Investigations
Apr 22nd, 2007 by John Gerber
“Perhaps when a man has special knowledge and special powers like my own, it rather encourages him to seek a complex explanation when a simpler one is at hand.” — Sherlock Holmes (written by Sir Arthur Conan Doyle), The Adventure of the Abbey Grange
No, I have not been abducted. No need to call in Gustav and Otto Amlingmeyer (better known as Old Red and Big Red, respectively). Sorry for my long absence from writing. I have several blogs started. Unfortunately, I began referencing so many different sources that the blogs became more like research papers. Being tight on time, I have not gotten around to finishing them. Shoot, I have not gotten around to sleeping.
I am going to try something different. I will make every attempt to write more frequently, just on less in-depth topics. The original purpose of this blog was to post interesting topics I came across. By the way, I have updated, over on the right, the “Recent Podcast” area. If you have not listened to these specific podcasts, I do highly recommend them. They cover some very interesting topics. For tonight, let me just address what I have been doing recently.
I attended the SANS course System Forensics, Investigation & Response. I’ll follow this up by taking the certification to become a GIAC Certified Forensics Analyst (GCFA). I took the course by volunteering at SANS. It is a great program if your company is a little tight on training funds. Let me quote the SANS description of the program:
If you are selected to facilitate for a SANS conference, you will pay a nominal fee of $500 and earn the remainder of your tuition in exchange for facilitator services you provide onsite. This fee includes attendance to the entire track the facilitator is selected to monitor, all course materials, and admission to evening sessions.
To be honest, I prefer volunteering over just attending. You get to interact more with the instructors, students, and the folks who work for SANS. Do not get me wrong, there is work involved. Volunteering for SANS just makes me feel more plugged into the course, and I get more out of it.
I have been asked if it is possible to take the certification exams without taking the course. I volunteer occasionally for SANS; I do not work for them. That is my disclaimer. Still, looking through their site, this is what I have found. If you know the subject matter very well, you can take the exam without taking the course. It is called a GIAC Challenge.
I don’t recommend it unless you are truly an expert on the subject matter. SANS exams are open book. The problem is that the exam questions will be based on the material in the course. Now, at the conferences I have attended, SANS has allowed students to purchase copies of any of the courses held at the conference. Those course books could be very helpful in passing the exam.
When studying for the SANS exam, I recommend people make a good outline of the course material. That outline will help a person find the material they do not remember from the course. You can count on there being some specific questions on more obscure material than you will ever be able to memorize.
The GIAC Challenge does include two practice exams. The practice exams are very valuable. They will help one figure out the pace of the exam and will point out areas where further studying is needed. SANS does allow you to purchase the exams separately.
I would point out that the course material is only part of the value of attending a SANS course. I find the interactions with the instructors and students just as valuable as what might be in the course material. If you can make it work, I would try volunteering with SANS before doing the GIAC Challenge.