SANS: Advanced Filesystem Recovery and Memory Forensics

SANS Institute

The most trusted source for computer security training, certification and research.

select a course

Generic course descriptions, individual event descriptions may vary. Be sure to read the course description for exact training event you're interested in carefully.
>> Upcoming Events for this Course <<
Sort Within Discipline By: Popularity | Title | Course Number

Global Information Assurance Certification

Global Information Assurance Certification
Number of Certified Professionals
29,295

The fire hose strikes again! My brain hurts!
-Dean Farrington, Wells Fargo

Forensics 526

1 Day Course

Course Overview

(Portal Account Required)

Upcoming Events

Singapore, SG

SANS OnDemand

SANS OnSite

Course PDF

FORENSICS 526

Advanced Filesystem Recovery and Memory Forensics

6 CPE Credits Per Day

Laptop RequiredFree

NOTE: This course has recently changed from the SECURITY discipline to the new FORENSICS discipline. All content remains the same.

This advanced course is perfect for the diligent student familiar with core forensic methodology and techniques. If you understand forensic filesystem fundamentals, then this course is for you. It moves quickly from covering memory forensics to recovering and discovering deleted partitions from hard drives. This course focuses on innovative forensic techniques and methodologies so the seasoned practitioner can keep his skills sharp and up-to-date with the latest research areas in both live and static based disk forensics.

You will receive:

Forensic analysis workstation VMware machine equipped to investigate forensic data
Course DVD loaded with case examples, tools, and documentation

Prerequisites: This advanced course is perfect for the diligent student conversant with file system forensic techniques. If you are just beginning in digital forensics, this course is not appropriate for you, as the basics of digital forensics will not be covered.

The SANS Security Windows track was the best training course I've ever had, far surpassing my already high expectations. Seriously!
-Derek Lidbom, Trone

Author Statement

One of the most exciting areas in digital forensics is the ability to image and scrutinize physical memory collected from a live system. Starting with discovering basic memory structures, the student will learn how to recover and analyze processes that were seized from a live Windows-based system. Additionally, the student will learn how to discover and recover deleted partitions from hard drives that have corrupted partition tables or that have been formatted. Finally, new techniques in digital forensics will be covered. In the ever-changing world of digital forensics, it is essential that the prepared investigator have the right knowledge combined with new techniques.
- Rob Lee

Training Events By Course

FORENSICS 526 :: Advanced Filesystem Recovery and Memory Forensics
SANS 2010	Orlando, FL	March 06, 2010 - March 15, 2010
SANSFIRE 2010	Baltimore, MD	June 06, 2010 - June 14, 2010
SANS Secure Singapore 2010	Singapore, Singapore	October 04, 2010 - October 11, 2010
SANS OnDemand	Online Training & Assessments	Anytime