
Digital Forensic & Incident Response (DFIR) Courses

SANS cyber forensics courses help organisations protect their people, products and profits from digital criminals. For over a quarter of a century we've trained computer security and forensics professionals who work for some of the world's largest corporations. Here's why SANS computer forensics and security training is so respected:

  • Focussed on protection - SANS DFIR Courses teach the skills needed to detect cutting-edge threats and implement the correct responses to them.
  • An extensive curriculum - SANS offers beginner, specialist and advanced DFIR Courses.
  • Top-flight Instructors - Our Instructors are highly ranked DFIR professionals who work in the field.
  • Updated contents - SANS refreshes and reviews all of its training content to ensure it aligns with the latest and most dangerous digital threats.
  • A wealth of courseware - DFIR students receive a library of textbooks and, depending upon the course studied, software and hardware resources to help them deploy new skills.
  • Flexibility - Students can take DFIR training in a classroom, online or privately.

SANS trains computer forensics and security personnel who work for government departments, global enterprises and military bodies. Our Digital Forensic and Incident Response training Curriculum is designed to help organisations investigate and respond to breaches quickly and effectively.


Why SANS' DFIR Training?


Putting aside their technical pedigree, SANS Instructors are highly skilled teachers. SANS Cyber Forensics Courses are built around lab work, simulations, war games and capture the flag exercises.


Depending upon the DFIR course taken, students could receive:

  • Textbooks - Textbooks are regularly re-written by security experts to ensure they address the latest technologies and challenges.
  • SIFT Workstation - SANS Investigation Forensics Toolkit is an industry leading toolset designed to aid investigators. It contains over 150 commercial, open source and freeware DFIR tools, all in one environment.
  • Software licences - While many of the tools we teach about are open source, some are commercial. If we can't supply a full licence we'll supply a trial version.
  • CRU WiebeTech UltraDock - This device is used by technicians, investigators and lawyers who need to evaluate and safely copy disks.
  • Windows 8.1 Licence - We'll supply the operating system required to run - virtually or natively - the suite of tools explored in class.
  • Extra learning resources - SANS produce an array of cheat sheets and posters, all created to speed up the learning process.

Training Delivery

SANS understands that training isn't a one-size-fits-all business. Our Training Events take place in a classroom environment, face to face with a SANS Instructor. Attend and be in with a chance of winning a DFIR Coin.

Our OnDemand service is an electronic learning system that lets students access SANS' Training Courses from a laptop or tablet.

For businesses with over 25 students, we can arrange for SANS' Training to be delivered internally, in a HQ or training space. This mode of training is called Private Training.

Read what students say on our Testimonials page.

Digital Forensics and Incident Response

GIAC Certification

Many SANS Cyber Forensics Courses are aligned with GIAC Certifications. GIAC Certification proves indelibly that a holder possesses the very sharpest cyber security skills. As a body, GIAC is recognised globally. GIAC Certification is a respected way to enhance career prospects and promotion opportunities.


Our Digital Forensics and Incident Response Training Courses fall into three categories: Core, Advanced, and Specialist.

SANS Core DFIR Courses

SEC401 is SANS' most popular course. It provides a boot-camp style introduction to computer security and forensics essentials, affording a solid foundation upon which to build a DFIR career.

SEC504 focuses on helping students to understand criminals' strategies, techniques and tactics. It explores how to find vulnerabilities, and delves into creating a comprehensive incident-handling plan.

FOR500 looks at forensic analysis of the Windows operating system. The world's most popular operating system silently records a mountain of data. Students are taught how to recover, analyse and authenticate this data.

SANS Advanced DFIR Courses

SANS FOR508 teaches students about the computer security and forensics tools and techniques necessary to master advanced incident response. Students learn how to investigate breaches, spot rogue employees (no matter how savvy), and counter APTs. The course uses the SIFT workstation.

FOR518 equips students with the skills, knowledge and experience necessary to take on a Mac forensic case. The course is ideal for Windows based investigators who want to broaden their skill base.

Our FOR572 course covers the most critical skills needed to mount an efficient and effective investigation into a breach. No matter how sophisticated an attacker, there's always a way to spot and stop them.

Most employees have a smartphone and it can be a prime source of digital evidence. FOR585 teaches the real-life, hands-on skills needed to tackle cases.

Incident response teams, like all teams, need managing. MGT535 explores writing and evaluating procedures - against the backdrop of cybercrime's increasing complexity.

During an attack, organisations need a sharp incident response process - backed up with intelligence. FOR578 has been created to invest defenders with the skills needed to spot exploits, scope situations, and respond firmly, even when faced with highly targeted attacks.

SEC503 delivers the insight, technical knowhow and hands-on skills needed to be a confident network defender.

Along with networks, smartphones provide attackers with points of entry and weaknesses to exploit. FOR585 focuses on smartphones as a source of invaluable forensic evidence.

SANS Specialist DFIR Courses

  • FOR610 focuses on reverse engineering Windows Malware with the aim of gathering forensic intelligence. Students learn how to turn malware inside out.
  • FOR526 teaches students how to understand and analyse captured memory images. The course invests pupils with an in-depth understanding, and exposes them to the industry's most powerful open source memory analysis tools.

Select a Training Course from the list below or read our FAQs here.

DFIR Curriculum

Course - Certification

Level 1

  • SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling - GCIH
  • FOR500: Windows Forensic Analysis - GCFE
  • MGT535: Incident Response Team Management

Level 2

  • FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics - GCFA
  • FOR518: Mac and iOS Forensic Analysis and Incident Response
  • FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response - GNFA
  • FOR578: Cyber Threat Intelligence - GCTI
  • FOR585: Smartphone Forensic Analysis In-Depth - GASF

Level 3

  • FOR526: Advanced Memory Forensics & Threat Detection
  • FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - GREM

Training Events Offering DFIR Courses
Event Dates Register
SANS Muscat April 2019 Apr 27 - May 02, 2019  
SANS Stockholm May 2019 May 13 - May 18, 2019  
SANS Milan May 2019 May 13 - May 18, 2019  
SANS Dublin May 2019 May 13 - May 18, 2019  
SANS Amsterdam May 2019 May 20 - May 25, 2019  
SANS Krakow May 2019 May 27 - Jun 01, 2019  
SANS London June 2019 Jun 03 - Jun 08, 2019  
SANS Zurich June 2019 Jun 03 - Jun 08, 2019  
SANS Paris July 2019 Jul 01 - Jul 06, 2019  
SANS Munich July 2019 Jul 01 - Jul 06, 2019  
SANS London July 2019 Jul 08 - Jul 13, 2019  
SANS Pen Test Hackfest Europe 2019 Jul 22 - Jul 28, 2019  
SANS London August 2019 Aug 05 - Aug 10, 2019  
SANS Prague August 2019 Aug 12 - Aug 17, 2019  
SANS Amsterdam August 2019 Aug 19 - Aug 24, 2019  
SANS Copenhagen August 2019 Aug 26 - Aug 31, 2019  
SANS Munich September 2019 Sep 02 - Sep 07, 2019  
SANS Brussels September 2019 Sep 02 - Sep 07, 2019  
SANS Paris September 2019 Sep 16 - Sep 21, 2019  
SANS Rome September 2019 Sep 16 - Sep 21, 2019  
SANS Bahrain September 2019 Sep 21 - Sep 26, 2019  
SANS London September 2019 Sep 23 - Sep 28, 2019  
SANS Kuwait September 2019 Sep 28 - Oct 03, 2019  
SANS DFIR Prague 2019 Sep 30 - Oct 06, 2019  
SANS Cardiff September 2019 Sep 30 - Oct 05, 2019  
SANS Lisbon October 2019 Oct 07 - Oct 12, 2019  
SANS Doha October 2019 Oct 12 - Oct 17, 2019  
SANS London October 2019 Oct 14 - Oct 19, 2019  
SANS SEC504 Madrid October 2019 (in Spanish) Oct 14 - Oct 19, 2019  
SANS Amsterdam October 2019 Oct 28 - Nov 02, 2019  
SANS Paris November 2019 Nov 04 - Nov 09, 2019  
SANS London November 2019 Nov 11 - Nov 16, 2019  
SANS Gulf Region 2019 Nov 16 - Nov 28, 2019  
SANS Munich November 2019 Nov 18 - Nov 23, 2019  
SANS Paris December 2019 Dec 02 - Dec 07, 2019  
SANS Frankfurt December 2019 Dec 09 - Dec 14, 2019  
Online Training: SANS OnDemand
Private Training
Event Dates Register
Private Training Course of Your Choice Your Choice