UPDATE: I am excited to announce that SANS FOR408 is now FOR500. Over the last few years, we have continued to add more technical content to the class while ageing out some of the more basic material. While the class still provides an excellent framework for conducting Windows forensic analysis, the course difficulty level has shifted to the SANS “5” level. It gives us the freedom to teach some of the more complex forensic artifacts and techniques while still staying true to keeping it a “foundational” forensics course. See for yourself: FOR500.pdf
Rob Lee put together a webcast discussing some of the class updates and changes: https://www.sans.org/webcasts/103377
With the major expansion of forensic curriculum at the SANS Institute, I frequently get questions about what class(es) to take. If you are trying to decide between FOR408 (Windows Forensics) and FOR508 (Advanced Forensics and Incident Response), this is the best comparison I have seen online.
I found the following quote particularly insightful: “508 is not a more advanced version of the 408, it’s a completely different course with completely different objectives.”
— Chad Tilbury (@chadtilbury) May 23, 2013