Years ago, when SANS split the Forensics 508 course into two separate courses (500 and 508), I took both courses and wrote a blog post to help potential students determine which course would better fit them. I never thought I would write a similar post again, let alone for two courses I wrote.
Background
When I wrote the SEC497 Practical OSINT course for SANS, they already had a SEC587 Advanced OSINT course written by three fantastic individuals, all of whom I’m proud to call friends. While I was writing the SEC497, I avoided looking at the SEC587. I didn’t want anything I saw in the advanced course to affect what I put in the SEC497. I’ve often described the SEC497 as the challenges that I’ve run into performing OSINT operationally for both the Government and private sectors and how I’ve solved them. That was always my mindset.
Anyone who’s taken a course with me knows they’re jam-packed with information, and we’re going until the end of the day. The SEC497 was me packing in what I thought was most important, but there is only so much you can cover in a day, so unfortunately, there wasn’t room for every topic I could have covered.
Fast forward to 2024 when I was asked to take over authorship of the SEC587 Advanced OSINT course. One of the primary reasons I accepted was to have a chance to cover topics that there wasn’t room for in the SEC497.
Now that I’ve had a chance to make wholesale updates to the SEC587, I wanted to write a post to help potential students understand which may be a better fit to match their current position in their OSINT journey.
Foundational Vs. Advanced
Years ago, a Brazilian Jui-Jitsu instructor told me, “The advanced stuff is usually just the basics done very well.” Anyone who has ever practiced the art knows how true that is, but I think it’s true in many things. Many think, “I know the basics; I want the advanced.” That may be true, but it’s worth taking a few minutes to discuss the differences in the courses. The SEC497 is not and never will be a mandatory “pre-requisite” for taking the SEC587, but I’ve worked very hard to avoid duplicating content, so some knowledge from the SEC497 is assumed.
Key Pieces in SEC497
The SEC497 is packed full of great content, but here are some key parts that interest many prospective students and fill common gaps with practitioners with experience.
Day one discusses OPSEC, managing attribution, and ways to overcome hurdles with creating accounts, such as getting a “real” phone number and having a face that isn’t detected as AI-generated.
Day four is what I lovingly refer to as a “technical day.” When you’re trying to figure out where in the world an IP address is, and if they’re there, or using a VPN/Proxy/Tor. When you’re trying to figure out who owns a website or how to find the actual location of a website trying to hide behind a content delivery network (CDN). If email headers, DNS records, etc, look like a plate of mom’s spaghetti, this day will be a HUGE help as we explain why you should be looking at them and how to understand them.
There are a lot of other fun sections, like business OSINT, breach data, dealing with large datasets etc. but one of the best examples to differentiate between the SEC497 and SEC587 is the dark web.
In SEC497, we explain the dark web, how it works, how to find things on it, and low-tech methods for de-anonymizing users. In SEC587, we pick up where we left off and discuss technical methods for revealing a site’s true location on the dark web and methods for automated searching and monitoring.
I’m always happy to answer questions about the differences between the two courses, but I wanted to get a few thoughts posted here to help others understand the benefits of both options!