SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
FOR498: Digital Acquisition and Rapid Triage
FOR498Digital Forensics and Incident Response
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Kevin Ripa & Eric Zimmerman
Course created by:Kevin Ripa & Eric Zimmerman
- GIAC Battlefield Forensics and Acquisition (GBFA)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Essential Skill Level
Course material is for individuals with an understanding of IT or cyber security concepts
- 20 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Gain essential skills in digital forensic acquisition and rapid triage. Learn to collect and preserve data from diverse sources and then rapidly extract actionable intelligence.
Featured Quote
FOR498 is an excellent course! I learned a lot of new skills that I can't wait to develop further, and Kevin Ripa did an outstanding job delivering the content and making it interesting. His personal stories and examples kept the course engaging and rooted in reality.
Course Overview
A digital forensic acquisition training course, FOR498 provides the skills to identify the many and varied data storage mediums in use today, and how to collect and preserve this data in a forensically sound manner despite how and where it may be stored. This forensics data collection course covers digital acquisition from computers, portable devices, networks, and the cloud, and teaches rapid triage—the art and science of identifying and starting to extract actionable intelligence from a hard drive in 90 minutes or less.
What You’ll Learn
- Collect data from PCs, Macs, tablets, smartphones, RAM, virtual machines, and cloud environments
- Perform evidence acquisition while maintaining forensic soundness and chain of custody
- Execute rapid triage workflows to generate actionable intelligence in 90 minutes or less
- Capture volatile data and memory from live systems during active investigations
- Manage scenes efficiently to preserve and prioritize critical data
- Acquire evidence from enterprise environments including Exchange, SharePoint, and network repositories
- Utilize industry-standard open-source tools and SANS-provided environments for hands-on collection and analysis
Business Takeaways
- Preserve digital evidence effectively to support regulatory, legal, and internal investigations
- Accelerate incident response with rapid data triage and reduced analysis time
- Confidently operate across diverse platforms, storage types, and user environments
- Improve collaboration between technical teams, investigators, and legal stakeholders
- Prevent data loss or mishandling during high-pressure incidents
- Reduce dependency on external digital forensics resources by building in-house capability
- Stay current with evolving acquisition challenges across cloud, mobile, and large-scale storage systems
Meet Your Authors
- Slide 1 of 2
Kevin Ripa
Senior InstructorKevin Ripa has transformed the global cybersecurity landscape through decades of frontline digital forensics, assisting law enforcement, governments, and Fortune 500 companies in unraveling sophisticated cyberattacks and nation-state threats.
Read more about Kevin Ripa - Slide 2 of 2
Eric Zimmerman
Principal InstructorEric has redefined digital forensics with open-source tools like KAPE, now global standards for cybercrime investigations. He has directly enabled faster evidence analysis, rescued exploited children, and set new benchmarks in forensic response.
Read more about Eric Zimmerman
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR498: Digital Acquisition and Rapid Triage.
Section 1Scene Prep, Management, and Storage Interfaces
Section one emphasizes the importance of proper digital evidence collection. We introduce foundational forensic concepts, tools, and procedures, including evidence handling, scene management, and file systems. We also highlight the need for proper training to ensure data integrity in high-pressure investigative environments.
Topics covered
- Introduction to SIFT and Digital Forensic Acquisition
- Understanding the Data
- Scene Management and Evidence Acquisition
- Device and Interface Identification
Labs
- DFIR Workstation Installation
- Converting an E01 into a Bootable VM
- Interface Identification and BIOS/UEFI
Section 2Portable Devices and Acquisition Processes
Section two focuses on acquiring data from portable devices and enterprise systems, emphasizing proper handling. It covers smartphone analysis, write blocking, and efficient evidence collection across diverse storage types. We will also explore myriad acquisition hardware and software, adapters, and identification for data-informed decision making.
Topics covered
- Smartphone Acquisition and Analysis
- Android
- Acquisition Hardware and Software
- Acquisition Methodology
- Discovering and Interacting with Data
Labs
- Portable Device Acquisition and Analysis
- Hard Drive Wiping and Formatting
- Write Blocking Methodologies
- Preparing the Analyst Machine
- Using Timeline Explorer
Section 3Triage and Data Acquisition
Section three covers "Quick Win Forensics," focusing on rapidly identifying and acquiring key evidence through live response, memory capture, and triage techniques. It emphasizes speed and efficiency, especially in cases involving encryption or file-less malware.
Topics covered
- Beginning the Collection Process
- Mounting Evidence and Triage Acquisition
- Memory Acquisition and Encryption Checking
- Host-Based Live Acquisition
- Dead Box Acquisition
Labs
- Mounting Evidence
- Triage Acquisition
- RAM Acquisition and Encrypted Media
- Host Based Live Acquisition
- Dead Box Acquisition
Section 4Non-Traditional and Cloud Acquisition
This section covers acquiring data from non-traditional and cloud storage, using tools like KAPE for rapid triage and remote collection. It prepares investigators to quickly access critical evidence from complex modern systems like RAID, Volume Shadow Copies, and cloud services.
Topics covered
- File Systems Revisited
- Battlefield Forensics with KAPE
- Multi-Drive Storage
- EMC/Non-traditional Formats
- Remote Acquisition
Labs
- Volume Shadow Copy Acquisition
- Using the KAPE Tool for Battlefield Forensics
- Network Acquisition
Section 5Apple Acquisition and Internet of Things
This section focuses on the unique challenges of acquiring data from Apple devices and the Internet of Things (IoT). It covers macOS-specific tools, encryption hurdles, and alternative imaging methods due to hardware constraints. The section also teaches how to analyze IoT device communication and collect related network traffic for forensic purposes.
Topics covered
- Apple MacOS Device Overview and Acquisition
- Internet of Things (IoT)
Labs
- PCAP Collection
- PCAP Graphical Tools
- PCAP Command Line Tools
Section 6Beyond the Forensic Tools: The Deeper Dive
Section six focuses on online attribution and advanced data recovery techniques when traditional tools fall short. It covers tracing digital artifacts to their sources, legal considerations, and the use of file and stream carving to recover deleted or corrupted data. Emphasis is placed on understanding tool limitations and applying manual recovery methods.
Topics covered
- Identifying Online Asset Ownership
- File and Stream Recovery
- Advanced Data Carving and Rebuilding
- Where Do We Go From Here
Labs
- Online Attribution
- Data and Stream Carving
- Data Rebuilding
Things You Need To Know
Relevant Job Roles
Insider Threat Analysis
NICE: Protection and DefenseResponsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
Explore learning pathDigital Forensics Analyst
Digital Forensics and Incident ResponseThis expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.
Explore learning pathDigital Forensics (OPM 212)
NICE: Protection and DefenseResponsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
Explore learning pathCybercrime Investigation (OPM 221)
NICE: InvestigationResponsible for investigating cyberspace intrusion incidents and crimes. Applies tactics, techniques, and procedures for a full range of investigative tools and processes and appropriately balances the benefits of prosecution versus intelligence gathering.
Explore learning pathMilitary Operations / Law Enforcement Agents
Digital Forensics and Incident ResponseExecute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Explore learning pathDigital Evidence Analysis (OPM 211)
NICE: InvestigationResponsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Kevin RipaDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Prague, CZ & Virtual (live)
Instructed by Jason JordaanDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes - Location & instructor
Coral Gables, FL, US & Virtual (live)
Instructed by Eric ZimmermanDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Orlando, FL, US & Virtual (live)
Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
Showing 4 of 4
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4In DFIR, things rarely go as planned. This course teaches you about the options to control when things aren't working as expected.
- Slide 2 of 4FOR498 provided information I can take back to my company and begin using immediately. It will be very easy to show leadership the ROI on this course.
- Slide 3 of 4I've said it a few times, but this is the most robust digital acquisition course I have taken for overall content covered when it comes to methods and tools. I took this course mainly to learn how to do MacBook Acquisitions, but I've learned so much more already. It just goes to show how there's always more to learn in digital forensics and I appreciate a course that points out my weaknesses to me in a non-vendor specific way.
- Slide 4 of 4It's not easy to get exposure to forensics tools and methodology. This is a great class for someone already in the field trying to expand their knowledge. SANS is a well-known and trusted organization. With so many options to choose from and limited time, it's a huge benefit to go straight to a trusted source to get what you need.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources