Module 10 · Foundations for the defenders

IR & Forensics

The discipline of what to do when the alarms go off, and how to figure out what actually happened. Most of Rolling Thunder Security's offerings are defense-oriented; this module gives you the foundations so when you take the dedicated DFIR classes later, the vocabulary is already familiar.

5 reference pages · 4 NIST IR phases · 1 hands-on lab

When prevention fails — and at some point it always does — incident response and digital forensics are what limit the damage and answer the inevitable question: what happened, who did it, what did they take, and how do we make sure it doesn't happen again?

Most of this course is defense: configure, harden, monitor. This module is the discipline you apply when those have already been bypassed. It's a smaller module deliberately — the goal is to give you the foundational vocabulary and process so when you take dedicated DFIR coursework later (Rolling Thunder Security 4xx series), nothing feels foreign.

10.A

Reference pages

10.01 · The IR Lifecycle
NIST SP 800-61's four phases — Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity — with the artifacts and decisions that live in each.

10.02 · Evidence Handling & Chain of Custody
Order of volatility, hashing for integrity, write-blockers for disk imaging, chain-of-custody documentation. What separates evidence a court will accept from evidence it won't.

10.03 · Network Forensics
Packet captures vs NetFlow. Wireshark fundamentals. The "five Ws" of any network conversation: who talked to whom, when, how much, and over what protocol.

10.04 · Host Forensics
Volatile memory acquisition, disk imaging, registry hives, the Windows artifacts (Prefetch, Shimcache, Amcache, MFT) and Linux equivalents (auth.log, bash history, systemd journal) that tell the story of what ran when.
10.B

Hands-on lab

Lab · Log Analysis: Reconstruct an Intrusion
A real-shaped intrusion scenario. You have web access logs, auth logs, and host telemetry. Walk the timeline from initial access to data exfiltration, identify the IOCs, and write the incident report.