SANS FOR509 GCFR Enterprise Cloud Forensics

FOR509: Enterprise Cloud Forensics and Incident Response is designed to:

- Enhance your understanding of forensic data unique to cloud environments
- Implement best practices for cloud logging in digital forensics and incident response (DFIR)
- Utilize resources from major cloud service providers like Microsoft Azure, AWS, and Google Cloud Platform for evidence gathering
- Explore available logs in Microsoft 365 and Google Workspace for analyst review
- Transition forensic processes to the cloud for expedited data processing

This course equips examiners with the knowledge of how cloud service providers, including Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform, expand analysts' capabilities by offering new sources of evidence not accessible in traditional on-premises investigations. Despite the shift to cloud-based technologies, incident response and forensics remain vital, albeit with enhanced technologies and capabilities.

At their core, incident response and forensics entail tracing the breadcrumbs left by attackers, which are primarily found in logs. Understanding the investigation process matters more than the mechanics of log acquisition. The course emphasizes log analysis to quickly familiarize examiners with cloud-based investigation techniques, focusing on which cloud logs are available, their retention policies, their default settings, and how to interpret the events they record.

Hands-on labs throughout the course enable examiners to access evidence generated from common incidents and investigations, teaching them where to retrieve data and how to analyze it effectively. Data access occurs within virtual machines to ensure consistent lab experiences.

FOR509 Enterprise Cloud Forensics will equip your team to:

- Master the tools, techniques, and procedures necessary to locate, identify, and collect data across diverse locations
- Utilize new data sources unique to cloud environments
- Employ cloud-native tools for capturing and extracting traditional host evidence
- Efficiently process large datasets using scalable technologies like the Elastic Stack
- Understand available data in different cloud environments

Course Topics:

- Cloud Infrastructure and IR data sources
- Microsoft 365 and Graph API Investigations
- Azure Incident Response
- AWS Incident Response
- High-level Kubernetes Cloud logs
- Google Workspace Investigations
- Google Cloud Incident Response

Business Takeaways:

- Grasp digital forensics and incident response in cloud contexts
- Detect malicious activities within cloud environments
- Utilize cloud-native tools and services for DFIR cost-effectively
- Ensure organizational readiness to respond to cloud incidents
- Reduce adversary dwell time in compromised cloud deployments

Price: $1,495.00

- Any pre-loaded packaged materials or subscription-based products, including device-based training programs and courses that include a device, may not be refunded. Digital products, including DVDs, may be returned for replacement if found defective.
- Free shipping on all orders within the US. International shipping is available.
