FOR509: SANS Copenhagen January 2025

Provided by

Enquire about this course

What You Will Learn
Find the Storm in the Cloud
FOR509: Enterprise Cloud Forensics and Incident Response will help you
  • Understand forensic data only available in the cloud
  • Implement best practices in cloud logging for DFIR
  • Learn how to leverage Microsoft Azure, AWS and Google Cloud Platform resources to gather evidence
  • Understand what logs Microsoft 365 and Google Workspace have available for analysts to review
  • Learn how to move your forensic processes to the cloud for faster data processing
With FOR509: Enterprise Cloud Forensics and Incident Response, examiners will learn how each of the major cloud service providers (Microsoft Azure, Amazon AWS and Google Cloud Platform) are extending analyst's capabilities with new evidence sources not available in traditional on-premise investigations. From cloud equivalents of network traffic monitoring to direct hypervisor interaction for evidence preservation, forensics is not dead. It is reborn with new technologies and capabilities.

Incident response and forensics are primarily about following breadcrumbs left behind by attackers. These breadcrumbs are primarily found in logs. Your knowledge of the investigation process is far more important than the mechanics of acquiring the logs.

This class focuses on log analysis to help examiners come up to speed quickly with cloud-based investigation techniques. It's critical to know which logs are available in the cloud, their retention, whether they are turned on by default, and how to interpret the meaning of the events they contain.

Numerous hands-on labs throughout the course will allow examiners to access evidence generated based on the most common incidents and investigations. Examiners will learn where to pull data from and how to analyze it to find evil. The data will be available in your VM rather than accessed directly via the cloud to ensure a consistent lab experience.
FOR509 Enterprise Cloud Forensics Will Prepare Your Team To
  • Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where it is located
  • Identify and utilize new data only available from cloud environments
  • Utilize cloud-native tools to capture and extract traditional host evidence
  • Quickly parse and filter large data sets using scalable technologies such as the Elastic Stack
  • Understand what data is available in various cloud environments
FOR509 Enterprise Cloud Forensics Course Topics
  • Cloud Infrastructure and IR data sources
  • Microsoft 365 and Graph API Investigations
  • Azure Incident Response
  • AWS Incident Response
  • High-level Kubernetes Clouds logs
  • Google Workspace Investigations
  • Google Cloud Incident Response
Business Takeaways
  • Understand digital forensics and incident response as it applies to the cloud
  • Identify malicious activities within the cloud
  • Cost-effectively use cloud-native tools and services for DFIR
  • Ensure the business is adequately prepared to respond to cloud incidents
  • Decrease adversary dwell time in compromised cloud deployments
What You Will Receive
  • SOF-ELK(R) Virtual Machine - a publicly available appliance running the Elastic Stack and the course author's custom set of configurations and lab data. The VM is preconfigured to ingest cloud logs from Microsoft 365, Azure, AWS, Google Cloud and Google Workspace. It will be used during the class to help students wade through the large number of records they are likely to encounter during a typical investigation.
  • Case data to examine during class.
  • Electronic workbook with detailed step-by-step instructions and examples to help you master cloud forensics
What To Take Next
  • FOR500: Windows Forensic Analysis
  • FOR508: Advanced Incident Response, Threat Hunting & Digital Forensics
  • FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
  • SEC541: Cloud Security Threat Detection
  • SEC510: Public Cloud Security: AWS, Azure & GCP
  • SEC588: Cloud Penetration Testing

Enquire

Start date Location / delivery
27 Jan 2025 Copenhagen Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...