
Advanced Incident Response, Threat Hunting, and Digital Forensics 


Request for price


Length: 5 days (40 hours)


Course objectives

After completing this course, students will be able to:

    • Execute Threat Hunts: Use a hypothesis-driven approach to find attackers who have bypassed traditional security alerts.
    • Master Memory Forensics: Identify "fileless" malware, process injection, and rootkits directly in RAM.
    • Analyze Advanced Timelines: Create and interpret "Super Timelines" (integrating file system, event logs, and registry data) to reconstruct an attacker's every move.
    • Detect Lateral Movement: Identify the subtle artifacts of Pass-the-Hash, Silver Tickets, and WMI-based pivoting.
    • Defeat Anti-Forensics: Recover evidence from Volume Shadow Copies and analyze advanced NTFS structures to find hidden data.
    • Produce Damage Assessments: Clearly determine what data was accessed, modified, or exfiltrated during a breach.

Course outlines

    • Day 1: Advanced Incident Response & Threat Hunting
      • Modern adversary tradecraft and the MITRE ATT&CK framework.
      • Scalable hunting methodology using F-Response and SIFT.
      • Identifying persistence (WMI event subscriptions, Scheduled Tasks) and modern authentication "coercion" attacks.
    • Day 2: Intrusion Analysis
      • Deep dive into Credential Theft (LSASS, SAM, and Kerberos attacks).
      • Windows Event Log analysis at scale, focusing on the event IDs that record remote logons and remote execution.
      • Investigating PowerShell-based attacks and remote execution.
    • Day 3: Memory Forensics in IR & Threat Hunting
      • Volatile data acquisition and the "Order of Volatility."
      • Process analysis: Finding hidden, injected, or orphaned processes.
      • Advanced memory techniques: Hunting for hooks, drivers, and DLL injections.
    • Day 4: Timeline Analysis
      • Creating a "holistic" picture of the attack.
      • Super Timelines: Using log2timeline (the Plaso front end) to aggregate thousands of artifacts.
      • Analyzing temporal proximity to distinguish legitimate user activity from attacker movement.
    • Day 5: Advanced Adversary & Anti-Forensics Detection
      • Deep NTFS analysis: MFT, $LogFile, and $UsnJrnl.
      • Volume Shadow Copy (VSC): Recovering earlier versions of the file system, including attacker tools that were later deleted.
      • Uncovering anti-forensic tricks (timestamp stomping, log clearing).
    • Day 6: The APT Intrusion Forensic Challenge
      • A full-day capstone where you work in teams.
      • You are given access to multiple system images from a massive enterprise breach.
      • Objective: Identify the "Beachhead," map the lateral movement, and present a full report to management.
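The Day 2 and Day 4 topics above (lateral movement event IDs, and temporal proximity in a timeline) can be illustrated with a small hunting script. The following is an added example written for this page, not course material or any vendor's tool. It works on constructed sample records shaped like an EVTX-to-JSON export (the field names `time`, `host`, `id`, `logon_type`, `auth`, `user`, `src_ip`, `service` are assumptions), sorts them into a per-host timeline, and flags a network logon (4624, logon type 3) that is followed within a short window by a privileged logon (4672) for the same account and a new service install (7045), the classic PsExec pattern. NTLM network logons that do not fit that chain are reported separately as Pass-the-Hash candidates to review against the environment's normal authentication package.

```python
"""Added example (not course material): correlate Windows event log records
across a short time window to flag PsExec-style lateral movement.
Sample data below is constructed; field names are an assumption about an
EVTX-to-JSON export, not a fixed schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed field names). All times are UTC.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T10:00:05Z", "host": "WS01", "id": 4624,
     "logon_type": 3, "auth": "NTLM", "user": "jsmith", "src_ip": "10.0.5.23"},
    {"time": "2024-03-01T10:00:06Z", "host": "WS01", "id": 4672, "user": "jsmith"},
    {"time": "2024-03-01T10:00:09Z", "host": "WS01", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-03-01T11:30:00Z", "host": "FS01", "id": 4624,
     "logon_type": 3, "auth": "Kerberos", "user": "jsmith", "src_ip": "10.0.5.23"},
    {"time": "2024-03-01T11:30:02Z", "host": "FS01", "id": 4672, "user": "jsmith"},
    {"time": "2024-03-01T12:15:00Z", "host": "FS01", "id": 4624,
     "logon_type": 3, "auth": "NTLM", "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2024-03-01T14:00:00Z", "host": "FS01", "id": 7045,
     "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
]


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def build_timeline(events):
    """Group records per host and sort by time, the same ordering a super
    timeline gives an analyst before looking at what sits near an entry."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(dict(e, ts=parse_time(e["time"])))
    for host in by_host:
        by_host[host].sort(key=lambda e: e["ts"])
    return by_host


def hunt_lateral_movement(events, window_seconds=60):
    """Return findings for each host's timeline.

    A 4624/type 3 logon followed within `window_seconds` by a 4672 for the
    same user and a 7045 service install is reported as remote service
    execution. Other NTLM network logons are reported as Pass-the-Hash
    candidates; whether that is anomalous depends on the environment."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for host, timeline in build_timeline(events).items():
        for i, e in enumerate(timeline):
            if e["id"] != 4624 or e.get("logon_type") != 3:
                continue
            later = [x for x in timeline[i + 1:] if x["ts"] - e["ts"] <= window]
            priv = any(x["id"] == 4672 and x.get("user") == e["user"] for x in later)
            svc = [x for x in later if x["id"] == 7045]
            base = {"host": host, "user": e["user"], "src_ip": e.get("src_ip"),
                    "auth": e.get("auth"), "start": e["time"]}
            if priv and svc:
                findings.append(dict(base, service=svc[0]["service"],
                                     note="network admin logon followed by service "
                                          "install within %ds" % window_seconds))
            elif e.get("auth") == "NTLM":
                findings.append(dict(base, note="NTLM network logon; review as a "
                                                "Pass-the-Hash candidate"))
    return findings


if __name__ == "__main__":
    for f in hunt_lateral_movement(SAMPLE_EVENTS):
        print(f)
```

The window is the knob that encodes "temporal proximity": with the default 60 seconds the WS01 chain is flagged while the unrelated Spooler service install on FS01 hours later is not; shrinking the window to a couple of seconds drops the chain and leaves only the NTLM notes, which is why analysts tune it against known-good admin activity before trusting the output. Legitimate administrators running PsExec produce the identical event sequence, so the finding is a lead for the timeline work, not a verdict.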