FOR308: Digital Forensics Essentials

  • Online
  • 36 CPEs

The Digital Forensics Essentials course provides the necessary knowledge to understand the Digital Forensics and Incident Response disciplines, how to be an effective and efficient Digital Forensics practitioner or Incident Responder, and how to effectively use digital evidence.

What You Will Learn

More than half of jobs in the modern world use a computer. The vast majority of people aged 18-30 are 'digitally fluent'; accustomed to using smartphones, smart TVs, tablets and home assistants, in addition to laptops and computers, simply as part of everyday life. Yet, how many of these users actually understand what's going on under the hood? Do you know what your computer or smartphone can tell someone about you? Do you know how easy it might be for someone to access and exploit that data? Are you fed up with not understanding what technical people are talking about when it comes to computers and files, data and metadata? Do you know what actually happens when a file is deleted? Do you want to know more about Digital Forensics and Incident Response? If you answered 'yes' to any of the above, this course is for you. This is an introductory course aimed at people from non-technical backgrounds, to give an understanding, in layman's terms, of how files are stored on a computer or smartphone. It explains what Digital Forensics and Incident Response are and the art of the possible when professionals in these fields are given possession of a device.

This course is intended to be a starting point in the SANS catalogue and provide a grounding in knowledge, from which other, more in-depth, courses will expand.


FOR308: Digital Forensics Essentials Course will help you understand:

  • What digital forensics is
  • What digital evidence is and where to find it
  • How digital forensics can assist your organization or investigation
  • Digital forensics principles and processes
  • Incident response processes and procedures
  • How to build and maintain a digital forensics capacity
  • Some of the key challenges in digital forensics and incident response
  • Some of the core legal issues impacting on digital evidence

Digital forensics has evolved from methods and techniques that were used by detectives in the 1990s to get digital evidence from computers, into a complex and comprehensive discipline. The sheer volume of digital devices and data that we could use in investigative ways meant that digital forensics was no longer just being used by police detectives. It was now being used as a full forensic science. It was being used in civil legal processes. It was being used in the military and intelligence services to gather intelligence and actionable data. It was being used to identify how people use and mis-use devices. It was being used to identify how information systems and networks were being compromised and how to better protect them. And that is just some of the current uses of digital forensics.

However, digital forensics and incident response are still largely misunderstood outside of a very small and niche community, despite their uses in the much broader commercial, information security, legal, military, intelligence and law enforcement communities.

Many digital forensics and incident response courses focus on the techniques and methods used in these fields, which often do not address the core principles: what digital forensics and incident response are and how to actually make use of digital investigations and digital evidence. This course provides that. It serves to educate the users and potential users of digital forensics and incident response teams, so that they better understand what these teams do and how their services can be better leveraged. Such users include executives, managers, regulators, legal practitioners, military and intelligence operators and investigators. In addition, not only does this course serve as a foundation for prospective digital forensics practitioners and incident responders, but it also fills in the gaps in fundamental understanding for existing digital forensics practitioners who are looking to take their capabilities to a whole new level.

FOR308: Digital Forensics Essentials Course will prepare your team to:

  • Effectively use digital forensics methodologies
  • Ask the right questions in relation to digital evidence
  • Understand how to conduct digital forensics engagements compliant with acceptable practice standards
  • Develop and maintain a digital forensics capacity
  • Understand incident response processes and procedures and when to call on the team
  • Describe potential data recovery options in relation to deleted data
  • Identify when digital forensics may be useful and understand how to escalate to an investigator
  • If required, use the results of your digital forensics in court

FOR308: Digital Forensics Fundamentals Course Topics

  • Introduction to digital investigation and evidence
  • Where to find digital evidence
  • Digital forensics principles
  • Digital forensics and incident response processes
  • Digital forensics acquisition
  • Digital forensics examination and analysis
  • Presenting your findings
  • Understanding digital forensic reports
  • Challenges in digital forensics
  • Building and developing digital forensics capacity
  • Legality of digital evidence
  • How to testify in court

What You Will Receive With This Course

SANS Windows SIFT Workstation

  • This course uses the SANS Windows DFIR Workstation to teach first responders and forensic analysts how to view, decode, acquire, and understand digital evidence.
  • DFIR Workstation that contains many free and open-source tools, which we will demonstrate in class and use with many of the hands-on class exercises
  • Windows 10
  • VMware appliance ready to tackle the fundamentals of digital forensics
  • Fully working license for 120 days

SANS DFIR Exercise Workbook

  • Exercise book with detailed step-by-step instructions and examples to help you master digital forensic fundamentals

Syllabus (36 CPEs)

  • Overview

    The volume of digital information in the world is growing at a scarily fast rate. In fact, 90 percent of the digital data that exists worldwide today was created within the last two years, and it's not slowing down, with 2.5 quintillion bytes of new data created each and every day.

    If you are investigating any matter, whether it is a crime, an administrative or civil issue, or trying to figure out how your network was compromised, you need evidence. If you are gathering intelligence you need information. The simple reality is that these days the vast majority of potential evidence or information that we can use, whether it is for investigations, court, or intelligence purposes, is digital in nature. To effectively conduct digital investigations, one needs to understand exactly what digital evidence is, where to find it, the issues affecting digital evidence, and the unique challenges facing digital evidence. This will allow one to understand the crucial role that digital forensics plays with regards to digital evidence.


    MODULE 1.1: Understanding Digital Investigation

    • Why we need to conduct investigations:
      • Incident response and Threat Hunting
      • Regulatory investigations
      • Media Exploitation
      • Military action
      • Administrative investigations (HR/internal investigations)
      • Auditing
      • Law Enforcement investigations
      • Civil and Criminal litigation

    MODULE 1.2: Digital Forensics 101

    • The history and evolution of digital forensics
    • Defining digital forensics
    • The purpose of digital forensics
      • Asking the right questions
    • Knowledge, skills and attributes of digital forensics practitioners
      • First responders
      • Digital forensic investigators
      • Digital forensic analyst
    • Digital Forensics vs Incident Response vs Threat Hunting
    • Digital forensics tools
      • Hardware
      • Software

    MODULE 1.3: Digital Evidence Overview

    • What is digital evidence?
    • The difference between data and metadata
      • File formats and extensions
      • File system metadata and file metadata
    • The nature of digital evidence
      • Binary and hexadecimal
      • Bits, nibbles, and bytes
      • Converting data between binary, hex and ASCII
    • Disk structures
    • Data structures
      • Filesystems
      • Slack space and keyword searching
      • Memory data structures
      • Network data structures
      • Volatile and non-volatile data structures
      • Allocated and unallocated data
      • File deletion and recovery
    • Data encoding
      • ASCII and Unicode
      • Base64
    • The fragility of digital evidence
      • Understanding how easy it is to alter or change digital evidence
      • The importance of minimizing changes to digital evidence
      • Understanding when it is unavoidable to change digital evidence and how to address it

    MODULE 1.4: Sources and Digital Evidence

    • Computers and laptops
    • Servers
    • Virtual machines
    • Tablets and mobile devices
    • Removable storage media
    • RAM
    • Network devices and data
    • Embedded/IoT devices
    • Digital evidence in the Cloud
    • Drones and vehicles

    MODULE 1.5: Digital Evidence Challenges

    • Device volumes
      • Number of devices per person is increasing
    • Data volumes
      • The problem of increasing data volumes
      • Do you really need to collect everything?
    • Constantly updated operating systems/apps/services
    • Device support/locked down devices
      • Android and iOS uptake
    • Data corruption and recovery
    • IoT devices and acquisition
  • Overview

    Digital forensics is the core set of principles and processes necessary to produce usable digital evidence and uncover critical intelligence

    CSI and similar television shows have popularized forensics in the public consciousness and increased awareness of forensics. Digital forensics is the forensic discipline that deals with the preservation, examination and analysis of digital evidence. However, television and movies have created misunderstandings about exactly what digital forensics is and does. As a result, many people interested in forensics have no real understanding about what it entails.

    These misperceptions have also led lawyers who make use of digital evidence in court, investigators who need digital evidence to solve cases, information security practitioners responding to security incidents, and even people conducting digital forensics to make mistakes in relation to digital evidence, which can have negative consequences.

    Digital forensics is crucial to ensure accurate and usable digital evidence, but it is important to understand exactly what it is, what it can do, and how it can be used. If you are a user of digital forensics and digital evidence, understanding exactly how digital forensics works will enable you to better make use of digital forensics and digital evidence. If you are a manager or supervisor of a digital forensic capacity, this will help you understand exactly how it should be functioning and how to build and maintain it. Finally, if you are a prospective digital forensics practitioner or an existing one, this will equip you with the fundamental knowledge and skills that form the core of the digital forensic profession.


    MODULE 2.1: Digital Forensics Principles

    • ACPO guidelines
    • SWGDE guidelines
    • Locard's Exchange Principle
    • The Inman-Rudin Paradigm
      • Transfer
      • Divisibility
      • Identification
        • Digital evidence categorization model
    • Classification/individualization
    • Association
    • Reconstruction
      • Relational analysis
      • Functional analysis
      • Temporal analysis
    • The philosophy of science and the scientific method

    MODULE 2.2: Documentation and Reporting

    • Understanding the need for documentation
    • Making contemporaneous notes
    • Supporting your documentation with evidence
    • Maintaining the integrity of your documentation
    • Types of documentation
    • Investigation authorization and mandates
    • Case notes
    • Quality assurance documentation
    • Tool validation documentation

    MODULE 2.3: Quality Assurance in Digital Forensics

    • The digital forensics process
    • ISO 27043
    • The scientific method in digital forensics
    • Forensic process in practice
    • Validation processes
    • Quality assurance

    MODULE 2.4: Digital Forensics Challenges

    • Rapidly changing technology
      • Moore's Law
      • Koomey's Law
      • Kryder's Law
    • Over-reliance on forensic tools
    • Commercial vs free and open source tools
    • Competency & motivation of practitioners
    • Mental health issues
    • Ongoing education
    • Anti-forensics
  • Overview


    Incident Response is the core set of principles and processes necessary to allow an organization to successfully respond, react and remediate against potential attack scenarios

    Digital forensics deals with the preservation, examination and analysis of digital evidence. However, Incident Response is often the preceding activity that leads to the requirement to conduct a forensic investigation. If not executed properly, the Incident Response processes and team have the ability to inadvertently disrupt or damage subsequent forensic activities. It is therefore a vitally important aspect of an investigation.

    The Incident Response team must be adept at recognizing incidents and responding appropriately to collect and preserve evidence, whilst identifying and containing the incident. This same team are also usually involved in Forensic Readiness planning, which defines what evidence may be useful in a number of attack scenarios and ensures that systems are configured to collect and retain this evidence. Evidence that is collected in advance of an investigation can provide vital clues to a digital forensic investigator and when used in addition to subsequently acquired data, can provide insights into what data may have changed during specified periods of time that may be pertinent to the case.

    Digital Forensics and Incident Response therefore go hand-in-hand and are often referred to by the acronym DFIR. If you are a prospective or current digital forensics practitioner, understanding exactly how incident response works will enable you to better leverage these teams before, during and after investigations to obtain the best and most useful evidence and improve reporting. If you do not plan to build a career in digital forensics, understanding how the Incident Response teams and processes work will demonstrate when and how to engage if you suspect an incident may have occurred and the types of actions on your part that may assist (or impair) any potential investigation, to provide you with the best possible outcome.


    MODULE 3.1: Introduction to Incident Response

    • Defining incident response
    • Incident response processes and best practice
      • Order of volatility
      • Phases of incident response
    • Knowledge, skills and attributes of an incident response team
      • SOC analysts
      • First responders
      • Management
      • Relationships and use of specialists
    • Legal considerations
    • Incident Response tools
      • Hardware
      • Software
      • Grab-bags

    MODULE 3.2: Incident Response Standards

    • ISO 27035 - Security incident management
    • NIST Incident Handling Guide
    • Government guidelines
      • UK - NCSC / CREST
      • US-CERT
      • IT Governance EU
    • Templates for policies and plans

    MODULE 3.3: Incident Response Challenges

    • Lack of suitable preparation
      • Network diagrams, system details and access
      • Out-of-date documentation
    • Over-reliance on tools
    • Malware, antivirus and anti-forensics
      • What is malware?
      • What is antivirus?
    • Sophisticated attacks
  • Overview

    The acquisition of digital evidence is the most critical part of the digital forensics process and as such it must be done right

    Acquiring digital evidence is a crucial component in any investigation. Digital forensics is about finding answers, and if we cannot get to the evidence that we need, which is often stored on devices, in memory, on the wire or wireless, or in the Cloud, then we will never be able to get the answers we seek. Getting the digital evidence and selecting the appropriate method to obtain it can mean the difference between success and failure in an investigation.

    The acquisition of digital evidence has evolved over the years, and the old way of doing it may not always be the best or most effective way of getting the evidence and may actually compromise an investigation. Understanding the various strategies and methods that we have available to us to acquire digital evidence means that informed decisions can be made as to the best method to use to acquire evidence in a given situation or environment.


    MODULE 4.1: Forensic Acquisition Principles and Standards

    • Preserving the integrity of digital data
    • Minimizing the alteration of digital data
    • Copying versus imaging
    • Forensic imaging methods
      • Live imaging versus "dead" imaging
      • Triage image, sparse image, full logical images and physical images
    • Write blocking
      • Software based write blocking
      • Hardware write blocking
    • Data verification and integrity preservation
      • Hashing
    • The forensic acquisition processes
      • ISO 27037 forensic acquisition processes
      • SWGDE forensic acquisition guidelines
      • ACPO guidelines

    MODULE 4.2: Understanding Forensic Images

    • Physical and logical images
    • Forensic image formats
    • Raw image versus forensic image

    MODULE 4.3: Forensics Acquisition Processes

    • General rules of acquisition
    • Handling and controlling physical evidence
    • Addressing encryption
    • Acquisition types
      • Live acquisitions
      • "Deadbox" acquisitions
      • Network acquisitions
      • Remote acquisitions
      • Cloud acquisitions
      • Mobile acquisition
      • Advanced Extraction Techniques
        • JTAG/ISP
        • Chip off acquisitions

    MODULE 4.4: Acquisition Challenges

    • Available space vs. drive size
    • Speed of acquisition vs. available time
    • Operating System security
    • Encryption
      • Types of encryption
        • Full Disk Encryption
        • File Based Encryption
        • Single File Encryption
      • Encryption methods
      • Encryption tools
      • Decryption options
    • Acquiring data from the Cloud
    • Damaged devices
    • Unsupported devices
    • Legal authority
      • Obtaining evidence in other jurisdictions - mutual legal assistance treaty
      • Data sovereignty
  • Overview

    The only way to get answers is to ask questions, and the only way to get the right answers is to ask the right questions

    The key purpose of digital forensics is to find answers, and it is through the analysis process that digital forensics transforms raw data into either evidence or intelligence that we can use to answer the questions that we need answered. The use of technology is so integral to our day to day activities that it allows us an unprecedented opportunity to reconstruct what has happened in the past, to learn what is happening in the present, and even predict what may happen in the future, all based on the data available to us.

    By understanding digital forensic analysis, we can see how we can ask the right questions in our investigations and intelligence efforts, how we can critically examine and analyze the data at hand in a manner that can withstand scrutiny and finally, understand the types of answers we can get.


    MODULE 5.1: What Can Forensic Analysis Prove

    • What are the questions that forensic analysis can provide answers for
      • Who
        • User attribution
        • Assessing alibis and statements
      • What
      • When
        • Timelines
      • Where
        • Location information
      • Why
        • Determining intent
      • How

    MODULE 5.2: Planning the Examination

    • Understanding what you are investigating
    • Identify what artefacts can answer your questions
      • Types and examples of artefacts and techniques
    • Kitchen sink vs targeted approach (include triage)
    • Documentation

    MODULE 5.3: The Art and Science of Forensic Analysis

    • Understanding and applying critical thinking in an investigation
    • Applying the scientific method to forensic analysis
    • Gather information and make observations
    • Form a hypothesis to explain observations
    • Evaluate the hypothesis
    • Draw conclusions
    • Hypothesis formulation
    • Evaluating hypotheses

    MODULE 5.4: Forensic Examination and Analysis Standards

    • SWGDE standards
    • ISO 27042 guidelines for the analysis and interpretation of digital evidence

    MODULE 5.5: Forensic Examination and Analysis Challenges

    • Breadth and depth of required knowledge
    • Forensic artifact documentation challenges
    • Tool capability variation
    • Identifying data of interest
    • Stakeholder expectations
    • Analysis scoping and planning
    • Ongoing documentation and notetaking



    It doesn't matter how good your technical skills are, if you are not able to effectively document what you have done and report on your findings in a manner that non-technical people understand, your investigation is on shaky ground

    Digital forensics is at its core about getting answers to questions, whether as evidence or intelligence. So, it is important that we can get the answers that we find in our investigations to the right people so that they can make decisions and act on what is found in the digital forensics process.

    It is crucial that we are able to effectively communicate these answers to those people who need them, in a manner that is useful to them, and to be able to effectively support our answers. Not only must we be able to effectively communicate, but it is important that the users of these answers understand what our various reports mean and how they can use them effectively. Without effective communication and understanding of what is communicated, all effort expended in the digital forensic process is lost.


    MODULE 6.1: Presenting Your Findings

    • How to communicate technical concepts to non-technical audiences
    • Educating your audience
    • Telling the story
    • Supporting your narrative with evidence
    • Written reports
    • Verbal presentations

    MODULE 6.2: Legal Evidence

    • What is evidence
    • The legal requirements for court directed evidence
    • Admissibility
      • Legality
        • Chain of custody
    • Legal processes to secure evidence
    • Consent
    • Organizational policy and contractual frameworks
    • Reliability of the evidence
      • Integrity
    • Relevance
      • Proving legal elements
      • Exculpatory evidence

    MODULE 6.3: Testifying in Court

    • Understanding the court process
    • Technical versus expert witnesses
    • The responsibility of a witness
    • The testifying process
    • How to be an effective witness
  • Overview

    Good management of a digital forensic or incident response team is key in allowing an organization to successfully respond to potential attack scenarios and investigate digital evidence

    Management of a DFIR team is crucial to the success or failure of investigations. This includes suitably preparing the team and environment, providing support throughout each case, escalating issues as required, as well as conducting reviews and providing regular feedback. If sufficient management support is not in place at any stage in the lifecycle of an investigation, it may not be possible to proceed, or insufficient analysis may be conducted. Understanding how to build, manage and prepare a DFIR capability is essential.

    Digital Forensic Readiness is the key element in preparation to allow an organization to successfully respond to potential attack scenarios and investigate digital evidence. Digital forensic readiness acknowledges and defines the tools, processes and resources that must be in place to allow an organization to suitably deal with Digital Forensic investigations and Incident Response cases. If Readiness policies and processes are not defined properly, digital evidence may be unsuitable or may not be available when required, which can hinder or entirely prevent an investigation. It is therefore a vitally important aspect of pre-investigation planning.

    MODULE 7.1: Introduction to Forensic Readiness

    • Defining forensic readiness
    • Differences between forensic readiness and incident response

    MODULE 7.2: The need for Forensic Readiness

    • Use of digital evidence in organizations
    • Forensic readiness and ISO standards
    • Legislation and regulation
    • Benefits of forensic readiness

    MODULE 7.3: Building and Managing a DFIR Capacity

    • Building a business case for digital forensics and incident response
    • DFIR service models
    • Building a DFIR capacity
    • Selecting team members
      • Roles
      • Skill sets
      • Complementary Skills
      • Specialist skills to be able to call upon when required
    • Managing a DFIR capacity


    Consolidation of the skills and knowledge learned throughout the course with a hands-on challenge

    The best consolidation of new skills and knowledge is through practice. On day 6, you will have the option to undertake an individual hands-on challenge that makes use of the SANS virtual cyber range. Your digital forensics skills are put to the test with a variety of scenarios involving mounting evidence, identifying data and metadata, decoding data and decrypting data. Knowledge of digital forensics and incident response processes and standards will also be tested when answering scoring server questions, to compete for the FOR308 Challenge Coin. These challenges strengthen the student's understanding of digital evidence, digital forensics, and incident response fundamentals, and provide a learning opportunity where more practice on specific skills may be useful.

    • Data and metadata
    • Converting data
    • Decoding data
    • Decrypting data
    • Identifying file types
    • Mounting evidence
    • Hashing data
    • Digital forensics and incident response processes
    • Digital forensics and incident response standards
    • Documentation and reporting

    The students who score the highest on the digital forensics fundamentals challenge will be awarded the coveted SANS Digital Forensics Lethal Forensicator Coin. Game on!



FOR308 is an introductory digital forensics course that addresses core digital forensics principles, processes and knowledge.

If you wish to become a digital forensics or incident response practitioner, we recommend that you follow up this course with one or more of the following SANS courses: FOR500, FOR508, FOR518, FOR585, or FOR572.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.


  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 200GB of free storage space or more is required.
  • Bring an additional USB drive of at least 4GB.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.


  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Microsoft Office (any version) or OpenOffice installed on your host. Note that you can download Office Trial Software online (free for 30 days).
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact

Author Statement

"Digital Forensics sounds like a really cool and exciting specialist field of expertise, and whilst many people choose to build up their knowledge and experience over many years to become specialists, it is also very much applicable to everyone who uses a computer, or a smartphone, or owns a home assistant. The vast majority of jobs in the developed world now involve the use of some form of computer. It is tremendously beneficial for users to understand how their data is being stored on those systems, the fact that deleted files may be recoverable and steps they can take to improve their odds of successful recovery, as well as how to recognize and respond to any incidents they may encounter on their systems and understand when to call in the experts.

Whether you're interested in getting into the field of Digital Forensics, or you'd just like to understand more about the systems you use on a daily basis, without any prerequisite knowledge required, FOR308 will introduce you to data, how to find it, acquire it, preserve it and most importantly, how to understand it" - Kathryn Hedley

"I have been teaching digital forensics around the world for several years for the SANS Institute, and not a single class went by where I was not being asked questions by my students about areas that I considered essential digital forensic topics, such as how to structure an investigation, how core digital forensics processes work, how to write a digital forensics report, how to testify in court, the legal issues that impact on digital evidence, and so many more topics. These have not been topics we have traditionally covered within the SANS DFIR faculty. I realized that to develop fully rounded digital forensic practitioners we would need to cover these essential areas, to fill in the gaps, so to speak. This was also an opportunity to provide an introduction to digital forensics and digital evidence, not only people embarking on a digital forensics career, but to lawyers and investigators dealing with digital evidence, to managers managing digital forensics capacity in their organizations, and anyone interested in the field of digital forensics.

You can't build a house without a foundation, and this course provides that essential foundation for a career in digital forensics" - Jason Jordaan

"Digital forensics is a specialist skill that requires a solid understanding of the technical workings of devices, operating systems, file systems, and applications. Typically, these examinations are going to be one component within a greater overall investigation, which is where FOR308 comes in. At SANS we have trained some of the best and brightest for decades. Specifically, in digital forensics we teach students every day how to be amazing forensicators; how to understand the underlying data to process, parse, and present digital information for technical audiences. This class, however, will bring you right back to basics, because the fundamentals are key. The skills and processes taught in this course are applicable across the rest of the DFIR curriculum; whether you're managing a DFIR capability, getting into the field, or just need to understand how it all fits together. This class will set you up with the tools that you need to understand the processes and procedures involved from start to finish" - Phill Moore

"Kathryn and Phil are great instructors and the material was clearly presented. All this made an enjoyable experience for me." - FOR308 student


"FOR308 was valuable as it filled in many gaps in my experience and set a good foundation of the basics upon which I can build. I enjoyed the acquisition and validation section." - Carla Dawn, FOR308 student

"FOR308 is packed with technical information and covers aspects necessary for those taking their first steps in digital forensics as well as those who are thinking about leading teams in the field. An overall good balance of theory to practice, delivered in a very professional manner." - Wiktor Kardacki

"Gives a wonderful overview of the digital forensics field - ideal for beginners!" - Isabelle Rudolf, City Police Zurich
