SANS FOR 508 Advanced Incident Response, Threat Hunting, and Digital Forensics
After passing FOR500 Windows Forensic Analysis, I wasted no time and started the next companion course, FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics. These courses build off each other, with similar topics being covered in both courses but more in-depth in one of them. For example, FOR500 deeply covers things like Windows Prefetch files, but in FOR508, it’s quickly touched on and then used as part of a larger timeline. The opposite can be said for things like memory forensics or NTFS journals, which are much more deeply covered in FOR508 but are mentioned briefly in FOR500.
Taking FOR500 first makes FOR508 a bit easier, as you have more background on WHY you would want a given forensic artifact. Day 1 of 508 focuses on applying incident response techniques at scale across multiple machines, common malware persistence mechanisms and evasion techniques, and then a large section on credential theft and lateral movement using those credentials. I was well versed in most of this content from my identity work and previous SANS courses. Day 2 focuses on lateral movement using tools like PowerShell and WMI, different attacks using these tools, and some Windows log analysis with Event IDs. Again, having taken FOR500, this had some overlap with previous SANS courses.
Day 3 is probably the most challenging, a deep dive into memory forensics. This can be a lot if you aren’t familiar with processes, threads, and DLLs. I took the FOR610 Reverse-Engineering Malware (GREM) course several years ago, which focuses deeply on these topics. It took a few read-throughs, but it came back to me quickly, and some of the tooling, like MemProcFS, is just incredible to use for this. Day 4 is really just about timelines and putting all the evidence together. I think having FOR500 previously helped, as you do something similar there, but instead of looking at one machine, here you are looking at several. Day 5 is a deep dive into the NTFS file system and some advanced evidence recovery techniques. This was probably the second most difficult day, but you really learn a lot, and when you combine this with day 3, it makes for extremely powerful hunting.
This exam also includes hands-on questions, as do the practice tests. I’ve always used all the practice tests for all my GIAC exams, and they are a huge help. I felt this exam, once again, was similar to the practice tests, perhaps a touch more difficult, so I was very prepared for the exam. I recommend both FOR500 and FOR508 if these are areas of focus for you as a defender, as there is a lot of real-world practical material in them.
This will be my last SANS course for a while. Luckily, we have a tuition reimbursement program at Microsoft, but it only covers so much per calendar year, and I’ve used my full amount already. I’ll continue the next course in the Incident Response program either at the end of 2025 or sometime in 2026. For now, I’m looking forward to a break from these forensic courses and getting to focus on some other things.