FOR509: Enterprise Cloud Forensics and Incident Response
About This Course
The world is changing and so is the data we need to conduct our investigations. Cloud platforms change how data is stored and accessed. They remove the examiner's ability to directly access systems and use classical data extraction methods. Unfortunately, many examiners are still trying to force old methods for on-premise examination onto cloud-hosted platforms. Rather than resisting change, examiners must learn to embrace the new opportunities presented to them in the form of new evidence sources. FOR509: Enterprise Cloud Forensics and Incident Response addresses today's need to bring examiners up to speed with the rapidly changing world of enterprise cloud environments by uncovering the new evidence sources that only exist in the Cloud.
What You'll Learn
- Understand forensic data only available in the cloud
- Implement best practices in cloud logging for DFIR
- Learn how to leverage Microsoft Azure, AWS and Google Cloud Platform resources to gather evidence
- Understand what logs Microsoft 365 and Google Workspace have available for analysts to review
- Learn how to move your forensic processes to the cloud for faster data processing
FOR509 Enterprise Cloud Forensics will prepare you to:
- Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where it is located
- Identify and utilize new data only available from cloud environments
- Utilize cloud-native tools to capture and extract traditional host evidence
- Quickly parse and filter large data sets using scalable technologies such as the Elastic Stack
- Understand what data is available in various cloud environments
Entry Requirements
FOR509 is an Intermediate to Advanced course that focuses on Cloud infrastructure and log analysis. This class teaches students how to make use of cloud provider created data that augments, replaces or extends the artifacts they already learned about in prior SANS classes.
Students may benefit from having taken the following courses:
- FOR500: Windows Forensic Analysis
- FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
- SEC488: Cloud Security Essentials
or having relevant previous experience.
Participants should be proficient in written and spoken English. There are no minimum entry requirements for years of experience in the domain, education level or age group; but participants should possess the relevant prerequisite skills mentioned above before taking the course.