Sunday, 28 May 2017

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting - My training experience

I got the chance to attend the SANS 508 training last week. A big thanks to the company I work for for letting me attend the training. It is an expensive training and I definitely would not have been able to pay for it on my own.

I thoroughly enjoyed the training. I had some familiarity with the tools that were discussed and also with some of the forensic and incident response techniques. I learned these from reading books and blogs, and from incidents I have responded to at work. However, I was totally blown away by what I learned in the 6 days of the training.

For me the things that stood out and made me write about it are:

  1. The trainers Nick Klein and Josh Lemon were amazing. They brought so much experience and were able to talk about how different tools and the artifacts that we look at helped them in real cases. Real world examples make a big difference (at least for me) as they help me remember the tool or the artifact.
  2. There is a lot of stress on the process or methodology and not the tool. The training discusses the different tools available to extract and examine a particular artifact, but came back to a select set of core tools that were used to their full effect throughout the course.
  3. The challenge on the last day was really tough. For me it highlighted areas that I was strong in and areas that I need to practice more. I was good at timeline analysis and analysing the memory forensics tool output. But when it came to extracting contents, dumping files and volume shadow copies, etc. I fell short. All these were things I had read about but I had never used the techniques until the course.
  4. The other students at the course came from different backgrounds and they all had different ways of approaching the incident. It was good to see and hear how others are approaching incidents and the different tools and techniques that they are applying.

At the end of each day of the training my head hurt from all the things covered during the day. At the end of the course, after completing the challenge (which is the first I have ever attempted), I am confident that I have the skills to apply a good process that will definitely help the organisation I work for currently and any other organisation I work for in the future.
