SANS Digital Forensics and Incident Response Blog

FOR408: Windows Forensic Analysis has been renumbered to FOR500: Windows Forensic Analysis



The FOR408: Windows Forensic Analysis course was renumbered to FOR500: Windows Forensic Analysis. SANS renumbered the course to better reflect the course's intermediate-level material. The content of the course will remain basically the same, although it will be constantly updated to reflect changes in the field.



Why change the course number?
FOR500/FOR408 is an intermediate-level Windows forensics course that skips over the introductory material of digital forensics. This class does not include basic digital forensic analysis concepts. FOR500/FOR408 focuses entirely on in-depth, tool-agnostic analysis of the Windows operating system and artifacts. The course has been at the intermediate skill level since 2013 and a course number change to the 5 level reflects this content more accurately. The course is vigorously updated each year. The change in the course number was timed to coincide with the regularly scheduled update of the course in the Spring of 2017. SANS courses are updated as frequently as possible as part of our efforts to keep teaching material hyper-current and relevant for leading-edge problem solving.

What is the difference between FOR500 and FOR508?
FOR500 focuses on deep-dive forensic analysis of Windows operating systems and artifact locations. FOR508 teaches students how to conduct enterprise incident response and threat hunting. Its focus is on intrusion response and forensics. Each course complements the other and both should be taken to create a full operational and analytical capability.

Which course should I take first, FOR500 or FOR508?
It is recommended that FOR500/FOR408 be taken prior to FOR508 so that students obtain a firm understanding of operating system and artifact locations on Windows systems as well as demonstrable, hands-on skills in Windows forensics. However, FOR500 is not a formal prerequisite for FOR508, so the classes could be taken in any order.

How does the change in the course number affect GIAC certification?
Any current GCFE certifications will not change in any way. Any student taking FOR500/FOR408 will be taking the same exam. Additionally, DoDD 8570, DoDD 8140, and ANSI/ISO/IEC 17024 accreditation status remains unchanged.

How will the course number change affect alumni?
Anyone who wishes to retake the FOR500/FOR408 course using the alumni discount may do so if they have taken FOR408 in the past.

If you have any additional questions regarding this change, please email us at


Posted May 14, 2017 at 6:16 AM

Eddy L

Is the number change to 500 just an administrative title correction or is there new material/content that wasn't in 408??

Posted May 19, 2017 at 8:29 PM

Rob Lee

The course has transitioned over the past 3 years. The course is constantly updated and there is a lot of new content in it. This last update added about a new day of new content and tools.

Posted June 4, 2017 at 11:58 PM

Alan Harper

Now I feel cheated. The material in the 408 course was produced over a year ago and a lot has happened over the year. I think SANS should offer us the new material at no charge if the new stuff was released while we were taking 408.

Posted June 7, 2017 at 4:10 PM

Rob Lee

We update the course material consistently over the year (w/major changes with each update that we release) - the course is never the same twice especially after six months. We understand your concern though and have a wonderful alumni discount to take the course again at 50% off - contact SANS for more information on the alumni discount program.