Digital Forensics & Incident Response, Defensive Security

CA201: Digital Forensics and Incident Response

Course authored by:

Perparim Mjeku, Rinor Shehu, Altin Gashi

18 Hours of Instruction

Includes lectures, guest speakers, and Q&A sessions

Hands-on labs

9 Labs

Live Online or On-Demand Access

Join weekly synchronous sessions or access all material and recorded lectures anytime

Beginner to Intermediate Level

Building foundational skills toward practical application and competency

Course Materials

Available after purchase

Course Overview

Digital forensics and incident response is not about collecting data; it is about reconstructing attacks and responding with precision under pressure. Over three sections, the course builds practical capability in investigating and handling real-world security incidents. You will work through the full incident lifecycle, from detection and triage to containment, recovery, and post-incident analysis. The course covers evidence acquisition, including disk and memory collection, with strict attention to integrity and chain of custody. You will analyze file systems, logs, and system artifacts to trace attacker activity. Real-world scenarios such as phishing, ransomware, and identity-based attacks are examined in depth. Threat intelligence and detection techniques are integrated to improve investigative accuracy. Expect hands-on workflows and high standards; by the end, you will be able to conduct effective incident response and forensic investigations in real-world environments.

What You’ll Learn

Build the ability to investigate, contain, and reconstruct cyber incidents using structured forensic and response methodologies

  • Understand the fundamentals of digital forensics and incident response (DFIR)

  • Perform alert triage, validation, and initial incident scoping

  • Apply the incident response lifecycle from detection to recovery

  • Collect, preserve, and handle digital evidence with integrity

  • Conduct disk, memory, and file system forensic analysis

  • Correlate logs and artifacts to reconstruct attacker activity timelines

  • Investigate real-world threats such as phishing, ransomware, and credential theft

  • Communicate findings through technical reports and executive briefings

Business Takeaways

Leverage evidence-driven investigations to transform incident handling into a strategic business advantage

  • Strengthen incident readiness with clear response workflows and lifecycle management

  • Improve risk mitigation through root-cause analysis and forensic insights

  • Enhance decision-making with reliable and defensible digital evidence

  • Reduce business impact through faster detection, triage, and containment

  • Support regulatory and legal requirements with proper evidence handling

  • Enable effective coordination across SOC, DFIR, and leadership teams

  • Drive continuous improvement through lessons learned from incidents

  • Increase organizational resilience against evolving cyber threats

Syllabus: 3 Sections to Transformation

The CA201 program immerses you in high-pressure incident response and digital forensics, where speed, accuracy, and judgment are critical. It covers everything from live attack detection to deep investigative analysis across systems, memory, and networks.


section 1

DFIR FOUNDATIONS + DETECTION + INCIDENT RESPONSE

Focuses on detection engineering, incident response workflows, alert triage, threat hunting, and forensic investigation methodologies used in modern security operations and SOC environments.

TOPICS COVERED

  • DFIR fundamentals and practitioner mindset.
  • Role of DFIR in modern security operations (SOC ecosystem).
  • Investigation thinking models (scientific method, ATT&CK, Diamond Model).
  • Detection vs response vs forensics.
  • SOC structure, escalation, and roles.
  • Alert triage and incident validation.
  • False positives vs real incidents.
  • Detection engineering (rules, Sigma, ATT&CK mapping).
  • Threat intelligence integration (IOC, TTP, enrichment).
  • Threat hunting fundamentals (hypothesis-driven hunting).
  • Incident response lifecycle:
    Preparation, Identification, Containment, Eradication, Recovery.
  • Live incident handling and decision-making.
  • Containment strategies (host, network, identity).
  • Recovery validation and post-incident monitoring.

LABS

  • Alert Triage & Incident Validation
  • Identifying and handling suspicious files

section 2

EVIDENCE ACQUISITION + CORE & ADVANCED FORENSICS

Focuses on forensic evidence collection, disk and memory analysis, artifact correlation, timeline reconstruction, and investigative techniques used to analyze and reconstruct security incidents.

TOPICS COVERED

  • Evidence handling and chain of custody.
  • Legal defensibility and documentation.
  • Disk acquisition (live vs dead imaging).
  • Memory acquisition (RAM capture techniques).
  • Enterprise-scale evidence collection (KAPE, Velociraptor).
  • Cloud evidence acquisition (AWS, Azure, SaaS logs).
  • Windows forensics:
    Event logs, registry, Prefetch, Amcache, Shimcache.
  • File system analysis:
    NTFS, MFT, timestamps, deleted file recovery.
  • Memory forensics:
    Volatility, processes, injections, network artifacts.
  • Timeline analysis:
    Building attack timelines, Plaso.
  • Artifact correlation:
    Cross-host, identity, and network correlation.
  • Building investigative narratives and confidence levels.

LABS

  • Windows Artifacts – Recycle Bin
  • Autopsy
  • Foremost
  • Volatility

section 3

THREAT INVESTIGATIONS + ADVANCED OPERATIONS + REPORTING

Focuses on real-world threat investigations, ransomware and phishing analysis, threat hunting, incident response automation, and professional DFIR reporting and communication practices.

TOPICS COVERED

  • Phishing investigations (email headers, URLs, identity pivoting).
  • Ransomware investigations (execution, spread, impact).
  • Credential theft and identity attacks (MFA abuse, privilege escalation).
  • Lateral movement and persistence techniques.
  • Data exfiltration detection and analysis.
  • Malware triage (static vs dynamic analysis).
  • Threat hunting at scale.
  • Automation and SOAR (playbooks, enrichment, containment).
  • DFIR scripting (Python, PowerShell).
  • Cloud & DevOps incident response.
  • Technical reporting:
    Evidence-based writing.
    Timelines and findings.
    Remediation guidance.
  • Executive communication and business impact reporting.
  • Legal considerations and evidence admissibility.

LABS

  • Phishing Investigation (email headers + URL analysis)
  • Ransomware Investigation & Timeline Reconstruction
  • DFIR Report Writing (incident report + findings + remediation)

Course Schedule & Pricing

Looking for Group Purchase Options? See below

Next Start Date

March 5, 2026

Duration

14 Weeks Intensive

Format

Live with Zoom Meeting

What's Included

499€

Seats Filling Fast for January 2026

Location            Start Date        Start Time
Prishtina, Kosovo   March 20, 2026    10:30 AM (CEST)
Prishtina, Kosovo   April 15, 2026    4:30 PM (CEST)
Prishtina, Kosovo   May 10, 2026      11:00 AM (CEST)


Frequently Asked Questions

Mission-critical information for prospective operatives

What is DFIR and why is it critical in cybersecurity?

DFIR (Digital Forensics and Incident Response) is the discipline of identifying, collecting, preserving, and analyzing digital evidence and responding to active security incidents in a structured and defensible way. It acts as the bridge between detection and understanding, explaining how an attack happened, what was affected, and how to prevent it again.

You’ll develop real-world investigation capabilities, including incident triage and response lifecycle management, disk, memory, and log forensics, evidence acquisition and chain of custody, timeline reconstruction and attack analysis, and threat intelligence integration and pivoting. These are the core competencies used by incident responders, forensic analysts, and advanced SOC teams.

DFIR uses multi-source correlation, combining endpoint artifacts such as logs, registry, and file system data, memory analysis including processes and injected code, network and identity telemetry, and cloud and SaaS logs. Investigators build timelines and correlate artifacts to reconstruct attacker behavior across systems.

Incidents follow a structured lifecycle: preparation, identification, containment, eradication, recovery, and lessons learned. However, real-world response often requires trade-offs between speed and evidence preservation.

Evidence must be collected without alteration, documented at every step, and verified using hashing for integrity checks. This ensures findings are technically accurate and legally defensible, especially in regulatory or legal cases.
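The integrity check described above, as an added example that is not part of the course material: an evidence file is hashed at acquisition, every hand-off is appended to a chain-of-custody log, and the hash is recomputed at each step so that any alteration is detected before analysis. The file contents, host name and analyst names are constructed placeholders.

```python
"""Evidence hashing and chain-of-custody log (added example, not course code)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large disk or memory image never has to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_custody(log: list, path: Path, action: str, handler: str,
                   expected: Optional[str] = None) -> dict:
    """Append a custody entry; 'verified' is False when the hash no longer matches."""
    current = sha256_file(path)
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": path.name,
        "action": action,
        "handler": handler,
        "sha256": current,
        "verified": expected is None or current == expected,
    }
    log.append(entry)
    return entry


def demo(workdir: Optional[Path] = None) -> list:
    """Acquire, hand off, then simulate an alteration: the last entry must fail."""
    workdir = workdir or Path(tempfile.mkdtemp())
    image = workdir / "host01_memory.raw"  # constructed stand-in for a RAM capture
    image.write_bytes(b"\x00" * 4096 + b"constructed memory image contents")
    log: list = []
    acq = record_custody(log, image, "acquired", "analyst A")
    record_custody(log, image, "transferred to lab", "analyst B", expected=acq["sha256"])
    # Simulated alteration after hand-off (e.g. the image was opened read-write)
    with image.open("r+b") as fh:
        fh.seek(0)
        fh.write(b"\x01")
    record_custody(log, image, "verified before analysis", "analyst B", expected=acq["sha256"])
    (workdir / "custody_log.json").write_text(json.dumps(log, indent=2))
    return log
```

In practice the acquisition hash is also recorded on a write-blocked medium and in the analyst's notes, so the log itself is not the only copy of the reference value.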
