T1 DFIR Foundations (3d)

    If the scheduled dates above don't suit or if there are no available dates currently listed, but you are interested in the class, kindly fill in your details below to be added to our Register of Interest.


    A member of our training team will contact you with alternative arrangements.


    DFIR is a three day course

    Cyberattacks have become a common aspect of our interconnected world. In the past, a response to such incidents would be to simply kick the attacker off and rebuild any compromised computers. But with the proliferation of skilled people employing ever more complex attack vectors, there is a call to perform a deeper forensic analysis to determine the exact attack methodologies, to better harden target systems from future attempts. 

    This three-day course is aimed to bridge the gap between traditional Security Operations Centre incident response and digital forensics. You will learn where the two disciplines overlap, and how they can work together to create a capability that is greater than the sum of its parts. 

    Executive Summary

    T1 DFIR Foundations gives practitioners a grounding in both incident response and digital forensics so they may better understand how these disciplines can work together to solve complex problems in the cybersecurity arena. The course features both theory as well as practical case studies where students will be able to use their new skills to examine data for evidence of attack using realistic data sets and tools. 

    If you are an existing Tier 1 SOC team member looking to upskill, a digital forensic analyst wanting to cross-skill, or an IT professional seeking an entry into DFIR, this is a great opportunity to increase your skills and capability.  


    Detailed course outline: 

    Day One 

    • Introduction to DF & IR 
    • DF vs IR – how and where they overlap 
    • Digital Evidence 
    • Data collection 
    • Forensic Data collection at rest 
    • Forensic Data collection at transit
    • Practical exercises 


    Day Two (Theory) 

    • File systems forensic artefacts 
    • TCP / IP (v4) 
    • Windows OS forensic artefacts 
    • Application generated forensic artefacts 
    • Encryption and obfuscation 


    Day Three (Case Studies) 

    • Common indicators of possible attack or compromise 
    • Defining a scope for data collection 
    • Processing and examining of the evidence 
    • Practical Application of Scientific methodologies (Testing and experimentation)