Major updates

FOR589: Cybercrime Investigations

FOR589 (Digital Forensics and Incident Response)
  • 5 Days (Instructor-Led)
  • 30 Hours (Self-Paced)
Course created by:
Conan Beach, Sean O'Connor & Will Thomas
FOR589: Cybercrime Intelligence
  • 30 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Intermediate Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 20 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Learn how to investigate cybercrime from end to end — uncover attacker tactics, trace financial activity, and analyze digital evidence to support attribution and incident response.

Course Overview

Today’s dynamic cybercrime ecosystem continuously lowers the barriers for novice criminals to collaborate with more sophisticated actors. FOR589 Cybercrime Investigations offers a comprehensive exploration of the cybercrime underground, detailing a broad spectrum of tactics and techniques used by cybercriminals to target organizations. This cybercrime training course includes over twenty hands-on labs and a final capstone exercise, equipping analysts with the skills necessary to enhance their organization's defenses, proactively gather critical intelligence, trace cryptocurrency proceeds linked to crime, and generate actionable insights.

What You’ll Learn

  • Adapt traditional investigative methods to the cyber domain and uncover risks specific to your organization
  • Investigate dark web marketplaces, forums, and threat actor communications
  • Separate actionable leads from background noise to drive informed, evidence-based decisions
  • Translate investigative goals into structured collection and case development plans
  • Build and manage covert personas to safely access underground communities and collect evidence
  • Trace cryptocurrency transactions to uncover threat actors, affiliates, and laundering
  • Vet sources and communities for credibility and access to support investigative objectives

Business Takeaways

  • Bridge cybercrime and crypto crime knowledge gaps across investigative teams
  • Enhance fraud, incident response, and CTI capabilities with specialized cybercrime expertise
  • Detect and investigate emerging threats and actors before attacks escalate
  • Build proactive alerts and detection based on criminal behavior and underground trends
  • Track threat actors through malware, access, affiliate activity, and crypto/infrastructure analysis
  • Deliver tailored, actionable insights to support strategic decisions and improve attribution

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in FOR589: Cybercrime Intelligence.

Section 1: Cybercriminal Intelligence

This section covers the intelligence lifecycle in cybercrime investigations, emphasizing structured methods for threat profiling, persona management, and secure data collection from underground sources. Students will learn to turn fragmented data into actionable intelligence to support investigations and strategic decisions.

Topics covered

  • Intelligence basics & structured analysis
  • Collection planning for cybercrime
  • Cyberattack profiling frameworks
  • OPSEC & defense-in-depth
  • Persona & sock puppet management

Labs

  • Set up VM & test OPSEC
  • Track actors via breach data
  • Manage long-term sock puppets
  • Link analysis with Maltego
  • Create secure crypto wallets

Section 2: Cryptocurrency Investigations

This section teaches students to trace illicit cryptocurrency activity using blockchain analytics and attribution techniques. Through real-world case studies, students will learn to follow laundering tactics, cluster wallets, and use OSINT and off-chain data to link transactions to threat actors, aiding in investigations and asset recovery.

Topics covered

  • Blockchain tracing fundamentals
  • UTXO vs. account models
  • Wallet clustering and heuristics
  • Obfuscation: mixers, CoinJoins, hopping
  • Attribution via OSINT and KYC

Labs

  • Study Genesis Block and UTXO
  • Analyze Twitter crypto scam wallets
  • Trace bulletproof host crypto flows
  • Follow Bitfinex laundering patterns
  • Track Colonial Pipeline ransom trail

Section 3: Cybercrime Underground

In this section, students learn how to safely navigate and investigate cybercriminal communities across surface, deep, and dark web environments. Uncover how forums, leak sites, messaging platforms, and infrastructure tie together into a functional underground economy—and how adversaries interact to buy, sell, and monetize access, data, and capabilities.

Topics covered

  • Profile forums, markets, and apps
  • Understand cybercriminal roles and groups
  • Investigate infrastructure via profiling
  • Identify victims across sources
  • Map threats with ATT&CK, Diamond

Labs

  • Identify forums, markets, leak sites
  • Pivot on infrastructure with OSINT
  • Build actor dossiers from forums
  • Map tools with ATT&CK and OSINT
  • Investigate real ransomware campaigns

Section 4: Undercover Operations

In this section, students will learn how to infiltrate gated criminal communities, build credible personas, and collect human intelligence (HUMINT) directly from threat actors. You’ll explore both manual and automated approaches to collecting data, from eliciting adversaries through social engineering to scraping dark web content at scale.

Topics covered

  • HUMINT: spot, assess, profile
  • Social engineering in investigations
  • Automate dark web scraping
  • Analyze trends with Kibana
  • Attribute and disrupt threat actors

Labs

  • Create sock puppet for access
  • Map forum rules, key actors
  • Scrape via Tor, analyze in Kibana
  • Profile actors with targeting frameworks
  • Use HUMINT to assess adversaries

Section 5: Capstone Exercise

The final day of FOR589 is a capstone challenge that focuses on launching an investigation. Students engage in a fun and meaningful exercise that brings together various components of the entire course. The capstone will reinforce the principles taught via a simulated scenario that enables students to practice implementing their newly learned skills.

Things You Need To Know

Relevant Job Roles

Insider Threat Analysis

NICE: Protection and Defense

Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.

Digital Forensics (OPM 212)

NICE: Protection and Defense

Responsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.

Course Schedule & Pricing

  • Location & instructor

    Virtual (OnDemand)

    Instructed by Sean O'Connor
    Date & Time
    OnDemand (Anytime), Self-Paced, 4 months access
    Course price
    $8,260 USD (prices exclude applicable local taxes). Buy now for access on Aug 6. Use code Presale10 for 10% off course price!
  • Location & instructor

    Salt Lake City, UT, US & Virtual (live)

    Instructed by Kevin Ripa & Sean O'Connor
    Course price
    $8,260 USD (prices exclude applicable local taxes)
  • Location & instructor

    Singapore, SG & Virtual (live)

    Instructed by Kevin Ripa
    Course price
    $8,375 USD (prices exclude applicable local taxes)
  • Location & instructor

    Virginia Beach, VA, US & Virtual (live)

    Instructed by Conan Beach
    Course price
    $8,260 USD (prices exclude applicable local taxes)
  • Location & instructor

    Virginia Beach, VA, US & Virtual (live)

    Instructed by Conan Beach
    Course price
    $8,260 USD (prices exclude applicable local taxes)
  • Location & instructor

    Tokyo, JP & Virtual (live)

    Instructed by Kevin Ripa
    Course price
    $8,375 USD (prices exclude applicable local taxes)
  • Location & instructor

    Sydney, NSW, AU & Virtual (live)

    Instructed by Kevin Ripa
    Course price
    A$12,560 AUD (prices exclude applicable local taxes)
  • Location & instructor

    Las Vegas, NV, US & Virtual (live)

    Instructed by Conan Beach
    Course price
    $8,260 USD (prices exclude applicable local taxes)

Benefits of Learning with SANS

Get feedback from the world’s best cybersecurity experts and instructors

Choose how you want to learn - online, on demand, or at our live in-person training events

Get access to our range of industry-leading courses and resources