FOR498: Digital Acquisition and Rapid Triage
Gain essential skills in digital forensic acquisition and rapid triage. Learn to collect and preserve data from diverse sources and then rapidly extract actionable intelligence.
FOR498 is an excellent course! I learned a lot of new skills that I can't wait to develop further, and Kevin Ripa did an outstanding job delivering the content and making it interesting. His personal stories and examples kept the course engaging and rooted in reality.
A digital forensic acquisition training course, FOR498 provides the skills to identify the many and varied data storage media in use today and to collect and preserve that data in a forensically sound manner, regardless of how and where it is stored. This forensic data collection course covers digital acquisition from computers, portable devices, networks, and the cloud, and teaches rapid triage: the art and science of identifying and starting to extract actionable intelligence from a hard drive in 90 minutes or less.


Kevin Ripa has transformed the global cybersecurity landscape through decades of frontline digital forensics, assisting law enforcement, governments, and Fortune 500 companies in unraveling sophisticated cyberattacks and nation-state threats.

Eric has redefined digital forensics with open-source tools like KAPE, now global standards for cybercrime investigations. He has directly enabled faster evidence analysis, rescued exploited children, and set new benchmarks in forensic response.
Explore the course syllabus below to view the full range of topics covered in FOR498: Digital Acquisition and Rapid Triage.
Section one emphasizes the importance of proper digital evidence collection. We introduce foundational forensic concepts, tools, and procedures, including evidence handling, scene management, and file systems. We also highlight the need for proper training to ensure data integrity in high-pressure investigative environments.
Section two focuses on acquiring data from portable devices and enterprise systems, emphasizing proper handling. It covers smartphone analysis, write blocking, and efficient evidence collection across diverse storage types. We will also explore myriad acquisition hardware and software, adapters, and identification for data-informed decision making.
Section three covers "Quick Win Forensics," focusing on rapidly identifying and acquiring key evidence through live response, memory capture, and triage techniques. It emphasizes speed and efficiency, especially in cases involving encryption or fileless malware, where the evidence may exist only in memory or on a live system.
Section four covers acquiring data from non-traditional and cloud storage, using tools like KAPE for rapid triage and remote collection. It prepares investigators to quickly access critical evidence from complex modern systems such as RAID arrays, Volume Shadow Copies, and cloud services.
Section five focuses on the unique challenges of acquiring data from Apple devices and the Internet of Things (IoT). It covers macOS-specific tools, encryption hurdles, and alternative imaging methods required by hardware constraints. The section also teaches how to analyze IoT device communication and collect related network traffic for forensic purposes.
Section six focuses on online attribution and advanced data recovery techniques when traditional tools fall short. It covers tracing digital artifacts to their sources, legal considerations, and the use of file and stream carving to recover deleted or corrupted data. Emphasis is placed on understanding tool limitations and applying manual recovery methods.
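The file carving that section six describes, shown here as an added example that is not part of the course material or any FOR498 lab code: a small header/footer carver in Python that scans a raw byte image for JPEG and PNG signatures, pairs each header with the next footer, caps the carve when no footer is found (the truncated or corrupted case the section mentions) and flags it for manual validation, and hashes each recovered object so it can be tracked like any other evidence item. The sample "image" is constructed inline; the signature table and MAX_CARVE are assumptions for the demonstration, and a production carver would validate internal structure (JPEG segment markers, PNG chunk lengths and CRCs) rather than trust the footer alone.

```python
import hashlib

# Header/footer signatures (public file-format magic values). The table is an
# assumption for this demonstration; real carvers carry many more entries.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xaeB`\x82"),
]

# Assumed cap for a header whose footer never appears (truncated/corrupted file).
MAX_CARVE = 10 * 1024 * 1024


def carve(data: bytes, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Header-to-footer carving over a raw byte image.

    Returns a list of (type, offset, blob, complete) sorted by offset. Each
    header is paired with the first footer that follows it within max_size;
    when no footer is found the carve is truncated at max_size (or end of
    data) and flagged complete=False so the examiner knows it needs manual
    validation instead of being treated as an intact file."""
    results = []
    for name, header, footer in signatures:
        pos = 0
        while True:
            h = data.find(header, pos)
            if h == -1:
                break
            f = data.find(footer, h + len(header), h + max_size)
            if f == -1:
                end = min(h + max_size, len(data))
                complete = False
                pos = h + len(header)  # keep scanning inside the truncated region
            else:
                end = f + len(footer)
                complete = True
                pos = end  # resume after the recovered file
            results.append((name, h, data[h:end], complete))
    results.sort(key=lambda r: r[1])
    return results


def sha256_hex(blob: bytes) -> str:
    """Hash a carved object so it can be logged and verified like acquired evidence."""
    return hashlib.sha256(blob).hexdigest()


def build_sample_image() -> bytes:
    """Constructed test data, not a real disk image: an intact JPEG, an intact
    PNG, and a JPEG whose trailing EOI marker is missing, separated by zero
    fill that plays the role of unallocated space."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"B" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    truncated = b"\xff\xd8\xff\xe1\x00\x08Exif" + b"C" * 30  # no \xff\xd9 footer
    return b"\x00" * 16 + jpeg + b"\x00" * 32 + png + b"\x00" * 8 + truncated


if __name__ == "__main__":
    for kind, off, blob, ok in carve(build_sample_image()):
        status = "complete" if ok else "TRUNCATED, verify manually"
        print(f"{kind}\toffset={off}\tsize={len(blob)}\t"
              f"sha256={sha256_hex(blob)[:16]}...\t{status}")
```

Run as a script and the truncated JPEG is reported with a distinct status rather than silently shipped as a recovered file; that distinction is the practical point of the section's emphasis on tool limitations. To carve a real image, read it into memory in chunks (or memory-map it) and feed the bytes to carve, keeping the original acquisition read-only.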
Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
Responsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
Responsible for investigating cyberspace intrusion incidents and crimes. Applies tactics, techniques, and procedures for a full range of investigative tools and processes and appropriately balances the benefits of prosecution versus intelligence gathering.
Execute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Analyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.
Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst addresses security issues quickly and effectively when they are detected. With an eye for detail and anomalies, these analysts see things most others miss.
Ensure the cybercriminal investigation reveals all digital evidence needed to prove the malicious activity.
Responsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.
In DFIR, things rarely go as planned. This course teaches you about the options to control when things aren't working as expected.
FOR498 provided information I can take back to my company and begin using immediately. It will be very easy to show leadership the ROI on this course.
I've said it a few times, but this is the most robust digital acquisition course I have taken for overall content covered when it comes to methods and tools. I took this course mainly to learn how to do MacBook Acquisitions, but I've learned so much more already. It just goes to show how there's always more to learn in digital forensics and I appreciate a course that points out my weaknesses to me in a non-vendor specific way.
It's not easy to get exposure to forensics tools and methodology. This is a great class for someone already in the field trying to expand their knowledge. SANS is a well-known and trusted organization. With so many options to choose from and limited time, it's a huge benefit to go straight to a trusted source to get what you need.