Training · DFIR · Practitioner programme

Pull the disk. Capture the memory. Write the report a regulator will read.

An evidence-first DFIR programme built on real engagement telemetry. Six forensic specialisms — host, memory, network, malware RE, cloud, ICS/OT — taught in the order an incident demands them. Chain of custody as a drilled habit, not a memorised slide.

The training gap

Most DFIR courses teach you the tools. They don't teach you the discipline.

Anyone can run Volatility against a memory capture. Few can decide, under time pressure, which capture to take, in which order, before which containment action — and then write the result in a form that survives a regulator review and a court submission. The tools take a week. The discipline takes the programme.

01

Tool-led, not lifecycle-led

A course on "memory forensics" teaches you to use Volatility. It does not teach you when memory matters more than disk, or when you have already lost it.

02

Chain of custody as theory

Every textbook explains chain of custody. Few programmes drill it. The habit is built one preservation exercise at a time, with the seal numbers checked and the timestamps audited.

03

Specialisms left out

Cloud forensics, identity forensics, and ICS/OT forensics are the disciplines that real incidents demand and most curricula skip. We don't skip them.

Six specialisms

The disciplines a complete DFIR practitioner can switch between mid-incident.

Each specialism is a 2- to 3-week module. The full programme covers all six in sequence, paced to how an actual incident unfolds — preservation primitives first, deep technical analysis later, cloud and OT specialisms layered over the foundation.

Six DFIR specialisms (figure), each with its representative tools and artefacts:

  • Host: disk · file system · NTFS · ext4 · APFS · registry · prefetch · amcache · shimcache
  • Memory: volatile state · process trees · DLLs · injected code · credentials in clear
  • Network: wire-level evidence · PCAP · NetFlow · C2 beacon patterns · tunnel detection
  • Malware RE: attacker tooling · static + dynamic · config extraction · IOC derivation
  • Cloud: control-plane forensics · CloudTrail · Activity · IAM trail · OAuth · snapshot evidence
  • ICS / OT: industrial systems · PLC firmware · HMI logs · engineering station

2–3 weeks per module · full programme 14 weeks · capstone incident in week 14 · chain of custody drilled every week

What you do on the programme

Six modules. Six exhibits. One incident-report portfolio you can show at interview.

Image a live system

Write-blocked drive acquisition. Hash verification. Memory capture from a running host. Every step logged, every hash recorded, every container labelled.
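One way to make "every hash recorded, every container labelled" concrete, as an added example rather than the programme's own tooling or templates: a streamed SHA-256 manifest carrying the seal number and custodian, plus a re-verification pass that names any container whose hash no longer matches. File names, seal number, custodian and file contents below are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file: a multi-GB image must never be read into RAM whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(paths, seal_no: str, custodian: str) -> dict:
    """One record per sealed container: who, when (UTC), size and SHA-256."""
    return {
        "seal": seal_no,
        "custodian": custodian,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "items": [{"name": os.path.basename(p),
                   "bytes": os.path.getsize(p),
                   "sha256": sha256_file(p)} for p in paths],
    }

def verify_manifest(manifest: dict, base_dir: str) -> list:
    """Re-hash each item; return (name, expected, actual) for every deviation."""
    mismatches = []
    for item in manifest["items"]:
        p = os.path.join(base_dir, item["name"])
        actual = sha256_file(p) if os.path.exists(p) else "MISSING"
        if actual != item["sha256"]:
            mismatches.append((item["name"], item["sha256"], actual))
    return mismatches

def demo() -> tuple:
    """Constructed evidence: two tiny stand-in images, sealed, then one byte altered."""
    with tempfile.TemporaryDirectory() as d:
        disk, mem = os.path.join(d, "disk.img"), os.path.join(d, "mem.raw")
        Path(disk).write_bytes(b"NTFS    " * 64)              # constructed content
        Path(mem).write_bytes(b"\x00" * 4096 + b"lsass.exe")  # constructed content
        manifest = build_manifest([disk, mem], "SEAL-000123", "analyst-1")
        clean = verify_manifest(manifest, d)                   # expect []
        with open(mem, "r+b") as f:                            # post-seal modification
            f.write(b"\x01")
        return clean, verify_manifest(manifest, d)             # expect one mismatch
```

The manifest dict is what goes into the evidence pack alongside the signed custody form; the verification pass is what you run at every hand-off.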

Reconstruct the timeline

Filesystem timelines (MFT, USN, $LogFile). Registry timelines (UserAssist, ShellBags). Process-execution timelines (Prefetch, ShimCache, AmCache). Cross-reference. Find the gap.

Analyse a live capture

Volatility against a memory image. Find the hidden process, the injected DLL, the in-memory loader the EDR missed. Recover credentials the attacker thought were transient.

Take apart a malware sample

Static triage with a hex editor and disassembler. Dynamic analysis in an isolated sandbox. Config extraction. C2 signatures. Hand off the IOCs as if to a live IR.

Work a cloud trail

CloudTrail event reconstruction. IAM-policy abuse paths. OAuth-app over-permission detection. The fastest-changing forensic surface and the one you have to handle on day one.

Write the four reports

Technical narrative for IR peers. Executive summary for the board. Regulator-grade timeline. Counsel-grade evidence catalogue. Same facts, four audiences, four registers.

Sample week · Memory forensics · week 4 of 14

The week you stop trusting the EDR alone.

A representative memory-forensics week — the discipline that recovers what disk forensics cannot. By Friday, every cohort member can land on a captured image and tell you what was alive in RAM at the moment of acquisition.

  1. Monday

    Capture techniques

    Live RAM acquisition on Windows, Linux, macOS. Hibernation files. Pagefile / swap recovery. Hypervisor-assisted capture for VMs. Verify integrity hashes against the live system.

  2. Tuesday

    Process trees and parent-child anomalies

    Walk a real captured image. Identify the unsigned binary spawned by Word. The PowerShell child of a non-shell parent. The svchost with the wrong command line. Argue your findings.

  3. Wednesday

    Code injection — the four techniques you must recognise

    Classic DLL injection. Reflective loading. Process hollowing. Module overwriting. Each technique has a memory signature; each signature has a Volatility plugin. You match them.

  4. Thursday

    Credentials in memory

    LSASS structure analysis. NTLM and Kerberos secret recovery. The wreckage one credential dump leaves in memory. Discuss when you tell the customer their domain is compromised before you tell anyone else.

  5. Friday morning

    Capstone capture

    You receive a fresh, unbriefed memory image and 90 minutes. Find the persistence mechanism, the C2 channel, the injected payload. Write a one-page technical summary. Hand it in.

  6. Friday afternoon

    Cohort debrief

    Every cohort member presents their capstone findings. The instructor compares against ground truth. The misses are graded harder than the hits — what did you not see, and why didn't you look?

Tooling coverage

The open-source DFIR toolchain, learned to the point of muscle memory.

Acquisition

dd, FTK Imager (CLI), Linux LiME, AVML, hypervisor memory dumping, write-blocker discipline.

Disk + file system

TSK / Autopsy, plaso / log2timeline, MFTECmd, RECmd, ShellBags Explorer, USN parsers.

Memory

Volatility 3, Rekall, MemProcFS. Plugin authoring for the cases your incident demands and Volatility doesn't ship.

Network

Wireshark, tshark, Zeek scripting, Suricata rule authoring, NetFlow analysis, PCAP triage at scale.

Malware RE

Ghidra, x64dbg, radare2, IDA Free, YARA authoring, sandboxing in isolated containers.

Cloud control plane

CloudTrail / CloudWatch parsers, Azure Activity Log analysers, GCP audit-log queries, cloud-snapshot evidence acquisition.

OT artefacts

PLC firmware extractors, HMI log parsers, engineering-station registry investigations, Modbus / OPC-UA capture analysis.

Reporting + evidence

Chain-of-custody templates, hash-manifest generation, audit-grade case management, four-audience report assembly.

What you walk away with

A practitioner you can put on the next breach.

Incident-report portfolio

Six full incident write-ups across the six specialisms. Technical, executive, regulator, counsel — four registers each.

Tier-graded certification

A 24-hour capstone incident in week 14. Pass to certify; the rubric is the same one used to grade live engagements.

Court / regulator readiness

Chain-of-custody habit drilled every week. By exit, you have produced evidence packs that will hold up to scrutiny.

Hiring pipeline access

Cyberange consulting team, sovereign and BFSI SOCs, regulator forensic units. Referral, not portal applications.

Mapped to

  • CERT-In Directions · 6-hr window
  • NCIIPC CII evidence handling
  • NIST SP 800-86
  • NIST SP 800-61 r2
  • ISO/IEC 27037 · 27042
  • ENISA digital evidence
  • RFC 3227

Practice

"Chain of custody is a habit, not knowledge. The habit is built one preservation drill at a time, with the seal numbers checked and the timestamps audited. You don't get a second chance at hour zero of a real incident."

DFIR Training · teaching principle
The case for drilled evidence discipline over textbook chain-of-custody.

Fourteen weeks. Six specialisms. One portfolio.

Weekend and weekday cohorts. Corporate cohorts on request. Single-specialism modules available standalone for working DFIR practitioners.