SANS Digital Forensics and Incident Response Blog

SANS Computer Forensic Essentials Course and Training

SANS is shifting from one forensic course (SEC508) to two core courses (SEC408, SEC508) to build the most complete curriculum available in the computer forensic community. Our forensic curriculum is listed here:

If you are recommending SANS to your peers and it is their first computer forensic course with SANS, or if they primarily investigate Windows-based operating systems, I would highly recommend that they first attend SEC408, Computer Forensic Essentials. (If you have taken SEC508 before and want to know more in depth about Windows forensic analysis, I would also recommend you attend this course.)

SEC508 is a more advanced course for forensic professionals with some experience. It builds on the skills learned in SEC408, Computer Forensic Essentials, and focuses more on investigations of both the filesystems of UNIX and Windows platforms.

I just finished writing this brand new course and we have updated material covering WinXP, Vista, and even Windows 7. This course steps an investigator through a Windows examination including full Windows Registry and USB key analysis (106 pages), IE and Firefox browser forensics (70 pages), email forensics (45 pages), Windows artifact analysis (65 pages), and evidence acquisition utilizing FTK Imager and hard drive write blockers (all of Day 2). I will be teaching SEC408 at SANSFIRE 2009 starting June 15.

SEC408, Computer Forensic Essentials, will include, as a part of the tuition of the course, the brand new SIFT Kit Essentials. Included in this kit will be a Tableau T35e Write Blocker. The kit will include adapters for most hard drives you might encounter. The full description of this kit is found here:

If anyone is taking SEC508, SEC526, or SEC606 and would like to receive the SEC408 SIFT Kit Essentials in addition to your course, we now have an order form where you can order the kit for an additional fee. The order form is found here:

If you have any questions or would like to discuss which course might be more appropriate for you or your peers, email me and we can set up a time to chat/email so I can discuss the differences in the courses. I would be more than happy to answer any questions.

SEC408 Computer Forensic Essentials is going to rock. If you have taken 508 before and think this course might make you a better investigator, you should not miss out. There are items in the new course that I found out that no one has discussed prior. It will be exciting.


Rob Lee


Posted May 22, 2009 at 10:07 AM


What exactly will I be missing out on if I sign up for the upcoming 508 @Home course without taking the 408 course first? Is there content that is being dropped from 508? Has the 508 NOT been updated with the newer OS info?
At this point I've taken Security Essentials (401), Securing Windows (505) and Incident Handling (504) and I've been in the forensics kiddie-pool with knowledge gained from those courses. Should I jump straight in to 508?