Cyber Forensics & Investigation
Learn how to preserve, analyze, and present digital evidence — from compromised systems, cloud accounts, and mobile devices — using practical investigation workflows aligned with real-world incident response.
Overview
This course takes you through the full lifecycle of a digital investigation: from receiving an incident alert and preserving volatile evidence, to analyzing artefacts and presenting findings in a way that will stand up to internal reviews — and in some cases, legal scrutiny.
Who is this for?
- SOC analysts and incident responders moving deeper into forensics.
- Cybersecurity students who want practical investigation skills.
- System / network admins who end up handling “what happened?” questions.
- Law enforcement or legal support staff who work with digital evidence.
What you’ll be able to do
- Plan and execute a digital investigation with clear scope and timelines.
- Capture and preserve evidence from disks, memory, logs, and cloud sources.
- Reconstruct attacker activity using artefacts and timelines.
- Write clear, defensible forensic reports with screenshots and exhibits.
How we teach
Forensics is best learned by doing. That’s why every topic is wrapped inside a story: a compromised laptop, a suspicious USB, a strange login, or a leaked file.
- Scenario brief: what happened, what’s at stake, what’s allowed.
- Concepts: short theory on artefacts, tools, and objectives.
- Hands-on lab: you perform the acquisition & analysis.
- Timeline & findings: you extract, tag, and explain key events.
- Reporting: you convert technical work into a mini case report.
Step by step, you’ll build a repeatable investigation playbook that you can apply in SOC work, IR consulting, or internal security roles.
Curriculum
Each module is built around practical tasks. You learn how to think like an investigator, not just how to click buttons in a forensic tool.
Module 1
Foundations of Digital Forensics
Core principles: integrity, chain of custody, legal vs internal investigations, volatile vs non-volatile data, and the typical phases of an investigation (identification, preservation, collection, analysis, reporting).
Module 2
Evidence Handling & Chain of Custody
How to receive, label, and track evidence. Hashing (MD5/SHA), evidence logs, working copies vs originals, and practical dos and don’ts that prevent your investigation from being questioned later.
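As an added example (not part of the course page or its lab material), the Python script below shows the hashing and working-copy discipline this module describes: the original is hashed with two algorithms before anything else touches it, a working copy is made and re-hashed, every step is appended to a custody log, and a later re-check exposes any modification. The case/item identifiers, handler name, file names and the tiny stand-in "image" are all constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Record two digests so a weakness in one algorithm alone does not undermine the record.
ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Stream a file through every requested digest; real images are far too big to read whole."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Same digests for an in-memory buffer (handy for small artefacts and self-checks)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


class EvidenceLog:
    """Append-only custody log: who did what to which item, and the hashes observed at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, item_id, action, handler, hashes, note=""):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "item": item_id,
            "action": action,
            "handler": handler,
            "hashes": dict(hashes),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def make_working_copy(original, copy_path, item_id, handler, log):
    """Hash the original, copy it, hash the copy, compare. Analysis then runs on the copy only."""
    before = hash_file(original)
    log.record(item_id, "acquired", handler, before, f"original at {original}")
    shutil.copyfile(original, copy_path)
    after = hash_file(copy_path)
    verified = before == after
    log.record(item_id, "working-copy", handler, after,
               "verified against original" if verified else "HASH MISMATCH: do not analyze")
    return verified


def verify_integrity(path, expected_hashes):
    """Re-hash at any later point (before analysis, before reporting) and compare with the logged values."""
    current = hash_file(path)
    return all(current.get(name) == value for name, value in expected_hashes.items())


def demo():
    """Constructed walkthrough: a 3-byte file stands in for a USB image in a temp directory."""
    workdir = Path(tempfile.mkdtemp())
    original = workdir / "usb_image.dd"          # constructed file name
    original.write_bytes(b"abc")                 # constructed content
    log = EvidenceLog()
    copy_path = workdir / "usb_image_working.dd"
    ok = make_working_copy(original, copy_path, "CASE-001/ITEM-01", "analyst-a", log)
    # Simulate an accidental write to the working copy, then re-check it against the acquisition hashes.
    with open(copy_path, "ab") as fh:
        fh.write(b"x")
    still_ok = verify_integrity(copy_path, log.entries[0]["hashes"])
    return {"copy_verified": ok, "copy_intact_after_tamper": still_ok, "log": log.entries}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log entries are what you attach to the case file; the original never leaves its first hash state, and any figure quoted in the report can be tied back to a specific entry.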
Module 3
Disk Forensics & File Systems
File system basics (NTFS, FAT, ext4), partitions, and slack space. Creating and working with disk images, mounting them read-only, and analyzing files, deleted artefacts, and hidden data using open-source tools.
Module 4
Memory Forensics & Live Response
When and how to perform live response, capturing RAM safely, and using memory analysis frameworks to identify processes, network connections, injected code, and in-memory-only malware.
Module 5
Windows Artefacts & User Activity
Registry hives, event logs, prefetch, jump lists, browser history, and link files. Building timelines of user activity: logins, file access, program execution, external devices, and network usage on Windows systems.
Module 6
Linux & Server-Side Forensics
Investigating Linux servers and web hosts: logs in /var/log, auth and web logs, cron jobs, bash history, and common persistence mechanisms. Reconstructing lateral movement and privilege escalation.
Module 7
Network & Cloud Forensics
Working with packet captures and flow logs, identifying malicious sessions, exfiltration patterns, and command-and-control traffic. Cloud log basics (e.g., IAM changes, unusual logins, API calls) and how to pull them into an investigation timeline.
Module 8
Mobile & Endpoint Artefacts (Overview)
High-level look at Android/iOS artefacts, endpoint detection logs, messaging apps, and how mobile data often supports or contradicts a primary case theory. Not a full mobile course — but enough to understand where evidence lives.
Module 9
Timelining & Story Building
Combining artefacts from multiple sources (disks, memory, logs, cloud) into a coherent timeline. Tagging events as attacker, victim, system, or noise, and validating your theory against the data.
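As an added illustration, not taken from the course or its labs, the Python below merges events from three constructed sources (a Windows event export, Linux auth/cron log lines, and a CloudTrail-style JSON record) into one UTC-sorted timeline and tags each event as attacker, victim, system or noise, as this module describes. The source formats, the case year supplied for year-less syslog lines, the pivot address 10.0.0.5 treated as attacker-controlled, and the tagging rules are all assumptions made for the example.

```python
import json
import re
from datetime import datetime, timezone

# Assumptions for this constructed case: syslog lines carry no year, so one comes from
# the case brief; 10.0.0.5 was attributed to the attacker earlier in the investigation.
CASE_YEAR = 2024
ATTACKER_IPS = {"10.0.0.5"}
ATTACKER_ACCOUNTS = set()            # grows as accounts are attributed during the case
SYSTEM_ACTORS = {"SYSTEM", "CRON", "systemd"}
NOISE_PATTERNS = ("Logoff", "session closed")

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")


def iso_utc(text):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_windows_csv(line):
    """Constructed export layout: time,event_id,summary,account,source_ip ('-' when absent)."""
    ts, event_id, summary, account, src_ip = line.strip().split(",")
    return {"time": iso_utc(ts), "source": "win-evtx", "actor": account,
            "ip": None if src_ip == "-" else src_ip, "desc": f"EventID {event_id}: {summary}"}


def parse_syslog(line):
    """Linux auth/cron line in classic syslog layout (no year; assumed already in UTC)."""
    mon, day, clock, host, prog, msg = SYSLOG_RE.match(line.strip()).groups()
    hh, mm, ss = (int(x) for x in clock.split(":"))
    user = re.search(r"for (?:user )?(\S+)", msg)
    ip = re.search(r"from (\S+)", msg)
    return {"time": datetime(CASE_YEAR, MONTHS[mon], int(day), hh, mm, ss, tzinfo=timezone.utc),
            "source": f"{host}:{prog}", "actor": user.group(1) if user else prog,
            "ip": ip.group(1) if ip else None, "desc": msg}


def parse_cloud_json(line):
    """CloudTrail-style record (constructed; only the fields used here are present)."""
    ev = json.loads(line)
    return {"time": iso_utc(ev["eventTime"]), "source": "cloud-api",
            "actor": ev["userIdentity"]["userName"], "ip": ev.get("sourceIPAddress"),
            "desc": ev["eventName"]}


def tag_event(ev, attacker_ips=ATTACKER_IPS, attacker_accounts=ATTACKER_ACCOUNTS):
    """Rule order matters: attribution to the attacker wins over the generic system/noise buckets."""
    if ev["ip"] in attacker_ips or ev["actor"] in attacker_accounts:
        return "attacker"
    if ev["actor"] in SYSTEM_ACTORS:
        return "system"
    if any(p in ev["desc"] for p in NOISE_PATTERNS):
        return "noise"
    return "victim"   # legitimate activity of the compromised user or host


def build_timeline(windows_lines, syslog_lines, cloud_lines):
    """Normalise every source to one schema, sort on UTC time, then tag."""
    events = ([parse_windows_csv(l) for l in windows_lines]
              + [parse_syslog(l) for l in syslog_lines]
              + [parse_cloud_json(l) for l in cloud_lines])
    events.sort(key=lambda e: e["time"])
    for ev in events:
        ev["tag"] = tag_event(ev)
    return events


# Constructed sample evidence telling one cross-source story (deliberately out of order).
WINDOWS_LINES = [
    "2024-03-01T09:15:02Z,4624,Interactive logon,alice,10.0.0.23",
    "2024-03-01T09:10:00Z,4672,Special privileges assigned,SYSTEM,-",
    "2024-03-01T09:12:30Z,4634,Logoff,alice,-",
]
SYSLOG_LINES = [
    "Mar  1 09:17:40 web01 sshd[2231]: Accepted password for deploy from 10.0.0.5 port 51022 ssh2",
    "Mar  1 09:00:01 web01 CRON[2100]: (root) CMD (run-parts /etc/cron.hourly)",
]
CLOUD_LINES = [
    '{"eventTime":"2024-03-01T09:20:11Z","eventName":"CreateAccessKey",'
    '"userIdentity":{"userName":"deploy"},"sourceIPAddress":"10.0.0.5"}',
]


def demo():
    """Return (time, tag, source, description) rows for the constructed sample."""
    return [(e["time"].isoformat(), e["tag"], e["source"], e["desc"])
            for e in build_timeline(WINDOWS_LINES, SYSLOG_LINES, CLOUD_LINES)]


if __name__ == "__main__":
    for row in demo():
        print(" | ".join(row))
```

The point of the schema is that every later question ("what did the attacker do between the SSH login and the key creation?") becomes a filter on one list rather than a hunt across three tool outputs; when the tagging rules change as the theory is revised, re-running the build is the validation step the module calls for.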
Module 10
Reporting & Presenting Findings
Writing forensic reports: structure, executive summaries, evidentiary sections, screenshots, and appendices. How to answer: “What happened?”, “How sure are you?”, and “What should we fix now?” in language that management and legal teams can use.
Labs & Casework
Rather than isolated exercises, labs are structured as realistic mini-cases. Each one ends with a short write-up to strengthen your documentation skills.
Case 1: Suspicious USB Drive
You receive an image of a USB device plugged into an employee machine. You’ll analyze its contents, identify exfiltrated data, and confirm whether any malware was executed.
Case 2: Ransomware on a File Server
Starting from logs and a disk image, you’ll determine the initial access vector, execution chain, and data touched. You’ll also identify gaps in logging and recommend hardening steps.
Case 3: Suspicious Cloud Login
Given cloud logs and endpoint artefacts, you’ll decide whether an unusual login was benign, credential stuffing, or part of a targeted attack — and back your conclusion with evidence.
Prerequisites
Technical basics
- Basic understanding of operating systems (Windows or Linux).
- Comfort working with files, folders, and simple command-line usage.
- Some security background (SOC / blue team / general cyber) is helpful but not mandatory.
Mindset & tooling
- Curiosity to dig into details and cross-check facts.
- A laptop capable of running virtual machines or connecting to remote lab images.
- Respect for privacy and legal boundaries — we only work with lab data and authorized cases.
Not sure if your machine is enough? Reach out via the contact form and we’ll recommend a local-vs-cloud lab setup for you.
Outcomes
By the end of this course, you’ll be able to handle common digital investigations with confidence — from first alert to final report.
End-to-end investigation ability
Plan the scope, collect data, analyze it, and present conclusions using a repeatable process that you can adapt to your organization.
Stronger SOC / IR profile
You’ll be comfortable reading artefacts, logs, and timelines — skills that are heavily valued in incident response, DFIR, and blue-team interviews.
Reporting & communication
You’ll know how to explain “what happened” without drowning stakeholders in tool output, and how to justify your confidence level in each finding.
Schedule & Duration
We offer different delivery modes to fit around your work or study schedule.
| Mode | Duration | Details |
|---|---|---|
| Weekend cohort | 5–6 weeks | Live sessions with labs and guided casework each weekend. |
| Weekday evenings | 4–5 weeks | Short, focused classes with at-home labs and assignments. |
| Self-paced | Flexible | Recorded content plus access to case images and lab guides; optional doubt-clearing slots where available. |
Pricing / Engagement
Pricing varies by mode, level of mentoring, and whether you enroll individually or as a team. EMI / installment options may be available for some cohorts.
Individual
Full course access for one learner, including labs and capstone casework.
Team / SOC batch
Designed for small SOC / IR teams with custom scenarios and the option to use sanitized internal logs as lab material (where appropriate).
Academic / Training partner
Special structures for colleges, training institutes, or government academies looking to add practical forensics to their curriculum.
FAQs
Is this a legal / law-enforcement course?
The course is technical first — focused on how to find and interpret evidence. We touch on legal considerations and chain of custody, but this is not a replacement for formal legal training. It’s designed to support SOC, IR, and cyber-investigation roles.
What tools will we use?
Primarily open-source and widely accessible tools for imaging, disk analysis, memory analysis, and log review. The concepts will also map cleanly to many commercial forensic suites if your organization uses them.
Do I get access to case images after the course?
Yes — in most modes you retain access to lab images and walkthrough notes for personal practice (subject to our acceptable use policy).
Will there be a certificate?
Yes, a completion certificate is provided after finishing required labs and the capstone case. It showcases your investigation and reporting skills for portfolios and interviews.
Ready to build real investigation skills?
Email info@meenexis.com or use the contact form — we’ll share batch dates, detailed syllabus, and help you choose the right learning path.