  1. Senior Member
    Join Date
    Nov 2016
    Location
    Iowa
    Posts
    138

    Certifications
    OSCP, OSWP, CISSP, CCNA Cyber Ops, Sec+
    #1

    Any tips for taking FOR508 live this year?

    Hoping to take the SANS FOR508 live course this year, and was wondering if anyone had any tips or experiences to share about it? I know the course has extensive laptop requirements, but any gotchas or recommendations hardware-wise or even just preparatory studies I could pursue? Anything I should not forget to bring? I haven't decided whether I will do NetWars DFIR or standard. I am leaning to standard as I think I'd have the most fun with that one.
    -------------------------------------------------------
    Security Engineer/Analyst/Geek, Pen Testing

  3. Member
    Join Date
    Sep 2017
    Location
    Some Continent
    Posts
    55

    Certifications
    Knowledge is Power
    #2
    Quote Originally Posted by LonerVamp:
    Hoping to take the SANS FOR508 live course this year, and was wondering if anyone had any tips or experiences to share about it? I know the course has extensive laptop requirements, but any gotchas or recommendations hardware-wise or even just preparatory studies I could pursue? Anything I should not forget to bring? I haven't decided whether I will do NetWars DFIR or standard. I am leaning to standard as I think I'd have the most fun with that one.
    Easily one of my favorite classes!

    The class has gone over a major revamp though from when I took it as an Advanced Forensics course and is almost entirely dedicated to Incident Response now, which is good in some ways. I'll get to that in a second.

    But for what you should be doing before the course:

    - Get into Volatility and Rekall both for memory analysis. Learn how to use them and how to set the profiles up as well. Depending on who you have as an instructor, that will predicate how in-depth they'll take this tool. If you haven't played with memory or a hibernation file before, start! Also I would suggest dabbling into the SIFT 3 they provide on SANS's website in general.

    - Log2timeline is something that many students have issues with for some reason. I think it really just is because there is more than just that one command to run a timeline. Go look at the Plaso website and just read up on it. There are SANS videos out there on the tool if you want to dabble into this too before the course. (Linked: "All things time related....: What flies there? What fares there? Or moves through the air? Plaso 1.5 - Gná released")

    - One of my analysts is in the course right now and he's having issues with NTFS attributes. You'll get the File Systems book by Carrier, but if you can find it beforehand I would strongly suggest you take a look at it! It will go a VERY long way when you do the only day that is really "forensics."

    - They will provide some snippets from FOR500 for artifacts. If you haven't taken 408/500, then I would at least brush up on Wikiforensics at the very least just to get an idea of what artifacts are what and WHERE they are.

    - You're going to be using Sleuthkit a lot on the last couple days. Everything about this class is CLI basically, so take a gander at this: Index of /sleuthkit/man to get a headstart on what commands do what


    Now onto the other piece, what instructor:

    If you get a chance, I would only take this course with either Alissa Torres, Eric Zimmerman or Rob Lee. Nothing against the other ones who teach it, but they seem to understand the material the absolute best and don't get so far into the weeds with their own gloating that it distracts from the class.

    Good Luck!!
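    Since the NTFS day is the one that posters above flag as the hard "forensics" day, here is an added example (not from this thread, SANS or any course material) of what an NTFS "attribute" actually is on disk: a small Python walker that applies the update-sequence fixups of one MFT file record and lists its $STANDARD_INFORMATION, $FILE_NAME and $DATA attributes. The record it parses is constructed inline for a hypothetical "notes.txt", and the field offsets follow the NTFS layout documented in Carrier's File System Forensic Analysis, the book recommended in the post above.

```python
"""Walk the attributes of one NTFS MFT file record.
The record from build_sample_record() is constructed for this example, not a real image."""
import struct
from datetime import datetime, timedelta, timezone

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
END_OF_ATTRIBUTES = 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SECTOR = 512

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def apply_fixups(record):
    """Undo the update sequence: the last 2 bytes of each sector carry the USN,
    the bytes they replaced sit in the update sequence array (USA)."""
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_offset:usa_offset + 2]
    data = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if data[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d (torn record)" % (i - 1))
        data[end:end + 2] = record[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(data)

def _timestamps(content, base):
    keys = ("created", "modified", "mft_modified", "accessed")
    return {k: filetime_to_datetime(v) for k, v in zip(keys, struct.unpack_from("<4Q", content, base))}

def parse_attributes(record):
    """Return one dict per attribute, in on-disk order."""
    if record[0:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    data = apply_fixups(record)
    offset = struct.unpack_from("<H", data, 20)[0]   # offset of the first attribute
    attrs = []
    while offset + 8 <= len(data):
        atype, length = struct.unpack_from("<II", data, offset)
        if atype == END_OF_ATTRIBUTES:
            break
        if length < 24 or offset + length > len(data):
            raise ValueError("bad attribute length at offset %d" % offset)
        nonres, name_len, name_off, _flags, attr_id = struct.unpack_from("<BBHHH", data, offset + 8)
        name = data[offset + name_off:offset + name_off + 2 * name_len].decode("utf-16-le")
        entry = {"type": atype, "type_name": ATTR_NAMES.get(atype, hex(atype)),
                 "name": name, "id": attr_id, "resident": nonres == 0}
        if nonres == 0:
            clen, coff = struct.unpack_from("<IH", data, offset + 16)
            content = data[offset + coff:offset + coff + clen]
            entry["content"] = content
            if atype == 0x10:                        # $SI: four FILETIMEs at offset 0
                entry.update(_timestamps(content, 0))
            elif atype == 0x30:                      # $FN: parent ref, four FILETIMEs, sizes, flags, name
                entry.update(_timestamps(content, 8))
                entry["file_name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        else:
            # Non-resident content lives in clusters described by data runs (not
            # decoded here); only the sizes from the header are reported.
            entry["allocated_size"], entry["real_size"] = struct.unpack_from("<QQ", data, offset + 40)
        attrs.append(entry)
        offset += length
    return attrs

def resident_attr(atype, content, attr_id=0):
    """Resident attribute: 24-byte header, content, padding to an 8-byte boundary."""
    length = (24 + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 24, 0, attr_id, len(content), 24, 0, 0)
    return header + content + b"\x00" * (length - 24 - len(content))

def build_sample_record():
    """Constructed 1024-byte in-use record for a hypothetical 'notes.txt'."""
    created = datetime(2018, 5, 21, 19, 39, tzinfo=timezone.utc)
    modified = datetime(2018, 5, 22, 8, 0, tzinfo=timezone.utc)
    ts = struct.pack("<4Q", *(datetime_to_filetime(t) for t in (created, modified, modified, modified)))
    si = ts + struct.pack("<I", 0x20) + b"\x00" * 12             # 48-byte $SI, FILE_ATTRIBUTE_ARCHIVE
    fn = (struct.pack("<Q", 5) + ts + struct.pack("<QQII", 4096, 12, 0x20, 0)
          + bytes([9, 1]) + "notes.txt".encode("utf-16-le"))   # parent MFT ref 5 = root, Win32 namespace
    body = (resident_attr(0x10, si) + resident_attr(0x30, fn)
            + resident_attr(0x80, b"hello world\n") + struct.pack("<II", END_OF_ATTRIBUTES, 0))
    record = bytearray(1024)
    record[0:4] = b"FILE"
    struct.pack_into("<HH", record, 4, 48, 3)         # USA at offset 48: USN + one entry per sector
    struct.pack_into("<HH", record, 16, 1, 1)         # sequence number, hard link count
    struct.pack_into("<HH", record, 20, 56, 0x0001)   # first attribute offset, FILE_RECORD_IN_USE
    struct.pack_into("<II", record, 24, 56 + len(body), 1024)   # used size, allocated size
    record[56:56 + len(body)] = body
    usn = b"\x07\x00"
    record[48:50] = usn
    for i, end in enumerate((SECTOR - 2, 2 * SECTOR - 2)):
        record[50 + 2 * i:52 + 2 * i] = record[end:end + 2]    # save the originals into the USA
        record[end:end + 2] = usn                               # stamp the USN over sector ends
    return bytes(record)
```

    Call `parse_attributes(build_sample_record())` to see the three attributes come back in order. The walker decodes timestamps from both $STANDARD_INFORMATION and $FILE_NAME on purpose: each carries its own set of four FILETIMEs, and comparing the two sets is the standard way an analyst spots a file whose visible timestamps have been altered. The fixup check matters too: skipping it on a real image silently corrupts two bytes of every sector and produces garbage attribute lengths.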

  4. Senior Member
    Join Date
    Nov 2016
    Location
    Iowa
    Posts
    138

    Certifications
    OSCP, OSWP, CISSP, CCNA Cyber Ops, Sec+
    #3
    Thank you for the information; it's far more than I was expecting to hear! And yeah, Zimmerman will be teaching my session.

    This will be my first SANS course, let alone my first in the FOR track.
    -------------------------------------------------------
    Security Engineer/Analyst/Geek, Pen Testing

  5. Member
    Join Date
    Sep 2017
    Location
    Some Continent
    Posts
    55

    Certifications
    Knowledge is Power
    #4
    Quote Originally Posted by LonerVamp:
    Thank you for the information; it's far more than I was expecting to hear! And yeah, Zimmerman will be teaching my session.

    This will be my first SANS course, let alone my first in the FOR track.
    You'll enjoy having Eric as your teacher. He has a great background of both LE and Programming. Don't be afraid to ask questions as well. This course can seem a little too much at times, but they'll slow down during certain spots to make sure the course is really grasping the material.

  6. Junior Member Registered Member
    Join Date
    Dec 2017
    Posts
    2

    Certifications
    GCIH
    #5
    Hey all - I'm to take FOR508 in Austin, TX in just a few weeks, and I am happy to have found this thread! Regarding Volatility & Rekall, should I learn both, or is just learning Volatility sufficient? I don't know if both are used in class, so I was just wondering. This is my first Forensics class, and I want to be as ready as I can for both the class, as well as NETWARS - so any tips now can only help me. Thanks!

  7. Member
    Join Date
    Sep 2017
    Location
    Some Continent
    Posts
    55

    Certifications
    Knowledge is Power
    #6
    Quote Originally Posted by lucky4life:
    Hey all - I'm to take FOR508 in Austin, TX is just a few weeks, and I am happy to have found this thread! Regarding Volatility & Rekall, should I learn both, or is just learning Volatility sufficient? I don't know if both are used in class, so I was just wondering. This is my first Forensics class, and I want to be as ready as I can for both the class, as well as NETWARS - so any tips now can only help me. Thanks!
    Volatility and you'll be fine. If this is your first DF course, make sure you are familiar with Windows artifacts! LNK, Shellbags, Registry, Jumplists, Email, Prefetch, SHIMCACHE, etc. They will expect you already know what they are AND where they are.

  8. Member
    Join Date
    Jun 2011
    Posts
    79

    Certifications
    GCFA, GCFE, GCIA, GICSP, and some other junk.
    #7
    Quote Originally Posted by lucky4life:
    Hey all - I'm to take FOR508 in Austin, TX is just a few weeks, and I am happy to have found this thread! Regarding Volatility & Rekall, should I learn both, or is just learning Volatility sufficient? I don't know if both are used in class, so I was just wondering. This is my first Forensics class, and I want to be as ready as I can for both the class, as well as NETWARS - so any tips now can only help me. Thanks!
    Hey, there. Things have changed since I took the class last year (There was talk of dropping redline) so I may be a bit out of date. For class prep, you can probably just focus on Volatility. My best advice for getting a jump on the class is to take a look at the SANS DFIR posters:
    https://www.sans.org/security-resources/posters/dfir
    I think for this class pay attention to Hunt Evil, Sift Workstation, Memory Analysis, and the Windows Forensic Analysis posters. The Sift workstation is the environment you will be using and the rest all cover the major topics of the class.

    Even if you come into the class relatively new to DFIR you should be able to keep up if you work hard so don't get discouraged if you are really struggling with one topic. Just remember to take a deep breath and enjoy the ride.

  9. Senior Member
    Join Date
    Nov 2016
    Location
    Iowa
    Posts
    138

    Certifications
    OSCP, OSWP, CISSP, CCNA Cyber Ops, Sec+
    #8
    I wanted to come back around to this thread now that I have returned from SANS West.

    First, I think coming to this class without much advance prep is absolutely just fine. Granted, I have been a (largely) Windows administrator for 13+ years, so I've seen lots of things and am pretty comfortable troubleshooting the OS, which includes looking at some similar places that you look into for forensics purposes. And while I've done some homegrown malware incident response and such, nothing at the level where I'm examining memory dumps or disk images.

    Second, you don't really need to know anything else. I had 0 experience with any of the above tools, including Volatility and SIFT. Redline is no longer a part of the course. We didn't do anything with Rekall, either. Everything I needed to know was taught in the class during the lab exercises. Having a decent grasp of the Linux command line will help, but you don't really need much beyond being able to cd around and move or read files.

    Third, the course went over shimcache, prefetch just fine for someone like me who knows Windows, but hasn't ever dug into those things specifically. That said, knowledge of the RED DFIR poster would have been useful. We had access to it, but I had to consume it right there. The blue DFIR posters (there's a newer Hunt Evil one now) are wonderful.

    Ultimately, some in my class clearly had some forensics experience in the past, and others like myself had not. I feel like I was able to grasp and at least begin to understand everything presented, even the dense Day 5 NTFS topics.

    And I'd also say there's no need to have had any forensics tools exposure beforehand. Though some may have an advantage if they've used F-Response, Autopsy, or Redline in the past.

    Edited to add: I do think it helps a lot if someone has taken a course or has some background or knowledge of red team/pen testing tactics. It certainly helps when digesting the things we didn't define, like persistence, lateral movement, hash dumping (pillaging/looting), and initial exploitation. Having some offensive exposure helps understand why these attacks worked and how they worked. Thankfully I'm strong in that regard, but others were not.
    Last edited by LonerVamp; 05-21-2018 at 07:39 PM.
    -------------------------------------------------------
    Security Engineer/Analyst/Geek, Pen Testing

  10. Reticulating splines... (iBrokeIT)
    Join Date
    Jul 2013
    Location
    Twin Cities, MN
    Posts
    1,074

    Certifications
    GCIH, GSEC, VCAP5-DCA, VCP5-DCV, MCITP:EA, MCSA 2003/08
    #9
    GJ on that NetWars finish too
