SANS Digital Forensics and Incident Response Blog

New Forensic Courses Offered at SANSFIRE 2009

Dear SANS Forensic Blog Reader,

My name is Rob Lee and I am the lead author and faculty fellow for the popular computer forensic course offered here at SANS: SEC508, Computer Forensics, Investigation, and Response. In addition to the new SANS Forensic website at , I have been working to expand the digital forensic training offerings that SANS provides for both new and seasoned digital forensic and incident response professionals. It is with great pleasure that I am able to introduce you to three new courses that are launching at SANSFIRE 2009.

The new courses launching at SANSFIRE 2009:

SEC408 Forensic and E-Discovery Forensics

SEC408 -> Written for individuals who are new to computer forensics, this course focuses on the essentials that a forensic investigator must know to investigate core computer crime incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation. This course covers the fundamental steps of the traditional computer forensic methodology so that each student will have the initial qualifications to work as an investigator in the field helping solve cases and fight crime.

This course is written by SEC508 Computer Forensics, Investigation, and Response author/instructor Rob Lee as an introductory forensic course that, together with SEC508, forms a full forensic curriculum for SANS. SEC408 and SEC508 will not overlap; one course will flow right into the other. SEC408 will use EnCase and FTK as the primary tools, focusing on traditional crimes that can be solved with computer forensics.

SEC508 will slightly shift its focus to target more technically savvy criminals and push investigators' skills to handle difficult cases, in addition to continuing to teach the fundamentals of filesystem forensics.

SEC558 Network Forensics

SEC558 -> Network equipment such as web proxies, firewalls, IDS, and routers often contains evidence that can make or break a case. In this class, law enforcement and information security professionals will learn how to recover evidence from network-based devices in order to facilitate investigations and build stronger cases. Through hands-on exercises, students will learn to collect evidence from many network-based devices, including switches, routers, web proxies, firewalls, and central logging servers. By capturing evidence from these devices, investigators can recover evidence that never existed on endpoint hard drives.

SEC606: Data Recovery Forensics

SEC606 -> Dead hard drives, damaged hard drives, corrupt file systems: if you have dealt with any of these scenarios, or have ever sent a hard drive out to a data recovery company, then this is the class for you. Data recovery techniques are often enshrouded in a cloud of mystery called trade secrets. We will teach content from the professional data recovery world, merging it with practice from the forensics world, allowing you to maintain best evidence and recover the content you need. Every forensics or data recovery specialist needs to know the information that is taught in this class!

Now, more than ever, it is necessary for the Information Security, Legal, and Government/Law Enforcement/Intelligence Communities to know and understand how to respond effectively to digital crimes. Looking forward to seeing you at SANSFIRE 2009.

Best, Rob Lee

Forensic Curriculum Lead/Faculty Fellow