Training
Featured CourseView All Courses
Get a Free Hour of SANS Training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training, Courses, and Resources
Can't find what you are looking for?

Let us help.

Contact us
Community Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

AI Risk & Readiness

Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely.

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk With an Expert
Talk With an Expert
New

FOR563: Applied AI for Digital Forensics and Incident Response: Leveraging Local Large Language Models

FOR563Digital Forensics and Incident Response, Artificial Intelligence
  • 1 Day (Instructor-Led)
  • 6 Hours (Self-Paced)
Course authored by:
Mari DeGrazia
Mari DeGrazia
FOR509: Enterprise Cloud Forensics and Incident Response
Course authored by:
Mari DeGrazia
Mari DeGrazia
  • 6 CPEs

    Apply your credits to renew your certifications

  • 4 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Jump to:

FOR563 teaches DFIR professionals to harness private, local AI using Large Language Models (LLMs) for secure, hands-on investigation and analysis at scale.

Course Overview

FOR563 empowers DFIR professionals to integrate AI by teaching how to run private, local Large Language Models (LLMs) without exposing sensitive data to third parties. This one-day, hands-on course moves beyond generic use cases to show how LLMs can be used in a forensics and incident response context: building custom agents, analyzing logs, forensics artifacts, and databases with natural language, and fine-tuning models for specialized investigations. While focused on local models, the techniques taught can be adapted for cloud or API-based LLMs. You'll gain practical skills you can immediately apply to real-world DFIR workflows, using AI effectively and at scale.

What You'll Learn

  • Configure and deploy local Large Language Models (LLMs) through both GUI and programmatic methods
  • Build and implement custom AI agents for forensic and incident response use cases
  • Analyze structured data—including logs, text messages, and databases—using natural language
  • Fine-tune LLMs for specialized DFIR tasks using custom datasets

Business Takeaways

  • Reduce the risk of data exposure by enabling AI-assisted analysis without sending sensitive data to third-party cloud services
  • Improve incident response workflows by equipping DFIR teams to use natural language interfaces for analysis
  • Lower reliance on proprietary AI platforms by training analysts to deploy and manage local, self-hosted Large Language Models (LLMs)
  • Expand investigative capabilities with custom AI agents tailored to your organization's specific forensic needs
  • Accelerate adoption of AI-driven workflows without compromising internal security or compliance requirements
  • Support knowledge retention and skill development by standardizing repeatable, scalable AI-driven forensic processes
  • Future-proof DFIR operations by preparing staff for integrating AI solutions across evolving data sources and forensic tooling

Meet Your Authors

Mari DeGrazia
Mari DeGrazia

Mari DeGrazia

Certified Instructor

Mari DeGrazia loves the satisfaction of solving a good puzzle. That fascination paired with her technical abilities has made digital forensics the perfect career fit. She has 20 years of experience in the IT industry, including 10 years in DFIR.

Read more about Mari DeGrazia

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in FOR563: Applied AI for Digital Forensics and Incident Response: Leveraging Local Large Language Models.

Section 1Applied AI for Digital Forensics and Incident Response

Section 1 introduces students to the real-world application of Large Language Models (LLMs) in digital forensics and incident response. Students will learn how to deploy local models, build custom agents, and analyze structured forensic data using natural language, all in a private, GPU-backed environment.

Topics covered

  • Introduction to LLMs and their use in DFIR workflows
  • Model setup, local hosting, and parameter tuning
  • Structured artifact analysis (logs, JSON, mobile data, binary config files)
  • Creating and using LLM-powered forensic agents
  • Natural language querying at scale

Labs

  • Setting up a GPU-enabled lab environment for local model use
  • Querying and analyzing forensic data with local LLMs
  • Building and customizing DFIR-focused AI agents
  • Exploring the basics of LLM fine-tuning

Things You Need To Know

We're updating our course schedule - please check back later.

Benefits of Learning with SANS

Instructor teaching to a class

Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources