Over 45 Cyber Security Courses at SANS 2018 in Orlando! Save up to $200 thru 2/28.

Digital Forensic & Incident Response (DFIR) Courses

SANS cyber forensics courses help organisations protect their people, products and profits from digital criminals. For over a quarter of a century we've trained computer security and forensics professionals who work for some of the world's largest corporations. Here's why SANS computer forensics and security training is so respected:

  • Focussed on protection - SANS DFIR Courses teach the skills needed to detect cutting edge threats and implement the correct responses to them.
  • An extensive curriculum - SANS offers beginner, specialist and advanced DFIR Courses.
  • Top-flight Instructors - Our Instructors are highly ranked DFIR professionals who work in the field.
  • Updated contents - SANS refreshes and reviews all of its training content to ensure it aligns with the latest and most dangerous digital threats.
  • A wealth of courseware - DFIR students receive a library of textbooks and, depending up on the course studied, software and hardware resources to help them deploy new skills.
  • Flexibility - Students can take DFIR training in a classroom, online or in privately.

SANS trains computer forensics and security personnel who work for government departments, global enterprises and military bodies. Our Digital Forensic and Incident Response training Curriculum is designed to help organisations investigate and respond to breaches quickly and effectively.

Click here to jump to our full DFIR course list

Why SANS' DFIR Training?


Putting aside their technical pedigree, SANS Instructors are highly skilled teachers. SANS Cyber Forensics Courses are built around lab work, simulations, war games and capture the flag exercises.


Depending upon the DFIR course taken, students could receive:

  • Textbooks - Textbooks are regularly re-written by security experts to ensure they address the latest technologies and challenges.
  • SIFT Workstation - SANS Investigation Forensics Toolkit is an industry leading toolset designed to aid investigators. It contains over 150 commercial, open source and freeware DFIR tools, all in one environment.
  • Software licences - While many of the tools we teach about are open source, some are commercial. If we can't supply a full licence we'll supply a trial version.
  • CRU WiebeTech UltraDock - This device is used by technicians, investigators and lawyers who need to evaluate and safely copy disks.
  • Windows 8.1 Licence - We'll supply the operating system required to run - virtually or natively - the suite of tools explored in class.
  • Extra learning resources - SANS produce an array of cheat sheets and posters, all created to speed up the learning process.

Training Delivery

SANS understands that training isn't a one size fits all business. Our Training Events take place in a classroom environment face to face with a SANS Instructor. Attend and be in with a chance of winning a DFIR Coin.

Our OnDemand service is an electronic learning system that lets students access SANS' Training Courses from a laptop or tablet.

For businesses with over 25 students, we can arrange for SANS' Training to be delivered internally, in a HQ or training space. This mode of training is called Private Training.

Read what students say on our Testimonials page.

Digital Forensics and Incident Response

GIAC Certification

Many SANS Cyber Forensics Courses are aligned with GIAC Certifications. GIAC Certification proves indelibly that a holder possesses the very sharpest cyber security skills. As a body, GIAC is recognised globally. GIAC Certification is a respected way to enhance career prospects and promotion opportunities.


Our Digital Forensics and Incident Response Training Courses fall into three categories: Core, Advanced, and Specialist.

SANS Core DFIR Courses

SEC401 is SANS' most popular course. It provides a boot-camp style introduction to computer security and forensics essentials, affording a solid foundation upon which to build a DFIR career.

SEC504 focuses on helping students to understand criminals' strategies, techniques and tactics. It explores how to find vulnerabilities, and delves into creating a comprehensive incident-handling plan.

FOR500 looks at forensic analysis of the Windows operating system. The world's most popular operating system silently records a mountain of data. Students are taught how to recover, analyse and authenticate this data.

SANS Advanced DFIR Courses

SANS FOR508 teaches students about the computer security and forensics tools and techniques necessary to master advanced incident response. Students learn how to investigate breaches, spot rogue-employees (no matter how savvy), and counter APTs. The course uses the SIFT workstation.

FOR518 equips students with the skills, knowledge and experience necessary to take on a Mac forensic case. The course is ideal for Windows based investigators who want to broaden their skill base.

Our FOR572 course covers the most critical skills needed to mount an efficient and effective investigation into a breach. No matter how sophisticated an attacker, there's always a way to spot and stop them.

Most employees have a smartphone and it can be a prime source of digital evidence. FOR585 teaches the real-live, hands on skills needed to tackle cases.

Incident response teams, like all teams, need managing. MGT535 explores writing and evaluating procedures - against the backdrop of cybercrime's increasing complexity.

During an attack, organisations need a sharp incident response process - backed up with intelligence. FOR578 has been created to invest defenders with the skills needed to spot exploits, scope situations, and respond firmly, even when faced with highly targeted attacks.

SEC503 delivers the insight, technical knowhow and hands-on skills needed to be a confident network defender.

Along with networks, smartphones provide attackers with points of entry and weaknesses to exploit. FOR585 focuses on smartphones as a source of invaluable forensic evidence.

SANS Specialist DFIR Courses

  • FOR610 focuses on reverse engineering Windows Malware with the aim of gathering forensic intelligence. Students learn how to turn malware inside out.
  • FOR526 teaches students how to understand and analyse captured memory images. The course invests pupils with an in-depth understanding, and exposes them to the industry's most powerful open source memory analysis tools.

Select a Training Course from the list below or read our FAQs here.

DFIR Curriculum
Course Certification
Level 1 SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling GCIH
FOR500: Windows Forensic Analysis GCFE
MGT535: Incident Response Team Management
Level 2 FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting GCFA
FOR518: Mac Forensic Analysis
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response GNFA
FOR578: Cyber Threat Intelligence GCTI
FOR585: Advanced Smartphone Forensics GASF
Level 3 FOR526: Memory Forensics In-Depth
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques GREM

Training Events Offering DFIR Courses
Event Dates Register
SANS London March 2018 Mar 05 - Mar 10, 2018  
SANS Paris March 2018 Mar 12 - Mar 17, 2018  
SANS Munich March 2018 Mar 19 - Mar 24, 2018  
SANS Abu Dhabi 2018 Apr 07 - Apr 12, 2018  
SANS Zurich 2018 Apr 16 - Apr 21, 2018  
SANS London April 2018 Apr 16 - Apr 21, 2018  
SANS Riyadh April 2018 Apr 28 - May 03, 2018  
SANS Amsterdam May 2018 May 28 - Jun 02, 2018  
SANS London June 2018 Jun 04 - Jun 12, 2018  
SANS Milan June 2018 Jun 11 - Jun 16, 2018  
SANS Oslo June 2018 Jun 18 - Jun 23, 2018  
SANS Paris June 2018 Jun 25 - Jun 30, 2018  
SANS London July 2018 Jul 02 - Jul 07, 2018  
SANS Pen Test Berlin 2018 Jul 23 - Jul 28, 2018  
SANS Krakow 2018 Aug 20 - Aug 25, 2018  
SANS Amsterdam September 2018 Sep 03 - Sep 08, 2018  
SANS Munich September 2018 Sep 16 - Sep 22, 2018  
SANS London September 2018 Sep 17 - Sep 22, 2018  
Online Training: SANS OnDemand
Private Training
Event Dates Register
Private Training Course of Your Choice Your Choice