SANS DFIR Course Roadmap and Job Role Matrix

FOR308: Digital Forensics Essentials: This is an introductory course aimed at people from non-technical backgrounds, to give an understanding, in layman's terms, of how files are stored on a computer or smartphone. 

This course will teach you to:

• Effectively use digital forensics methodologies
• Ask the right questions in relation to digital evidence
• Understand how to conduct digital forensics engagements compliant with acceptable practice standards
• Develop and maintain a digital forensics capacity
• Understand incident response processes and procedures and when to call on the team
• Describe potential data recovery options in relation to deleted data
• Identify when digital forensics may be useful and understand how to escalate to an investigator
• If required, use the results of your digital forensics in court and more

"The course contains good theory mixed with real-life examples." - Waldemar Blakely, DHS

FOR498: Battlefield Forensics & Data Acquisition | GBFA: With digital forensic acquisitions, you will typically have only one chance to collect data properly.  With this course you will learn to respond, identify, collect, and preserve data no matter where that data hides or resides.

This course will teach you to:

• Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where it is stored
• Handle and process a scene properly to maintain evidentiary integrity
• Perform data acquisition from at-rest storage, including both spinning media and solid-state storage
• Identify the numerous places that data for an investigation might exist
• Perform Battlefield Forensics by going from evidence seizure to actionable intelligence in 90 minutes or less
• Understand the concepts and usage of large-volume storage technologies, including JBOD, RAID storage, NAS devices, and other large-scale, network addressable storage and more
  

“FOR498 provided information I can take back to my company and begin using immediately. It will be very easy to show leadership the ROI on this course." - Jennifer Welsh, CNO Financial Group

FOR500: Windows Forensic Analysis | GCFE: All organizations must prepare for cybercrime occurring on computer systems and within corporate networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. 

This course will teach you to:

• Conduct in-depth forensic analysis of Windows operating systems and media exploitation on Windows 7, Windows 8/8.1, Windows 10, and Windows Server products.
• Identify artifact and evidence locations to answer crucial questions, including application execution, file access, data theft, external device usage, cloud services, device geolocation, file download, anti-forensics, and detailed system and user activity.
• Become tool-agnostic by focusing your capabilities on analysis instead of how to use a particular tool.
• Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation.
• 
  
• I have been in IT infrastructure for over 20 years and my mind is blown by how much could be learned in this training. I recommend this class for everyone." - Nick Condos, ACADIA 

FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics | GCFA: The course uses a hands-on enterprise intrusion lab -- modeled after a real-world targeted attack on an enterprise network and based on advanced threat actor tactics -- to lead you to challenges and solutions via extensive use of the SIFT Workstation and best-of-breed investigative tools.

The course will teach you to:

• Detect how and when a breach occurred
• Quickly identify compromised and affected systems
• Perform damage assessments and determine what was stolen or changed
• Contain and remediate incidents
• Develop key sources of threat intelligence
• Hunt down additional breaches using knowledge of the adversary and more

“FOR508 exceeded my expectations in every way. It provided me the skills, knowledge, and tools to effectively respond to and handle APTs and other enterprise-wide threats.” Josh M., US Federal Agency

FOR608: Enterprise-Class Incident Response & Threat Hunting: Enterprises today have thousands; maybe even hundreds of thousands - of systems ranging from desktops to servers, from on-site to the cloud. Although geographic location and network size have not deterred attackers in breaching their victims, these factors present unique challenges in how organizations can successfully detect and respond to security incidents. This course will help you identify and respond to incidents too large to focus on individual machines.

This course will teach you:

• Understand when incident response requires in-depth host interrogation or light-weight mass collection
• Deploy collaboration and analysis platforms that allow teams to work across rooms, states, or countries simultaneously
• Collect host- and cloud-based forensic data from large environments
• Discuss best practices for responding to Azure, M365, and AWS cloud platforms
• Learn analysis techniques for responding to Linux and Mac operating systems
• Analyze containerized microservices such as Docker containers and more
• 
  

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response | GNFA: It is exceedingly rare to work any forensic investigation that doesn't have a network component. Endpoint forensics will always be a critical and foundational skill but overlooking their network communications is akin to ignoring security camera footage of a crime as it was committed. This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations to provide better findings, and to get the job done faster.

This course will teach you:

• Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
• Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
• Reverse engineer custom network protocols to identify an attacker's command-and-control abilities and actions
• Decrypt captured SSL/TLS traffic to identify attackers' actions and what data they extracted from the victim
• Use data from typical network protocols to increase the fidelity of the investigation's findings and more