Training
Featured CourseView All Courses

SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

SEC595Cyber Defense, Artificial Intelligence
SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
View course detailsRegister
Get a Free Hour of SANS Training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
NEW - AI Security Training
Can't find what you are looking for?

Let us help.

Contact us
Free Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

Customer Case Studies

Discover how organizations and individual cyber practitioners use SANS training and GIAC certifications

AI Risk & Readiness

Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Contact Sales
Contact Sales

Digital Forensics and Incident Response Training

Digital Forensics and Incident Response (DFIR) is essential to understand how intrusions occur, uncover malicious behavior, explain exactly “what happened”, and restore integrity across digital environments. DFIR combines cybersecurity, threat hunting, and investigative techniques to identify, analyze, respond to, and proactively hunt cyber threats and criminal activity.

Digital Forensics, Incident Response & Threat Hunting Training
Jump to:

Investigate, Analyze, Respond, and Hunt Proactively, with Confidence

DFIR is about more than just cyberattacks—it’s about uncovering the truth behind any digital incident. Whether you’re responding to a ransomware breach, investigating insider abuse, analyzing digital evidence in criminal cases, or even performing proactive compromise assessments, SANS Digital Forensics and Incident Response training, designed by real-world practitioners, equips professionals with the technical skills and an investigative mindset to follow the evidence wherever it leads.

From intrusion response to deep-dive forensic analysis of systems, mobile devices, cloud, and memory, our curriculum balances the needs of both security operations and criminal investigations.

What You'll Learn

Digital Forensics

Master evidence collection, timeline analysis, and media exploitation by extracting and analyzing hidden artifacts, reconstructing user activity, and uncovering critical evidence in investigations.

Threat Hunting, Ransomware & Threat Intelligence

Develop proactive techniques to uncover hidden threats, analyze ransomware tactics, and utilize intelligence to anticipate and counter cyber threats.

Malware Analysis, Memory Forensics & Underground Investigations

Examine malicious code, analyze volatile memory, and investigate cybercriminal activity to understand attacker techniques and enhance detection.

Student Insights

SANS DFIR offers the ultimate in quality instruction and thoughtful curriculum development. I learned so much this week and can't wait to review and apply what I learned. I hope all my coworkers will get a chance to experience this quality of training.
Gabrielle S.U.S. Federal Agency

Featured Courses

View All Courses
  • Slide 1 of 12

    FOR498: Digital Acquisition and Rapid Triage

    Essentials
    FOR498Digital Forensics and Incident Response
    FOR498: Digital Acquisition and Rapid Triage
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 2 of 12

    FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

    Advanced
    FOR572Digital Forensics and Incident Response
    FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 3 of 12

    FOR585: Smartphone Forensic Analysis In-Depth

    MAJOR UPDATES
    AI SKILLS
    Essentials
    FOR585Digital Forensics and Incident Response
    FOR585: Smartphone Forensic Analysis In-Depth
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 22 Hands-On Labs

    View course detailsRegister
  • Slide 4 of 12

    FOR528: Ransomware and Cyber Extortion

    Intermediate
    FOR528Digital Forensics and Incident Response
    FOR528: Ransomware and Cyber Extortion
    • 4 Days (Instructor-Led)
    • 24 CPEs / 24 Hours (Self-Paced)
    • Labs: 13 Hands-On Labs

    View course detailsRegister
  • Slide 5 of 12

    FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

    UPDATED
    Intermediate
    FOR508Digital Forensics and Incident Response
    FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 35 Hands-On Labs

    View course detailsRegister
  • Slide 6 of 12

    FOR500: Windows Forensic Analysis

    UPDATED
    Essentials
    FOR500Digital Forensics and Incident Response
    FOR500: Windows Forensic Analysis
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 22 Hands-On Labs

    View course detailsRegister
  • Slide 7 of 12

    FOR578: Cyber Threat Intelligence

    MAJOR UPDATES
    Intermediate
    FOR578Digital Forensics and Incident Response
    FOR578: Cyber Threat Intelligence
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 8 of 12

    FOR518: Mac and iOS Forensic Analysis and Incident Response

    UPDATED
    Intermediate
    FOR518Digital Forensics and Incident Response
    FOR518: Mac and iOS Forensic Analysis and Incident Response
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 23 Hands-On Labs

    View course detailsRegister
  • Slide 9 of 12

    FOR509: Enterprise Cloud Forensics and Incident Response

    MAJOR UPDATES
    Intermediate
    FOR509Digital Forensics and Incident Response
    FOR509: Enterprise Cloud Forensics and Incident Response
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 23 Hands-On Labs

    View course detailsRegister
  • Slide 10 of 12

    FOR563: Applied AI for Digital Forensics and Incident Response: Leveraging Local Large Language Models

    NEW
    AI-FOCUSED
    Intermediate
    FOR563Digital Forensics and Incident Response, Artificial Intelligence
    FOR509: Enterprise Cloud Forensics and Incident Response
    • 1 Day (Instructor-Led)
    • 6 CPEs / 6 Hours (Self-Paced)
    • Labs: 4 Hands-On Labs

    View course detailsRegister
  • Slide 11 of 12

    FOR577: LINUX Incident Response and Threat Hunting

    Intermediate
    FOR577Digital Forensics and Incident Response
    FOR577: LINUX Incident Response and Threat Hunting
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 23 Hands-On Labs

    View course detailsRegister
  • Slide 12 of 12

    FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

    Advanced
    FOR610Digital Forensics and Incident Response
    FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 48 Hands-On Labs

    View course detailsRegister
View All Courses

Meet Your Experts

Steve Anson

Steve Anson

Co-Founder

Steve has transformed global cybersecurity by leading complex digital crime investigations for the FBI and DoD, and by training national cyber units in over 60 countries. His work has set the global standard for incident response and threat hunting.

Learn more
Heather Barnhart

Heather Barnhart

DFIR Curriculum Lead and Head of Faculty

Heather brings 24+ years of experience supporting government agencies, defense contractors, law enforcement, and Fortune 500 companies. Her extensive case experience spans fraud investigations, crimes against children, counterterrorism, and more.

Learn more
Ovie Carroll

Ovie Carroll

Director

For Ovie Carroll, digital forensics is all about the hunt for evidence in digital places that are hiding critical clues, followed by deep analysis to prove something that the evidence was never intended to prove.

Learn more
David Cowen

David Cowen

Vice President

David brings 25+ years in cybersecurity, shifting from pen testing to DFIR in 1999. He’s VP at Charles River Associates, a SANS instructor and course author, and Red Team Captain for the National Collegiate Cyber Defense Competition.

Learn more
Sarah Edwards

Sarah Edwards

Head Of DFIR

Sarah Edwards is a pioneering force in Apple forensics, having revolutionized the field through the creation of APOLLO—an open-source tool that deciphers macOS and iOS pattern-of-life data.

Learn more
Phil Hagen

Phil Hagen

Principal Information Security Researcher

Phil Hagen shaped network forensics with SOF-ELK® and SANS FOR572, setting standards in large-scale log analysis and response. His role in exposing a global fraud ring behind hundreds of millions in losses defines his lasting impact on cybersecurity.

Learn more

Explore Careers Within Digital Forensics

Threat Hunter

Digital Forensics and Incident ResponseExplore learning path

Digital Forensics Analyst

Digital Forensics and Incident ResponseExplore learning path

Malware Analyst

Digital Forensics and Incident ResponseExplore learning path

Incident Response Team Member

Digital Forensics and Incident ResponseExplore learning path

Media Exploitation Analyst

Digital Forensics and Incident ResponseExplore learning path

Military Operations/Law Enforcement Agents

Digital Forensics and Incident ResponseExplore learning path

Intrusion Detection/SOC Analysts

Digital Forensics and Incident ResponseExplore learning path

Cybersecurity Analyst/Engineer

Cyber DefenseExplore learning path

SANS Law Enforcement Appreciation Programs (LEAP)

SANS is proud to support State, Provincial, and Local Law Enforcement and the badged professionals behind them, especially those experiencing hardship funding their training efforts. To support these professionals in their quest to keep our communities safe, there are two promotional programs that can offer significant flexibility toward SANS courses.

Learn More
Two Police Officers Smiling

Upcoming Webinars

DFIR Insights From The Experts

SANS DFIR Europe Summit and Training 2026

SANS DFIR Europe Summit and Training 2026 delivers cutting-edge, hands-on cybersecurity training led by top digital forensics and incident response experts. Join us live in beautiful Prague or attend virtually from anywhere.

Event
Prague, Bridge
More Insights

Incident Response Is Becoming More Complex – Even for Experienced DFIR Teams

Modern incidents unfold faster and span more systems than ever before. Evidence arrives out of sequence, attacks move between cloud and endpoint environments in minutes, and early missteps can derail an investigation before scope and intent are clear. 

Explore expert insights and resources on where incident response breaks down, and how experienced DFIR teams maintain focus, coordination, and investigative discipline under pressure. 

Explore Incident Response Resources
Stylized Woman Working on Computer

Frequently Asked Questions