Run the incident response process end to end and reconstruct what happened — the six IR phases, sound evidence handling and chain of custody, disk and memory forensics, log and network analysis, malware triage, and containment, recovery, and lessons learned.
Before you start
Practice on your own systems, public forensic challenge images, or authorized incidents — never on data you have no right to examine. The tooling is open source (The Sleuth Kit / Autopsy, Volatility, Wireshark). Analyze malware only in an isolated, disposable lab.
The Incident Response Process
When an alert becomes an incident, a repeatable process keeps a crisis from becoming chaos. Learn the six phases and why preparation decides how the other five go.
Evidence Handling & Chain of Custody
Evidence that isn’t preserved soundly is worthless — in court and in analysis. Capture volatile data in the right order, image without altering, and prove integrity with hashes.
Disk Forensics
The disk holds the persistent story — files, deleted data, and the operating system’s own records of what ran and when. Learn where the artifacts live and how to read them.
Memory Forensics
RAM holds what the disk never sees — running malware, decrypted data, network connections, and injected code. Analyze a memory capture to catch what hides from disk.
Log & Network Forensics
Logs and captured traffic show the attack across systems and over the wire — lateral movement, command-and-control, and exfiltration. Reconstruct the path, end to end.
Malware Triage
When you recover a suspicious file, you need to know what it does — without infecting yourself. Triage safely with static and dynamic analysis in an isolated lab.
Containment, Recovery & Lessons
Understanding the incident isn’t the end — you must stop the bleeding, remove the attacker completely, restore safely, and make sure it can’t happen the same way again.