SANS FOR500 Windows Forensic Analysis
In my new role, I’ve had to be more hands-on than ever with Windows forensic images, which is a gap in my knowledge. SANS has several forensic courses, and I’ve successfully avoided taking the FOR 500 Windows Forensic Analysis course so far. I say that jokingly, mostly when looking at this course material; it’s just a topic that isn’t of great interest to me. I understand why it’s important and needed, and some people are great at tearing these images apart. I have recently enrolled in the SANS Incident Response Graduate Certificate, with FOR 500 being the first core required course. I had also heard that FOR 500 and FOR 508 Advanced Digital Forensics, Incident Response & Threat Hunting build on each other. The prerequisites for FOR 508 state that you should have a background in FOR 500. I am more interested in FOR 508 than FOR 500, and there are several other courses in the program I am interested in. With that being said, I jumped into FOR 500.
Overall, this course is extremely detailed and has a lot of content. This makes a lot of sense, as I’ll reference this content in the future. The first day of the course focuses on the basics of forensics and how to capture your basic forensic images. This day is pretty straightforward. The second day goes deep into the registry from a system and user perspective and covers the different cloud storage providers you may encounter. The third day covers the different Windows shell items and everything you wanted to know about USB drives. I will say that this was probably the day I was least familiar with, and I really learned a lot. The fourth day was email, event logs, and other things like Windows Search. This day wasn’t too bad. The final day was all about web browsers and Electron apps. This was a very full day of content.
Each day includes several labs, like any SANS course, and they can be pretty time-consuming, but I felt they did reinforce the material. It’s very easy to get lost in the registry keys, and seeing it with your own eyes does help you learn the material. The GIAC Certified Forensic Examiner (GCFE) exam has a hands-on component, so you really need to understand how to complete the labs to pass the exam. The practice test also includes hands-on questions, so you should know what to expect for the real exam. I felt the exam was similar in difficulty to the practice questions. Having a good index was really helpful. I also watched the videos by Richard Davis on his YouTube channel, 13Cubed, and used his reference guides. Richard also works for Microsoft, and we are actually on the same team!
One tip I will provide is that I made a mistake. When I took the practice test, I took it at my docking station, which includes an external mouse and keyboard as well as a large 4K screen. When I took the exam, I was on a 15-inch MacBook Pro. The resolution of the virtual machine was much larger than what I usually use, and with some of these tools there can be a lot of scrolling, which I wasn’t prepared for, but that is easy to overcome. The real issue was being able to ‘right click’ in the VM from the MacBook Pro. With a mouse, you just ‘right click’. With the touchpad, I tried all sorts of ctrl, option, and command keys while clicking, and I couldn’t get it to work. I was starting to get a little worried, as I really needed to be able to use that, but eventually I figured out that if you use two fingers to click on the touchpad, that is the same as a right-click, and THAT did work in the virtual machine.
I’m starting FOR 508 in a few weeks and will report back when done.