Digital Forensics and Incident Response (DFIR)

$4,295.00 Per Enrollment

Price Includes:

Courseware, Lab Access and 40 hours of Live Instruction

This advanced course in Intelligence Driven Incident Response and Modern Digital Forensics was updated for 2025. The course is designed for those conducting Hunt and Incident Response Team (HIRT) work. It is also for those conducting Incident Response work and/or those conducting Digital Forensics work.

As this course is about Incident Response (IR) and Digital Forensics (DF), it is fast-paced and full of labs that are not likely to be completed within the 40-hour course. On special request, this course can be extended to 80 hours and/or customized.

Got Questions?

For more information about your specific needs, call us at (301) 220 2802 or complete the form below:


Learn More About Digital Forensics and Incident Response


    Class Schedule

    • Greenbelt & Live-Online: 03/24/25 - 03/28/25, Mon-Fri (8:30am-5pm)
    • Greenbelt & Live-Online: 04/28/25 - 05/02/25, Mon-Fri (8:30am-5pm)
    • Greenbelt & Live-Online: 06/23/25 - 06/27/25, Mon-Fri (8:30am-5pm)
    • Greenbelt & Live-Online: 07/28/25 - 08/01/25, Mon-Fri (8:30am-5pm)

    Get your Digital Forensics and Incident Response (DFIR) training in our convenient IT training centers in Maryland or Virginia.


    Who Should Take the Digital Forensics and Incident Response Course

    DF and IR are separate domains. This course combines them to make analysts and responders actionable on the job. Both are advanced domains, and the topics assume learners have some background in these spaces: a master's degree in information security or cybersecurity, and/or 5-10 years of experience doing this work.

    • Security Operations Center (SOC) Employees
    • Anyone interested in hunting Advanced Malware
    • Anyone interested in performing Hunt and Incident Response Team (HIRT) work.
    • Anyone interested in hunting down malware in enterprise class networks.
    • Anyone interested in hunting down malware in endpoints in enterprise class networks.

    Why You Should Take Digital Forensics and Incident Response


    Having said that, the course does assume that not all learners have been taught the same way, and it strives to normalize the learners' knowledge base by covering some engineering basics, such as how NMAP looks on the wire to an analyst and how DOS and DDOS attacks manifest (e.g., the servers are not actually 'knocked over'; they are idle). This is studied in detail for both IPv4 and IPv6.

    The course also covers modern BOTNET architecture; the student is not required to have that knowledge prior to attending the course.

    The course also covers Wireshark, again from the engineering perspective, in every single lab. Students will be fully proficient in hunting malware after working through the labs in this course.

    Further, students will have a plethora of resources to continue learning on their own after the class, honing their skills and learning more malware families and their associated Tactics, Techniques, and Procedures (TTPs).

    The material in this course is compressed down into 40 hours from approximately 160 hours. Therefore, if particular groups want customization, the course can easily be customized.

    Prerequisites

    • Network+
    • Security+
    • Some working experience is required to gain a working proficiency out of the course

    Note: Even if the student has Network+ and Security+ knowledge, this course will still be quite intense. Learners with master's degrees in Cybersecurity and learners with many years of experience in Security Operations Centers (SOCs) describe this course as 'intense'. This does not mean a learner won't learn without this advanced knowledge base; it means they may not get quite as much out of it as 'they could have'. The primary objective of this course is to make the learner 'actionable' on the job after completing it.

    The course is designed for those conducting Hunt and Incident Response Team (HIRT) work. It is also for those conducting Incident Response work and/or those conducting Digital Forensics work.

    • Office 365 Administrator
    • IT Support Technician
    • Business Analyst
    • Project Manager
    • Collaboration Specialist

    DFIR Course Objectives

    DF Objectives:

    • Enable the learner to recognize that data cannot be erased from persistent storage media like HDDs, USB drives, and SSD drives, or from Random Access Memory (RAM).
    • Enable the learner to recover data from persistent storage media and RAM during investigations.
    • Enable the learner to understand some of the key components of the Windows operating system from the engineering perspective, e.g., the Windows Registry, encryption, how Windows boots, the inner workings of file systems, race conditions, how modern-day vulnerabilities manifest (buffer overflows), how to recover deleted files, etc.
    • Enable the learner to deepen their understanding of Wireshark. The learners will use Wireshark every day in class.

    IR Objectives:

    • Enable the learner to understand malware ecosystems so they can create actionable mitigation strategies.
    • Enable the learner to gather data and promptly determine what kind of attack they are up against and, further, what type of malware they are dealing with.
    • Enable the learner to understand enterprise network architectures.
    • Enable the learner to understand where HIRT work should be conducted to most likely catch malware propagating on enterprise-class networks.
    • Enable the learner to respond promptly to any type of incident in both IT and OT networks.
    • Enable the learner to hunt for Advanced Persistent Threats (APTs) within the infrastructure.

    Combined DFIR Objectives

    • Enable the learner to promptly hunt down malware in enterprise-class networks.
    • Enable the learner to respond to an incident completely, even before a third party intervenes.
    • Enable the learner to make assertions regarding an event with veracity.
    • Enable the learner to adequately document an event.
    • Enable the learner to have confidence in their skills and be actionable in this space.
    • Enable the learner to spend the year after this course building more skills and learning more malware families.

    Topics covered in the course

    • Fundamentals for incident responders
    • Network Forensics (course is heavy on network forensics and IR)
    • BOTNET Architectures and Malware Kits
    • Detection and Alerting (DNA) Strategies
    • Understanding how SYN floods manifest on enterprise architectures (DNA)
    • Honey sensors and related architecture
    • F3EAD Strategies
    • HIRT Strategies
    • Documentation of IR and DF events
    • Disk Forensics

    Labs Available for Class

    • Formbook Malware family Lab
    • Redline Stealer
    • Honeypot Architecture Lab
    • Malspam distributing StealC malware lab
    • virusshare.com
    • ICEDID Malware Lab
    • Clickfix Pushing Lumma Stealer
    • SYN Flood DOS Attacks
    • BOKBOT Malware Family Lab
    • Smart Loader Malware Family
    • KOI Loader Malware Family

    Outline of 5 Day Course

    Module 1

    • Introduction to Incident Response (IR) (1 hour)
    • Background on Classic Remote Access Trojans (RATs) (2 hours)
    • Modern Day BOTNET Architecture (2 hours)
    • Lunch – 1 Hour
    • Modern RATs (1 hour)
    • ICEDID Malware Lab Demo (interactive, instructor led) (1 hour) (propagating in the wild today)
    • Forensic Reporting
    • Forensic Reporting Lab

    Module 2

    • Understanding How HTTP Requests get from an HTTP client to an HTTP server on LAN Fabric and WAN fabric (1 hour)
    • Modern Enterprise Reference Architectures (1 Hour)
    • Break – 30 minutes
    • Modern Enterprise Honeypot Architectures (2 Hours)
    • Lunch Break – 1 Hour
    • Honeypot Lab (2 hours)
    • Remote Code Execution Exploits (1 hour)

    Module 3

    • Lifecycle of Exploitation and Payload Delivery (1 hour)
    • Ransomware Typical Attack Path Vectors (30 minutes)
    • Understanding ‘Stealers’ type of malware (1 hour)
    • Formbook Malware Lab (propagating in the wild today) (2 hours)
    • Lunch Break – 1 Hour
    • Virus Share demo and accounts creation (1 hour)
    • Smartloader to Lumma Stealer Malware Lab (2 hours)

    Module 4

    • SYN Flood Lab (1 Hour)
    • IR Lifecycle (2 Hours)
    • Responsibility Assignment Matrix (RAM) – RACI Charts for Areas of Responsibility (AOR) assignments (30 min)
    • Intelligence Driven Incident Response (IDIR) (1 Hour)
    • Lunch Break – 1 Hour
    • Kill Chain / Attack Chain Methodologies (1 Hour)
    • Mimikatz Lab (1 Hour)

    Module 5

    • Incident Response is serious business (1 Hour)
    • Understanding HSTS (1 Hour)
    • SIEM Architectures for Detection and Alerting (DNA) (1 Hour)
    • F3EAD Strategies (1 Hour)
    • Lunch Break – 1 Hour
    • Understanding Storage in Computer (1 Hour)
    • Redline Stealer Malware Lab (2 Hours)
    • Exam (Optional)

    DoD 8140 - Knowledge, Skills, Aptitudes, Tasks (KSATs)

    • 1.        K0480: Knowledge of malware
    • 2.        K0723: Knowledge of vulnerability data sources
    • 3.        K0724: Knowledge of incident response principles and practices
    • 4.        K0725: Knowledge of incident response tools and techniques
    • 5.        K0726: Knowledge of incident handling tools and techniques
    • 6.        K0755: Knowledge of configuration management (CM) tools and techniques
    • 7.        K0817: Knowledge of event correlation tools and techniques
    • 8.        K0857: Knowledge of malware analysis tools and techniques
    • 9.        K0860: Knowledge of malware signature principles and techniques
    • 10.      K0916: Knowledge of malware analysis principles and processes
    • 11.      K1012: Knowledge of malware characteristics
    • 12.      K0682: Knowledge of cybersecurity threats
    • 13.      K0683: Knowledge of cybersecurity vulnerabilities
    • 14.      K0724: Knowledge of incident response principles and practices
    • 15.      K0725: Knowledge of incident response tools and techniques
    • 16.      K0726: Knowledge of incident handling tools and techniques
    • 17.      K0751: Knowledge of system threats
    • 18.      K0752: Knowledge of system vulnerabilities
    • 19.      K0792: Knowledge of network configurations
    • 20.      K0976: Knowledge of intelligence collection principles and practices
    • 21.      K0978: Knowledge of intelligence collection planning processes
    • 22.      K0988: Knowledge of active defense tools and techniques
    • 23.      K1009: Knowledge of threat intelligence principles and practices
    • 24.      K0498: Knowledge of operational planning processes
    • 25.      K0551: Knowledge of targeting cycles
    • 26.      K0724: Knowledge of incident response principles and practices
    • 27.      K0725: Knowledge of incident response tools and techniques
    • 28.      K0726: Knowledge of incident handling tools and techniques
    • 29.      K0751: Knowledge of system threats
    • 30.      K0752: Knowledge of system vulnerabilities
    • 31.      K0815: Knowledge of intelligence collection management processes
    • 32.      K0817: Knowledge of event correlation tools and techniques
    • 33.      K0831: Knowledge of network attack vectors
    • 34.      K0832: Knowledge of cyberattack characteristics
    • 35.      K0833: Knowledge of cyberattack actor characteristics
    • 36.      K0975: Knowledge of software application vulnerabilities
    • 37.      K0976: Knowledge of intelligence collection principles and practices
    • 38.      K0977: Knowledge of intelligence collection management tools and techniques
    • 39.      K0988: Knowledge of active defense tools and techniques
    • 40.      K0989: Knowledge of intelligence information repositories
    • 41.      K1014: Knowledge of network security principles and practices
    • 42.      K1030: Knowledge of operational planning tools and techniques
    • 43.      K1035: Knowledge of target research tools and techniques
    • 44.      K1041: Knowledge of target intelligence gathering tools and techniques
    • 45.      K1043: Knowledge of target characteristics
    • 46.      K1052: Knowledge of the Tasking, Collection, Processing, Exploitation and Dissemination (TCPED) process
    • 47.      K1062: Knowledge of surveillance tools and techniques
    • 48.      K1063: Knowledge of operation assessment processes
    • 49.      K0498: Knowledge of operational planning processes
    • 50.      K0540: Knowledge of target communication tools and techniques
    • 51.      K0551: Knowledge of targeting cycles
    • 52.      K0655: Knowledge of intelligence fusion
    • 53.      K0682: Knowledge of cybersecurity threats
    • 54.      K0724: Knowledge of incident response principles and practices
    • 55.      K0788: Knowledge of adversarial tactics principles and practices
    • 56.      K0789: Knowledge of adversarial tactics tools and techniques
    • 57.      K0815: Knowledge of intelligence collection management processes
    • 58.      K0818: Knowledge of new and emerging cybersecurity risks
    • 59.      K0857: Knowledge of malware analysis tools and techniques
    • 60.      K0976: Knowledge of intelligence collection principles and practices
    • 61.      K0978: Knowledge of intelligence collection planning processes
    • 62.      K0990: Knowledge of cyber operations principles and practices
    • 63.      K0996: Knowledge of deliberate targeting principles and practices
    • 64.      K1028: Knowledge of target development principles and practices
    • 65.      K1030: Knowledge of operational planning tools and techniques
    • 66.      K1042: Knowledge of target selection policies and procedures
    • 67.      K1054: Knowledge of red team functions and capabilities
    • 68.      K0723: Knowledge of vulnerability data sources
    • 69.      K0724: Knowledge of incident response principles and practices
    • 70.      K0725: Knowledge of incident response tools and techniques
    • 71.      K0726: Knowledge of incident handling tools and techniques
    • 72.      K0730: Knowledge of cyber safety principles and practices
    • 73.      K0755: Knowledge of configuration management (CM) tools and techniques
    • 74.      K0797: Knowledge of ethical hacking tools and techniques
    • 75.      K0927: Knowledge of configuration management tools and techniques
    • 76.      K0945: Knowledge of intelligence data gathering policies and procedures
    • 77.      K0955: Knowledge of penetration testing principles and practices
    • 78.      K0956: Knowledge of penetration testing tools and techniques
    • 79.      K0990: Knowledge of cyber operations principles and practices
    • 80.      K1133: Knowledge of cybersecurity engineering
    • 81.      K0683: Knowledge of cybersecurity vulnerabilities
    • 82.      K0697: Knowledge of encryption algorithm capabilities and applications
    • 83.      K0698: Knowledge of cryptographic key management principles and practices
    • 84.      K0984: Knowledge of web security principles and practices
    • 85.      K0480: Knowledge of malware
    • 86.      K0682: Knowledge of cybersecurity threats
    • 87.      K0683: Knowledge of cybersecurity vulnerabilities
    • 88.      K0684: Knowledge of cybersecurity threat characteristics
    • 89.      K0724: Knowledge of incident response principles and practices
    • 90.      K0725: Knowledge of incident response tools and techniques
    • 91.      K0815: Knowledge of intelligence collection management processes
    • 92.      K0817: Knowledge of event correlation tools and techniques
    • 93.      K0857: Knowledge of malware analysis tools and techniques
    • 94.      K0976: Knowledge of intelligence collection principles and practices
    • 95.      K1009: Knowledge of threat intelligence principles and practices
    • 96.      K1038: Knowledge of target critical vulnerabilities
    • 97.      K0645: Knowledge of standard operating procedures (SOPs)
    • 98.      K0657: Knowledge of network collection policies and procedures
    • 99.      K0660: Knowledge of appropriate use policies and procedures
    • 100.   K0671: Knowledge of Communications Security (COMSEC) policies and procedures
    • 101.   K0699: Knowledge of data administration policies and standards
    • 102.   S0431: Skill in applying critical thinking
    • 103.   S0444: Skill in mitigating deception in reporting and responding to incidents
    • 104.   S0489: Skill in implementing countermeasures
    • 105.   S0492: Skill in performing threat environment analysis
    • 106.   S0494: Skill in performing operational environment analysis
    • 107.   S0721: Skill in prioritizing information
    • 108.   S0834: Skill in developing technical reports
    • 108a. S0444: Skill in mitigating deception in reporting and responding to incidents
    • 109.   S0871: Skill in performing network analysis
    • 110.   S0431: Skill in applying critical thinking
    • 111.   S0493: Skill in determining intelligence support requirements
    • 112.   S0593: Skill in handling incidents
    • 113.   S0380: Skill in facilitating cybersecurity awareness briefings
    • 114.   S0391: Skill in creating technical documentation
    • 115.   S0477: Skill in identifying anomalous activity
    • 116.   S0482: Skill in performing forensic data analysis
    • 117.   S0489: Skill in implementing countermeasures
    • 118.   S0491: Skill in processing digital forensic data
    • 119.   S0492: Skill in performing threat environment analysis
    • 120.   S0493: Skill in determining intelligence support requirements
    • 121.   S0504: Skill in identifying vulnerabilities
    • 122.   S0505: Skill in performing intrusion data analysis
    • 123.   S0530: Skill in conducting research
    • 124.   S0547: Skill in identifying malware
    • 125.   S0548: Skill in capturing malware
    • 126.   S0549: Skill in containing malware
    • 127.   S0550: Skill in reporting malware
    • 128.   S0567: Skill in deploying signatures
    • 129.   S0593: Skill in handling incidents
    • 130.   S0718: Skill in identifying cybersecurity threats
    • 131.   S0736: Skill in researching software vulnerabilities
    • 132.   S0737: Skill in researching software exploits
    • 133.   S0854: Skill in performing data analysis
    • 134.   S0856: Skill in performing digital evidence analysis