eLearnSecurity: Digital Forensics Professional

Chris Eastwood
Published in Course Reviews
Jul 7, 2020

Finding comprehensive, up-to-date, and well-regarded Incident Response / Forensics certifications is tough. There are a load of vendor-tool-specific ones, as well as the SANS Forensics path; however, due to the mad cost of SANS and Covid-19 putting a stop to instructor-led courses, I thought I’d try something different: eLearnSecurity.

I’d heard a lot about eLearnSecurity, and I was initially sceptical and wasn’t convinced that the certification held as much weight as something like SANS. Comparing the two on the face of it, SANS FOR508 (Advanced Incident Response and Threat Hunting) and eDFP (Digital Forensics Professional) seemed pretty comparable, though I would initially have taken FOR508 over eDFP every time given the option.

However, my options were limited, so I decided to go with the cheaper option on the recommendations of friends, colleagues, and even other faculty I met during my time facilitating SANS SEC504. The recurring comment from everyone I’d spoken to was that ‘eLearnSecurity is generally a hands-on training course, which is very practical-heavy, and not just multiple-choice theory questions in the exam’. The penetration testing certs had you writing a report which is marked by someone, so I was feeling pretty hopeful.

Overview and structure

Digital Forensics Professional covers the basics of digital forensics (shock), starting with theory, then going through the stages of an investigation from data acquisition through to reporting. The main topics seemed to be focused on data, disks, and filesystems, as well as Windows and network forensics. The others (logs, timelines, and reporting) were a bit light but covered what they needed to. Each module was a few hundred slides covering the content, with some videos or labs at the end to reiterate some of the points discussed.

Each topic led to the next one quite nicely, and it was clear to see how each new section was building off the last. This was particularly apparent in the File & Disk Analysis section, which progressed in layers of abstraction, starting with a look at binary and hexadecimal, moving to HDDs & SSDs (including volumes and partitions), to FAT/NTFS file systems and even carving files from them.

File & Disk Analysis section

Quality

One thing worth noting is that, despite the learning not being affected, there was a regular issue with the ‘polish’ of the slides. I’m not perfect myself, but there were a lot of mistakes in both the spelling and some of the information, sometimes needing a quick Google or a calculation of my own to verify. A frequent example that comes to mind was ‘cash’ instead of ‘cache’. An extra proof-read of the content would have caught these and prevented some mild frustration and disappointment when going through a £1k+ course.

CACHING

Labs

The labs were pretty solid, and I found them useful to reinforce the topics discussed in the content. On first attempts, I almost always had to go straight to the well-explained solutions at the back, as the initial questions were so vague I often had no idea where to start. However, on repeat efforts for revision I had a better understanding of what I was supposed to do, and because the labs are configured with a range of tools, I was able to complete them my way with a little bit more exploring. This helped with managing investigations myself.

Exam

The exam is multiple choice, split into general theory questions and questions based upon various lab-style scenarios. Most of the theory questions reinforced what was learnt in the slides, though there were one or two which were not taught, so I had to make a best guess, and some of the lab-based ones relied on contextual understanding to infer the correct answer, which is still a good way to teach while testing.
One thing I did notice was that almost EVERY answer was the same option in a choice of A-D, which, much like the lack of proofreading in the content, made completing the exam a little underwhelming and more of a mental challenge of not wanting to choose the same option too many times.

Conclusion

Overall, Digital Forensics Professional has given me a really solid baseline understanding of concepts and tools used for digital forensics and now acts as a really useful set of resources which I have referred back to many times.
Whilst the learning was always there, a final touch of polish and a bit of variation in the exam answer choices would have left me feeling more comfortable splashing out on something else like THP or MAP. That said, I think DFP is one of their earlier courses, so the renewed courses potentially have a bit more about them.

Chris Eastwood

Incident Response, Forensic Investigations, and Threat Hunting professional, writing things to learn them better.