
First Responder: Digital Evidence Collection & Triage

5 days of hands-on labs

The most critical moment in a cyberattack isn't when the forensic experts arrive; it's the moment the attack is discovered. This course teaches first responders (SysAdmins, IT Staff) how to preserve the crime scene using modern forensic tools without destroying the evidence required to prosecute the attacker.

Who Should Attend?

Help Desk / SysAdmins

The first people notified of "weird computer behavior." They need to know what NOT to touch.

SOC Analysts

Tier 1 and 2 analysts needing to grab artifacts (RAM, PCAP) for Tier 3 escalation.

Security Officers

Physical security staff who seize hardware (laptops/phones) during insider threat events.

The "Golden Hour" of Volatility

Why speed matters: As soon as you pull the plug, you lose the most valuable evidence.

Volatile Data (gone on power-off)
  • Running processes (including malware)
  • Network connections (C2 IPs)
  • Decryption keys in RAM
  • Clipboard contents

Non-Volatile Data (persists)
  • Files on the hard drive
  • Registry hives
  • Event logs
  • Prefetch files

Modern Forensic Lab Tools

Note: These lists are not all-inclusive; the goal is to provide multiple methods to answer any investigative question.

  • FTK Imager: live disk acquisition
  • Volatility & LiME: advanced memory forensics
  • ELK Stack: log aggregation & analysis
  • Wazuh: open source SIEM/XDR
  • Velociraptor: live response & hunting
  • Eric Zimmerman Tools: registry & artifact deep dive
  • Autopsy: open source analysis suite
  • Arsenal Image Mounter: forensic image mounting
  • And more: KAPE, Wireshark, RegRipper

Premium tool add-ons (F-Response, Axiom, or X-Ways) are available upon request; additional licensing fees apply.

Enterprise EDR Training Add-ons

Customize your private session with vendor-specific training. *Additional fees apply.

  • CrowdStrike Falcon
  • Cortex XDR
  • Microsoft Sentinel
  • SentinelOne
  • Rapid7 InsightIDR
  • Carbon Black
  • Cybereason
  • And more...

Course Syllabus

01 The Critical 15 Minutes

Immediate actions to take (and NOT take) when a breach is suspected. Securing the physical area. Isolating the system from the network without cutting power.

02 Volatile Acquisition (Live Response)

Using Velociraptor for rapid fleet-wide collection. Capturing RAM with LiME or DumpIt before power-off so that encryption keys and evidence of C2 connections are preserved.

03 Dead Box Imaging

Safely shutting down the system. Using hardware write-blockers and FTK Imager to create a hash-verified forensic image (E01 format) without altering the evidence.

04 Triage & Chain of Custody

Rapid analysis of Prefetch files, Event Logs, and Registry Hives using Autopsy and EZ Tools to confirm the attack vector. Documenting the chain of custody and hashing every artifact so it holds up legally.
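The hashing and chain-of-custody step in modules 03 and 04 is easy to describe and easy to get subtly wrong, so here is an added example (not course material, and not one of the tools listed above) showing the two things that have to be true of an acquired image: its digests are computed once at acquisition and re-verified before analysis, and every hand-off is logged in a ledger where each entry hashes the one before it, so a deleted or edited entry is detectable. The image bytes, the WS-042 filename, and the handler names are constructed for the demonstration.

```python
# Added example: hashing an acquired image and keeping a tamper-evident
# chain-of-custody ledger. Not course material; the image bytes, handler
# names and file paths below are constructed for the demonstration.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash large images in 1 MiB pieces, never whole


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def _entry_digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _load_ledger(ledger_path):
    if not os.path.exists(ledger_path):
        return []
    with open(ledger_path) as fh:
        return json.load(fh)


def record_custody(ledger_path, evidence_path, handler, action, note=""):
    """Append one custody event; each entry links to the hash of the previous one."""
    ledger = _load_ledger(ledger_path)
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "handler": handler,
        "action": action,
        "note": note,
        "hashes": hash_file(evidence_path),
        "previous": ledger[-1]["entry_hash"] if ledger else "0" * 64,
    }
    entry["entry_hash"] = _entry_digest(entry)
    ledger.append(entry)
    with open(ledger_path, "w") as fh:
        json.dump(ledger, fh, indent=2)
    return entry


def verify_image(evidence_path, expected_hashes):
    """True only if every recorded digest still matches the file on disk."""
    current = hash_file(evidence_path, tuple(expected_hashes))
    return all(current[a] == expected_hashes[a] for a in expected_hashes)


def verify_ledger(ledger_path):
    """True if no entry was altered and the previous-hash links are unbroken."""
    previous = "0" * 64
    for entry in _load_ledger(ledger_path):
        if entry["previous"] != previous or entry["entry_hash"] != _entry_digest(entry):
            return False
        previous = entry["entry_hash"]
    return True


def demo():
    """Acquire, log two hand-offs, verify, then show a single changed byte is caught."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "WS-042_disk.E01")   # constructed image name
    ledger = os.path.join(workdir, "custody.json")
    with open(image, "wb") as fh:                       # constructed image bytes
        fh.write(b"EVF\x09\x0d\x0a\xff\x00" + bytes(range(256)) * 64)

    acquired = record_custody(ledger, image, "a.responder", "acquired",
                              "FTK Imager, hardware write-blocker")
    record_custody(ledger, image, "b.examiner", "received", "sealed evidence bag")
    verified_before = verify_image(image, acquired["hashes"])

    with open(image, "r+b") as fh:                      # simulate a post-acquisition change
        fh.seek(100)
        fh.write(b"\x00")
    verified_after = verify_image(image, acquired["hashes"])

    return {
        "sha256": acquired["hashes"]["sha256"],
        "verified_before": verified_before,
        "verified_after_tamper": verified_after,
        "ledger_intact": verify_ledger(ledger),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to real evidence handling: the file is read once and both digests are updated from the same chunks, so a multi-hundred-gigabyte image is not read twice or loaded into memory, and the ledger's previous-hash link means the custody record itself can be checked for tampering, not just the image it describes.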

Frequently Asked Questions

Will this make me a certified forensic analyst?

This course builds the foundational skills for certifications like GCFA or GCIH, but focuses specifically on the *initial response* phase: getting the data safely so the experts can analyze it later. With additional add-ons, further forensic analysis techniques can be covered.

Do I need to bring my own write-blocker?

For in-person sessions, we provide all hardware. For remote sessions, we use software write-blocking techniques and virtualized evidence files to simulate the experience.

Register for Class

$3,000.00 per student

SF-182 training request forms are accepted for payment.

Need a Private Session?

We offer private group training for teams of 5 or more.