Skip to content

Training Tracks
Analyst Defense Labs
Free Training
Events
Log In

Training Tracks
Analyst Defense Labs
Free Training
Events
Log In

Advanced Enterprise DFIR

Current Status

Not Enrolled

Enroll in this course to get access

Price

Closed

Get Started

Take this Course

Analyst II: Advanced DFIR Track

This course is included in the Analyst 2 – DFIR Training Track and Hero Bundle Training. Enroll to access the course.

> View Course Syllabus

Support & FAQs

Please use our Support & FAQ page to find more information and reach out to us and join our Discord community for general conversation topics and networking.

Important: Virtual Labs

Your lab VM is a Windows virtual machine in the cloud. This means it may take a few minutes until they are started up and available.
Whenever you have less than 15 minutes remaining, you will have the option to extend your lab by 1 hour.
VMs are persistent. When a lab VM is stopped, it will be stored and you can resume the VM at a later point.
Terminating a VM will destroy the VM and data will be lost.
For the best experience, it’s recommended to use Google Chrome where you will have copy and paste functionality.

Tools Used

Splunk, Velociraptor, Plaso, Timesketch, Yara, Sigma, Wireshark, Zeek, Volatility3, CyberChef, EricZimmerman Tools, bulk_extractor, Hayabusa, PEStudio, BrowsingHistoryView

Certificate of Completion

Once you finish the course you will receive your Certificate of Completion!

Average Review Score:

★★★★★

DFIR 301

By str4int on 30 November, 2025 at 09:46

★★★★★

I just finished the 301 Advanced Enterprise DFIR course and honestly loved it.
The content was clear, well-structured, and surprisingly engaging. The explanations were easy to follow without oversimplifying anything, and the hands-on parts really helped tie everything together. It’s definitely one of the most solid and interesting DFIR courses I’ve taken so far.
Highly recommend.

You must log in and have started this course to submit a review.

Username or Email Address

Password

Remember Me

Course Content

Welcome and Course Overview Sample Lesson

Course Logistics

301 Online Lab VM

You don't currently have access to this content

Ransomware Response

Threat Landscape: Ransomware Attacks

You don't currently have access to this content

Incident Analysis: Core Techniques and Approaches

You don't currently have access to this content

Incident Management: Documenting Findings and Creating Timelines

You don't currently have access to this content

Scenario Introduction

Case: Ransomware Scenario

You don't currently have access to this content

Investigation Timeline

You don't currently have access to this content

Timeline Template and Notes Taking

You don't currently have access to this content

1) Network Traffic Analysis

PCAP and Zeek Introduction

You don't currently have access to this content

PCAP Analysis With Wireshark 4 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/4 Steps

Lab: Wireshark Overview and Analyzing a HTTP Packet Sequence

Lab: PCAP Statistics and Initial Indicators

Lab: Analyzing IPs and Time Frames of Activity

Lab: Visualizing Beaconing with IO Graphs

Zeek Logs Analysis 4 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/4 Steps

Lab: Zeek Logs Overview and Parsing

Lab: HTTP Requests Analysis

Lab: Data Exfiltration Analysis

Lab: Detecting Lateral Movement

Network Traffic Analysis Findings

You don't currently have access to this content

2) Log Analysis

Log Analysis Introduction

You don't currently have access to this content

Event Log Analysis with Splunk 12 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/12 Steps

Splunk Analysis Overview

Lab: Splunk Introduction and Warm Up Exercises

Lab: Analyzing the Ransomware Process Tree

Lab: Scoping for Compromised Systems via Network Indicators

Lab: Visualizing Network and Beaconing Activity

Lab: Performing Root Cause Analysis

Lab: Initial Access Process Analysis

Lab: Initial Access and Privilege Escalation Process Analysis

Lab: Using Splunk SPL for Detecting Anomalies

Lab: Analyzing Scheduled Tasks and PowerShell Events

Lab: Windows Services and Lateral Movement Analysis

Lab: Logon Events and Timeline Analysis

Sigma Detection Rules 3 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/3 Steps

Sigma Detection Framework Introduction

Lab: Writing and Applying Sigma Rules to Detect PowerShell Scripts

Lab: Leveraging Open Source Rules for Detecting Malicious PowerShell Launch Parameters

Log Analysis Conclusion

You don't currently have access to this content

3) Remote Threat Analysis

Remote Analysis with Velociraptor 11 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/11 Steps

Remote Forensic Analysis with Velociraptor

Lab: Introduction Into Velociraptor and Hunts

Lab: Process Analysis at Scale

Lab: Identifying Suspicious Logon Activity and Lateral Movement

Lab: Identifying and Analyzing Persistence Mechanisms

Lab: Analyzing Evidence of Execution with Amcache

Lab: FileSearches with FileFinder

Lab: Identifying Recent File Activity Within a User’s Downloads Folder

Lab: Filtering Suspicious Files Within Time Frames

Lab: Uncovering Created and Deleted Files

Remote Analysis Conclusion

4) Forensic Analysis

Forensic Analysis 2 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/2 Steps

Investigation Timeline – Phase 2

Forensic Analysis Process Overview

Data Collection 2 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/2 Steps

Data Collection within Enterprise Environments

Lab: Data Collection with Velociraptor and KAPE

Disk Analysis – DC1 5 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/5 Steps

Disk Analysis Introduction

Lab: Gathering System Information

Lab: Analyzing Registry Artifacts and Malicious Windows Services

Lab: File Creation and Deletion Analysis Using MFT and USN Journal

DC1 Incident Timeline Review

Disk Analysis – CLIENT1 5 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/5 Steps

Lab: Analyzing User Registry Hives

Lab: Analyzing System Registry Hives for Execution and Persistence Mechanisms

Lab: Analyzing the MFT for Malicious Files Created

Lab: Browsing History Analysis

Lab: Phishing Email Analysis

Memory Analysis – CLIENT1 6 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/6 Steps

Lab: Setting Up Volatility and Extracting Initial Memory Image Information

Lab: Identifying Suspicious Processes

Lab: Analyzing Evidence of Network Activity

Lab: Establishing Process Owners and Privileges

Lab: Creating and Analyzing Timelines with Volatility

CLIENT1 Incident Timeline Review

5) Malware Analysis

Malware Collection and Analysis Introduction

You don't currently have access to this content

PowerShell Scripts Analysis 3 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/3 Steps

Lab: a.ps1 DomainPassWordSpray Script Analysis

Lab: Reconstructing the 1.ps1 Ransomware Script via ScriptBlocks

Lab: Decrypting Files with the Refactored Ransomware Script

PE Files Analysis 2 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/2 Steps

Lab: PE File Analysis on update.exe

Lab: PE File Analysis on launcher.dll

Malware Detection with Yara Rules 3 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/3 Steps

Introduction Into Pattern Detection with Yara Rules

Lab: Detecting Malicious PE Files and Section Headers

Lab: Detecting Malicious PowerShell Payloads in Memory

6) Timeline Analysis

Timeline Creation and Analysis Techniques 4 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/4 Steps

Introduction Into Timeline Analysis and Plaso Tools

Lab: Creating System Timelines from Data Collections with Plaso Tools

Lab: System Timeline Analysis Techniques with Timeline Explorer

Lab: Rapid Event Log Timeline Creation and Analysis with Hayabusa

7) Self-Guided Timeline Investigations

Investigation Introduction and Objectives

You don't currently have access to this content

Preparation: Splunk Timeline Analysis

You don't currently have access to this content

Preparation: TimeSketch Timeline Analysis

You don't currently have access to this content

Execution: Timeline Analysis Guide

You don't currently have access to this content

8) Post-Incident Activities

Reporting & Findings 3 Topics

You don't currently have access to this content

Lesson Content

0% Complete 0/3 Steps

Reporting Overview

MITRE Att&ck TTPs and IOCs

Incident Response Report – Template

Conclusion

Attack Scenario Reveal

You don't currently have access to this content

Course Conclusion and Next Steps

You don't currently have access to this content

Training

Training Tracks Analyst Defense Labs Hero Bundle Events

Company

About Us Contact & Support Imprint Terms & Conditions Privacy Policy

Community

Blog Join Discord Affiliate Program Career FAQs Subscribe to Newsletter →

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options
Manage services
Manage {vendor_count} vendors
Read more about these purposes

Preferences

{title}
{title}
{title}

Scroll to Top

Training Waitlist

Join our waitlist and get notified when training becomes available.

Contact Information

First Name

Last Name

Country

email

Professional Experience

role

linkedin

I'm interested in

training

Personal Training Group Training Workshops Corporate Training

*By submitting this form, you’re agreeing that we will contact you and to receive our free email newsletter. (You’ll never be spammed and you can unsubscribe at any time.) We do not share your information with third-parties.