2020-01-07

Evaluating SANS Courses

I've only taken one DFIR training course, the EnCase Advanced class back in 2003, the third week into my new job at Guidance Software at their old Green Street location. It was taught by Jessica Bair and Ric Stonesifer, and, knowing nothing about forensics or EnCase, it was a good fast-paced introduction to the field. From there, I learned by doing, maintaining Guidance's core set of artifact EnScripts and then supporting the company's professional services examiners in their casework.

I've forgotten a great deal about old artifacts since then, and have not kept up on new artifacts as much lately. And, of course, there are far more systems and approaches to forensics than existed 15 years ago—macOS, iOS, Android, memory forensics, malware analysis, etc. My dimly-recalled Windows 98 artifact knowledge no longer applies.

Live training is a good option for me because I can turn my phone and email off and simply focus for a week. So, I'm thinking about taking a SANS course this year. Which one should I take? These are the possibilities:
  • FOR500, Windows Forensics. I do know a lot about Windows forensics, so I'm worried I might get a little bored, but this would also be a good tune-up.
  • FOR 508, Advanced IR & Threat Hunting. I've assisted on a number of large-scale IR scenarios, but always in a focused, limited capacity where I've been asked to write code to do a specific thing (usually at scale). Working through the complete chain of an investigation could give me new insight into current problem areas to focus on as a developer, and especially provide me with greater intuition into the needs of IR examiners.
  • FOR 572, Network Forensics. I've focused almost exclusively on host-based forensics, and have always thought that network forensics is not well integrated into traditional forensics investigations (especially IR and IP theft scenarios). I did a bit of libpcap network programming in 2002, but there'd be much here that'd be new to me.
  • FOR 578, Cyber Threat Intelligence. I'm trying to learn much more about threat intelligence and see it as directly applicable to my job. OTOH, the course seems a bit thin; working more hands-on with threat intel data sets would be good practice, but I worry about there being too much focus on jargon (I still am skeptical that "kill chain" means anything that isn't obvious) and on high-level intelligence analysis and techniques (e.g., ACH) and less on tech. It's fine for training classes to address non-technical aspects of a subject, but I personally would get bored and then not get much out of the class.
  • FOR 610, Malware Analysis. Here's something I don't know much about. But would I be better off taking a more in-depth reverse-engineering course from a different organization? Spending time on little utilities like pescan and pdfid would not be useful to me; fundamental deep dives into PE and ELF, unpacking, reverse engineering, call graph analysis, and so on, definitely would be great.
  • FOR 498, Battlefield Forensics. I worked on bulk_extractor and a few other MEDEX projects, and a lot of this seems specific to acquiring different devices and whatnot. Probably not for me.
  • FOR 518, Mac and iOS Forensics. I know a few macOS artifacts and use a Mac as my daily computer, but there'd be a lot here for me to learn.
  • FOR 585, Smartphone Forensics. I know next to nothing about smartphone forensics. This might be inspiring, as my impression of existing mobile forensics tools has not been favorable.
  • FOR 526, Memory Forensics. I also know very little about memory forensics. I do have a pretty good sense of how operating systems and the memory hierarchy work. The fact that this covers multiple operating systems and associated techniques is promising, though.
Are there other courses I should look at, including outside of the SANS curricula? Training works best for me when it's very fast-paced and requires hands-on work. Otherwise, my ADD-addled brain will stop paying attention and I'll just daydream.

No comments:

Post a Comment