Sans FOR500 - Newbie to Forensics

Sans FOR500 - Newbie to Forensics

Posted: Thu Oct 18, 2018 5:16 am

Hi All,

I'm completely new to Forensics and I'm planning on taking the SANS FOR500 course (and GCFE certification) in April. Firstly, is this course good for beginners?

Secondly, could someone recommend a good beginners book(s) I could read prior to taking the course? I've seen a few being recommended elsewhere (one being The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics by John Sammons) but these are very US-centric - does that matter?

A bit of background about me, I've worked in E-Discovery in London for the last eight years but I've always been interested in Forensics and I am now planning to learn more about it and transition over to working in Forensics.

Thanks in advance for all your help!  

edman
Newbie
 
 
  

Re: Sans FOR500 - Newbie to Forensics

Posted: Thu Oct 18, 2018 6:02 am

- edman
Hi All,

I'm completely new to Forensics and I'm planning on taking the SANS FOR500 course


Yes, that is a good beginning. In parallel you can start with memory forensics and from my point of view, there is no way around Volatility atm.

regards,
Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 

Bunnysniper
Senior Member
 
 
  

Re: Sans FOR500 - Newbie to Forensics

Posted: Thu Oct 18, 2018 6:02 am

It's a good overview of the variety of artefacts available on a Windows system.
It depends on how you define beginner.
I've sat in classes when people had really never done forensics before and they can get a bit lost because there is a lot of information given in a short period of time.

I'd have a look at the course page and see what's on each day. Generally I recommend Harlan's books wfa4 and wrf2 as a good overview of a few of the data points. I don't recall it covering email or browsers as extensively and also doesn't cover the win10 artifacts.

randomaccess
Senior Member
 
 
  

Re: Sans FOR500 - Newbie to Forensics

Posted: Thu Oct 18, 2018 6:06 am

- randomaccess

I've sat in classes when people had really never done forensics before


That happened to me in FOR508 :)
No idea how these guys and girls define "Advanced", but I went there after 5 years in DFIR. At the same time there was a team from **** Telecom with no clues and none of them had a notebook with enough memory or hard drive space to run the SIFT workstation...so these 4 people sat around and were surfing all day until the end of the week :) That is definitely one way to burn a lot of money!

regards,
Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 

Bunnysniper
Senior Member
 
 
  

Re: Sans FOR500 - Newbie to Forensics

Posted: Thu Oct 18, 2018 7:03 am

500 is an excellent class, but as some said before, you could easily get lost if you don't have some security or similar exposure.

If you are VERY new to DFIR, I'd recommend the SEC 401 class. It covers lots of forensic and IR basics and is still pretty detailed. However, if your job is really focused on forensic analysis alone, the 500 is best.

If you want to prep, lots of universities offer free online material for study and review. I'd also read as many SANS whitepapers on forensic basics to prepare.  

jpickens
Senior Member
 
 
  

Re: Sans FOR500 - Newbie to Forensics

Posted: Thu Oct 18, 2018 7:22 am

FOR500 is a good class but it assumes certain basic knowledge about forensics. The class no longer spends time on acquisition or basics of digital forensics as it used to do when it was FOR408. That being said, I really like this option because the money that you spend on SANS training should ideally get you more than just basics. Considering your background in e-discovery, I would say the course is an ideal start for you.

To cover the basics, you can read the following books

1. Basics of digital forensics (you already mentioned that)
2. Investigating Windows Systems - This is a new book written by Harlan Carvey and will serve as a great introduction and reference to Windows Forensics. The book will help you get more out of your SANS class in April.

I hope you enjoy your class and wish you best of luck with your career in digital forensics.

Regards,
Apurva R  

apurva.rustagi
Member
 
 
  

Re: Sans FOR500 - Newbie to Forensics

Posted: Thu Oct 18, 2018 8:04 am

- edman
Secondly, could someone recommend a good beginners book(s) I could read prior to taking the course?


Brian Carrier's book on forensic analysis of filesystems is still a good book IMHO. Worth a read, especially if you are just starting out.  

hectic_forensics
Member
 
 
