SANS FOR500: I’m now a GIAC Certified Forensic Examiner

After a year in cyber security I was given the opportunity to take another SANS training course – FOR500: Windows Forensic Analysis. It was an informative and enjoyable class that culminated in another GIAC certification exam, which I passed this morning.

Having completed SEC401: Security Essentials and SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling at the SANS Cyber Retraining Academy alongside other cyber security newcomers, I wasn’t sure what to expect from my first “proper” SANS experience, and going in I was a little bit concerned the intensity might be ramped up several notches.

But I was pleased to find that SANS London – and more specifically FOR500: Windows Forensic Analysis – followed roughly the same format that I was used to: eight hours of taking in as much information as possible in the classroom followed by some interesting talks and the NetWars capture the flag competition in the evenings.

The six-day programme took students through the fundamentals of Windows forensic analysis – that is, how to figure out what somebody was doing on their computer after the fact – against the backdrop of a fictional investigation into a former employee suspected of plotting against his company and misusing its intellectual property.

Along the way, this touched upon imaging and memory acquisition, recovering deleted files, determining which applications were run, reviewing event logs, recovering email and instant messaging evidence, analysing browsing data, and much more – in many cases explaining how to find and parse this data even if efforts have been made to remove it.

As with every SANS course I’ve taken, remembering every detail would be impossible, and your index is your best friend in the exam. Really, much of this course could have been presented as a rather long list of forensic artefacts and which registry keys they can be found in, but as always the SANS instructors (in my case Lee Whitfield and David Cowen) did a great job of bringing the content to life with some fascinating demos and stories from the field.

This was the type of course where you hear about a technique and can’t wait to put it to use, but there’s so much to cover that the in-class labs can’t encompass all of the content. However, the final day of the course involved no teaching and students were given a scenario to investigate and set loose on a forensic image – a perfect chance to scratch that itch and get some hands-on experience while the instructors were still around to answer questions.

At the end of the session each group presented its findings back to the class and students voted on which best answered the questions set out in the scenario. My team were the winners and I took home a coveted SANS Lethal Forensicator coin (our class team also came second in NetWars the night before, so we were really quite a successful group!).

All that fun wouldn’t have counted for much if I hadn’t passed the certification exam, of course. I booked my test for a month later at an examination centre in London and spent the time between building my index and completing the practice exams on the GIAC website. This morning the big day finally came, and after two and a half hours in a sweltering test room I scored 93 per cent, earning the title of GIAC Certified Forensic Examiner (GCFE).

Although most of the scenarios in the FOR500 course revolved around HR and court investigations, I’d recommend it to anyone whose job involves working out what has happened on a computer. I’m sure the things I learnt over the week will be useful when I’m responding to incidents and examining artefacts to identify activity by attackers and malware.

SANS once again delivered an informative and enjoyable training experience, and I can’t wait to take another course when I have the opportunity!


Photo by MaurĂ­cio Mascaro from Pexels