I am teaching the Security 508, SANS System Forensics course in Boston, on January 13th - March 17th 2009. I would like to take this opportunity to invite you to attend this course. Even if you are not interested in this course, I would really appreciate it if you could pass along this invitation to your friends and colleagues.

With the steep rise in e-discovery requests and other internal investigations involving technology, the need for digital forensic skills has never been higher. It seems no matter what your role is related to Information Security these days, it will now touch on forensic investigations on a regular basis. As security breaches continually make headlines and hacking is becoming a business, many security teams are getting inundated with investigative work. Whether it is an employee surfing pornography at the office, sensitive data being leaked through email, allegations of internal financial fraud, a malware outbreak of unknown origins, or server compromise, forensic investigative skills have become vital.

With that said, this course is great for incident responders who need to get deeper into incident analysis and diagnosis, and is one of the few fully mature training options for aspiring forensic investigators. I think it is also appropriate for those in peripheral or supportive roles to the investigation team. Many of my past students have been the network engineers and system administrators who are constantly being asked to produce evidence from the networks or systems they manage.

I truly believe that this course is unparalleled in terms of the topics that are covered and the wealth of additional resources, such as technical guides and open source tools, on the course DVD. During the course, we will take you through a process oriented work flow for approaching investigations, while always preserving evidence along the way. I found the course particularly appealing because it is built completely on the use of freely available tools. No expensive hardware or specialized software is needed. Just a laptop and a copy of VMWare workstation. All the labs utilize pre-built images and copies of live environments so that students get a real feeling for what a genuine investigation will be like. I have found the course to be very balanced, focusing not only on file system and network forensic analysis concepts, but also topics specific to Linux and Windows environments. There is even a broad coverage of the legal topics that affect they everyday work and constraints on forensic professionals. Combine this with real world hands on examples of malware and server compromise analysis using images from the Honeynet Project, and you have a must have class!

As a mentor, I try to provide context for the material by calling upon my experience investigating cases for organizations in many fields including the federal government, financial services, institutions of higher education, and many others. The mentor format allows us to take a massive amount of content that is traditionally squeezed into 6 intensive days of class, and stretch it across 10 weeks. This not only allows more time for the material to sink in, but it allows students plenty of time to really push the boundaries of the hands on lab exercises and get familiar with the tools.

Each session will start by answering any student questions, and then proceed to highlight the important concepts from the book materials. Having mentored this class before, I will also try to explain any of the topics that students have found difficult in the past. I find the mentor format to be particularly attractive to students, because we can focus our class time on live demonstrations of the tools to supplement the lab exercises in the books, and we can discuss current events that are affecting digital forensic professionals.

This year I am planning to establish an online wiki site for the class that will allow me to share additional resources with the students, and provide a forum for the students to interact with each other outside of class.

If all this wasn’t enough, SANS provides students with access to live recordings of the course’s author presenting this material at a SANS conference for you to download and listen to at your convenience. This provides an essential tool for students who are preparing for the certification exam, or those who just don’t have much time to read during the week.

For anyone who believes that digital forensic work may become a significant portion of their job responsibilities, I strongly encourage you to sign up for the GIAC Certified Forensic Analyst (GCFA) certification exam as well. I have found this credential to be extremely well respected in the field, and it can really help to lend credibility to your investigative work.

I really hope to see you all in Boston on January 13th.


This advanced course is perfect for the diligent student conversant with Linux System Administration, Windows System Administration, TCP/IP, and Intrusion Detection Methodologies. If you are just beginning in information security, this course is not appropriate for you, as the basics of the Linux and Windows operating systems are not covered in this program.

Why Choose the Mentor Program?
The Mentor Program, consists of small, locally run, 10 week classes utilizing the same great SANS courseware presented at the larger conferences. This unique program opens SANS training up to students with family or work commitments necessitating a more flexible option. Mentored students report several major benefits of this format including: cost savings, time to digest the material, convenient evening classes, small groups, a Mentor “coach”, and community networking.

Mentor: Evan Wheeler
Date: Tuesday, January 13, 2009
Meeting Time: 6:30 PM - 8:30 PM

55 Thomson Place
Boston, MA 02210

