DFIR Digital Forensics Track
The science of investigating breaches. Master disk forensics, memory analysis, and enterprise incident response.
Duration: 3 Months · 12 Weeks · 84 Modules
Curriculum
Digital Forensics Core
4w · 28 modules
Forensic Methodology and Disk Forensics
Autopsy · FTK · Evidence acquisition
Forensic Science Principles — Locard's Exchange and the Digital World
Chain of custody, evidence integrity, write blockers, forensic imaging. The non-negotiable fundamentals.
Disk Imaging — dd, FTK Imager, and Verification Hashing
Creating forensic images, MD5/SHA256 verification, imaging speed vs integrity tradeoffs, storage considerations.
File System Forensics — NTFS, FAT32, ext4 Deep Dive
MFT analysis, USN change journal ($UsnJrnl), deleted file recovery, timestamps (MACB times), file slack space.
Autopsy Deep Dive — Timeline Analysis, Keyword Search, and Artefact Recovery
Full Autopsy workflow, building timelines, keyword search across images, recovering deleted files and browsing history.
Windows Artefacts — LNK Files, Jump Lists, Shellbags, Recycle Bin
Artefacts that prove user activity even after deletion. Critical for reconstructing attacker and user timelines.
Browser Forensics — History, Cookies, Cache, Downloads Across All Browsers
Chrome, Firefox, Edge artefact locations. Extracting browsing history from SQLite databases manually.
Week 1 Lab — Acquire and Analyse a Suspect USB Drive Image
Students receive a raw disk image of a USB used in a corporate data theft scenario. Must recover deleted evidence.
Windows Registry and System Forensics
Registry hives · Execution artefacts · Amcache
The Windows Registry Structure — Hives, Keys, Values, and Timestamps
How the registry is structured on disk, location of hives, dirty hives and transaction logs, manual parsing concepts.
System Information and Hardware Artefacts — Registry Forensics Part 1
Extracting OS version, timezone, computer name, network connections, and USB device history via Registry Explorer.
User Activity and Execution Artefacts — Registry Forensics Part 2
UserAssist, Shellbags, RecentDocs, RunMRU — tracking exactly what a user clicked and executed on the system.
Evidence of Execution Outside Registry — Prefetch, Shimcache, Amcache
The big three execution indicators. Proving a program ran, when it ran, where it ran from, and its size/hash.
Windows Event Log Analysis — Security, System, and Application Logs
Parsing EVTX files, critical event IDs for logons (4624), process creation (4688), service installations (7045).
Advanced Event Logs — PowerShell, Task Scheduler, WMI Logging
Detecting living-off-the-land techniques through specific operational logs. Finding malicious script blocks.
Week 2 Lab — Reconstruct a Compromise Timeline Using Windows Artefacts
Students parse registry and event logs from an infected machine to prove when the attacker landed and what they ran.
Linux Forensics and Memory Analysis
Linux logs · Volatility 3 · RAM triage
Linux Forensic Architecture — File System, Configuration, and Logs
/var/log analysis, syslog, auth.log, bash history, cron jobs, user management configuration files.
Linux Live Triage and Artefact Collection — LinEnterprise Triage
Using native commands and automation scripts to collect volatile data from a compromised Linux server.
Memory Forensics Concepts — Volatile vs Non-Volatile Data
Why RAM holds the ground truth. What disappears on reboot. Capturing RAM using LiME (Linux) and FTK Imager (Windows).
Volatility 3 Framework — Process Trees and Network Connections in RAM
Mastering Volatility commands: pslist, pstree, psscan, netscan. Finding hidden processes and active C2 connections.
Advanced Memory Analysis — Code Injection, Rootkits, and Malicious Drivers
Malfind command deep dive. Detecting injected code, DLL injection, hook detection, extracting suspicious binaries from RAM.
Extracting Credentials and Configuration Data From Memory
Dumping LSASS process from memory, pulling Wi-Fi passwords, finding encryption keys and active configuration files.
Week 3 Lab — Analyse a Memory Dump From a Ransomware-Infected Host
Students run Volatility 3 on a provided RAM capture to identify the parent malware process, its C2 IP, and injected DLLs.
Network Forensics and Month 1 Capstone
PCAP analysis · Wireshark · Zeek · Report writing
Network Forensic Collection — Full Packet Capture vs NetFlow vs Metadata
When to use each data source, collection architectures, performance and storage impacts of network logging.
Wireshark Mastery for Incident Responders — Advanced Filtering and Streams
Display filters, following TCP/HTTP streams, extracting objects from PCAPs, bandwidth graphs, identifying anomalous protocol spikes.
Automated Traffic Analysis — Zeek (Bro) Log Parsing and Extraction
Navigating Zeek conn.log, dns.log, http.log, files.log. Using command line tools (awk, grep, jq) to parse metadata.
Detecting Malicious Network Patterns — C2 Beacons, Exfiltration, Tunneling
Spotting repetitive beacon intervals, data exfiltration over DNS/ICMP, identifying Cobalt Strike traffic patterns.
Forensic Report Writing Standards — Presenting Evidence to Courts vs Executives
Executive summaries, evidence preservation sections, technical analysis, conclusions. Maintaining legal defensibility.
Chain of Custody and Evidence Management Workflow Documentation
Documenting your forensic process step-by-step. Standard operating procedures (SOPs) for enterprise DFIR labs.
Month 1 Capstone — Full Forensic Investigation and Legally Defensible Report
Students receive a disk image and network capture from an insider threat case. Must investigate and submit a formal report.
Incident Response and Advanced Analysis
4w · 28 modules
Enterprise Incident Response and Triage
KAPE · Velociraptor · Enterprise triage
Enterprise IR Frameworks — NIST SP 800-61 vs ISO/IEC 27035
Preparation, Detection/Analysis, Containment/Eradication, Post-Incident Activity. Real-world incident lifecycle management.
Rapid Triage Concepts — Why Full Disk Imaging Fails in Enterprise IR
The need for speed. Collecting only critical forensic targets. Live response vs dead response in multi-thousand host networks.
KAPE (Kroll Artifact Parser and Extractor) — Automating Artefact Collection
Targets and Modules configurations. Collecting all Windows execution and system artefacts across a fleet in under 2 minutes.
Velociraptor — Open-Source Enterprise Hunting and Endpoint Triage
Deploying Velociraptor, creating hunts, collecting artefacts from hundreds of machines simultaneously via VQL (Velociraptor Query Language).
Enterprise Threat Hunting — Searching for Lateral Movement and Persistence
Hunting for unauthorized scheduled tasks, unexpected service creation, local admin additions across enterprise networks.
Scoping an Incident — Identifying the Extent of a Breach
Patient Zero discovery, lateral movement tracking, timeline synchronization across multiple compromised enterprise hosts.
Week 5 Lab — Execute a Fleet-Wide Hunt for a Hidden Attacker Backdoor
Students use Velociraptor to hunt across a 20-node simulated network to find and isolate an active threat actor.
Malware Analysis for Incident Responders
Static analysis · Dynamic analysis · Flare-VM
Malware Analysis Goals — Identification, IOC Extraction, Scope Verification
Why IR analysts do malware analysis. The split between basic and advanced analysis. Safety protocols: sandboxing and isolation.
Basic Static Analysis — Hashes, Strings, PE Headers, and Packing Detection
Using PEview, Pestudio, strings, Detect It Easy. Finding compiled functionality, strings, imported APIs without execution.
Setting Up an Isolated Malware Analysis Lab — Flare-VM and Remnux
Configuring secure host-only networking, snapshots, simulating internet services with INetSim and FakeNet-NG safely.
Basic Dynamic Analysis — Monitoring File System, Registry, and Network Activity
Running malware safely while tracking it with Procmon, Process Hacker, Regshot, and Wireshark. Identifying the changes it makes to the host.
Analyzing Common Infection Vectors — Malicious Documents, Scripts, and ISOs
Deobfuscating malicious VBA macros, PowerShell loaders, LNK-based payloads, and OneNote execution paths.
Extracting IOCs From Malware for SIEM and EDR Ingestion
Creating actionable detection indicators (IPs, domains, registry keys, hashes) from raw laboratory sample run logs.
Week 6 Lab — Basic Static and Dynamic Analysis of a Real Malware Sample
Students detonate an unknown executable in a safe lab sandbox, determine its function, and extract all infrastructure C2 IOCs.
Cloud Forensics and Incident Response
AWS IR · Azure logs · Container breaches
Cloud Forensics Challenges — The Loss of Physical Media Control
How the evidence landscape changes: API-based evidence tracking, ephemeral infrastructure, and logs as the primary evidence source instead of disk captures.
AWS Incident Response — CloudTrail, GuardDuty, and VPC Flow Logs Analysis
Parsing large CloudTrail JSON log sets, identifying compromised IAM credentials, finding malicious AWS API calls via Athena.
AWS Endpoint Acquisition — Forensic Snapshots of EC2 Instances
Isolating compromised instances network-side, taking EBS snapshots, attaching snapshots to forensic workstations for parsing.
Azure AD (Entra ID) and Office 365 Breach Investigations
Tracking sign-in logs, unified audit logs (UAL), discovering malicious mail forwarding configurations, OAuth app abuse analysis.
Container and Kubernetes Forensics — Investigating Microservices Breaches
Reviewing container runtime logs, auditing cluster entry points, capturing running container storage when a node is compromised.
Automated Cloud IR Architectures — Security Playbooks and Lambdas
Designing automated response configurations: auto-revoking credentials on leak, automated instance isolation patterns.
Week 7 Lab — Investigate a Multi-Stage AWS Enterprise Environment Breach
Students parse complex CloudTrail datasets to map an attacker's movement from compromised access keys to database exfiltration.
Advanced Threat Hunting and Month 2 Capstone
Complex attack chains · Log synthesis · Threat hunt
Advanced Threat Hunting — Formulating Hypotheses from Intelligence Data
Translating indicators into behavioral hunting scripts. Hunting beyond standard single-host alert boundaries.
Synthesizing Host, Network, and Application Logs for Consolidated Analysis
Correlating endpoint process events with network traffic flow timelines to identify silent command and control tunnels.
Investigating Advanced Living-off-the-Land Attack Frameworks
Tracking administrative tool abuse: uncovering malicious WMI activity, WinRM tunnelling, and scheduled-task persistence.
Memory Forensics at Scale — Fleet Profiling and Deviation Hunting
Using automation scripts to compare volatile memory states across groups of production systems to identify outliers.
Month 2 Assessment Technical Review
Comprehensive practical preparation question set covering the advanced incident-handling concepts taught in Months 1 and 2.
Incident Timeline Visualization Techniques — Plaso and Log2Timeline
Processing disk images through Plaso's automated parsers to generate a master chronological timeline in CSV form.
Month 2 Capstone — Enterprise Threat Hunting and Multi-Host Response Simulation
Students handle a complex, unscripted network-wide simulation: hunt across endpoints, identify entry vectors, and contain threats.
Real-World Practice, Certification and Career
4w · 28 modules
Real-World IR Cases and Ransomware Response
Ransomware negotiation · Live breach simulations
Anatomy of a Modern Ransomware Incident — From Initial Access to Extortion
The current ransomware landscape: access brokers, double extortion models, threat actor groups (LockBit, BlackCat TTPs).
Handling the Golden Hour — The Critical First 60 Minutes of a Breach
Emergency triage protocols, when to pull network plugs, containment strategies without altering critical forensic traces.
Log Analysis for Ransomware Incidents — Tracking Exfiltration Targets
Analyzing file server access logs, firewall configurations, Rclone usage, and mega.nz upload artefacts to prove data leakage.
Legal and Compliance Reporting Requirements — CERT-In Notifications
Understanding compliance laws in India, required timelines for cyber incident notifications to government centers.
Ransomware Negotiation and Recovery Lifecycle Management
Understanding how response firms interact with threat actors, insurance mechanics, decryption tool validation, and recovery planning.
Post-Incident Eradication and Environment Hardening Frameworks
Safely rebuilding Active Directory structures, mass password resets, configuration remediation to block re-entry.
Week 9 Lab — Reconstruct a Corporate Ransomware Attack Lifecycle
Students receive a multi-system corporate triage dump and must determine exactly when exfiltration occurred and identify the entry vectors.
Interview Preparation and DFIR Portfolio
Resume · Mock interviews · Indian consulting market
Structuring the Professional DFIR Resume for Consulting vs Enterprise SOC Roles
Highlighting analysis tools, laboratory process knowledge, and documentation capabilities clearly for top-tier hiring firms.
Top 40 Forensic and Incident Handling Technical Interview Questions
Deep-dive scenario question structures asked by global consulting groups and managed security providers. Answer breakdowns.
Building a Defensible Public Portfolio — Case Study Documentation and Tools
How to legally document non-proprietary investigation walk-throughs and scripts on open channels to show hands-on competency.
Navigating the Indian DFIR Hiring Landscape — Big 4, MDRs, and Banks
Analyzing service provider tiers, internal response engineering paths, and typical entry paths into corporate roles.
Expert Witness Testimony Basics and Digital Forensic Ethics
How forensic analysts report evidence within legal systems, cross-examination rules, maintaining absolute data neutrality.
The DFIR Career Matrix — Analyst to Incident Commander to Advisory Director
Mapping long-term professional skill needs, compensation brackets, and specialization choices across modern handling domains.
Week 10 Lab — Live Case Mock Interview with Feedback Loops
45-minute proctored mock interview challenge: students defend an investigation timeline and its findings directly to a senior consulting lead.
ZDF Certification Preparation
Comprehensive review · Investigation prep · Mock exams
ZDF Examination Operational Formats and Scoring Weights
Breakdown of the formal evaluation matrix: 90-minute technical theory block paired with a 6-hour forensic laboratory case.
Comprehensive Review Block 1 — Artefact Analysis and Storage Parsing
Synthesis of host filesystem artefacts, Registry evidence, Windows/Linux operational log indicators, and memory analysis.
Comprehensive Review Block 2 — Network Flow, Cloud Metrics, Malware Tracking
Consolidated review of traffic pattern parsing, CloudTrail structures, and static analysis and sandbox execution indicators.
ZDF Mock Technical Theory Exam Evaluation
Full-length timed practice challenge matching real exam conditions, complete with deep structural answer rationales.
ZDF Mock Practical Lab Prep — 6-Hour Simulation Workblock
Rigorous mock run: students extract multi-source system evidence, run baseline timelines, and structure report formats.
Targeted Competency Review and Guided Remediation Blocks
Personalised interactive mentor support targeted at the knowledge gaps and analysis bottlenecks discovered during mock testing.
Exam-Day Time Optimization and Evidence Note-Taking Strategy
Best practices for maintaining clean evidence notes under tight time limits, structuring the investigation, and report template styling.
ZDF Certification Exam and Graduation
Exam · Certification · Placement launch
ZDF Theory Exam — 40 Questions, 90 Minutes
Proctored theory examination covering all 3 months of DFIR curriculum. Covers forensic methodology, tools, IR frameworks, and malware analysis. Pass mark: 70%.
ZDF Practical Exam — 6-Hour Forensic Investigation With Report Submission
Proctored practical: students receive multi-source evidence and must produce a complete, legally formatted forensic investigation report.
ZDF Certificate Issued — Zharnyx Digital Forensics Certification
Digital certificate with unique ID and QR verification. Shared with hiring partners. LinkedIn post template and endorsement request guide provided.
Placement Kickoff — Profile Submission to Zharnyx Hiring Partners
Resume reviewed and submitted to active hiring partner network across DFIR, IR consulting, and managed security firms. Interview scheduling begins.
Graduation — Cohort Celebration and Zharnyx Dragons Alumni Badge
Cohort graduation session, alumni Discord access, mentorship continuity for 90 days, Zharnyx Dragons badge for LinkedIn and GitHub.
30-Day Post-Graduation Job Search Support
Weekly mentor check-ins, job application review, interview preparation support, continued lab and tool access for 30 days post-graduation.
Continuous Learning Path — From ZDF to GCFE, GCFA, and Malware Analysis
GCFE and GCFA preparation roadmap, advanced malware analysis course recommendations, threat intelligence career pathway.