Intro to Digital Forensics & Incident Response (DFIR01)

"Experienced forensic professional with practical experience to tell from. Did really well with our non-usual class (all FireEye engineers) and often asked for feedback and input on where to focus from our perspective."

This eye-opening hands-on course provides a comprehensive overview of Digital Forensics and Incident Response (DFIR). The course starts with a review of recent incidents and how the IR and digital forensics were handled. Typical goals of IR and digital forensics are covered, with an emphasis on defining what an "incident" is and the desired outcome of the incident response, based on risk and business objectives. Goals of DFIR range from placing a suspect behind a keyboard, to determining malware Indicators of Compromise (IOCs), to merely recovering "as quickly as possible."

The Incident Response Methodology, based on NIST (National Institute of Standards and Technology) Special Publication 800-61r2, Computer Security Incident Handling Guide, is investigated in the IR portion of this course. Each of the four primary IR Life Cycle Phases, (1) Preparation, (2) Detection & Analysis, (3) Containment, Eradication, & Recovery, and (4) Post-Incident Activity, is addressed in detail, using sample incidents to facilitate class discussions. Part of Incident Response includes malware analysis and digital forensics. Each major digital forensics phase (evidence acquisition, evidence analysis, reporting, and expert witness testimony) is addressed. Numerous hands-on exercises, case studies, and challenges keep attendees engaged in a CTF (Capture the Flag) atmosphere. This hands-on environment provides ample opportunities for attendees to apply and practice the concepts taught in the course.


General knowledge of computer, networking, and operating system fundamentals.  Some exposure to file systems and network traffic analysis is recommended.

The instructor knew his stuff and he was organized.
— Information Assurance Manager, The Boeing Company


  • Incident Response Overview

  • Incident Response Phases

  • Digital Forensics Overview

  • Digital Forensics Evidence Acquisition

  • Digital Forensics Evidence Analysis

  • Digital Forensics Reporting

Topics Covered

  • Digital Evidence Acquisition

  • Chain of Custody

  • Hashing

  • Order of Volatility

  • Memory Acquisition

  • Hard Drive Acquisition

  • Digital Forensics

  • Reporting

  • AccessData FTK Imager

  • Slack Space

  • Disk Imaging Tools

  • Write Blockers

  • dd and dcfldd

  • Disk Image Formats

  • Memory Analysis

  • Network Traffic Analysis

  • Volatility

  • Hex Editors

  • NTFS Alternate Data Streams

  • Scalpel

  • The Sleuth Kit

  • Expert Witness

  • Network Miner

  • TCP/IP

  • Incidents in the News

  • Incident Response Methodology

  • NIST 800-61

  • Prevention

  • Detection

  • Incident Response Goals

  • Incident Response Process Lifecycle

  • Preparation Phase

  • Detection and Analysis Phase

  • Containment, Eradication, & Recovery Phase

  • Post-Incident Activity (Lessons Learned) Phase

  • Incident Response Policy

  • Incident Response Communications Plans

  • Incident Response Tools and Toolkits

  • Incident Response Checklist

  • Hiding Data

  • Steganography

  • Disk Image Analysis

  • File Carving

  • Foremost

  • Autopsy

  • Evidence Handling Procedures

  • Faraday Bags

  • Wireshark

Sample Software and Tools Used

  • WinMD5Free

  • MoonSols DumpIt

  • Belkasoft Live RAM Capturer

  • Volatility Framework

  • JPHS

  • Wireshark

  • VMware

  • Network Miner

  • AccessData FTK Imager

  • Autopsy

  • Foremost

Course Duration

3 days

Continuing Education Credits




We offer private onsite courses, at your location.  We love to travel and will gladly send a trainer to your location. Please Contact Us for more information.


Live, Instructor-Led Training with a dynamic trainer who is a cybersecurity professional. Instructors have real-world experience with the material covered in the course.