Talk With an Expert
Major updates

FOR509: Enterprise Cloud Forensics and Incident Response

FOR509Digital Forensics and Incident Response
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course authored by:
David CowenPierre LidomeMegan Roddie-Fonseca
David Cowen, Pierre Lidome & Megan Roddie-Fonseca
FOR509: Enterprise Cloud Forensics and Incident Response
Course authored by:
David CowenPierre LidomeMegan Roddie-Fonseca
David Cowen, Pierre Lidome & Megan Roddie-Fonseca
  • GIAC Cloud Forensics Responder (GCFR)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 23 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Cloud forensics is evolving. FOR509 equips examiners to embrace new evidence sources in enterprise cloud environments instead of forcing outdated on-premise methods.

Course Overview

With FOR509: Enterprise Cloud Forensics and Incident Response, examiners will learn how each of the major cloud service providers (Microsoft Azure, Amazon AWS and Google Cloud) are extending analyst's capabilities with new evidence sources not available in traditional on-premise investigations. From cloud equivalents of network traffic monitoring to direct hypervisor interaction for evidence preservation, forensics is not dead. It is reborn with new technologies and capabilities.

2025 Course Update Summary

The updated FOR509 course now delivers significantly expanded multi-cloud DFIR coverage with in-depth focus on AWS, Azure, Google Cloud, Microsoft 365, Google Workspace, and Kubernetes. New hands-on labs, a multi-cloud intrusion capstone, and enhanced tooling prepare teams to counter advanced persistence techniques, cloud-native service abuse, and cross-platform privilege escalation across today's complex environments. For a detailed breakdown of what's new and how these updates can strengthen your team, download the flyer.

What You'll Learn

  • Understand forensic data only available in the cloud
  • Implement best practices in cloud logging for DFIR
  • Learn how to leverage Microsoft Azure, AWS and Google Cloud resources to gather evidence
  • Understand what logs Microsoft 365 and Google Workspace have available for analysts to review
  • Gain a high-level understanding of Kubernetes and its log sources in each cloud
  • Learn how to move your forensic processes to the cloud for faster data processing

Business Takeaways

  • Understand digital forensics and incident response as it applies to the cloud
  • Identify malicious activities within the cloud
  • Cost-effectively use cloud-native tools and services for DFIR
  • Ensure the business is adequately prepared to respond to cloud incidents
  • Decrease adversary dwell time in compromised cloud deployments

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in FOR509: Enterprise Cloud Forensics and Incident Response.

Section 1Microsoft 365 and Graph API

Before exploring the universe of cloud data, you must understand where and how it exists. This section introduces foundational cloud concepts like snapshots and cloud flows. You will understand what kind of logging and data access is provided by each cloud architecture and the various log hierarchy to guide your investigations.

Topics covered

  • Course Introduction and SOF-ELK
  • Key Elements of Cloud for DFIR
  • Microsoft 365 Unified Audit Log
  • Microsoft Graph API

Labs

  • Analyze and Visualize data in SOF-ELK
  • Suspicious Email
  • Data Theft
  • Entra ID – UAL View
  • Graph API Application Activity

Section 2Microsoft Azure

In this section, you will learn to navigate Azure's various activity and diagnostics logs to track resources, investigate compromised virtual machines, and detect data exfiltration. We will also cover how to deploy your own analysis tools directly into the cloud for more efficient investigations.

Topics covered

  • Understanding Azure
  • Log Sources for IR
  • Virtual Machines
  • Storage and Networking
  • Resources

Labs

  • Azure View
  • Resource Tracking
  • Virtual Machines and Snapshots
  • Detecting Data Exfiltration

Section 3Amazon Web Services (AWS)

This section explores how responders can leverage AWS for investigations, covering new and relevant log sources such as CloudTrail, VPC Flow logs, and S3 Access logs. In the labs, you will work through a realistic intrusion scenario that begins with the compromise of the AWS organization via a federated user account.

Topics covered

  • Understanding IR in AWS
  • Networking, VMs, and Storage
  • Virtual Networks
  • S3 Buckets
  • AWS Native Log Searching

Labs

  • Reviewing CloudTrails Logs
  • Finding Rogue VMs
  • VPC Flow Logs
  • S3 Analysis
  • Tracking Lateral Movement

Section 4Kubernetes and Google Workspace

This section provides a foundational understanding of Kubernetes, the open-source container orchestration platform used by all major cloud providers. The course explains the evolution from traditional hardware to container deployments and breaks down the core architectural components.

Topics covered

  • Kubernetes Overview and Logs
  • Common Kubernetes Attacks
  • Understanding Google Workspace
  • Accessing Google Workspace Evidence
  • Investigating Google Workspace

Labs

  • Kubernetes Log Analysis
  • Investigating a Compromised Container
  • Google Workspace Business Email Compromise
  • Google OAuth Abuse with Third-Party Apps
  • Google Workspace Data Exfiltration

Section 5Google Cloud

This section equips DFIR professionals with the essential skills to investigate incidents within Google Cloud, starting with its unique approach to Identity and Access Management (IAM). You will learn to navigate Google Cloud's hierarchical structure of organizations, folders, and projects.

Topics covered

  • Google Cloud Overview and IAM
  • Logging
  • Virtual Machines
  • Cloud Storage and Networking

Labs

  • Roles and Service Account Tracking
  • Virtual Machines and Snapshots
  • Storage Buckets and Data Exfiltration
  • Beacons, VPC Flows, and Firewall Logs

Section 6Multi-Cloud Intrusion Challenge

In this final capstone section, you will apply the knowledge gained throughout the week to a real-world challenge. Working in teams, you will investigate a complex intrusion that spans all three major cloud providers: AWS, Azure, and GCP.

Things You Need To Know

Relevant Job Roles

Cyber Incident Responder

European Cybersecurity Skills Framework

Monitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.

Explore learning path

Insider Threat Analysis

NICE: Protection and Defense

Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.

Explore learning path

Threat Detection & Response

Cloud Security

Monitor, test, detect, and investigate threats to cloud environments.

Explore learning path

Digital Forensics (OPM 212)

NICE: Protection and Defense

Responsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.

Explore learning path

Military Operations / Law Enforcement Agents

Digital Forensics and Incident Response

Execute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.

Explore learning path

Intrusion Detection/SOC Analysts

Digital Forensics and Incident Response

Analyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.

Explore learning path

Incident Response

SCyWF: Protection And Defense

This role investigates, analyzes and responds to cyber incidents. Find the SANS courses that map to the Incident Response SCyWF Work Role.

Explore learning path

Incident Response Team Member

Digital Forensics and Incident Response

This dynamic and fast-paced role involves identifying, mitigating, and eradicating attackers while their operations are still unfolding.

Explore learning path

Intrusion Detection / (SOC) Analyst

Cyber Defense

Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.

Explore learning path

Cybersecurity Analyst/Engineer

Cyber Defense

As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.

Explore learning path

Digital Evidence Analysis (OPM 211)

NICE: Investigation

Responsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.

Explore learning path

Course Schedule & Pricing

Looking for Group Purchase Options?Contact Us
Filter by:
  • Location & instructor

    Virtual (OnDemand)

    Instructed by
    Date & Time
    OnDemand (Anytime)Self-Paced, 4 months access
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Las Vegas, NV, US & Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Prague, CZ & Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Denver, CO, US & Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Riyadh, SA & Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,900 USD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Amsterdam, NL & Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,900 USD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Singapore, SG & Virtual (live)

    Instructed by
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,900 USD*Prices exclude applicable local taxes
    Registration Options
Showing 8 of 20

Benefits of Learning with SANS

Instructor teaching to a class

Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources