SANS FOR 408 Computer Forensic Investigations

Training Course Name: FOR 408 Computer Forensic Investigations – Windows In-Depth

Name of Training Provider: SANS

Type of Course: Online

Length of Course: Three Months

Date of Attendance: Dec 2010 to May 2011

Price (UK or US price – full price, not discounted price): $4464.00 (includes GIAC examination)

URL of Training Provider Web Site: SANS OnDemand

Examination and Qualification: Open book, multiple-choice examination.  GCFE (GIAC Certified Forensic Examiner)

FOR 408 focuses on the critical knowledge a computer forensic investigator needs to investigate computer crime incidents successfully. It shows how forensic analysts collect and analyze data from computer systems to reconstruct user activity, whether for an internal investigation or for civil or criminal litigation.

This course covers the fundamental steps of the computer forensic methodology so that each student will have the qualifications to work as a computer forensic investigator helping to solve and fight crime. In addition to in-depth technical knowledge of Windows digital forensics (Windows XP through Windows 7 and Server 2008), you are exposed to a number of well-known computer forensic tools. These are provided on a VM image called the SANS Investigative Forensic Toolkit (SIFT); many of the tools on it are free (open source). You are also provided with a Tableau T35e write blocker together with a variety of IDE, SATA, FireWire and USB cables.

The course consists of the following topics:

* Forensics Primer
* SIFT Kit Essentials
* Forensic Investigation Methodology
* Evidence Fundamentals
* Working with Tableau 35s kit
* E-discovery Methodology
* Forensic Analysis Reports
* File System Introduction
* Windows File System Basics
* Evidence Acquisition
* Using AccessData’s FTK
* String Searching/Data Carving
* E-mail Forensics
* Registry Analysis
* Collecting User Information
* Examining System Configuration
* Analyzing User Activity
* Analyzing USB Devices
* Windows Artifact Analysis
* Event Log Analysis
* Windows Firewall Log
* IIS Log Analysis
* Internet Browser Forensics
* IE Forensics
* Firefox Forensics
* Generating a FTK Report

I was one of the first (if not the first) students to go through this ‘OnDemand’ version of FOR 408. OnDemand is the SANS brand name for their online, distance training. Basically, it consists of a voice recording of an actual face-to-face (F2F) training course synchronized with the course slides, together with recordings of the instructor’s computer screen as he performs demonstrations, such as how to use a particular forensics tool. It works particularly well and in general I was pleased with the delivery mechanism, but it was not without its problems. I will talk about that a bit later.

The live F2F course lasts 6 days and the recording I had was of Rob Lee giving that course in Las Vegas. So, why did I choose the OnDemand version? Simple: as an independent consultant I did not want to lose a week’s fees by attending the live F2F course. My thinking was that having four months in which to do the training would be easy: how wrong I was!

Firstly, I should explain that after each module there is an online assessment. The assessments are designed to make sure you have understood the topic. In normal circumstances students go through the modules, take and pass the assessments, and move on after each stage. Each assessment can be taken three times (in case you fail it), and an 80% pass mark is required to move on. However, in one of my modules the assessment questions were not quite right; in fact, SANS had loaded the system with entirely the wrong questions. Whilst SANS were very helpful and understanding, it still took them over a month to load the correct questions. In parallel with that, OnDemand seemed to be having problems loading the correct slides and screens for certain modules. All in all this lost me well over a month, and truth be known, it was quite easy to use these problems as an excuse, when I should have just knuckled down and skipped the offending modules. SANS were very understanding and I was very grateful to them for extending (twice) my course duration: I should have completed it at the end of March but they extended it to the end of May.

All of these problems have now been fixed, but I was left feeling like a guinea pig for the course after being probably the first OnDemand pupil for FOR408.

However, the material is very impressive, with three separate handouts, each consisting of the presentation slides with very good notes. For a six-day course, FOR408 packs in a tremendous amount of information. The course instructor, Rob Lee, is very enthusiastic and knowledgeable and is rightly known as one of the leading proponents of digital forensics. Some of the modules include hands-on practical exercises, and these were very useful. Note, however, that the modules covering the legal aspects of forensics are very US-centric, and it would be useful for SANS to internationalize these aspects.

Before attending the course I thought I was quite familiar with some of the topics, for instance the e-mail and browser sections, but I still learnt new aspects as I went through the material. I would definitely advise anyone attending this course to first have some technical background in Microsoft Windows.

Finally, on to the exam! The course provides access to two practice exams online, both of which I took a week before the actual GIAC exam. The practice exams attempt to simulate the real exam in that they consist of a four-hour multiple-choice exam in which you have to answer 150 questions. Like the real exam, the practice tests are open book. I had no problems at all with the practice tests, both of which I passed well within the time period and without really having to refer to the course notes. So, when I came to the test centre for the real exam I was quietly confident. At this point, I should also mention that the online exams also tell you whether you got a question right or wrong, and show a counter of the total number of questions posed so far with the totals answered correctly and incorrectly. In other words you get instant feedback and you can ascertain whether you are going to get over the pass mark. This is certainly a recipe for increasing one’s stress levels, especially as I got the first few questions wrong! The whole four hours was like this: I would answer a few correctly, I would relax, I would then perhaps get one or two wrong, I would get stressed, and so on and so on.

At the end of the exam I was quite drained and only finished the exam with 10 minutes to spare. But I PASSED! I also felt that the overall difficulty of the real exam was greater than that of the practice exams. Yes, the GIAC exam is open book, but boy, do you have to know the subject matter well to pass. One of the reasons is that quite a few questions are based on comparing aspects of technologies or forensics methodologies, so answering these types of questions wasn’t as simple as going to one page to get the answer.

I learnt a lot from this course, but if you do take it, do not treat it lightly. If it weren’t for the delivery issues I described above, I definitely would have given it 5 stars!

If you want to enter the world of digital forensics this is the course for you. It is challenging, but at the same time very rewarding.

Marks: 4 out of 5