Training
Featured CourseView All Courses
Get a free hour of SANS training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training
Can't find what you are looking for?

Let us help.

Contact us
Community Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

AI Risk & Readiness

Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely.

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk With an Expert
Talk With an Expert

FOR509: Enterprise Cloud Forensics and Incident Response

FOR509Digital Forensics and Incident Response
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course authored by:
David CowenJosh LemonPierre LidomeMegan Roddie-Fonseca
David Cowen, Josh Lemon, Pierre Lidome & Megan Roddie-Fonseca
Register NowCourse Preview
FOR509: Enterprise Cloud Forensics and Incident Response
Course authored by:
David CowenJosh LemonPierre LidomeMegan Roddie-Fonseca
David Cowen, Josh Lemon, Pierre Lidome & Megan Roddie-Fonseca
Register NowCourse Preview
  • GIAC Cloud Forensics Responder (GCFR)

    Learn about certification

  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 20 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Jump to:

Learn how to uncover new evidence sources that only exist in the cloud. Expand your ability to perform enterprise cloud forensics and incident response.

Featured Quote

FOR509 was absolutely awesome! The depth of knowledge is unparalleled. I see this becoming a very popular class in the future.
Terrie MyerchinAT&T

Course Overview

The world is changing and so is the data we need to conduct our investigations. Cloud platforms change how data is stored and accessed. They remove the examiner's ability to directly access systems and use classical data extraction methods. Unfortunately, many examiners are still trying to force old methods for on-premises examination onto cloud-hosted platforms. Rather than resisting change, examiners must learn to embrace the new opportunities presented to them in the form of new evidence sources. FOR509: Enterprise Cloud Forensics and Incident Response addresses today's need to bring examiners up to speed with the rapidly changing world of enterprise cloud environments by uncovering the new evidence sources that only exist in the cloud.

What You’ll Learn

  • Master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where it is located
  • Identify and utilize new data only available from cloud environments
  • Utilize cloud-native tools to capture and extract traditional host evidence
  • Quickly parse and filter large data sets using scalable technologies such as the Elastic Stack
  • Understand what data is available in various cloud environments

Business Takeaways

  • Understand digital forensics and incident response as it applies to the cloud
  • Identify malicious activities within the cloud
  • Cost-effectively use cloud-native tools and services for DFIR
  • Ensure the business is adequately prepared to respond to cloud incidents
  • Decrease adversary dwell time in compromised cloud deployments

Meet Your Authors

  • Slide 1 of 4
    David Cowen
    David Cowen

    David Cowen

    Certified Instructor

    From tracking a data breach across five countries and 1,000 systems to pioneering file system journaling forensics, David has been relentlessly advancing DFIR through research, tools, public speaking, and frontline incident response since 1999.

    Read more about David Cowen
  • Slide 2 of 4
    Josh Lemon
    Josh Lemon

    Josh Lemon

    Principal Instructor

    Josh leads global MDR at Uptycs, defending major international brands, while also serving as an independent DFIR expert advising legal, government, and commercial clients in Australia.

    Read more about Josh Lemon
  • Slide 3 of 4
    Pierre Lidome
    Pierre Lidome

    Pierre Lidome

    Certified Instructor

    Pierre Lidome is a cyber threat hunter with over 25 years of experience in network engineering, security services, and DFIR, including cases involving insider threats and nation-state actors.

    Read more about Pierre Lidome
  • Slide 4 of 4
    Megan Roddie-Fonseca
    Megan Roddie-Fonseca

    Megan Roddie-Fonseca

    Certified Instructor Candidate

    Megan is a Senior Security Engineer at IBM and SANS course author, combining her expertise in digital forensics with a fierce competitive edge as a Muay Thai fighter with 7 sanctioned bouts.

    Read more about Megan Roddie-Fonseca
Slide 1 of 0

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in FOR509: Enterprise Cloud Forensics and Incident Response.

Section 1Microsoft 365 and Graph API

Before you can begin exploring the universe of cloud data, you must learn where and how it exists. In this section, you will explore common cloud concepts such as snapshots and cloud flows. You will understand what kind of logging and data access is provided by each cloud architecture and how to extract and process this data.

Topics covered

  • SOF-ELK
  • Key Elements of Cloud for DFIR
  • Microsoft 365 Unified Audit Log
  • Microsoft Graph API

Labs

  • Visualize Data in SOF-ELK
  • Suspicious Email
  • Extortion
  • Privilege Escalation with Graph API

Section 2Microsoft Azure

One of the most popular cloud providers for large enterprises is Microsoft Azure. Azure offers an impressive array of services and with that comes numerous data sources for us to explore. In this section, we will learn about the various Azure activity and diagnostics logs. Finally, we will find out how to deploy our own analysis tools in the cloud.

Topics covered

  • Understanding Azure
  • VMs, Networking, and Storage
  • Log Sources for IR
  • Virtual Machine Logs
  • In-cloud IR

Labs

  • Using SOF-ELK with Azure Logs
  • AAD Password Spray
  • Tracking Resource Creations
  • Detecting Data Exfiltration

Section 3Amazon (AWS)

Now it's time to turn to the market leader in cloud services. In this section we will explore how AWS can be used for the responder, how to deploy your own analysis system into your region, the new and relevant log sources for your investigation and how to bring it all together in lab scenarios designed to help you quickly solve the most common AWS cases.

Topics covered

  • Understanding IR in AWS
  • Networking, VMs, and Storage
  • Log Sources for IR
  • Event Drive Response
  • In-cloud IR

Labs

  • Reviewing CloudTrails Logs
  • Finding Rogue VMs
  • VPC Flow Logs and Route 53 Logs
  • S3 Analysis
  • Tracking Lateral Movement

Section 4Google Workspace

This section will start with a high-level overview of Kubernetes and the logs available in each of the cloud providers. As one of the first SaaS solutions for organizations dating back to 2006, Google Workspace has a wide array of evidence artifacts for investigators to use when conducting incident response or internal investigations.

Topics covered

  • Kubernetes Forensics and IR
  • Understanding Google Workspace
  • Google Workspace Evidence
  • ATT&CKing Workspace

Labs

  • Kubernetes Log Analysis
  • Google Workspace Admin BEC
  • OAuth Abuse with Third-Party Apps
  • Google Workspace Data Exposure
  • Collecting Workspace Logs in GCP via CLI

Section 5Google Cloud

Google Cloud fundamentally changes how identity access management is treated compared to AWS and Azure. Using a combination of the GCP platform, its built-in auditing, agent-based logging, and external log analysis tools like ELK, this section will teach DFIR professionals with limited knowledge of GCP how to conduct investigations into common attacks.

Topics covered

  • Understanding Google Cloud
  • Log Sources, Collection, & Log Routing
  • VM & Storage Investigations
  • Google Cloud Network Forensics

Labs

  • Google Cloud IAM and Access Tracking
  • Collecting Logs in Google Cloud via CLI
  • Google VM and Ops Agent Log Analysis
  • Storage Abuse and Exfil
  • Google Cloud: Network Forensics

Section 6Multi-Cloud Intrusion Challenge

In the final section, students will form teams to solve an intrusion that spans all three major cloud providers. Students will need to refer to all their new knowledge for the week and divide and conquer the evidence to find out how the intrusion occurred. Multiple interconnected cloud systems will be examined as students work to determine what happened.

Things You Need To Know

Relevant Job Roles

Cyber Incident Responder

European Cybersecurity Skills Framework

Monitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.

Explore learning path

Insider Threat Analysis

NICE: Protection and Defense

Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.

Explore learning path

Threat Detection & Response

Cloud Security

Monitor, test, detect, and investigate threats to cloud environments.

Explore learning path

Digital Forensics (OPM 212)

NICE: Protection and Defense

Responsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.

Explore learning path

Military Operations / Law Enforcement Agents

Digital Forensics and Incident Response

Execute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.

Explore learning path

Intrusion Detection/SOC Analysts

Digital Forensics and Incident Response

Analyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.

Explore learning path

Incident Response Team Member

Digital Forensics and Incident Response

This dynamic and fast-paced role involves identifying, mitigating, and eradicating attackers while their operations are still unfolding.

Explore learning path

Intrusion Detection / (SOC) Analyst

Cyber Defense

Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.

Explore learning path

Cybersecurity Analyst/Engineer

Cyber Defense

As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.

Explore learning path

Digital Evidence Analysis (OPM 211)

NICE: Investigation

Responsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.

Explore learning path

Course Schedule & Pricing

Looking for Group Purchase Options?Contact Us

GIAC Certification Attempt

Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.

OnDemand Course Access

When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.

Filter by:
  • Location & instructor

    Virtual (OnDemand)

    Instructed by David Cowen
    Date & Time
    OnDemand (Anytime)Self-Paced, 4 months access
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
    Self-Paced
  • Location & instructor

    Las Vegas, NV, US & Virtual (live)

    Instructed by Terrence Williams
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Prague, CZ & Virtual (live)

    Instructed by Megan Roddie-Fonseca
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Denver, CO, US & Virtual (live)

    Instructed by Terrence Williams
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Riyadh, SA & Virtual (live)

    Instructed by David Szili
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,900 USD*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Amsterdam, NL & Virtual (live)

    Instructed by David Szili
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Virtual (live)

    Instructed by Joshua Lemon
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,900 USD*Prices exclude applicable local taxes
    Registration Options
    Virtual
  • Location & instructor

    Singapore, SG & Virtual (live)

    Instructed by Joshua Lemon
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,900 USD*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
Showing 8 of 20

Learn Alongside Leading Cybersecurity Professionals From Around The World

  • Slide 1 of 3
    FOR509 is very much needed in the industry as there is very little training out there for Cloud DFIR. So the fact that this course exists and is huge.
    Chester Le Bron Jr.Northwestern Mutual
  • Slide 2 of 3
    Thanks a lot for FOR509 course. I believe this course provides a great way to get a really compressed introduction into the different cloud service providers and what is forensically possible there.
    Marc StroebelHvS-Consulting AG
  • Slide 3 of 3
    I love SANS - the training you all provide is world class! I hope that I am able to earn another certification and attend again next year!
    Menthorn WilliamsProtective Life Insurance Company
Slide 1 of 0

Benefits of Learning with SANS

Instructor teaching to a class

Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources