SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Digital Forensics and Incident Response (DFIR) is essential to understand how intrusions occur, uncover malicious behavior, explain exactly “what happened”, and restore integrity across digital environments. DFIR combines cybersecurity, threat hunting, and investigative techniques to identify, analyze, respond to, and proactively hunt cyber threats and criminal activity.
DFIR is about more than just cyberattacks—it’s about uncovering the truth behind any digital incident. Whether you’re responding to a ransomware breach, investigating insider abuse, analyzing digital evidence in criminal cases, or even performing proactive compromise assessments, SANS Digital Forensics and Incident Response training, designed by real-world practitioners, equips professionals with the technical skills and an investigative mindset to follow the evidence wherever it leads.
From intrusion response to deep-dive forensic analysis of systems, mobile devices, cloud, and memory, our curriculum balances the needs of both security operations and criminal investigations.
Master evidence collection, timeline analysis, and media exploitation by extracting and analyzing hidden artifacts, reconstructing user activity, and uncovering critical evidence in investigations.
Develop proactive techniques to uncover hidden threats, analyze ransomware tactics, and utilize intelligence to anticipate and counter cyber threats.
Examine malicious code, analyze volatile memory, and investigate cybercriminal activity to understand attacker techniques and enhance detection.
SANS DFIR offers the ultimate in quality instruction and thoughtful curriculum development. I learned so much this week and can't wait to review and apply what I learned. I hope all my coworkers will get a chance to experience this quality of training.
Steve has transformed global cybersecurity by leading complex digital crime investigations for the FBI and DoD, and by training national cyber units in over 60 countries. His work has set the global standard for incident response and threat hunting.
Heather has 20+ years of experience working with government agencies, defense contractors, law enforcement, and Fortune 500 companies. Her case experience ranges from fraud, crimes against children, counter-terrorism, and homicide investigations.
For Ovie Carroll, digital forensics is all about the hunt for evidence in digital places that are hiding critical clues, followed by deep analysis to prove something that the evidence was never intended to prove.
David brings 25+ years in cybersecurity, shifting from pen testing to DFIR in 1999. He’s VP at Charles River Associates, a SANS instructor and course author, and Red Team Captain for the National Collegiate Cyber Defense Competition.
Sarah Edwards is a pioneering force in Apple forensics, having revolutionized the field through the creation of APOLLO—an open-source tool that deciphers macOS and iOS pattern-of-life data.
Phil Hagen shaped network forensics with SOF-ELK® and SANS FOR572, setting standards in large-scale log analysis and response. His role in exposing a global fraud ring behind hundreds of millions in losses defines his lasting impact on cybersecurity.
In this session, we take a DFIRerent approach to CMS security. Instead of starting with theory, we’ll walk through real-life breach cases which we responded to (WordPress in both cases), where attackers successfully compromised the sites, achieved their actions on objectives, and left system administrators and defenders playing catch-up.
In Digital Forensics, Incident Response, and other Cyber Security topics, we're frequently tasked with consuming HUGE amounts of data and finding the "interesting" parts quickly. We've had great tools to do this for decades. But those tools were optimized for old computing hardware. Modern setups have multiple CPU cores and flash storage. This talk will present some techniques to speed up those old tools by fully utilizing modern hardware.
This talk will highlight pitfalls of incorporating artificial intelligence into analytical workflows, explore areas where it may add value, and aim to provide a somewhat-sceptical, somewhat-optimistic outlook on where CTI may go in the age of AI.
Eric shares the power of open-source development, how community collaboration drives innovation, and the value of creating tools that help defenders stay ahead.
Modern smartphones collect an extensive array of data that offers insights into a user's daily behavior, often without them being fully aware of it. This presentation will delve into how digital forensics can analyze such data to reconstruct an individual's actions, routines, and habits.
The SANS 2025 Detection and Response Survey webcast will delve into the current state of cybersecurity operations, questioning whether the heavy emphasis on endpoint detection is creating new blind spots.
Identity has become the new battleground. From SaaS to cloud to legacy Active Directory, it is now the central control point—and attackers know it.
Join us at DFIRCON for expert DFIR training, open-source tool workshops, and meaningful connections with your community.