
Cyber Defense Initiative® 2012

Washington, DC | Fri, Dec 7 - Sun, Dec 16, 2012

FOR508: Advanced Computer Forensic Analysis and Incident Response

Sun, December 9 - Fri, December 14, 2012

Cutting edge expertise taught by world class experts.

Joseph Murray, Deloitte

This is the real deal where real-world attacks are broken down with tools you can use come Monday.

Tim Wesley, Hillebrand, Inc.


This course focuses on providing incident responders with the necessary skills to hunt down and counter a wide range of threats within enterprise networks, including economic espionage, hacktivism, and financial crime syndicates. The completely updated FOR508 addresses today's incidents by providing real-life, hands-on response tactics. Don't miss the NEW FOR508!


DAY 0: A 3-letter government agency contacts you to say that critical information was stolen from a targeted attack on your organization. Don't ask how they know, but they tell you that there are several breached systems within your enterprise. You are compromised by an Advanced Persistent Threat, aka an APT - the most sophisticated threat you are likely to face in your efforts to defend your systems and data.

Over 90% of all breach victims learn of a compromise from third-party notification, not from internal security teams. In most cases, adversaries have been rummaging through your network undetected for months or even years. Gather your team - it's time to go hunting.

FOR508: Advanced Computer Forensic Analysis and Incident Response will help you determine:

  1. How did the breach occur?
  2. What systems were compromised?
  3. What did they take? What did they change?
  4. How do we remediate the incident?

The updated FOR508 trains digital forensic analysts and incident response teams to identify, contain, and remediate sophisticated threats - including APT groups and financial crime syndicates. A hands-on lab - developed from a real-world targeted attack on an enterprise network - leads you through the challenges and solutions. You will identify where the initial targeted attack occurred and which systems an APT group compromised. The course will prepare you to find out which data was stolen and by whom, contain the threat, and provide your organization the capabilities to manage and counter the attack.

During a targeted attack, an organization needs the best incident responders and forensic analysts in the field. FOR508 will train you and your team to be ready to do this work.


Course Will Prepare You To:

  • Detect unknown live, dormant, and custom malware in memory across multiple Windows systems in an enterprise environment
  • Find malware beaconing outbound to its command and control (C2) channel via memory forensics, registry analysis, and network connection residue
  • Identify how the breach occurred by identifying the beachhead and spear phishing attack mechanisms
  • Target anti-forensics techniques like hidden and time-stomped malware, along with utility-ware that the attackers use to move in your network and maintain their presence
  • Use memory analysis and forensic tools in the SIFT Workstation to detect hidden processes, malware, attacker command-lines, rootkits, network connections, and more
  • Track user and attacker activity second by second on the system you are analyzing through in-depth timeline and super-timeline analysis
  • Recover data cleared using anti-forensic techniques via Volume Shadow Copy and Restore Point analysis
  • Learn how filesystems work and discover powerful forensic artifacts like NTFS $I30 indexes, journal parsing, and detailed Master File Table analysis
  • Identify lateral movement and pivots within your enterprise and show how attackers transition from system to system without being detected
  • Understand how the attacker can acquire legitimate credentials, including domain administrator rights in a locked down environment
  • Track data movement as the attackers collect critical data and shift it to exfiltration systems
  • Recover and analyze rar archive files used by APT-like attackers to exfiltrate sensitive data from the enterprise network

Course Topics

  • Advanced Use of the SIFT Workstation in Incident Response and Digital Forensics
  • Responding to an APT group, Organized Crime Hackers, and Hacktivists
  • Incident Response and Intrusion Forensics Methodology
  • Threat and Security Intelligence
  • Remote and Enterprise IR System Analysis
  • Windows Live Incident Response
  • Memory Analysis
  • Timeline Analysis
  • System Restore Points and Volume Shadow Copy Exploitation
  • File System Analysis
  • In-depth Windows NTFS File System Examination
  • Advanced File Recovery and Data Carving
  • Recovering Key Windows Files
  • Discovering Unknown Malware on a System
  • Adversary Threat Intelligence Development, Indicators of Compromise, and Usage
  • Step-by-Step Methodologies to Respond to and Investigate Intrusion Cases


Course Syllabus

Chad Tilbury
Sun Dec 9th, 2012
9:00 AM - 5:00 PM


Incident responders should be armed with the latest tools, memory analysis techniques, and enterprise scanning methodologies in order to identify, track and contain advanced adversaries, and remediate incidents. Incident response and forensic analysts must be able to scale their examinations from the traditional one analyst per system toward one analyst per 1,000 or more systems. Enterprise scanning techniques are now a requirement to track targeted attacks by an APT group or crime syndicate groups which propagate through thousands of systems. This is simply something that cannot be accomplished using the standard "pull the hard drive" forensic examination methodology. Such an approach will in fact alert the adversary that you are aware and may allow them to quickly exfiltrate sensitive information. In this section, the six-step incident response methodology is examined as it applies to response in an enterprise during a targeted attack. We will show how important development of security intelligence is in affecting the adversary's "kill chain." We will also demonstrate live response techniques and tactics that can be applied on a single system and across the entire enterprise.

CPE/CMU Credits: 6


SIFT Workstation Overview

  • Layout and Configuration
  • Programs Installed
  • Core Tools Used

Incident Response Methodology

  • Preparation - key tools, techniques, and procedures each IR team needs to properly respond to intrusions
  • Identification - properly scoping an incident and detecting all compromised systems in the enterprise
  • Containment - identify exactly how the breach occurred and what was taken
  • Eradication - determine key steps that must be taken to help stop the current incident
  • Recovery - helps identify threat intelligence to be used to see if the same adversary returns to the enterprise
  • Lessons Learned

Threat and Adversary Intelligence

  • Understanding the "Kill Chain"
  • Threat Intelligence Creation and Use During IR
  • IR Team Life Cycle Overview
  • Deep Dive IR/Forensics - All Activity Across A Specific System
  • Enterprise IR/Forensics - Specific Activity Across All Systems

Intrusion Digital Forensics Methodology

  • Volatile Evidence
  • Order of Volatility
  • Forensic Methodology/Incident Response Process Flow
  • Timelines - tracking the hackers step-by-step
  • Media and Artifact Analysis
  • Recover Data

Remote and Enterprise IR System Analysis

  • Logical and Physical System Mounting
  • Remote System Access In The Enterprise
  • Remote System Host-Based Analysis
  • Scalable Host-Based Analysis (1 analyst examining 1,000 systems)
  • Remote Memory Analysis

Windows Live Incident Response

  • Live Incident Response Kit and Tools
  • Volatile Data Collection
  • Comparison of Key Data Collected Via Live Collection, Static Drive, and Memory Analysis Techniques
  • Auto-Start Malware Persistence Checks
  • Trusted Windows Command Shells
  • Finding Evil: Automating Collection Across Enterprise
  • Remote Command Shell Usage - PsExec
  • Incident Response using WMIC
  • Live Response with Triage-IR and FGET
  • Remote Command Prompts

Chad Tilbury
Mon Dec 10th, 2012
9:00 AM - 5:00 PM


Critical to many IR teams detecting advanced threats in the organization, memory forensics has come a long way in just a few years. It can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware used by an APT group of attackers. While traditionally solely the domain of Windows internals experts, recent tools now make memory analysis feasible for anyone. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. This section will introduce some of the newest free tools available and give you a solid foundation in adding core and advanced memory forensic skills to your incident response and forensics armory.

CPE/CMU Credits: 6


Memory Acquisition

  • Acquisition of System Memory for both Windows 32/64 bit systems
  • Hibernation and Pagefile Memory Extraction and Conversions
  • Virtual Machine Memory Acquisition

Memory Forensics Analysis Process

  • Identify Rogue Processes
  • Analyze process DLLs and Handles
  • Review Network Artifacts
  • Look for Evidence of Code Injection
  • Check for Signs of a Rootkit
  • Acquire Suspicious Processes and Drivers

Memory Forensics Examinations

  • Live Memory Forensics
  • Memory Analysis Techniques with Redline
  • Advanced Memory Analysis with Volatility
  • Registry Examinations via Memory
  • Memory Timelining
  • Memory Event Log Parsing

Chad Tilbury
Tue Dec 11th, 2012
9:00 AM - 5:00 PM


Timeline Analysis will change the way you approach digital forensics and incident response... forever.

Learn advanced analysis techniques uncovered via timeline analysis directly from the developers that pioneered timeline analysis tradecraft. Temporal data is located everywhere on a computer system. Filesystem modified/access/creation/change times, log files, network data, registry data, and internet history files all contain time data that can be correlated into critical analysis to successfully solve cases. Pioneered by Rob Lee in 2001, timeline analysis has become a critical investigative technique to solve complex cases. New timeline analysis frameworks provide the means to conduct simultaneous examinations of a multitude of time-based artifacts. Analysis that once took days now takes minutes. This section will step you through the two primary methods of creating and analyzing timelines created during advanced incidents and forensic cases. Exercises will not only show each analyst how to create a timeline, but introduce key methods to use them effectively in your cases.

CPE/CMU Credits: 6


Timeline Analysis Overview

  • Timeline Benefits
  • Prerequisite Knowledge
  • Finding The Pivot Point
  • Timeline Context Clues
  • Timeline Analysis Process

Filesystem Timeline Creation and Analysis

  • MACB Meaning by File System (NTFS vs. FAT)
  • Windows Time Rules (File Copy vs. File Move)
  • Filesystem Timeline Creation using Sleuthkit and fls
  • Bodyfile Analysis and Filtering using the mactime tool

Super Timeline Creation and Analysis

  • Super Timeline Artifact Rules
  • Program Execution, File Knowledge, File Opening, File Deletion
  • Timeline Creation with log2timeline
  • log2timeline input modules
  • log2timeline output modules
  • Filtering the Super Timeline using l2t_process
  • Targeted Super Timeline Creation
  • Automated Super Timeline Creation
  • Super Timeline Analysis

Chad Tilbury
Wed Dec 12th, 2012
9:00 AM - 5:00 PM


A major criticism of digital forensic professionals is that many tools simply require a few mouse clicks to have the tool automatically recover data as evidence. This "push button" mentality has led to many inaccurate case results in the past few years including high profile cases such as the Casey Anthony murder trial. You will stop being reliant on "push button" forensic techniques as we cover how the engines of digital forensic tools really work. To understand how to carve out data, it is best to understand how to do it by hand and then show how automated tools should be able to recover the same data. You will learn how to perform string searches looking for specific residue from a file and learn multiple ways to recover the file data across the layers of the filesystem. If a file or registry key has been wiped or deleted, this section shows how to use Windows historical artifacts to still recover key pieces of the data that no longer exist on the system. This knowledge will allow you to see beyond most anti-forensic techniques allowing you to gain the advantage while responding to breaches in your organization where an adversary is actively attempting to hide from you.

CPE/CMU Credits: 6


Windows XP Restore Point Analysis

  • XP Restore Point Analysis
  • Restore Point Historical Registry Analysis

Vista, Windows 7, Server 2008 Shadow Volume Copy Analysis

  • Shadow Copy Data Analysis
  • Acquiring Shadow Copy Volume Image
  • Raw and Live Shadow Copy Examination using the SIFT Workstation
  • Creating and Analyzing Shadow Volume Timelines

Deep Dive Forensics Analysis

  • Filesystem Based Analysis

    • Allocated, Unallocated, and Slack Space
    • Metadata Layer Fundamentals
    • File Name Layer Fundamentals

  • Sleuthkit Toolset
  • Partition / Volume Analysis

    • Extract Key Data From File System Partition
    • Determine Cluster/Block Size

  • Data Layer Analysis
  • Stream-Based Data Carving

    • Detecting Email, Credit Card Numbers, Phone Numbers
    • Detecting AES Encryption Keys, Search Items
    • Detecting Network Information (TCP, IP, MAC, Domain Names)
    • Histogram Analysis

  • File-Based Data Carving

    • Extract Unallocated and Slack Space
    • Determine Location of Data
    • File Carving Using File Headers/Footers
    • Carving key files from a compromised system (malware, rar files, prefetch files, and shortcut files)

  • NTFS Filesystem Analysis
    • Master File Table (MFT)
    • NTFS System Files
    • NTFS Metadata Attributes ($Standard_Information, $Filename, $Data)
    • Rules of Windows Timestamps for $STDINFO and $Filename
    • NTFS Timestamps
    • Resident vs. Nonresident files
    • Alternate Data Streams
    • Directory Listings and the $I30 file
    • Transaction Logging and the $Logfile and $UsnJrnl
    • What happens when data is deleted from an NTFS file system?

  • FAT/exFAT Filesystem Overview

Chad Tilbury
Thu Dec 13th, 2012
9:00 AM - 5:00 PM



The adversaries are good, we must be better.

Over the years, we have observed that many incident responders have a challenging time finding malware without effective indicators of compromise (IOCs) or threat intelligence gathered prior to a breach. This is especially true in APT group intrusions.

This advanced session will demonstrate techniques used by first responders to discover malware or forensic artifacts when very little information exists about their capabilities or hidden locations. We will discuss techniques to help funnel possibilities down to the candidates most likely to be evil malware trying to hide on the system.

The section concludes with a step-by-step approach on how to handle some of the most difficult types of investigations. You will learn the best ways to approach intrusion and spear phishing attacks. You will understand locations you can examine to determine if file wiping occurred. You will discover techniques to prove that privacy clearing software was utilized. Regardless of the actions hackers might take, they will always leave something that can be traced. This discussion will solidify your new skills into a working attack plan to solve these difficult cases.


Legal issues, especially liability, remain foremost in the minds of an incident handler or forensic investigator. Therefore, this section has more discussion than any other we offer. Learn to investigate incidents while minimizing the risk for legal trouble. This course is designed not for management, but for the Digital Forensic and Incident Response team leaders in charge of an investigation. The content focuses on challenges that every lead investigator needs to understand before, during, and post investigation. Since many investigations can end up in a criminal or civil courtroom, it is essential to understand how to perform a computer-based investigation legally and ethically.

We will confront many of the legal myths that have caused you to hesitate when developing your incident handling procedures and pursuing incidents. You will also gain a realistic perspective on the strengths and limitations of law enforcement assistance in the investigation of incidents and the prosecution of attackers. Written by one of the foremost computer crime lawyers, the information presented provides an essential legal foundation for professionals managing or working in incident handling teams around the world.

CPE/CMU Credits: 6



Step-by-Step Finding Unknown Malware On A System

  • Data Reduction / File Sorting
  • Data Carving
  • Indicators of Compromise (IOC) Search
  • Automated Memory Analysis
  • Evidence of Persistence
  • Supertimeline Examination
  • Packing / Entropy / Density Check
  • System Logs
  • Memory Analysis
  • Automated Malware Lookups
  • MFT Anomalies
  • Timeline Anomalies

Anti-Forensics Detection Methodologies

  • Deleted File
  • Deleted Registry Keys
  • File Wiping
  • Clearing Browsing History
  • Privacy Cleaner
  • Adjusting Timestamps

Methodology to Analyze and Solve Challenging Cases

  • Malware/Intrusion
  • Spear Phishing Attacks
  • Web Application Attacks/SQL Injection
  • Advanced Persistent Threat Actors
  • Detecting Data Exfiltration


Who Can Investigate and Investigative Process Laws

  • Internal and External Investigations
  • Authority to Investigate
  • Credentials and Training
  • Ramification Of An Incident That Involves Multiple Countries
  • Following Agency/Employer Policy and Procedures
  • Digital Forensic Ethical Standards

Evidence Acquisition/Analysis/Preservation Laws and Guidelines

  • Major Goals Associated With Acquiring Data
  • Legal Authority To Allow For Data Acquisition
  • Stored and Real Time Data
  • Evidence/Information You Can Share With Third Parties and Law Enforcement
  • Legal Authority Necessary To Collect Data

Laws Investigators Should Know

  • Criminal and Civil Law Procedures - Understanding The Laws and Procedures Related To Evidence, Search Authority and Scope.
  • Civil Privacy Laws
  • Wiretapping and Pen Register Trap and Trace Laws

Forensic Reports and Testimony

Legal Testimony

Address Scientific Process, Audience, and Legal Utility

How To Document Work So It Is Repeatable

Scientific Methods That Show Clear Conclusions Based In Factual Evidence

Chad Tilbury
Fri Dec 14th, 2012
9:00 AM - 5:00 PM


This brand new exercise created in 2012 brings together some of the most exciting techniques learned earlier in the week and tests your newly acquired skills in a case that simulates an attack by an advanced adversary such as an APT. This challenge brings it all together using a simulated intrusion into a real enterprise environment consisting of multiple Windows systems. You will be asked to uncover how the systems were compromised in the initial intrusion, find other systems the adversary moved to laterally, and identify intellectual property stolen via data exfiltration. You will walk out of the course with hands-on experience investigating realistic scenarios, which were put together by a cadre of individuals with many years of experience fighting advanced threats such as an APT group.

CPE/CMU Credits: 6


The Intrusion Forensic Challenge will have each Incident Response team analyzing multiple systems in the Enterprise network.

Each Incident Response team will be asked to answer the following key questions during the challenge, just like they would during a real breach in their organizations:


  1. How and when did the APT group breach our network?
  2. List all compromised systems by IP address and specific evidence of compromise.
  3. When and how did the attackers first laterally move to each system?


  1. How and when did the attackers obtain domain administrator credentials?
  2. Once on other systems, what did the attackers look for on each system?
  3. Email was extracted from executives and system administrators in the enterprise. Are there specific types of email the attackers appeared interested in?
  4. There is a concern among management that compromised critical intellectual property has been exfiltrated from the network. Determine what was stolen: Recover any .rar files or archives exfiltrated, find the .rar encoding password, and extract the contents to verify extracted data.
  5. Collect and list all malware used in the attack.
  6. Develop and present security intelligence or an Indicator of Compromise (IOC) for the APT-group "beacon" malware for both host and network based enterprise scoping.
  7. What specific indicators exist for the use of this malware?


  1. Do we need to change the passwords for every user in the domain or just the ones affected by the systems compromised?
  2. Based on the attack techniques and tools discovered during the incident, what are the recommended steps to remediate and recover from this incident?

    • What systems need to be rebuilt?
    • What IP addresses need to be blocked?
    • What countermeasures should we deploy to slow or stop these attackers if they come back?
    • What recommendations would you make in order to detect these intruders in our network again?

Additional Information


A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

You can use any version of Windows, Mac OS X, or Linux as your core operating system, provided it can also install and run VMware virtualization products.

Please download and install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.

In this class we will be using the SIFT Workstation as our analysis platform. Please download the latest version of the SIFT Workstation prior to class beginning. Download the latest version of the SIFT Workstation here:

The SIFT Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed digital forensic examination in a variety of settings. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many new capabilities and tools such as log2timeline that provides a timeline that can be of enormous value to investigators.


  • CPU: 64bit x64 2.0 GHz or higher is recommended (Multi Core Preferred)
  • DVD/CD Combo Drive
  • Wireless 802.11 B/G/N Networking Capability
  • 4 Gigabyte of RAM minimum (More RAM is recommended due to virtual machine requirements)
  • 200 Gigabyte Host System Hard Drive minimum
  • 100 Gigabytes of Free Space on your System Hard Drive


    • If you attended FOR408 please bring your copy of the FOR408 - Windows 7 SIFT Workstation Virtual Machine
    • OR create a new Windows 7 OS Virtual Machine Workstation (any Win7 versions)

Install the following on your host Windows machine (if you have a Mac/Linux host, install inside the Windows VM):

  1. Install MS Office 2010 (Demo Version for 60 Day Free Trial - You need EXCEL 2007 or higher for this class - No exceptions)
  2. Install latest version of RedLine (1.7 or higher)
  3. Bring/install any other forensic tool you feel could be useful (EnCase, FTK, etc). For the final challenge, you can utilize any forensic tool, including commercial capabilities, to help you and your team. If you have any dongles or licensed software, you are free to use them.

If you have additional questions about the laptop specifications, please contact

  • Information Security Professionals who respond to data breach incidents and intrusions
  • Incident Response Team Members who respond to complex security incidents/intrusions from an APT group / advanced adversaries and need to know how to detect, investigate, recover, and remediate compromised systems across an enterprise.
  • Experienced Digital Forensic Analysts who want to solidify and expand their understanding of file system forensics, investigating technically advanced individuals, incident response tactics, and advanced intrusion investigations targeting APT groups.
  • Federal Agents and Law Enforcement, who want to master advanced intrusion investigations, incident response, and expand their investigative skill beyond traditional host-based digital forensics
  • Red Team Members, Penetration Testers, and Exploit Developers who want to learn how their opponents can identify their actions. Discover how common mistakes can compromise operations on remote systems, and how to avoid them. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploit operating procedures and exploit testing batteries.
  • SANS FOR408 and SEC504 Graduates looking to take their skills to the next level

FOR508 (Advanced Forensics and Incident Response) and FOR408 (Computer Forensic Investigations - Windows In-Depth) are designed to be companion courses with skills that build upon one another. While we suggest taking FOR408 prior to FOR508, students will benefit from taking the courses in any order.

One of the biggest complaints that many have in the digital forensics and incident response community is the lack of realistic intrusion data. Most real-world intrusion data is simply too sensitive to be shared.

Starting a year ago, course authors created a realistic scenario based on experiences surveyed from a panel of responders who regularly respond to targeted APT attacks. They helped review and guide the targeted attack "script" used to create the scenario. As a result, the authors created an incredibly rich and realistic attack scenario across multiple enterprise systems. This APT attack lab forms the basis for training during the week. The network was set up to mimic a standard "protected" enterprise network using standard compliance checklists.

  • Full auditing turned on per recommended FISMA guidelines
  • Windows DC set up and configured. The DC does not tighten down the network more than what is expected in real enterprise networks
  • Systems are installed with real software that is in use (Office, Adobe, Skype, Tweetdeck, Email, Dropbox, Firefox, Chrome)
  • Fully patched (Patches are automatically installed)
  • Enterprise Incident Response agents
  • Enterprise A/V and On-Scan capability based on DoD's Host Based Security System - HBSS

    • McAfee Endpoint Protection - Anti-virus, Anti-spyware, Safe surfing, Anti-spam, Device Control, Onsite Management, Host Intrusion Prevention (HIPS)
  • Firewall allowed only inbound port 25 and outbound ports 25, 80, 443.

This exercise and challenge will be used to show real adversary traces across host systems, system memory, hibernation/pagefiles and more.

  • Phase 1 - Spearphishing attack and malware C2 beacon installation
  • Phase 2 - Lateral movement to other systems, malware utilities download, install additional beacons, and obtain domain admin credentials
  • Phase 3 - Search for intellectual property, profile network, dump email, dump enterprise hashes
  • Phase 4 - Collect data to exfiltrate and copy to staging system. Archive data using rar and a complex passphrase
  • Phase 5 - Exfiltrate rar files from staging server, perform cleanup on staging server.

In the end, we will have created authentic memory captures on each box, network captures, and malware samples, in addition to full disk images with Restore Points (XP) and VSS (for Win7 and Win2008 systems).

  • SIFT Workstation Virtual Machine used with many of the class hands-on exercises

    • This course uses the SIFT Workstation to teach incident responders and forensic analysts how to respond to and investigate sophisticated attacks. SIFT contains hundreds of free and open source tools, easily matching any modern forensic and incident response tool suite.

  • F-Response TACTICAL
    • TACTICAL enables incident responders to access remote systems and physical memory of a remote computer via the network
    • Gives any IR or forensic tool the capability to be used across the enterprise
    • Perfect for intrusion investigations and data breach incident response situations
  • Best-selling book "File System Forensic Analysis" by Brian Carrier
  • Course DVD loaded with case examples, tools, and documentation







Author Statement

"There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that." Matt Olney said when describing the Advanced Persistent Threat and advanced adversaries. He was not joking. The results over the past several years clearly indicate that hackers employed by nation states and organized crime are racking up success after success. The Advanced Persistent Threat has compromised hundreds of organizations. Organized crime organizations, utilizing botnets, are exploiting ACH fraud daily. Similar groups are penetrating banks and merchants, stealing credit card data daily. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholders reports.

The enemy is getting better, bolder, and their success rate is impressive.

We can stop them, but in order to do so we need to field more sophisticated incident responders and digital forensic investigators. We need lethal digital forensic experts that can detect and eradicate advanced threats immediately. A properly trained incident responder could be the only defense your organization has left during a compromise. Forensics 508: ADVANCED COMPUTER FORENSIC ANALYSIS AND INCIDENT RESPONSE is crucial training for you to become a lethal forensicator so that you can step up to these advanced threats. The enemy is good. We are better. This course will help you become one of the best. - Rob Lee