FOR308: Digital Forensics Essentials

Provided by

About the course

The Digital Forensics Essentials course provides the necessary knowledge to understand the Digital Forensics and Incident Response disciplines, how to be an effective and efficient Digital Forensics practitioner or Incident Responder, and how to effectively use digital evidence.

What You Will Learn

More than half of jobs in the modern world use a computer. The vast majority of people aged 18-30 are 'digitally fluent'; accustomed to using smartphones, smart TVs, tablets and home assistants, in addition to laptops and computers, simply as part of everyday life. Yet, how many of these users actually understand what's going on under the hood? Do you know what your computer or smartphone can tell someone about you? Do you know how easy it might be for someone to access and exploit that data? Are you fed up with not understanding what technical people are talking about when it comes to computers and files, data and metadata? Do you know what actually happens when a file is deleted? Do you want to know more about Digital Forensics and Incident Response? If you answered 'yes' to any of the above, this course is for you. This is an introductory course aimed at people from non-technical backgrounds, to give an understanding, in layman's terms, of how files are stored on a computer or smartphone. It explains what Digital Forensics and Incident Response are and the art of the possible when professionals in these fields are given possession of a device.

This course is intended to be a starting point in the SANS catalogue and provide a grounding in knowledge, from which other, more in-depth, courses will expand.


FOR308: Digital Forensics Essentials Course will help you understand:

  • What digital forensics is
  • What digital evidence is and where to find it
  • How digital forensics can assist your organization or investigation
  • Digital forensics principles and processes
  • Incident response processes and procedures
  • How to build and maintain a digital forensics capacity
  • Some of the key challenges in digital forensics and incident response
  • Some of the core legal issues impacting on digital evidence

Digital forensics has evolved from methods and techniques that were used by detectives in the 1990's to get digital evidence from computers, into a complex and comprehensive discipline. The sheer volume of digital devices and data that we could use in investigative ways meant that digital forensics was no longer just being used by police detectives. It was now being used as a full forensic science. It was being used in civil legal processes. It was being used in the military and intelligence services to gather intelligence and actionable data. It was being used to identify how people use and mis-use devices. It was being used to identify how information systems and networks were being compromised and how to better protect them. And that is just some of the current uses of digital forensics.

However digital forensics and incident response are still largely misunderstood outside of a very small and niche community, despite their uses in the much broader commercial, information security, legal, military, intelligence and law enforcement communities.

Many digital forensics and incident response courses focus on the techniques and methods used in these fields, which often do not address the core principles: what digital forensics and incident response are and how to actually make use of digital investigations and digital evidence. This course provides that. It serves to educate the users and potential users of digital forensics and incident response teams, so that they better understand what these teams do and how their services can be better leveraged. Such users include executives, managers, regulators, legal practitioners, military and intelligence operators and investigators. In addition, not only does this course serve as a foundation for prospective digital forensics practitioners and incident responders, but it also fills in the gaps in fundamental understanding for existing digital forensics practitioners who are looking to take their capabilities to a whole new level.

FOR308: Digital Forensics Essentials Course will prepare you team to:

  • Effectively use digital forensics methodologies
  • Ask the right questions in relation to digital evidence
  • Understand how to conduct digital forensics engagements compliant with acceptable practice standards
  • Develop and maintain a digital forensics capacity
  • Understand incident response processes and procedures and when to call on the team
  • Describe potential data recovery options in relation to deleted data
  • Identify when digital forensics may be useful and understand how to escalate to an investigator
  • If required, use the results of your digital forensics in court

FOR308: Digital Forensics Fundamentals Course Topics

  • Introduction to digital investigation and evidence
  • Where to find digital evidence
  • Digital forensics principles
  • Digital forensics and incident response processes
  • Digital forensics acquisition
  • Digital forensics examination and analysis
  • Presenting your findings
  • Understanding digital forensic reports
  • Challenges in digital forensics
  • Building and developing digital forensics capacity
  • Legality of digital evidence
  • How to testify in court

What You Will Receive With This Course

SANS Windows SIFT Workstation

  • This course uses the SANS Windows DFIR Workstation to teach first responders and forensic analysts how to view, decode, acquire, and understand digital evidence.
  • DFIR Workstation that contains many free and open-source tools, which we will demonstrate in class and use with many of the hands-on class exercises
  • Windows 10
  • VMWare Appliance ready to tackle the fundamentals of digital forensics

Syllabus (36 CPEs)



FOR308 is an introductory digital forensics course that addresses core digital forensics principles, processes and knowledge.

If you wish to become a digital forensics or incident response practitioner, we recommend that you follow up this course with one or more of the following SANS courses: FOR500, FOR508, FOR518, FOR585, FOR526 or FOR572.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

You can use any 64-bit version of Windows or Mac OSX as your core operating system that also can install and run VMware virtualization products. You also must have a minimum of 8 GB of RAM or higher for the VM to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 12, VMware Fusion 8, or VMware Player 12 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.


  • CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more. A recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • BIOS settings for Intel-VT enabled. Being able to access your BIOS (if password protected) is also required in case changes are required.
  • 8 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher of RAM is mandatory and minimum. For best experience 16GB of RAM is recommended)
  • Wireless 802.11 Capability
  • USB 3.0
  • 250+ Gigabyte Host System Hard Drive minimum
  • 200 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs we distribute
  • Additional USB Flash drive: We recommend a USB Flash drive that is smaller than 16GB.
  • Students must have Administrator-level Access to both the laptop's host operating system and system-level BIOS/EFI settings. If this access is not available, it can significantly impact the student experience.
  • Disable Credential Guard if enabled. Hyper-V required for Credential Guard will conflict with VMware products required for the course.


  • Host Operating System: Fully patched and updated Windows 10 or Apple Mac OSX (10.12+)
  • While an Apple Mac host computer should work for the majority of labs, a Windows host computer is recommended for the best experience. There is at least one exercise in the class that cannot be performed if using an Apple Mac is selected as your host device.
  • Update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
  • Do not bring a host system that has critical data you cannot afford to lose.



  1. Bring the proper system hardware (64bit/8GB+ RAM, 200GB free drive space) and operating system configuration
  2. Bring a supported host OS
  3. Install VMware (Workstation, Player, or Fusion) MS Office and 7zip and make sure these work before class.
  4. Bring a USB Flash drive that is smaller than 16GB.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.


There are currently no new dates advertised for this course

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...