February 8, 2006

SANS Forensic Training (SANS SEC 508)

I attended SANS forensic training (SEC 508) in Baltimore in November, 2005. The instructor was David Hoelzer. The URL of this course is

Even though Rob Lee appears to be the principal author of the course, David did an excellent job teaching the material, and clearly is well qualified to teach the subject matter. The course covered appropriate material, and was well-suited for people with little to some forensic experience.

Note that the University of Missouri is trying to host this course at a very reduced price ($1,000 for .EDU employees or law enforcement personnel). The dates are June 12 - 17, 2006. The registration URL is Rob Lee is slated to teach the course, so I suspect it will be well worth your time and your employer's money to go. Unfortunately, they may not have enough registrations to hold the class, and they will have to make that determination soon, so if you want to go, you will need to register soon, and perhaps wait to book your flight and hotel room, or else make sure they can be cancelled without penalty (or that your work is willing to pay for the penalty if needed).

I would certainly recommend this course to folks who expect to perform forensic investigations, and who have little to no experience with using forensically-sound methodologies searching for evidence, and especially for working with deleted evidence. I believe even folks with a moderate amount of experience will find it worthwhile, but folks who have done this for years probably know enough of the material to look elsewhere.