FOR509: SANS Copenhagen January 2025
Provided by SANS
What You Will Learn
Find the Storm in the Cloud
FOR509: Enterprise Cloud Forensics and Incident Response will help you
- Understand forensic data only available in the cloud
- Implement best practices in cloud logging for DFIR
- Learn how to leverage Microsoft Azure, AWS and Google Cloud Platform resources to gather evidence
- Understand what logs Microsoft 365 and Google Workspace have available for analysts to review
- Learn how to move your forensic processes to the cloud for faster data processing
Incident response and forensics are primarily about following breadcrumbs left behind by attackers. These breadcrumbs are primarily found in logs. Your knowledge of the investigation process is far more important than the mechanics of acquiring the logs.
This class focuses on log analysis to help examiners come up to speed quickly with cloud-based investigation techniques. It's critical to know which logs are available in the cloud, their retention, whether they are turned on by default, and how to interpret the meaning of the events they contain.
Numerous hands-on labs throughout the course will allow examiners to access evidence generated based on the most common incidents and investigations. Examiners will learn where to pull data from and how to analyze it to find evil. The data will be available in your VM rather than accessed directly via the cloud to ensure a consistent lab experience.
FOR509 Enterprise Cloud Forensics Will Prepare Your Team To
- Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where it is located
- Identify and utilize new data only available from cloud environments
- Utilize cloud-native tools to capture and extract traditional host evidence
- Quickly parse and filter large data sets using scalable technologies such as the Elastic Stack
- Understand what data is available in various cloud environments
  - Cloud infrastructure and IR data sources
  - Microsoft 365 and Graph API investigations
  - Azure incident response
  - AWS incident response
  - Kubernetes logs in cloud environments (high level)
  - Google Workspace investigations
  - Google Cloud incident response
- Understand digital forensics and incident response as it applies to the cloud
- Identify malicious activities within the cloud
- Cost-effectively use cloud-native tools and services for DFIR
- Ensure the business is adequately prepared to respond to cloud incidents
- Decrease adversary dwell time in compromised cloud deployments
- SOF-ELK® Virtual Machine: a publicly available appliance running the Elastic Stack with the course author's custom configurations and lab data. The VM is preconfigured to ingest cloud logs from Microsoft 365, Azure, AWS, Google Cloud and Google Workspace, and is used throughout the class to help students work through the large volume of records typically encountered during an investigation.
- Case data to examine during class.
- Electronic workbook with detailed step-by-step instructions and examples to help you master cloud forensics
- FOR500: Windows Forensic Analysis
- FOR508: Advanced Incident Response, Threat Hunting & Digital Forensics
- FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
- SEC541: Cloud Security Threat Detection
- SEC510: Public Cloud Security: AWS, Azure & GCP
- SEC588: Cloud Penetration Testing
Start date | Location / delivery
---|---
27 Jan 2025 | Copenhagen