"We had to deal with a DDoS where the only available data was a 600GB PCAP file. We reduced to NetFlow and loaded that to the SOF-ELK VM. It quickly showed the waves of attack and how effective the countermeasures were." -David D.
"You won't get exposure to the breadth of info on network forensics in any other course." - Devin Johnson, SaskPower
"NetFlow is Cool. We've been receiving massive NetFlow feeds but were unable to fully utilize them apart from DDoS. With this course, I'm getting so many ideas how to use them in hunting." - SANS Student, FOR572 Singapore
"I literally was alerted to a potential incident from work on day 5 and used things I'd learned in class to analyze and help remediate." - P Cake, PeaceHealth
"I feel like I have won the lottery with the wealth of information from this week! Very relevant and applicable. I have already started using it in our environments with results." - Charlie H.
"This is an incredible curriculum. This class NEEDED to happen and I am glad it did." - Peter Steinmann
"Cutting edge - puts me ahead in the job market." - Anonymous
"Very good real-world material." - Jason Lawrence
"Great resource. Only true network forensics course I know of." - Jeremy Robbins
"If you are into disk/memory forensics, you will need this, too!" - Wouter Jansen
"This class is immediately applicable to my work environment." - Thomas Heffron
"No FLUFF - focused and targeted learning!" - Jackie Stokes
"Awesome! Best SANS course I have taken!" - Jim Horvath
"Although FOR572 is a network forensics class, it gets exactly right what most incident response courses get wrong. Instead of focusing on specific exploits and malware that quickly become outdated, 'Advanced Network Forensics' taught me about the full range of evidence sources available and how to effectively mine them for clues. Even more importantly, FOR572 taught me how to use different evidence sources to fill in missing gaps. This is critical, as most environments or incidents will not have every type of evidence available. A large scale APT breach will not have full packet capture available for what could be over a year of attacker activity, but making effective use of network log files can fill in those gaps. It also dove into advanced topics like analyzing unknown protocols, which is an important skill when dealing with the ever-evolving landscape of malware and odd but legitimate applications. Finally, the network forensics capstone investigation is a small but realistic simulation of an APT breach. Having to perform a realistic investigation under the pressure of limited in-class hours felt much like the pressures of investigating a live incident under the pressure of stopping ongoing data theft. It is an excellent class, and I would definitely recommend it to anyone wanting to bring their IR skills to the next level." - Alexander Bond, Mandiant
"The SANS Institute is currently the leader in the commercial IR and computer forensic training market. They have a large number of quality courses." - Luttgens, Jason; Pepe, Matthew; Mandia, Kevin. Incident Response & Computer Forensics, Third Edition - July 2014
"SANS Institute has many valuable assets - Phil Hagen is one of them." - Anonymous
"Loving the detailed and multi-layered labs. I have been doing the walkthroughs for time's sake but will revisit in depth later." - Anonymous
"FOR572 - next step in developing top notch incident response and network analysis professionals." - Tom L.
"Phil shared an example with pastesite.com extracting cached content and identifying and extracting a GZIP file. These practical analysis examples I think are extremely valuable." - Anonymous
"Material is directly relevant to what our analysts are doing daily. Highly useful." - Tom L.