Skip to content

Track 03 — Digital Forensics & Incident Response

Reconstruct events from the artifacts left behind and tell the story of what happened on a system — defensibly, so the timeline holds up. Acquisition through root-cause report.

What you'll be able to do

  • Acquire and verify evidence without altering it.
  • Recover and interpret artifacts from disk, memory, and the network.
  • Build a super-timeline that correlates activity across sources.
  • Drive an investigation to a root-cause verdict and write it up.

Modules

# Module What you'll learn OSS tools
01 Forensic Fundamentals & Evidence Handling Integrity, hashing, chain of custody dc3dd, sleuthkit
02 Acquisition & Imaging Capturing disk and memory soundly dc3dd, avml
03 File Systems & Carving NTFS/ext internals; recovering deleted data sleuthkit, foremost
04 Windows Artifacts Registry, event logs, prefetch, execution RegRipper, EZ tools
05 Browser & Application Artifacts User activity and app traces autopsy, hindsight
06 Memory Forensics Processes, injection, connections from RAM volatility3, MemProcFS
07 Timeline Analysis Building and pivoting a super-timeline plaso, timesketch
08 Triage & Live Response Scaling collection across hosts velociraptor
09 Network Forensics Reconstructing sessions and files from PCAP wireshark, zeek
10 Log & Cloud Forensics Investigating from logs and cloud trails hayabusa, chainsaw
11 Anti-Forensics & Detecting It Timestomping, wiping, and spotting them sleuthkit
12 Malware Artifacts in IR Handing off to deep analysis (→ T04) capa, yara
13 Incident Response Process The NIST lifecycle in practice
14 Reporting & Root-Cause Analysis A report that survives scrutiny

Phases & projects

The fourteen modules run in four phases; each ends in a project that integrates its modules into a portfolio-worthy artifact (a phase is the substantial, standalone unit — a single module is a few hours).

  • Phase 1 · Acquire & preserve (01–03) — Project: a forensically sound acquisition kit — image a training disk and capture memory, verify with hashes, and carve back deleted files, all documented with a chain-of-custody log that would survive challenge.
  • Phase 2 · Reconstruct the host (04–08) — Project: from a single compromised-host image, pull Windows artifacts, browser/app traces, and memory, then fuse them into one plaso/Timesketch super-timeline and triage it at scale with Velociraptor.
  • Phase 3 · Beyond the host (09–12) — Project: extend the investigation off the box — reconstruct sessions and files from PCAP, pivot through logs and cloud trails, spot anti-forensic tampering, and hand malware artifacts off to deep analysis (→ T04).
  • Phase 4 · Investigation & report (13–14) — Project: the track capstone — run the full NIST lifecycle and deliver a root-cause incident report where every claim traces back to an artifact.

Prerequisites

Complete Track 00 — Foundations first.

Labs use public training images and sample memory dumps. Never examine evidence you're not authorised to handle.

Capstone

Take a training disk or memory image to a root-cause incident report: acquire and verify, build a super-timeline, and reconstruct what happened — every claim tied to an artifact. Deliverable: the timeline and a report that would survive scrutiny.

The starter scaffold and acceptance checks live in plaintext-labs/forensics/capstone/.

Capstone rubric

The bar is defensibility: every claim traces to an artifact, and integrity holds. Proficient is the bar to ship.

Dimension Developing Proficient Exemplary
Evidence integrity No hashing, or hashes don't match; acquisition order unclear Image hashed on acquisition and verified before analysis; working on a copy; chain of custody noted Hashes recorded at every handoff; write-blocking/read-only demonstrated; order of volatility respected
Artifact recovery Surface artifacts only Recovered and interpreted artifacts across at least two sources (disk + memory or + network) Recovered deleted/carved data or pivoted from memory to disk to confirm a finding
Super-timeline Events listed, not correlated A timeline correlating activity across sources, with the key events called out Pivots on the timeline reconstruct the full sequence; gaps and anti-forensics noted
Root-cause verdict Conclusion not supported by artifacts A defensible root cause; every claim cites the artifact behind it Initial access → actions → impact established, with confidence levels and what's not proven stated
Reporting Notes, not a report Clear narrative an investigator could follow and reproduce Would survive scrutiny: methodology, tooling, hashes, and limitations all documented

AI & automation

AI summarises timelines, correlates artifacts, and drafts the incident narrative far faster than you can by hand. Forensic soundness sets the limit: an AI summary is a lead, never evidence — every conclusion traces back to the artifact. Automate collection and parsing; never automate the judgment about what happened.

Standards & further reading

  • NIST SP 800-86 (Forensic Techniques into Incident Response)
  • NIST SP 800-61 (Incident Handling Guide)
  • SWGDE best practices for digital evidence
  • Volatility and Sleuth Kit documentation

Comments

Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).