questions, that leaves around a minute and a half per question - not bad. However, you will likely use all three hours, and that may not be because you need it, but because of how the exam is structured. You are provided one break and about 5-10 "flags". You are unable to use this break unless you go back to these flags and clear the question. Once you answer a question, it's done. This comes as a disappointment to someone who typically likes to go back through the exam at the end and double-check my answers. I understand why it's done, but it makes the user focus less on pacing and more on possibly forcing an answer just to move on. The biggest offender is the practice exams. These practice exams have the same structure; however, they provide you with detailed explanations of the correct answers. This is odd considering you cannot pause the exam to really understand what you got wrong. These are practice exams; shouldn't I be able to focus on understanding the concepts rather than understanding the exam?
The questions provided in this exam are varied enough, ranging from tool usage, to definitions, to open ended scenarios. I felt like the majority of them challenged me in my understanding of the material, but a few of them seemed out of place (can't go into detail, sorry). If I had one main complaint regarding the exam, it would be that some (just a few) questions seemed to have multiple answers, and the correct answer is the one defined by SANS in the course material.
I know I've listed a few negatives, but overall I would still recommend this certification. It was challenging and after passing it, gave me a feeling of satisfaction, one I've only gotten from completing the CISSP and EnCE certifications. While the price tag is high and some of the exam's content and structure is questionable, I'd say give it a chance. Recommended.
Certification: GCFA (GIAC Certified Forensic Analyst)
Positives
- Good knowledge check on course / conceptual materials
- Well developed
Negatives
- Cannot review answers at end of exam
- Practice exam structure restricts learning
- Some questions feel like they have several answers, but you must select the one based on SANS
Suggestions
- Reduce amount of questions or remove break, but allow users to review answers
- Reduce questions that ask what functions tool switches/arguments perform
GCFA Certification Tips
- Make your own index. The one provided in the book is a decent start (even with incorrectly assigned pages and duplicate entries), but in order to further understand the material (and create a better index), you should really go through the book several times and create your own.
- Pace yourself during the exam. Take the break. Don't bother flagging questions unless you're really stuck.
- Much of the information in the book is supplemental; focus on the concepts and tools first and how they're defined, followed by exceptions and additional detail.
Questions about the exam? Let me know below.