

Duration: 80 Hours

The Incident Response & Forensics course will teach you how to establish incident response capabilities and prepare your organization to carry out investigations. The course also gives practitioners the skills needed to excavate and analyze malicious software resulting from Advanced Persistent Threats and other emerging intrusion techniques. Students learn how to dissect malware and formulate mitigation strategies for preventing future penetration. The hands-on lab exercises covered in the course incorporate significant real-world experience necessary for delivering world-class results in the field.

Target Audience

  • Computer Forensics Investigators
  • Law Enforcement Personnel
  • Information Security Managers
  • Threat/Incident Responders
  • Malware Analysts
  • IT Professionals
  • Cyber Crime Attorneys
  • Private Investigators
  • Compliance Officers
  • Auditors


  • Establish and fortify an organization’s security, forensics, and incident response capabilities
  • Customized private sessions, tailored towards organizations’ unique environments
  • Detailed step-by-step and how-to instructions
  • Instructor-led and student-performed hands-on exercises
  • Real-world simulations of forensics challenges
  • Seasoned expert instructors with real-world hands-on consulting and training experience
  • Arsenal of take-aways (tools, templates, guides, and relevant forensics resources)
  • Up-to-date course content, addressing emerging forensics challenges
  • Small class sizes ensuring maximum student-instructor interaction
  • Vendor-neutral content – covering commercial and freeware tools

Prerequisites

Background in IT as well as software development or intelligence.

Course Outline

Module 1: Incident Response Process

  • Building Incident Response Capability
  • Preparation
  • Incident Readiness Planning
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

Module 2: Legal Considerations

  • Internet Laws and Statutes
  • Legal Concerns and Privacy Issues
  • Court Admissibility of (Volatile) Evidence

Module 3: Evidence Collection

  • Volatile Data Collection
    • Pros and Cons of System Shutdown
    • Order of Volatility (Memory, Process, Network, Registry Court
  • Hard Drive Imaging
    • Physical Image
    • Logical Image
  • Full/Partial Drive Encryption Scenarios
  • Documenting the Cyber Crime Scene
  • Collecting Additional Storage Devices, Sticky Notes, etc.

Module 4: Evidence Preservation

  • Securing the Evidence Chain of Custody

Module 5: Preparing Incident Response Tools

  • Statically Linked Binaries
  • Import Library
  • Incident Response Tools Selection

Module 6: Hackers’ Methods of Maintaining Presence (Persistence Methods)

  • Surviving Reboots
  • Autoruns
  • Services
  • Service Host Services
  • Stubpath
  • Scheduled Tasks
  • Windows Firewall

Module 7: System Compromise Indicators (Quickly Detecting and Confirming Intrusions)

  • Firewall, IDS, etc.
  • Temporary Internet Files
  • Anti-Virus Logs
  • Hosts File
  • DNS Cache
  • Running Services
  • Critical Log Files
  • Network Connections
  • Memory
  • Recycle Bin
  • Hidden and Protected Files

Module 8: Volatile Data

  • Collection and Analysis on a Live System
  • Collection and Analysis of Physical and Process Memory
  • Volatile Evidence in Incident Response
  • Court Admissibility of Volatile Evidence

Module 9: Memory Forensics

  • Physical Memory Acquisition
  • Extracting and Examining Processes
  • Network Connections
  • Extracting Crucial Artifacts
  • Windows Registry Analysis
  • User Activity Reconstruction

Module 10: Windows Registry Analysis

  • Monitoring Registry Changes
  • System Information
  • User Activities
  • AutoStart Locations

Module 11: Network Analysis

  • Capturing and Analyzing Network Packets
  • Leveraging IDS/IPS Rules and Signatures to Detect Attacks
  • Analyzing Malicious Payload in Network Packets

Module 12: Forensics

  • Timeline Analysis
  • File Signature Analysis
  • Hash Analysis

Module 13: Malware Analysis

  • Malware Taxonomy
  • Malware Threats
  • Malware Analysis Methodologies
  • Identifying and Protecting against Malware
  • Memory-Resident Malware
  • Memory Imaging Tools/Techniques
  • Memory Analysis Tools
  • Static Analysis
  • Dynamic Analysis
  • Malicious Document Analysis
  • Malware Challenges

Module 14: Cyber Threat Intelligence

  • Developing and leveraging threat intelligence to detect, respond, and defeat sophisticated attacks
  • Automating threat detection and response

Module 15: Building Incident Response Tool Suite

  • Building Trusted Toolkits
  • Testing the Tools