SANS DFIR Course Roadmap and Job Role Matrix

Whether you're seeking to maintain a trail of evidence on host or network systems or hunting for threats using similar techniques, larger organizations need specialized professionals who can move beyond first-response incident handling to analyze an attack and develop an appropriate remediation and recovery plan. Our DFIR Curriculum will teach you how to detect compromised systems, identify how and when a breach occurred, understand what attackers took or changed, and successfully contain and remediate incidents.

DFIR Course Roadmap

Here is our suggested DFIR Course Roadmap to guide you in your search for training. This is just a recommendation, and all courses can be taken in different order. However, some courses might skip over introductory and intermediate concepts so make sure you look at the pre-requisites of the course you are interested in, before hand. Click on the image to see the full SANS Roadmap.

SANS DFIR Essential Courses

More than half of jobs in the modern world use a computer. Most people aged 18-30 are 'digitally fluent'; accustomed to using smartphones, smart TVs, tablets, and home assistants, in addition to laptops and computers, simply as part of everyday life. Yet, how many of these users understand what's going on under the hood? Do you want to know more about Digital Forensics and Incident Response? If you answered 'yes' then these courses are for you!

FOR498: Battlefield Forensics & Data Acquisition

This course will teach you to:

• Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where it is stored
• Handle and process a scene properly to maintain evidentiary integrity
• Perform data acquisition from at-rest storage, including both spinning media and solid-state storage
• Identify the numerous places that data for an investigation might exist
• Perform Battlefield Forensics by going from evidence seizure to actionable intelligence in 90 minutes or less
• Understand the concepts and usage of large-volume storage technologies, including JBOD, RAID storage, NAS devices, and other large-scale, network addressable storage and more

“FOR498 provided information I can take back to my company and begin using immediately. It will be very easy to show leadership the ROI on this course." - Jennifer Welsh, CNO Financial Group

SANS DFIR Endpoint Forensics Courses

The SANS Endpoint & Network Forensics courses provide you with the “must-have” skills any forensic & incident response professional should have. Whether you are seeking a trial of evidence oh host or network systems, larger organizations need specialized professionals who can move beyond-first response incident handling to analyze an attack and develop an appropriate remediation and recovery plan. These courses will help you with the skills needed to be that specialized professional!

FOR500: Windows Forensic Analysis | GCFE

All organizations must prepare for cybercrime occurring on computer systems and within corporate networks. Demand has never been greater for analysts who can investigate crimes such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. 

This course will teach you to:

• Conduct in-depth forensic analysis of Windows operating systems and media exploitation on Windows 7, Windows 8/8.1, Windows 10, and Windows Server products.
• Identify artifact and evidence locations to answer crucial questions, including application execution, file access, data theft, external device usage, cloud services, device geolocation, file download, anti-forensics, and detailed system and user activity.
• Become tool-agnostic by focusing your capabilities on analysis instead of how to use a particular tool.
• Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation.

I have been in IT infrastructure for over 20 years and my mind is blown by how much could be learned in this training. I recommend this class for everyone." - Nick Condos, ACADIA 

FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics | GCFA

The course uses a hands-on enterprise intrusion lab - modeled after a real-world targeted attack on an enterprise network and based on advanced threat actor tactics -- to lead you to challenges and solutions via extensive use of the SIFT Workstation and best-of-breed investigative tools.

The course will teach you to:

• Detect how and when a breach occurred
• Quickly identify compromised and affected systems
• Perform damage assessments and determine what was stolen or changed
• Contain and remediate incidents
• Develop key sources of threat intelligence
• Hunt down additional breaches using knowledge of the adversary and more

“FOR508 exceeded my expectations in every way. It provided me the skills, knowledge, and tools to effectively respond to and handle APTs and other enterprise-wide threats.” Josh M., US Federal Agency

FOR608: Enterprise-Class Incident Response & Threat Hunting

Enterprises today have thousands; maybe even hundreds of thousands - of systems ranging from desktops to servers, from on-site to the cloud. Although geographic location and network size have not deterred attackers in breaching their victims, these factors present unique challenges in how organizations can successfully detect and respond to security incidents. This course will help you identify and respond to incidents too large to focus on individual machines.

This course will teach you:

• Understand when incident response requires in-depth host interrogation or light-weight mass collection
• Deploy collaboration and analysis platforms that allow teams to work across rooms, states, or countries simultaneously
• Collect host- and cloud-based forensic data from large environments
• Discuss best practices for responding to Azure, M365, and AWS cloud platforms
• Learn analysis techniques for responding to Linux and Mac operating systems
• Analyze containerized microservices such as Docker containers and more

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response | GNFA

It is exceedingly rare to work any forensic investigation that doesn't have a network component. Endpoint forensics will always be a critical and foundational skill but overlooking their network communications is akin to ignoring security camera footage of a crime as it was committed. This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations to provide better findings, and to get the job done faster.

This course will teach you:

• Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
• Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
• Reverse engineer custom network protocols to identify an attacker's command-and-control abilities and actions
• Decrypt captured SSL/TLS traffic to identify attackers' actions and what data they extracted from the victim
• Use data from typical network protocols to increase the fidelity of the investigation's findings and more

DFIR Job Role Matrix

To further help you navigate the best courses for your DFIR career, we have created a Job Role Matrix. This matrix provides you with a guide to match the most common job roles in DFIR with the courses that best fit the different skills to learn. Click on the image to download the file

Need to justify your training? We have created justification letter templates for all the DFIR courses! Use these justification letters to share the key details of these courses and the certifications associated with each. Download them here.