FOR498: DFIR Summit & Training 2024 New

Provided by

Enquire about this course

What You Will Learn
FOR498: Digital Acquisition and Rapid Triage will help you to:
  • Acquire data effectively from:
    • PCs, Microsoft Surface, and Tablet PCs
    • Apple Devices, and Mac, and Macbooks
    • Random Access Memory (RAM)
    • Smartphones and portable mobile devices
    • Cloud storage and services
    • Network storage repositories
    • Virtual Machine environments
  • Produce actionable intelligence in 90 minutes or less
The first step in any investigation is the gathering of evidence. Digital forensic investigations are no different. The evidence used in this type of investigation is data, and this data can live in many varied formats and locations. You must be able to first identify the data that you might need, determine where that data resides, and, finally, formulate a plan and procedures for collecting that data.
With digital forensic acquisitions, you will typically have only one chance to collect data properly. If you manage the acquisition incorrectly, you run the risk of not only damaging the investigation, but more importantly, destroying the very data that could have been used as evidence.

With the wide range of storage media in the marketplace today, any kind of standardized methodology for all media is simply untenable. Many mistakes are being made in digital evidence collection, and this can cause the guilty to go free and, more importantly, the innocent to be incarcerated. The disposition of millions and millions of dollars can rest within the bits and bytes that you are tasked with properly collecting and interpreting.

An examiner can no longer rely on "dead box" imaging of a single hard drive. In today's cyber sphere, many people utilize a desktop, laptop, tablet, and cellular phone within the course of a normal day. Compounding this issue is the expanding use of cloud storage and providers, and the proper collection of data from all these domains can become quite overwhelming.

This in-depth digital acquisition and data handling course will provide first responders and investigators alike with the advanced skills necessary to properly respond to, identify, collect, and preserve data from a wide range of storage devices and repositories, ensuring that the integrity of the evidence is beyond reproach. Constantly updated, FOR498 addresses today's need for widespread knowledge and understanding of the challenges and techniques that investigators require when addressing real-world cases.

Numerous hands-on labs throughout the course will give first responders, investigators, and digital forensics teams practical experience needed when performing digital acquisition from hard drives, memory sticks, cellular phones, network storage areas, and everything in between.

During a digital forensics response and investigation, an organization needs the most skilled responders possible, lest the investigation end before it has begun. FOR498: Digital Acquisition and Rapid Triage will train you and your team to respond, identify, collect, and preserve data no matter where that data hides or resides.
You Will Be Able To
  • Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where it is stored
  • Handle and process a scene properly to maintain evidentiary integrity
  • Perform data acquisition from at-rest storage, including both spinning media and solid-state storage
  • Identify the numerous places that data for an investigation might exist
  • Perform rapid triage by going from evidence seizure to actionable intelligence in 90 minutes or less
  • Assist in preparing the documentation necessary to communicate with online entities such as Google, Facebook, Microsoft, etc.
  • Understand the concepts and usage of large-volume storage technologies, including JBOD, RAID storage, NAS devices, and other large-scale, network addressable storage
  • Identify and collect user data within large corporate environments where it is accessed using SMB
  • Gather volatile data such as a computer system's RAM
  • Recover and properly preserve digital evidence on cellular and other portable devices
  • Address the proper collection and preservation of data on devices such as Microsoft Surface/Surface Pro, where hard-drive removal is not an option
  • Address the proper collection and preservation of data on Apple devices such as MacBook, MacBook Air, and MacBook Pro, where hard-drive removal is not an option
  • Properly collect and effectively target email from Exchange servers, avoiding the old-school method of full acquisition and subsequent onerous data culling
  • Properly collect data from SharePoint repositories
  • Access and acquire online mail stores such as Gmail, Hotmail, and Yahoo Mail accounts
Course Topics
  • Advanced use of a wide range of best-of-breed, open-source tools in the SANS Windows 10 environment, as well as other external tools to perform proper data acquisition and evidence handling
  • Rapid incident response collection of artifacts to quickly further the investigation without waiting for completion of a forensic image
  • Remote and enterprise digital evidence collection
  • Windows live artifact collection
  • Memory collection
  • Volume shadow copy acquisition
  • Understanding advanced storage containers such as RAID and JBOD
  • Examination of file systems and how they hold data
  • Advanced understanding of proper evidence collection and scene management
  • Identifying data storage devices and locations
  • Properly identifying a vast array of interface styles and adapter usage
  • Gaining access to storage media using non-destructive methods
  • Accessing and collecting cloud-based storage containers, including online email such as Gmail and
  • Instruction specific to the acquisition of Apple devices
  • Methodologies for accessing and acquiring data from portable and cellular devices, as well as non-traditional devices such as GPS units and Internet of Things devices
What You Will Receive
  • A 90 Day License to Cellebrite Physical Analyzer
  • SANS Windows SIFT Workstation
    • This course uses the SANS Windows DFIR Workstation extensively to teach first responders and forensic analysts how to respond to, acquire, and investigate even the most time-sensitive cases.
    • DFIR Workstation that contains hundreds of free and open-source tools, easily matching any modern forensic commercial suite
    • A virtual machine is used with many of the hands-on class exercises
    • Windows 10
    • VMWare Appliance ready to tackle forensics
  • F-Response Consultant Covert
    • Enables practitioner to access remote systems and physical memory of a remote computer via the network
    • Gives any forensics tool the capability to be used remotely
    • Perfect for network and cloud data acquisition and visibility
    • Deployable agent to remote systems
    • SIFT Workstation compatible
    • Vendor neutral - works with just about any tool
    • The six-month license allows it to continue to be used and benchmarked in your environment at work/home
  • Fully working licenses for 90 days:
    • Magnet Forensics Axiom
    • Arsenal Image Mounter
    • Domain Tools
  • Fully working licenses for 120 days:
    • SafeBlock
  • Digital Download Package
    • Download package with case images, memory captures, DFIR Workstation, tools, and documentation
  • SANS DFIR Electronic Exercise Workbook
    • Electronic Exercise book with detailed step-by-step instructions and examples to help you master Battlefield Forensics
  • UltraDock Hardware Write Blocking Device
    • SATA to USB 3 adapter for 2.5" bare hard drives
    • Note: this comes with a US plug. International students taking the course Live Online or OnDemand, please obtain an adapter.
  • SANS DFIR Cheatsheets to Help Use the Tools in the Field


Start date Location / delivery
24 Aug 2024 Salt Lake City Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...