+91-9999508202 [email protected]

Digital Forensics and Incident Response Training

Beginner • Advanced

digital forensics and incident response training


Digital forensics and incident response training is a comprehensive and detailed program designed specifically for corporate incident responders and forensics investigators. With digital forensics playing a crucial role in threat hunting and incident response, it is essential for organizations to understand why enterprise forensic is necessary, how to correlate incident response with forensics, and how to perform digital investigations and collect digital evidence for an APT attack.

The training is aimed at providing participants with a deep understanding of the techniques and methods used in the field of digital forensics, with a specific focus on Windows forensics correlation with incident response. It covers the entire spectrum of DFIR, including Live response, Dead forensics, Live forensics, Network Forensics, Email Forensics, Browser forensics, Disk Forensics, Memory forensics, malware hunting, and investigating the advanced persistent threats tools, techniques, and procedures in an organization.

Participants will learn investigation and analysis techniques for gathering and preserving evidence, as well as incident response workflows in SOC environments. The training is tailored towards an APT use case, and participants will receive accompanying coursework and certification to demonstrate their expertise in the field of incident response and Windows forensics.

Overall, the Digital forensics and incident response training is a highly detailed and comprehensive program that provides organizations with the knowledge and skills necessary to effectively handle incidents and investigations in today’s ever-evolving threat landscape.

What You’ll Learn

  • DFIR Process methodologies
  • Forensics Triage , Collection and Event Analysis
  • Windows Internals , Artifacts and Registry Incident investigations
  • Removable Media , Browser and Email Investigations for Rapid Response
  • Memory Forensics for APT Analysis
  • Initial Access to Lateral Movement and Persistence Detection

Training Modules

Digital Forensics and Incident Response Fundamentals
  • What is corporate digital forensics 
  • why corporate digital forensics is different from criminal investigations
  • The forensics correlation with incident response
  • why we need deep forensics in APT hunting
  • Understating the APT and attacks
  • What is MITRE & AT framework for investigations
  • Basic Forensic Process
  • Forensics 6A’s
  • Physical Protection of Evidence
  • Chain of custody
  • Forensic Investigator roles
  • Investigation Methods in breached environments
  • Understanding the complexity of investigation case
  • Enterprise Training Case –  A detailed threat hunting , threat intelligence and IR team investigation case
Data Triage and Event Log Analysis
  • Windows operation systems anatomy for forensics point of view
  • NTFS file system overview 
  • Documents and File metadata understanding
  • File and stream carving tools and techniques
  • Web browsers private search Artifact recovery and examination
  • Email artifacts recovery and examination
  • Application Execution History via UserAssist, Prefetch, Windows Timeline
  • System Resource Usage Monitor (SRUM), and BAM/DAM
  • Detecting the System hacking events with prefetch , shimcache
  • Live memory forensics vs Dead forensics 
  • Identify the insecurities in machine with amcache
  • Windows Log Parsing and environment setup
  • Windows multiple Events correlation for forensics in depth
Windows System Analysis for Incident Response
  • System Analysis
    • Identify the Current Control Sets
    • Document the System Timezone , name and version
    • Wireless, Wired, VPN, and Broadband Network Auditing
    • Perform Device Geolocation via Network Profiling
    • Identify System Updates and Last Shutdown Time
    • Registry-Based Malware Persistence methods 
  • Additional Windows OS Artifacts
    • Windows Search Index Forensics
    • Extensible Storage Engine Database Recovery and Repair
    • Thumbs.db and Thumbcache Files
    • Windows Recycle Bin Analysis 
    • Windows Timeline Activities Database
    • Evidence of File Downloads
    • Office and Microsoft 365 File History Analysis
    • Windows Search History changes
    • Typed Paths and Directories
    • Recent Documents (RecentDocs)
    • Open Save/Run Dialog Boxes Evidence
  • Shellbag Forensics
    • Shortcut Files (.lnk) – Evidence of File Opening
    • Windows 7-11 Jumplists – Evidence of File Opening and Program Execution
    • Shellbag – Evidence of Folder Access
    Windows Registries and Removable media Investigations
    • Registry Core
      • Hives, Keys, and Values
      • Registry Last Write Time
      • MRU Lists
      • Deleted Registry Key Recovery
      • Identify Dirty Registry Hives and Recover Missing Data
      • Rapidly Time-lining Multiple Hive
    Investigating Memory for Anomaly Detection
    • Windows process architecture for memory mapping
    • memory analysis vs volume shadow copies detections
    • KDBG ,VAD tree , PEB and EPRROCESS in depth for memory analysis
    • Memory blocks and hibernation internconnection analysis
    • Importance of Cache Data in memoery analysis 
    • Evidence mapping in Memory with APT detection  techniques
    • Analysing  memory for rootkits and dll hijacking ,hollowing  investigations
    • Windows process injections anatomy and investigations 
    • In-depth APT malware attacks investigations
    • Python for modern memory investigations
    • Anti-forensics techniques and evidence for investigations
    • Forensics timeline science and super-timelining for anti-forensics techniques 
    Browser Forensics
    • History and Cache
    • Searches and Downloads
    • Understanding Browser Timestamps
    • Private Browsing and Artifact Recovery
    • IE and EdgeHTML InPrivate Browsing analysis
    • Private Browsing analysis
    • Investigating the Tor Browser
    • SQLite and ESE Database Carving and additional Browser Artifacts
    • Identifying Selective Database Deletion
    • DOM and Web Storage Objects analysis
    • Rebuilding Cached Web Pages
    Email Investigations
    • Evidence of User Communication
    • Email Header Examination
    • Email Authenticity
    • Determining a Geographic Location
    • Extended MAPI Headers
    • Host-Based Email Forensics
    • Exchange Recoverable Items
    • Exchange Evidence Acquisition and Mail
    • Exchange Search and eDiscovery
    • Unified Audit Logs in Office 365
    • Google Workspace (G Suite) Logging
    • Recovering Data from the G Suite
    • Webmail Acquisition
    • Business Email Compromise analys
    Removable Media and BYOD Investigations
    • Removable Media Vendor/Make/Version
    • Unique Serial Number identification
    • Last Drive Letter
    • MountPoints2 Last Drive Mapping Per User (Including Mapped Shares)
    • Volume Name and Serial Number
    • The username that Used the USB Device
    • Time of First USB Device Connection
    • Time of Last USB Device Connection
    • Time of Last USB Device Removal
    • Auditing BYOD Devices at Scale
    • Investigating wiped evidences of USB mount points
    APT Incident Response Primer
    • Understanding the attacks and techniques for privilege escalation
    • Identify events of privilege escalation
    • PowerShell for forensics and live detection of active directory attacks
    • Network forensics and evidence detection in corporate networks
    • Extract files from network packet capture and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
    • Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
    • Reverse engineer custom network protocols to identify an attacker’s command-and-control abilities and actions
    • Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
    • Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
    • Prepare an report for Incident Response Anatomy and Detection .
    Who Can Apply For The Training ?
    • Individuals holding a bachelor’s degree and a curiosity for acquiring advanced proficiencies in Defensive Security.
    • Professionals aspiring to advance their careers within the Blue team domain, focusing on growth opportunities.
    • Individuals possessing a bachelor’s degree in an IT-related field and desiring a transition into the Security Operations Center (SOC) team.
    • IT Managers aiming to enhance their expertise in SOC technical strategies through upskilling.
    • Members of the Blue team seeking to elevate and refine their current skill set.
    Training Delivery Details

    On-Demand Live Training

    Join virtual Codefensive training experience, right from the comfort of your own home! Our industry-leading instructors will deliver interactive courses via live stream, giving you the ultimate in cybersecurity education. Following each class, you’ll have the opportunity to enjoy a keynote from top industry professionals. Choose the ultimate in cybersecurity education and join us today!

    Self-Paced Training

    Self-paced, the ultimate in flexible cybersecurity learning! With unlimited access to your training, you can learn at your own pace, wherever and whenever it’s convenient for you. Our program includes all labs, exercises, and live support from Codefensive subject matter experts to ensure your success. Join us now to take control of your cybersecurity education!

    Basics of Computer Networks
    Basics of Cyber Security

    Ready to Get Started?

    Book an free consultation and Join the right training for you .