Digital Forensics, Incident Response & Threat Hunting Training

Digital Forensics and Incident Response (DFIR) is essential to understand how intrusions occur, uncover malicious behavior, explain exactly “what happened”, and restore integrity across digital environments. DFIR combines cybersecurity, threat hunting, and investigative techniques to identify, analyze, respond to, and proactively hunt cyber threats and criminal activity.

Jump to:

Related Courses
Instructors
Featured Content
FAQs

Investigate, Analyze, Respond, and Hunt Proactively, with Confidence

DFIR is about more than just cyberattacks—it’s about uncovering the truth behind any digital incident. Whether you’re responding to a ransomware breach, investigating insider abuse, analyzing digital evidence in criminal cases, or even performing proactive compromise assessments, SANS DFIR training, designed by real-world practitioners, equips professionals with the technical skills and an investigative mindset to follow the evidence wherever it leads.

From intrusion response to deep-dive forensic analysis of systems, mobile devices, cloud, and memory, our curriculum balances the needs of both security operations and criminal investigations.

What You'll Learn

Digital Forensics

Master evidence collection, timeline analysis, and media exploitation by extracting and analyzing hidden artifacts, reconstructing user activity, and uncovering critical evidence in investigations.

Threat Hunting, Ransomware & Threat Intelligence

Develop proactive techniques to uncover hidden threats, analyze ransomware tactics, and utilize intelligence to anticipate and counter cyber threats.

Malware Analysis, Memory Forensics & Underground Investigations

Examine malicious code, analyze volatile memory, and investigate cybercriminal activity to understand attacker techniques and enhance detection.

SANS DFIR offers the ultimate in quality instruction and thoughtful curriculum development. I learned so much this week and can't wait to review and apply what I learned. I hope all my coworkers will get a chance to experience this quality of training.
Gabrielle S.U.S. Federal Agency

Meet Your Experts

Heather Barnhart

Senior Director of Community Engagement

Heather has 20+ years of experience working with government agencies, defense contractors, law enforcement, and Fortune 500 companies. Her case experience ranges from fraud, crimes against children, counter-terrorism, and homicide investigations.

Learn more

Ovie Carroll

Director

For Ovie Carroll, digital forensics is all about the hunt for evidence in digital places that are hiding critical clues, followed by deep analysis to prove something that the evidence was never intended to prove.

Learn more

David Cowen

Vice President

From tracking a data breach across five countries and 1,000 systems to pioneering file system journaling forensics, David has been relentlessly advancing DFIR through research, tools, public speaking, and frontline incident response since 1999.

Learn more

Sarah Edwards

Head Of DFIR

Sarah Edwards is a pioneering force in Apple forensics, having revolutionized the field through the creation of APOLLO—an open-source tool that deciphers macOS and iOS pattern-of-life data.

Learn more

Phil Hagen

Principal Information Security Researcher

Phil Hagen shaped network forensics with SOF-ELK® and SANS FOR572, setting standards in large-scale log analysis and response. His role in exposing a global fraud ring behind hundreds of millions in losses defines his lasting impact on cybersecurity.

Learn more

Robert M. Lee

CEO

A former U.S. Air Force cyber warfare officer, Robert led the NSA’s first mission targeting threats to industrial infrastructure. Now at Dragos, he spearheads global defense of critical systems, shaping national policy and industry threat response.

Learn more