DFIR Summit & Training 2020 - Live Online

Virtual, US Eastern | Thu, Jul 16 - Sat, Jul 25, 2020

In response to the escalation of the COVID-19 pandemic, we've made the decision to convert this training event into a Live Online event.

The courses below will take place online, using virtual software to stream live instructors to all registered students during the scheduled classroom hours (Eastern Time). This alternate training format will allow us to deliver the cybersecurity training you expect while keeping you, our staff, and our instructors as safe as possible.

Your registration for a Live Online course includes electronically delivered courseware, live streaming instruction by a SANS instructor, course labs, and four months of online access to course recordings.

FOR308: Digital Forensics Essentials

Mon, July 20 - Sat, July 25, 2020

Course Syllabus · 36 CPEs · Lab Requirements
Instructor: Jason Jordaan

Because this course is offered as a beta including discounted pricing, seating is limited to a maximum of two seats per organization. No additional discounts apply.

More than half of jobs in the modern world use a computer. The vast majority of people aged 18-30 are 'digitally fluent', accustomed to using smartphones, smart TVs, tablets and home assistants, in addition to laptops and computers, simply as part of everyday life. Yet how many of these users actually understand what's going on under the hood? Do you know what your computer or smartphone can tell someone about you? Do you know how easy it might be for someone to access and exploit that data? Are you fed up with not understanding what technical people are talking about when it comes to computers and files, data and metadata? Do you know what actually happens when a file is deleted? Do you want to know more about Digital Forensics and Incident Response? If you answered 'yes' to any of the above, this course is for you. This is an introductory course aimed at people from non-technical backgrounds, to give an understanding, in layman's terms, of how files are stored on a computer or smartphone. It explains what Digital Forensics and Incident Response are and the art of the possible when professionals in these fields are given possession of a device.

This course is intended to be a starting point in the SANS catalogue and provide a grounding in knowledge, from which other, more in-depth, courses will expand.

IT'S NOT JUST ABOUT USING TOOLS AND PUSHING BUTTONS

FOR308: Digital Forensics Essentials Course will help you understand:

  • What digital forensics is
  • What digital evidence is and where to find it
  • How digital forensics can assist your organization or investigation
  • Digital forensics principles and processes
  • Incident response processes and procedures
  • How to build and maintain a digital forensics capacity
  • Some of the key challenges in digital forensics and incident response
  • Some of the core legal issues impacting on digital evidence

Digital forensics has evolved from the methods and techniques that detectives used in the 1990s to get digital evidence from computers into a complex and comprehensive discipline. The sheer volume of digital devices and data that could be used in investigative ways meant that digital forensics was no longer just being used by police detectives. It was now being used as a full forensic science. It was being used in civil legal processes. It was being used in the military and intelligence services to gather intelligence and actionable data. It was being used to identify how people use and misuse devices. It was being used to identify how information systems and networks were being compromised and how to better protect them. And that is just some of the current uses of digital forensics.

However, digital forensics and incident response are still largely misunderstood outside of a very small and niche community, despite their uses in the much broader commercial, information security, legal, military, intelligence and law enforcement communities.

Many digital forensics and incident response courses focus on the techniques and methods used in these fields, which often do not address the core principles: what digital forensics and incident response are and how to actually make use of digital investigations and digital evidence. This course provides that. It serves to educate the users and potential users of digital forensics and incident response teams, so that they better understand what these teams do and how their services can be better leveraged. Such users include executives, managers, regulators, legal practitioners, military and intelligence operators and investigators. In addition, not only does this course serve as a foundation for prospective digital forensics practitioners and incident responders, but it also fills in the gaps in fundamental understanding for existing digital forensics practitioners who are looking to take their capabilities to a whole new level.

FOR308: Digital Forensics Essentials Course will prepare your team to:

  • Effectively use digital forensics methodologies
  • Ask the right questions in relation to digital evidence
  • Understand how to conduct digital forensics engagements compliant with acceptable practice standards
  • Develop and maintain a digital forensics capacity
  • Understand incident response processes and procedures and when to call on the team
  • Describe potential data recovery options in relation to deleted data
  • Identify when digital forensics may be useful and understand how to escalate to an investigator
  • If required, use the results of your digital forensics in court

FOR308: Digital Forensics Fundamentals Course Topics

  • Introduction to digital investigation and evidence
  • Where to find digital evidence
  • Digital forensics principles
  • Digital forensics and incident response processes
  • Digital forensics acquisition
  • Digital forensics examination and analysis
  • Presenting your findings
  • Understanding digital forensic reports
  • Challenges in digital forensics
  • Building and developing digital forensics capacity
  • Legality of digital evidence
  • How to testify in court

Course Syllabus


Jason Jordaan
Mon Jul 20th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET

Overview

The volume of digital information in the world is growing at a scarily fast rate. In fact, 90 percent of the digital data that exists worldwide today was created within the last two years, and it's not slowing down, with 2.5 quintillion bytes of new data created each and every day.

If you are investigating any matter, whether it is a crime, an administrative or civil issue, or trying to figure out how your network was compromised, you need evidence. If you are gathering intelligence you need information. The simple reality is that these days the vast majority of potential evidence or information that we can use, whether it is for investigations, court, or intelligence purposes, is digital in nature. To effectively conduct digital investigations, one needs to understand exactly what digital evidence is, where to find it, the issues affecting digital evidence, and the unique challenges facing digital evidence. This will allow one to understand the crucial role that digital forensics plays with regards to digital evidence.

CPE/CMU Credits: 6

Topics

MODULE 1.1: Understanding Digital Investigation

  • Why we need to conduct investigations:
    • Incident response and Threat Hunting
    • Regulatory investigations
    • Media Exploitation
    • Military action
    • Administrative investigations (HR/internal investigations)
    • Auditing
    • Law Enforcement investigations
    • Civil and Criminal litigation

MODULE 1.2: Digital Evidence

  • What is digital evidence?
  • The difference between data and metadata
    • File formats and extensions
    • File system metadata and file metadata
  • The nature of digital evidence
    • Binary and hexadecimal
    • Bits, nibbles, and bytes
    • Converting data between binary, hex and ASCII
  • Disk structures
  • Data structures
    • Filesystems
    • Slack space and keyword searching
    • Memory data structures
    • Network data structures
    • Volatile and non-volatile data structures
    • Allocated and unallocated data
    • File deletion and recovery
  • Data encoding
    • ASCII and Unicode
  • The fragility of digital evidence
    • Understanding how easy it is to alter or change digital evidence
    • The importance of minimizing changes to digital evidence
    • Understanding when it is unavoidable to change digital evidence and how to address it
    • General rules of acquisition

MODULE 1.3: Sources of Digital Evidence

  • Computers and laptops
  • Servers
  • Virtual machines
  • Tablets and mobile devices
  • Removable storage media
  • RAM
  • Network devices and data
  • Embedded/IoT devices
  • Digital evidence in the Cloud
  • ICS/SCADA
  • Drones and vehicles

MODULE 1.4: Digital Evidence Challenges

  • Device volumes
    • Number of devices per person is increasing
  • Data volumes
    • The problem of increasing data volumes
    • Do you really need to collect everything?
  • Constantly updated operating systems/apps/services
  • Device support/locked down devices
    • Android and iOS uptake
  • Data corruption and recovery
  • IoT devices and acquisition

Jason Jordaan
Tue Jul 21st, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET

Overview

Digital forensics is the core set of principles and processes necessary to produce usable digital evidence and uncover critical intelligence.

CSI and similar television shows have popularized forensics in the public consciousness and increased awareness of forensics. Digital forensics is the forensic discipline that deals with the preservation, examination and analysis of digital evidence. However, television and movies have created misunderstandings about exactly what digital forensics is and does. As a result, many people interested in forensics have no real understanding of what it entails.

These misperceptions have also led lawyers who make use of digital evidence in court, investigators who need digital evidence to solve cases, information security practitioners responding to security incidents, and even people conducting digital forensics to make mistakes in relation to digital evidence, which can have negative consequences.

Digital forensics is crucial to ensure accurate and usable digital evidence, but it is important to understand exactly what it is, what it can do, and how it can be used. If you are a user of digital forensics and digital evidence, understanding exactly how digital forensics works will enable you to better make use of digital forensics and digital evidence. If you are a manager or supervisor of a digital forensic capacity, this will help you understand exactly how it should be functioning and how to build and maintain it. Finally, if you are a prospective digital forensics practitioner or an existing one, this will equip you with the fundamental knowledge and skills that form the core of the digital forensic profession.

CPE/CMU Credits: 6

Topics

MODULE 2.1: Introduction to Digital Forensics

  • The history and evolution of digital forensics
  • Defining digital forensics
  • The purpose of digital forensics
    • Asking the right questions
  • Knowledge, skills and attributes of digital forensics practitioners
    • First responders
    • Digital forensic investigators
    • Digital forensic analyst
  • Digital Forensics vs Incident Response vs Threat Hunting
  • Digital forensics tools
    • Hardware
    • Software

MODULE 2.2: Digital Forensics Principles

  • ACPO guidelines
  • SWGDE guidelines
  • Locard's Exchange Principle
  • The Inman-Rudin Paradigm
    • Transfer
    • Divisibility
    • Identification
      • Digital evidence categorization model
  • Classification/individualization
  • Association
  • Reconstruction
    • Relational analysis
    • Functional analysis
    • Temporal analysis
  • The philosophy of science and the scientific method

MODULE 2.3: Digital Forensics and Incident Response Processes

  • The digital forensics process
  • ISO 27043
  • The scientific method in digital forensics
  • Forensic process in practice
  • Validation processes
  • Quality assurance

MODULE 2.4: Digital Forensics Challenges

  • Rapidly changing technology
    • Moore's Law
    • Koomey's Law
    • Kryder's Law
  • Over-reliance on forensic tools
  • Commercial vs free and open source tools
  • Competency & motivation of practitioners
  • Mental health issues
  • Ongoing education
  • Anti-forensics

Jason Jordaan
Wed Jul 22nd, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET

Overview

INCIDENT RESPONSE

Incident Response is the core set of principles and processes necessary to allow an organization to successfully respond, react and remediate against potential attack scenarios.

Digital forensics deals with the preservation, examination and analysis of digital evidence. However, Incident Response is often the preceding activity that leads to the requirement to conduct a forensic investigation. If not executed properly, the Incident Response processes and team can inadvertently disrupt or damage subsequent forensic activities. Incident Response is therefore a vitally important aspect of an investigation.

The Incident Response team must be adept at recognizing incidents and responding appropriately to collect and preserve evidence, whilst identifying and containing the incident. This same team is also usually involved in Forensic Readiness planning, which defines what evidence may be useful in a number of attack scenarios and ensures that systems are configured to collect and retain this evidence. Evidence that is collected in advance of an investigation can provide vital clues to a digital forensic investigator and, when used in addition to subsequently acquired data, can provide insights into what data may have changed during specified periods of time that may be pertinent to the case.

Digital Forensics and Incident Response therefore go hand-in-hand and are often referred to by the acronym DFIR. If you are a prospective or current digital forensics practitioner, understanding exactly how incident response works will enable you to better leverage these teams before, during and after investigations to obtain the best and most useful evidence and improve reporting. If you do not plan to build a career in digital forensics, understanding how Incident Response teams and processes work will show you when and how to engage if you suspect an incident may have occurred, and the types of actions on your part that may assist (or impair) any potential investigation, to provide you with the best possible outcome.

Topics

MODULE 3.1: Introduction to Incident Response

  • Defining incident response
  • Incident response processes and best practice
    • Order of volatility
    • Phases of incident response
  • Knowledge, skills and attributes of an incident response team
    • SOC analysts
    • First responders
    • Management
    • Relationships and use of specialists
  • Legal considerations
  • Incident Response tools
    • Hardware
    • Software
    • Grab-bags

MODULE 3.2: Incident Response Standards

  • ISO 27035 - Security incident management
  • NIST Incident Handling Guide
  • Government guidelines
    • UK - NCSC / CREST
    • US-CERT
    • IT Governance EU
  • Templates for policies and plans

MODULE 3.3: Incident Response Challenges

  • Lack of suitable preparation
    • Network diagrams, system details and access
    • Out-of-date documentation
  • Over-reliance on tools
  • Malware, antivirus and anti-forensics
    • What is malware?
    • What is antivirus?
  • Sophisticated attacks

DIGITAL FORENSICS MANAGEMENT

Good management of a digital forensic or incident response team is key in allowing an organization to successfully respond to potential attack scenarios and investigate digital evidence.

Management of a DFIR team is crucial to the success or failure of investigations. This includes suitably preparing the team and environment, providing support throughout each case, escalating issues as required, as well as conducting reviews and providing regular feedback. If sufficient management support is not in place at any stage in the lifecycle of an investigation, it may not be possible to proceed, or insufficient analysis may be conducted. Understanding how to build, manage and prepare a DFIR capability is essential.

Digital Forensic Readiness is the key element in preparation to allow an organization to successfully respond to potential attack scenarios and investigate digital evidence. Digital forensic readiness acknowledges and defines the tools, processes and resources that must be in place to allow an organization to suitably deal with Digital Forensic investigations and Incident Response cases. If Readiness policies and processes are not defined properly, digital evidence may be unsuitable or may not be available when required, which can hinder or entirely prevent an investigation. It is therefore a vitally important aspect of pre-investigation planning.

Topics

MODULE 4.1: Introduction to Forensic Readiness

  • Defining forensic readiness
  • Differences between forensic readiness and incident response

MODULE 4.2: The need for Forensic Readiness

  • Use of digital evidence in organizations
  • Forensic readiness and ISO standards
  • Legislation and regulation
  • Benefits of forensic readiness

MODULE 4.3: Building and Managing a DFIR Capacity

  • Building a business case for digital forensics and incident response
  • DFIR service models
  • Building a DFIR capacity
  • Selecting team members
    • Roles
    • Skill sets
    • Complementary Skills
    • Specialist skills to be able to call upon when required
  • Managing a DFIR capacity

CPE/CMU Credits: 6


Jason Jordaan
Thu Jul 23rd, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET

Overview

The acquisition of digital evidence is the most critical part of the digital forensics process, and as such it must be done right.

Acquiring digital evidence is a crucial component in any investigation. Digital forensics is about finding answers, and if we cannot get to the evidence that we need, which is often stored on devices, in memory, on the wire or wireless, or in the Cloud, then we will never be able to get the answers we seek. Getting the digital evidence and selecting the appropriate method to obtain it can mean the difference between success and failure in an investigation.

The acquisition of digital evidence has evolved over the years, and the old way of doing it may not always be the best or most effective way of getting the evidence and may actually compromise an investigation. Understanding the various strategies and methods available to acquire digital evidence means that informed decisions can be made as to the best method to use in a given situation or environment.

CPE/CMU Credits: 6

Topics

MODULE 5.1: Forensic Acquisition Principles and Standards

  • Preserving the integrity of digital data
  • Minimizing the alteration of digital data
  • Copying versus imaging
  • Forensic imaging methods
    • Live imaging versus "dead" imaging
    • Triage image, sparse image, full logical images and physical images
  • Write blocking
    • Software based write blocking
    • Hardware write blocking
  • Data verification and integrity preservation
    • Hashing
  • The forensic acquisition processes
    • ISO 27037 forensic acquisition processes
    • SWGDE forensic acquisition guidelines
    • ACPO guidelines

MODULE 5.2: Understanding Forensic Images

  • Physical and logical images
  • Forensic image formats
  • Raw image versus forensic image

MODULE 5.3: Forensic Acquisition Processes

  • Handling and controlling physical evidence
  • Addressing encryption
  • Acquisition types
    • Live acquisitions
    • "Deadbox" acquisitions
    • Network acquisitions
    • Remote acquisitions
    • Cloud acquisitions
    • Mobile acquisition
    • Advanced Extraction Techniques
      • JTAG/ISP
      • Chip off acquisitions

MODULE 5.4: Acquisition Challenges

  • Available space vs. drive size
  • Speed of acquisition vs. available time
  • Operating System security
  • Encryption
    • Types of encryption
      • Full Disk Encryption
      • File Based Encryption
      • Single File Encryption
    • Encryption methods
    • Encryption tools
    • Decryption options
  • Acquiring data from the Cloud
  • Damaged devices
  • Unsupported devices
  • Legal authority
    • Obtaining evidence in other jurisdictions - mutual legal assistance treaty
    • Data sovereignty

Jason Jordaan
Fri Jul 24th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET

Overview

The only way to get answers is to ask questions, and the only way to get the right answers is to ask the right questions.

The key purpose of digital forensics is to find answers, and it is through the analysis process that digital forensics transforms raw data into either evidence or intelligence that we can use to answer the questions that we need answered. The use of technology is so integral to our day-to-day activities that it allows us an unprecedented opportunity to reconstruct what has happened in the past, to learn what is happening in the present, and even to predict what may happen in the future, all based on the data available to us.

By understanding digital forensic analysis, we can see how we can ask the right questions in our investigations and intelligence efforts, how we can critically examine and analyze the data at hand in a manner that can withstand scrutiny and finally, understand the types of answers we can get.

CPE/CMU Credits: 6

Topics

MODULE 6.1: What Can Forensic Analysis Prove

  • What are the questions that forensic analysis can provide answers for
    • Who
      • User attribution
      • Assessing alibis and statements
    • What
    • When
      • Timelines
    • Where
      • Location information
    • Why
      • Determining intent
    • How

MODULE 6.2: Planning the Examination

  • Understanding what you are investigating
  • Identify what artefacts can answer your questions
    • Types and examples of artefacts and techniques
  • Kitchen sink vs targeted approach (including triage)
  • Documentation

MODULE 6.3: The Art and Science of Forensic Analysis

  • Understanding and applying critical thinking in an investigation
  • Applying the scientific method to forensic analysis
  • Gather information and make observations
  • Form a hypothesis to explain observations
  • Evaluate the hypothesis
  • Draw conclusions
  • Hypothesis formulation
  • Evaluating hypotheses

MODULE 6.4: Forensic Examination and Analysis Standards

  • SWGDE standards
  • ISO 27042 guidelines for the analysis and interpretation of digital evidence

MODULE 6.5: Forensic Examination and Analysis Challenges

  • Breadth and depth of required knowledge
  • Forensic artifact documentation challenges
  • Tool capability variation
  • Identifying data of interest
  • Stakeholder expectations
  • Analysis scoping and planning
  • Ongoing documentation and notetaking

Jason Jordaan
Sat Jul 25th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET

Overview

DOCUMENTING AND REPORTING IN DIGITAL FORENSICS

It doesn't matter how good your technical skills are: if you are not able to effectively document what you have done and report on your findings in a manner that non-technical people understand, your investigation is on shaky ground.

Digital forensics is at its core about getting answers to questions, whether as evidence or intelligence. So, it is important that we can get the answers that we find in our investigations to the right people so that they can make decisions and act on what is found in the digital forensics process.

It is crucial that we are able to effectively communicate these answers to the people who need them, in a manner that is useful to them, and to be able to effectively support our answers. Not only must we be able to communicate effectively, but it is important that the users of these answers understand what our various reports mean and how they can use them effectively. Without effective communication and understanding of what is communicated, all effort expended in the digital forensic process is lost.

Topics

MODULE 7.1: Ongoing Documentation

  • Understanding the need for documentation
  • Making contemporaneous notes
  • Supporting your documentation with evidence
  • Maintaining the integrity of your documentation
  • Types of documentation
  • Investigation authorization and mandates
  • Case notes
  • Quality assurance documentation
  • Tool validation documentation

MODULE 7.2: Presenting your Findings

  • How to communicate technical concepts to non-technical audiences
  • Educating your audience
  • Telling the story
  • Supporting your narrative with evidence
  • Written reports
  • Verbal presentations

GOING TO COURT

While not all digital forensics matters end up going to court, some do, and when that is the case it is important to at least have some understanding of the law of evidence and going to court.

Digital investigations can often end up in court. In certain instances, a criminal prosecution may be desired, where the digital evidence you have gathered and analyzed will be used in a criminal court to prosecute an offender. In other instances, you may use your digital evidence in a civil court claiming damages or other relief, or defending your organization against claims for damages arising from a breach or other incident.

While laws differ around the world, there are some common principles that apply which digital forensic practitioners need to know. They need to understand the legal requirements for evidence to be acceptable for a court to use. They also need to understand how to present that evidence if they are called upon to testify in court. These two fundamentals can mean the difference between success and failure.

Topics

MODULE 8.1: Legal Evidence

  • What is evidence
  • The legal requirements for court directed evidence
  • Admissibility
    • Legality
      • Chain of custody
  • Legal processes to secure evidence
  • Consent
  • Organizational policy and contractual frameworks
  • Reliability of the evidence
    • Integrity
  • Relevance
    • Proving legal elements
    • Exculpatory evidence

MODULE 8.2: Testifying in Court

  • Understanding the court process
  • Technical versus expert witnesses
  • The responsibility of a witness
  • The testifying process
  • How to be an effective witness

CPE/CMU Credits: 6

Additional Information

!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

You can use any 64-bit version of Windows or Mac OSX as your core operating system, provided it can install and run VMware virtualization products. You must also have a minimum of 8 GB of RAM for the VM to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 12, VMware Fusion 8, or VMware Player 12 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

MANDATORY FOR308 SYSTEM HARDWARE REQUIREMENTS:

  • CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more. A recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • BIOS settings for Intel-VT enabled. Being able to access your BIOS (if password protected) is also required in case changes are required.
  • 8 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM is the mandatory minimum. For the best experience, 16 GB of RAM is recommended)
  • Wireless 802.11 Capability
  • USB 3.0
  • 250+ Gigabyte Host System Hard Drive minimum
  • 200 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs we distribute
  • Students must have Administrator-level Access to both the laptop's host operating system and system-level BIOS/EFI settings. If this access is not available, it can significantly impact the student experience.
  • Disable Credential Guard if enabled. Hyper-V, which Credential Guard requires, will conflict with the VMware products required for the course.

MANDATORY FOR308 HOST OPERATING SYSTEM REQUIREMENTS:

  • Host Operating System: Fully patched and updated Windows 10 or Apple Mac OSX (10.12+)
  • While an Apple Mac host computer should work for the majority of labs, a Windows host computer is recommended for the best experience. There is at least one exercise in the class that cannot be performed if an Apple Mac is selected as your host device.
  • Update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
  • Do not bring a host system that has critical data you cannot afford to lose.

PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:

IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:

  1. Bring the proper system hardware (64-bit CPU, 8 GB+ RAM, 200 GB free drive space) and operating system configuration
  2. Bring a supported host OS
  3. Install VMware (Workstation, Player, or Fusion), MS Office and 7-Zip, and make sure these work before class.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Federal Agents and Law Enforcement Officers who want to learn the fundamentals of digital forensics, who are starting out in digital forensics, who are responsible for managing digital forensics units, or who want to know how digital evidence can be used in investigations and other law enforcement operations.
  • Digital Forensic Analysts who want to consolidate and expand their understanding of the fundamentals of digital forensics as a discipline.
  • Information Security Professionals who want to understand the fundamentals of digital forensics and how to leverage this in their operational environments.
  • Legal Professionals who need to understand digital forensics, the role it can play in proving a matter in court, the various uses of digital evidence, and the relationship between digital forensics and digital evidence.
  • Military and Intelligence Operators who need to understand the role of digital investigation and intelligence gathering, and how digital forensics can enhance their missions.
  • HR Professionals that may have to rely on digital forensics and evidence in internal investigations of staff misconduct.
  • Managers and Executives who need to understand what digital forensics can do for their organizations and the critical role that it can play in securing their organization.
  • Anyone interested in digital forensics, whether or not they are considering a career in this field.

FOR308 is an introductory digital forensics course that addresses core digital forensics principles, processes and knowledge.

If you wish to become a digital forensics or incident response practitioner, we recommend that you follow up this course with one or more of the following SANS courses: FOR500, FOR508, FOR518, FOR585, FOR526 or FOR572.

SANS Windows SIFT Workstation

  • This course uses the SANS Windows DFIR Workstation to teach first responders and forensic analysts how to view, decode, acquire, and understand digital evidence.
  • The DFIR Workstation contains many free and open-source tools, which we will demonstrate in class and use in many of the hands-on class exercises.
  • Windows 10
  • VMware appliance ready to tackle the fundamentals of digital forensics

Fully working license for 120 days:

Digital Download Package

SANS DFIR Electronic Workbook

  • Electronic Exercise book with detailed step-by-step instructions and examples to help you master digital forensic fundamentals

FOR308: Digital Forensics Essentials Course will prepare your team to:

  • Effectively use digital forensics methodologies
  • Ask the right questions in relation to digital evidence
  • Understand how to conduct digital forensics engagements compliant with acceptable practice standards
  • Develop and maintain a digital forensics capacity
  • Understand incident response processes and procedures and when to call on the team
  • Describe potential data recovery options in relation to deleted data
  • Identify when digital forensics may be useful and understand how to escalate to an investigator
  • If required, use the results of your digital forensics in court

Author Statement

"Digital Forensics sounds like a really cool and exciting specialist field of expertise, and whilst many people choose to build up their knowledge and experience over many years to become specialists, it is also very much applicable to everyone who uses a computer, or a smartphone, or owns a home assistant. The vast majority of jobs in the developed world now involve the use of some form of computer. It is tremendously beneficial for users to understand how their data is being stored on those systems, the fact that deleted files may be recoverable and steps they can take to improve their odds of successful recovery, as well as how to recognize and respond to any incidents they may encounter on their systems and understand when to call in the experts.

Whether you're interested in getting into the field of Digital Forensics, or you'd just like to understand more about the systems you use on a daily basis, without any prerequisite knowledge required, FOR308 will introduce you to data, how to find it, acquire it, preserve it and most importantly, how to understand it" - Kathryn Hedley

"I have been teaching digital forensics around the world for several years for the SANS Institute, and not a single class went by where I was not being asked questions by my students about areas that I considered essential digital forensic topics, such as how to structure an investigation, how core digital forensics processes work, how to write a digital forensics report, how to testify in court, the legal issues that impact on digital evidence, and so many more topics. These have not been topics we have traditionally covered within the SANS DFIR faculty. I realized that to develop fully rounded digital forensic practitioners we would need to cover these essential areas, to fill in the gaps, so to speak. This was also an opportunity to provide an introduction to digital forensics and digital evidence, not only to people embarking on a digital forensics career, but to lawyers and investigators dealing with digital evidence, to managers managing digital forensics capacity in their organizations, and anyone interested in the field of digital forensics.

You can't build a house without a foundation, and this course provides that essential foundation for a career in digital forensics" - Jason Jordaan

"Digital forensics is a specialist skill that requires a solid understanding of the technical workings of devices, operating systems, file systems, and applications. Typically, these examinations are going to be one component within a greater overall investigation, which is where FOR308 comes in. At SANS we have trained some of the best and brightest for decades. Specifically, in digital forensics we teach students every day how to be amazing forensicators; how to understand the underlying data to process, parse, and present digital information for technical audiences. This class however will bring you right back to basics, because the fundamentals are key. The skills and processes taught in this course are applicable across the rest of the DFIR curriculum; whether you're managing a DFIR capability, getting into the field, or just need to understand how it all fits together. This class will set you up with the tools that you need to understand the processes and procedures involved from start to finish" - Phill Moore