Intro to Digital Forensics & Incident Response (DFIR01)
"Experienced forensic professional with practical experience to tell from. Did really well with our non-usual class (all FireEye engineers) and often asked feedback and input on where to focus on from our perspective."
This eye-opening hands-on course provides a comprehensive overview of Digital Forensics and Incident Response (DFIR). The course starts with a review of recent incidents and how the IR and digital forensics were handled. Typical goals of IR and digital forensics are covered with an emphasis on defining what an "incident" is and the desired outcome of the incident response, based on risk and business objectives. Goals of DFIR range from placing a suspect behind a keyboard, to determining malware Indicators of Compromise (IOCs), or to merely recovering "as quickly as possible."
The Incident Response Methodology, based on NIST (National Institute of Standards and Technology) Special Publication 800-61r2, Computer Security Incident Handling Guide, is investigated in the IR portion of this course. Each of the four primary IR Life Cycle Phases - (1) Preparation, (2) Detection & Analysis, (3) Containment, Eradication, & Recovery, and (4) Post-Incident Activity - is addressed in detail, using sample incidents to facilitate class discussions. Incident Response also includes malware analysis and digital forensics. Each major digital forensics phase - evidence acquisition, evidence analysis, reporting, and expert witness testimony - is addressed. Numerous hands-on exercises, case studies, and challenges keep attendees engaged in a CTF (Capture the Flag) atmosphere. This hands-on environment provides ample opportunities for attendees to apply and practice the concepts taught in the course.
Attendees should have general knowledge of computer, networking, and operating system fundamentals. Some exposure to file systems and network traffic analysis is recommended.
Incident Response Overview
Incident Response Phases
Digital Forensics Overview
Digital Forensics Evidence Acquisition
Digital Forensics Evidence Analysis
Digital Forensics Reporting
Digital Evidence Acquisition
Chain of Custody
Order of Volatility
Hard Drive Acquisition
AccessData FTK Imager
Disk Imaging Tools
dd and dcfldd
Disk Image Formats
Network Traffic Analysis
NTFS Alternate Data Streams
The Sleuth Kit
Incidents in the News
Incident Response Methodology
Incident Response Goals
Incident Response Process Lifecycle
Detection and Analysis Phase
Containment, Eradication, & Recovery Phase
Post-Incident Activity (Lessons Learned) Phase
Incident Response Policy
Incident Response Communications Plans
Incident Response Tools and Toolkits
Incident Response Checklist
Disk Image Analysis
Evidence Handling Procedures
Sample Software and Tools Used
Belkasoft Live RAM Capturer
AccessData FTK Imager
Continuing Education Credits
We offer private onsite courses, at your location. We love to travel and will gladly send a trainer to your location. Please Contact Us for more information.
Live, Instructor-Led Training with a dynamic trainer that is a cybersecurity professional. Instructors have real-world experience with the material covered in the course.