AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

SANS FOR508: A Review


I recently attended the SANS DFIR Summit 2020 and took FOR508 with Chad Tilbury. I elected to take the GCFA certification which I am currently preparing for and creating my index similar to how I laid out in a previous blog post. At Kroll, FOR500 and FOR508 are our daily bread and butter so I was very excited to finally take FOR508.

LiveOnline Review

First things first, let’s cover the new format SANS is offering as of the onset of COVID-19. I’ll admit I was pretty weary about taking a SANS class online as I know the value of in person instruction is unmatched when dealing with advanced concepts. However I’ll say the LiveOnline format was a lot better than I expected. 

For the live instruction, GoToTraining is what students use with the LiveOnline format. It works well enough as do any of the other online video meeting software offerings out there. One really nice thing about LiveOnline  is that not only do you get access to the MP3 files for the class you took, but you also get access to the recording of your class for the 4 month period. I really look forward to taking advantage of this because it’ll be nice to review Chad’s take on the course material while also hearing Rob Lee‘s take on it as well via the MP3 files.

One minor annoyance with the recorded sessions was at lunch you have to disconnect from the morning training session and log back in to your SANS portal for the afternoon training session link. This happened during each of the 5 main instructional days of the class. A minor annoyance, but ultimately I simply kept a logged in session of my SANS portal up all week to minimize the inconvenience. The payoff is worth it considering I’ll get access to the recordings for the next few months.

Slack was utilized during class to interact with the TA/Moderator as well as the instructor and other classmates. It worked out very well and separate threads were made for each exercise so all questions could stay in the respective threads. Admittedly, this was my first time using Slack in any real capacity so it took some getting used to. I’m much more of a Discord person, unsurprisingly, but I definitely enjoyed a few of Slack’s unique features. I ended up adopting Slack after the class after finding a local InfoSec chapter Slack as well as one geared towards Veterans in InfoSec.

One other thing I will say is AWESOME about LiveOnline is the ability to use more than just a laptop monitor during class. For FOR585 and FOR500, I only had a single laptop monitor. For FOR508, I had 2 27″ 1440p monitors and a 34″ ultrawide monitor using my personal desktop with which I could spread out my course material, the live lecture, SANSLiveOnline Slack channel, and the PDFs. It will be hard to go back to a single laptop monitor after this experience!


This is such a welcome change! Having signed up for the GCFA I still was shipped the physical books but having the PDFs will make indexing a lot easier. However, one thing to note, you are given a complex password for the PDF files (i.e. BqR6h)~!NeQz)5″U), your email and copy-paste from the PDFs is disabled. While this may come off initially as unfortunate given how easy it would be to copy-paste from the PDFs onto the index you create for the GCFA, I feel like I wouldn’t absorb the information nearly as well if I were taking the copy-paste shortcut. Thankfully, this forces me to manually parse through the books so the words on the pages have to go through my eyes, brain, and out to my fingertips prior to being committed to my index that will hopefully help me pass the GCFA. Also, I completely understand SANS needs to protect their intellectual property and I respect their decision to limit copy-paste because of that.

Course Content

Most topics covered in the class were completely new to me. I don’t have an IT background nor do consider myself a network ninja or malware expert. I am very much learning on the go in regards to IR as I mainly have a deadbox forensics background up until earlier this year when I started in the IR world. I saw a lot things that were familiar to me that I had seen in the wild during the course of investigations at work so the real-life relevance of the course was definitely there. I left each day with multiple things that I knew I could immediately apply to my everyday work.

Some processes I was already comfortable with I was able to learn different methods of achieving the same results. I was exposed to tools that were completely new to me and I was also exposed to tools I use everyday, like KAPE. For me personally, it was a really good mix of new and familiar material. And for familiar material, I learned a LOT more about those topics than I knew going into the week.

I really enjoyed learning about all the various credential stealing methods and various ways for adversaries to laterally move within a network. While I was already exposed to a bit of that in my daily work life, I got a MUCH deeper dive into these topics and for that I was very grateful.

Day 6 Challenge

The Day 6 challenge was a very complex case. An IR team could’ve easily spent a few weeks on all of the potential findings within the images, logs, etc that are provided to the competing teams. Chad advised us the scenario took nearly a year to put together so I won’t go into the details of it at all out of respect for not spoiling the hard work and the surprise for others. It’s a very fair assessment and 6 hours isn’t NEARLY enough time for anyone to get through it. However, our team did the best we could do in that time and thankfully it was enough to win a coin! Great teamwork all around on Team 1!

GCFA Preparation

Here is what I am hoping to accomplish in the coming months to help prepare me for the GCFA:

  • August 2020: Finish indexing.
  • September 2020: Review index/course material. Listen to MP3’s/review recorded lectures, as necessary.
  • October 2020: Hit labs hard. Practice Test #1.
  • November 2020: Continue review. Revise index as necessary from Practice Test #1. Practice Test #2. Revise/review index. Final Exam.

This is a very loose timeline with a firm deadline. I’m sure the above plan will adjust as life happens. Of course, I will do a follow up blog post once I’ve completed the GCFA. I have until December 1, 2020 to finish it so I hope sometime around late October or early November I’ll take the final exam.


FOR508 was an awesome course and I highly recommend it for anyone who has taken FOR500 and currently works in IR. For those of you who only want to do training in person, give LiveOnline a shot! It worked well enough for me to consider doing it again even when COVID-19 (hopefully) clears up.

Related Posts