SEC504: Hacker Tools, Techniques, and Incident Handling

Hundreds of SANS Institute digital forensics students have mastered the concepts and skills, beaten out their classmates, and proven their prowess. These are the elite, the recipients of the SANS Lethal Forensicator Coins, awards given to a select few among the thousands of students who have taken any SANS DFIR courses.
Lethal Forensicator Coins are awarded to individuals who demonstrate exceptional skill, make significant contributions to the field, or show leadership in the digital forensics community. These coins are not easily earned - they're a challenge to win and a true honor to receive. Their rarity is intentional, reflecting the high standards they represent.
Coin Challenges take place on the final day of select SANS courses. To earn one, students must prove their proficiency by overcoming a series of timed, hands-on scenarios. These challenges involve direct competition with peers and are designed by top SANS instructors - industry veterans who are practitioners, educators, and leaders in digital forensics.
At the end of the challenge, the instructor announces the winner(s) and presents the coin in recognition of their achievement.
Lethal Forensicator Coin holders are highly capable incident responders and investigators. In many cases, they are the frontline defense during cyber incidents or complex investigations. These professionals not only stay ahead by expanding their own expertise - they actively support the broader DFIR community. They share knowledge, encourage learning, and lead by example.
Simply put, earning a coin means more than passing a challenge - it signifies excellence in the field.
Already been awarded a coin in the Digital Forensics & Incident Response Curriculum? Find your name on our list of winners.
Each DFIR Coin represents mastery of a different topic and reflects a unique skill set tied to its associated course, making these coins rare, respected, and highly sought after within the DFIR community.
"Consector Scientia Intro Strepitus:" Seek Knowledge in the Noise. The holders of this coin have mastered how to seek the data in the noise and arm themselves with the knowledge to win in the battlefield of forensics.
"Ex Umbra in Solem:" From the Shadows into the Light. The holders of this coin have mastered knowledge of Microsoft Windows operating systems and how to mine the mountain of evidence within.
"Non Potestis Celare:" You Cannot Hide. The holders of this coin include incident response masters that have learned the tools and techniques to evolve rapidly to defeat the ever-changing threats.
"Inveniere nubes in tempestate:" Find the storm in the cloud. The holders of this coin understand the rapidly changing world of enterprise cloud environments and have mastered the challenges of uncovering the new evidence sources that only exist in the Cloud.
"Impera Magis. Aliter cogita:" Command More and Think Differently. The analysts who hold this coin take command of their forensic analysis and appreciate looking at the raw data and interpreting it correctly without the necessity of superfluous tools.
"Venator Repetundarum:" Extortion Hunter. Holders of this coin master the detection methods for each phase of the ransomware attack lifecycle. They have shown the proficiency to prepare for, detect, hunt, respond to, and deal with the aftermath of ransomware.
"Malum Loquitur, Bonum Auscultat:" Evil Must Talk, So Good Must Listen. Holders of this coin are hunters with great vision who can find a target amidst a mass of camouflaging data. No matter how crafty adversaries may be, these hunters can identify, find, and ultimately eliminate their presence.
"Hominem Unius Libri Timeo:" I Fear the Man of One Book. The holders of this coin have achieved the tactical, operational, and strategic level of cyber threat intelligence skills required to perform proactive threat hunting in an evolving threat landscape.
"Omnis Tactus Vestigium Relinquit:" Every Contact Leaves a Trace. There are traces of evidence hiding on smartphone devices, and the holders of this coin know how to find them.
"Lucem Ex Tenebris:" Light from Darkness. The holders of this coin have mastered the craft of extracting actionable intelligence from the cybercrime ecosystem, profiling criminal adversaries, and tracing cryptocurrencies.
Challenges Abound - Knowledge to Overcome. The holders of this coin have mastered how to overcome challenges in a wide range of platforms and operating systems found in modern enterprise networks complex cases.
"R.E.M.:" Reverse-Engineering Master. R.E.M. professionals holding this coin can isolate the most appropriate Indicators of Compromise to identify and stop malware.
Dive Deeper! Deobfuscate, Automate, Correlate. The malware specialists who hold this coin have mastered the process to dissect sophisticated Windows executables and have shown proficiency in tackling real-world reverse engineering scenarios.
Each Lethal Forensicator Challenge Coin features the same back design, which shows digital forensicators fighting evil in their superhero form.
Staying up to date on the latest challenges in the digital forensics field demands analytical skills that cannot be gained by just reading a textbook. Just like firefighters could never learn the skills to combat a fire by just studying theory, incident responders, threat hunters, and digital forensic investigators must test their skills in action, as they do with DFIR NetWars.
The original DFIR Lethal Forensicator coin has been retired with the release of the class-specific coins listed above. However, the holders of this coin are still as worthy of respect for their accomplishments. If you encounter a holder of this coin in the field, you've found an original.
History of the SANS Challenge Coins
SANS Challenge Coins were initially created to recognize students who demonstrate exceptional talent, make outstanding contributions, or serve as leaders in the digital forensics profession and community. The coin is meant to be an honor, and it is intended to be rare. The SANS Institute uses the coins to identify and honor those who excel at detecting and eradicating threats, understand the critical importance of cybersecurity, and continually strive to further not only their own knowledge but also that of the entire digital forensics field. They proactively share their experience and encourage learning through participation in the community, and they are typically leaders in the digital forensics and incident response community.
The term "forensicator" was coined by BJ Lachner and popularized when it was used in the legendary "Forensicator Pro" Cyberspeak Podcast on 1 April 2007 with SANS instructor Ovie Carroll and Brett Padres. In that tongue-in-cheek podcast, Ovie and Brett described a tool called "Forensicator Pro" that would put forensic analysts out of business and was "viewed by many in the community as the end of human involvement in computer forensics examinations." As Brett described it: "Basically you press a button, you point it at an image, and the tool outputs a full forensic examination and report that is perfect." The episode was released as an April Fools' Day joke about what many in the field call "Nintendo Forensics," which relies too much on automated examinations versus traditional analysis, resulting in poor reports. But to this day, Brett and Ovie still receive emails asking where "Forensicator Pro" can be purchased and downloaded!
The term "forensicator" stuck and today is used by many computer forensics and incident response firms to describe individuals who essentially perform the same type of work as the mythical "Forensicator Pro" would have done. The forensicator label has grown in popularity among digital forensic professionals in the workplace, at conferences, and while sharing a cold one with a friend. Here are a few examples:
Initiated by one coin holder to another, a coin check typically begins by a challenger holding his or her coin in the air or slamming it on a table and yelling "coin check!" All who are challenged must respond by showing their coins to the challenger within 10 seconds, and whoever fails to do so must buy everyone a round of drinks. If all the challenged coin holders produce their coin, the challenger must buy the round of drinks. (By the way, if you accidentally drop your coin and it makes an audible sound on impact, then you've "accidentally" initiated a coin check. And there are no exceptions to the rules!)