FOR509: South by South East Asia February 2022


What You Will Learn

Find the Storm in the Cloud

FOR509: Enterprise Cloud Forensics and Incident Response will help you:
  • Understand forensic data only available in the cloud
  • Implement best practices in cloud logging for DFIR
  • Properly handle rapid triage in cloud environments
  • Learn how to leverage Microsoft Azure, AWS and Google Workspace resources to gather evidence
  • Understand what Microsoft 365 has available for analysts to review
  • Learn how to move your forensic process to the cloud for fast processing where the data lives
With Enterprise Cloud Forensics, examiners will learn how each of the major cloud service providers (Microsoft Azure, Amazon AWS and Google Workspace) is extending analysts' capabilities with new evidence sources not available in traditional on-premises investigations. From cloud equivalents of network traffic monitoring to direct hypervisor interaction for evidence preservation, forensics is not dead. It is reborn with new technologies and capabilities.

The new world does not end there. More organizations are moving critical resources into the cloud with Microsoft 365. Examiners no longer have direct access to the email servers and datastores for recovering actions, which means they need to learn the new methods available to them to recreate the same data. But why stop at recreation? These new platforms allow us to extend our reach to data we could not easily access before, which, when properly configured, can allow for detection and remediation faster than ever before.

A change in where or how data is stored always seems to lead to the false assumption that forensics is dead. With the cloud, forensics is given new capabilities and depth that do not exist in the on-premises world. Learn to preserve, configure and examine new sources of evidence that only exist in the cloud. Learn how to bring your examination into the cloud and how to triage within the same environment. Constantly updated, the Enterprise Cloud Forensics course (FOR509) addresses today's need to bring examiners up to speed with the rapidly changing world of enterprise cloud environments, where their most valuable data is being uploaded.

Numerous hands-on labs throughout the course will allow examiners to access evidence generated based on the most common incidents and investigations. Examiners will learn where to pull data from and how to analyze it to find evil.

Before, during, and after an investigation, cloud resources are constantly changing. FOR509: Enterprise Cloud Forensics will train you and your team to turn on the logs you need for the future, work with the data you have today, and prepare to automate for tomorrow.

  • Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where it is located
  • Identify and utilize new data only available from Cloud environments
  • Quickly parse and filter large data sets, using scalable technologies such as the Elastic Stack
  • Learn how to profile attackers in different cloud environments
  • Understand what data is available in different cloud environments

Course Topics
  • Cloud Infrastructure and IR data sources
  • Microsoft 365
  • AWS Incident Response
  • Azure Incident Response
  • GCP Incident Response

What You Will Receive
  • SOF-ELK® Virtual Machine - a publicly available appliance running the Elastic Stack and the course author's custom set of configurations and dashboards. The VM is preconfigured to ingest cloud logs from AWS, Azure, and GCP, and will be used during the class to help students wade through the hundreds of millions of records they are likely to encounter during a typical investigation.
  • Realistic case data to examine during class.
  • USB drive(s) loaded with case examples, tools, and documentation.
  • Exercise book with detailed step-by-step instructions and examples to help you master cloud forensics.

Related Courses
  • FOR518: Mac and iOS Forensics Analysis and Incident Response
  • FOR585: Smartphone Forensic Analysis In-Depth
  • FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
  • SEC541: Cloud Security Monitoring and Threat Detection


Start date: 31 Jan 2022
Location / delivery: Virtual
