
Category / Topic / What you will learn

Category: Create your own FOSS SIEM Lab

What you will learn: This course is designed to give you the flexibility to build your own SOC environment, one that can easily be replicated into production. You will learn the engineering side of things in terms of deployment and configuration of each component (SIEM, case management solution, threat intel platform, orchestration platform and many more) of a real-world modern SOC.

Topics:
Deploy Elastic Stack
Deploy Elastic SIEM
Deploy TheHive Case Management
Deploy Cortex
Deploy MISP
Deploy Beats Agent on Endpoints
Configure Elastic SIEM
Integration of Elastic SIEM + TheHive
Integration of TheHive + Cortex + MISP
Configuration of TheHive
Configuration of Cortex
Configuration of MISP
Create ELK SIEM Visualizations + Dashboards
Create ELK SIEM Detection Rules
Category: Incident Detection and Response with SIEM-101

What you will learn: This course will introduce you to Wazuh and will explain how it works and how it can be used for threat detection. In the context of blue team operations, Wazuh is a SIEM (Security Information and Event Management) system that is used to collect, aggregate, index and analyze security-related data, consequently allowing you to detect intrusions, attacks, vulnerabilities, and malicious activity. This course is designed in such a way that any beginner or working professional can learn the Wazuh SIEM tool's event flow, architecture, design and differences.

Topics:
Course Overview
Introduction to SecOps
Introduction to SIEM
Introduction to FOSS SIEM: Wazuh
Setting up your SIEM Lab with Wazuh (On-Prem & Cloud)
Cyber Security Frameworks
Introduction to Cyber Kill Chain
Setting up and Integrating Endpoint Agents with Wazuh
Simulation Environment Overview
Command and Control (C2) with APT Simulator
Threat Detection and Active Response with Wazuh
Detecting Process-level Attacks with Wazuh
Detecting File-level Attacks with Wazuh
Introduction to Vulnerability Management
Finding Vulnerabilities in Endpoints and Production Servers with Wazuh
Introduction to FIM (File Integrity Monitoring)
FIM with Wazuh
Create Custom FIM Rules
Provoking FIM Active Response
Introduction to SYSMON
Windows Logs on Steroids! Sysmon
Setting up Windows Defender with Wazuh
PowerShell Logging and Wazuh
Integrating Wazuh with VirusTotal
Identifying Malware with VirusTotal and Wazuh
Category: Incident Detection and Response with SIEM-201

What you will learn: This course is an advanced-level IR course which is designed around Wazuh. In this course you will learn:
Proactively securing IT infrastructure
How to create scripts that will act on security incidents automatically
How to monitor incidents and analyze them using centralized information
How to create decoders and rules that will be used in event analysis
How to install and configure agents on Windows and Linux machines, and many more

Topics:
What is PsExec
Detecting PsExec usage with Wazuh
Introduction to Process Injection
Detecting Process Injection attacks with Wazuh
Introduction to Process Hollowing
Detecting Process Hollowing attacks with Wazuh
Detecting Follina (CVE-2022-30190) attack with Wazuh
Monitoring and Detecting USB drives in Windows using Wazuh
Introduction to NIDS
Introduction to Suricata NIDS
Integrating Suricata with Wazuh for Log Processing
Category: Digital Forensics and Advanced Incident Response

Topics:
Windows OS components
  1. Key Differences in Modern Windows Operating Systems
  2. Important aspects of Windows OS components
Define Forensics Investigation Goals
  1. Purpose of the investigation
  2. Type of incident being investigated
  3. Identification of critical systems and data
  4. Preservation of evidence
  5. Analysis of evidence
  6. Determine the extent of the incident
  7. Identify the source of the incident
  8. Determine the scope of the impact
  9. Provide recommendations to prevent future incidents
  10. Collaboration with stakeholders
  11. Compliance with legal and regulatory requirements
  12. Timelines and milestones for the investigation
  13. Reporting and communication plan
  14. Budget and resource allocation
Windows Live Response
  1. Introduction to Windows Live Response and its purpose in incident response
  2. Understanding the different stages of Windows Live Response, from data acquisition to analysis
  3. Tools and techniques for conducting Windows Live Response, such as custom scripts, Windows Sysinternals, and Windows Event Logs
  4. Best practices for maintaining chain of custody and ensuring data integrity during Windows Live Response
  5. Common use cases for Windows Live Response, including malware detection, data theft investigations, and insider threat investigations
  6. Case studies of successful Windows Live Response investigations and how they were conducted
  7. The role of automation in Windows Live Response and how it can improve the efficiency and accuracy of investigations
  8. Future trends in Windows Live Response, including the impact of cloud computing and the growth of endpoint detection and response (EDR) solutions
RAM Acquisition Process
  1. Different types of RAM acquisition processes
  2. Live case study
Disk Acquisition Process
  1. Different types of disk acquisition processes
  2. Live case study
Windows Image Mounting + Examination
  1. Introduction to Windows image mounting and examination
  2. Types of Windows image files (WIM, VHD, VHDX, etc.)
  3. Mounting and dismounting Windows image files
  4. Examining file systems and registry hives in mounted Windows images
  5. Extracting files and data from mounted Windows images
  6. Comparing and analyzing multiple Windows images
  7. Best practices for maintaining the integrity of Windows images during examination
  8. Common tools and utilities for Windows image mounting and examination
  9. Limitations and challenges of Windows image examination
  10. Case studies and examples of Windows image examination in digital forensics investigations
NTFS File System Overview
  1. Introduction to NTFS: background and history
  2. Key features and advantages of NTFS compared to other file systems
  3. NTFS file and directory structure
  4. Overview of NTFS metadata and data storage
  5. NTFS permissions and access control lists (ACLs)
  6. Alternate data streams in NTFS
  7. NTFS transaction logs and journaling
  8. NTFS compression and encryption options
  9. NTFS recovery options and tools
  10. Comparison of NTFS with other file systems like FAT and exFAT
Document and File Metadata
  1. What is document and file metadata?
  2. Common types of document and file metadata
  3. How to view and edit document and file metadata
  4. Document and file metadata in different file formats (e.g. PDF, DOCX, JPG)
  5. The importance of document and file metadata in digital forensics
  6. How metadata can be used in e-discovery
  7. Metadata privacy and security concerns
  8. Best practices for managing and protecting document and file metadata
  9. Future trends and developments in document and file metadata
Introduction to File System Carving
  1. What is file system carving?
  2. How does file system carving work?
  3. Different file carving techniques
  4. Common file types recovered through file carving
  5. Benefits and limitations of file system carving
  6. File carving tools and software
  7. Use cases of file system carving in digital forensics
  8. Challenges and best practices for file system carving
  9. Future of file system carving in digital forensics
  10. Case studies and examples of successful file system carving investigations
Category: Registry Forensics

Topics:
Understanding the registry structure
  1. Overview of Windows Registry
  2. Understanding registry hives
  3. Knowledge of registry keys, values, and data types
Examining the registry for evidence
  1. Identifying registry keys associated with suspicious activity
  2. Analyzing changes made to the registry
  3. Examining registry keys and values for timestamps and other metadata
Recovering deleted registry entries
  1. Understanding how registry entries can be deleted
  2. Techniques for recovering deleted entries
  3. Examining recovered entries for evidence
Detecting Malware through Registry Analysis
  1. Identifying registry keys and values that are commonly associated with malware
  2. Analyzing changes made to the registry by malware
  3. Using registry analysis to identify indicators of compromise (IOCs)
Identifying user activity through registry analysis
  1. Examining user-specific registry keys and values for evidence of activity
  2. Using registry analysis to identify user account changes, application usage, and other user behavior
Identifying system activity through registry analysis
  1. Examining system-specific registry keys and values for evidence of activity
  2. Using registry analysis to identify system changes, application usage, and other system behavior
Recovering encryption keys from the registry
  1. Identifying registry keys associated with encryption keys
  2. Using registry analysis to recover encryption keys
Analyzing registry data for digital forensics
  1. Using registry analysis as part of a larger digital forensics investigation
  2. Correlating registry data with other sources of evidence
Leveraging the registry for incident response
  1. Using registry analysis to identify the scope of an incident
  2. Identifying compromised systems through registry analysis

Category: Forensicate User's Artefacts

Topics:
Evidence of File Downloads
  1. Overview of file download evidence: What constitutes file download evidence, how it can be collected, and what type of data it can reveal.
  2. Types of file download evidence: A discussion of different types of file download evidence, such as browser history, file metadata, and temporary files.
  3. Identifying file download evidence: Techniques for identifying file download evidence, including examining web browser history, searching for relevant file types, and examining temporary files.
  4. Analyzing file download evidence: Approaches for analyzing file download evidence, including timeline analysis, keyword searching, and data correlation.
  5. Chain of custody for file download evidence: Procedures for maintaining the chain of custody of file download evidence, including documenting collection procedures and storage protocols.
  6. Legal considerations for file download evidence: Legal considerations for file download evidence, including privacy concerns, admissibility in court, and compliance with relevant laws and regulations.
  7. Challenges in collecting file download evidence: An examination of common challenges in collecting file download evidence, such as encryption, deletion, and data fragmentation.
  8. Tools and technologies for analyzing file download evidence: A review of different tools and technologies that can be used to analyze file download evidence, including forensics software and network analysis tools.
Windows 7, Windows 8/8.1, Windows 10/11 Search History
  1. Understanding search indexing and how it works on Windows operating systems.
  2. Locating and examining search index files, such as Windows.edb and the associated log files.
  3. Analyzing Windows search queries using tools like Event Viewer, PowerShell, or Sysinternals Process Monitor.
  4. Examining browser search history in Internet Explorer, Edge, Chrome, Firefox, and other popular web browsers.
  5. Identifying and retrieving deleted or hidden search history data from the Windows Recycle Bin or other locations on the file system.
  6. Analyzing search history data to identify patterns or trends in user behavior, including common search terms, times of day, or days of the week.
  7. Using search history data to reconstruct a user's activities or intentions, such as searching for specific files, websites, or other information.
  8. Correlating search history data with other sources of digital evidence, such as web browsing activity, file access logs, or user account information.
  9. Understanding the limitations and challenges of using search history data in digital investigations, such as potential privacy concerns or incomplete or inaccurate data.
  10. Best practices for collecting, preserving, and analyzing search history data in a forensically sound and defensible manner, including appropriate use of tools and techniques, documentation, and chain of custody considerations.
Typed Paths and Directories
  1. Understanding the importance of typed paths and directories in forensic investigations
  2. Techniques for identifying typed paths and directories in Windows operating systems
  3. Analyzing typed paths and directories in a forensic investigation: tools and methods
  4. Best practices for preserving typed paths and directories as evidence in a forensic investigation
  5. Common artifacts associated with typed paths and directories in Windows operating systems
  6. Interpreting typed paths and directories in the context of a digital forensic investigation
  7. Examples of how typed paths and directories can be used to reconstruct user activity on a Windows system
  8. Limitations and challenges associated with analyzing typed paths and directories in a forensic investigation
  9. Comparing typed paths and directories between different Windows operating systems and versions
  10. Investigating typed paths and directories in relation to other forensic artifacts, such as file access logs and registry keys
UserAssist
  1. Overview of UserAssist
  2. UserAssist Registry Keys
  3. UserAssist Data Analysis
  4. UserAssist Data Interpretation
  5. Use Cases for UserAssist
  6. Limitations of UserAssist
  7. Best Practices for Collecting UserAssist Data
Prefetch Analysis
  1. Introduction to Prefetch files
  2. Purpose of Prefetch files in Windows
  3. How to access and interpret Prefetch files
  4. File structure of Prefetch files
  5. Types of information stored in Prefetch files
  6. Prefetch file naming conventions
  7. Prefetch file location and organization
  8. Prefetch file analysis tools and techniques
  9. Identifying and analyzing patterns in Prefetch files
  10. Limitations and challenges of Prefetch file analysis
SRUM Analysis
  1. What is SRUM and what does it stand for?
  2. Overview of how SRUM works and its purpose in Windows operating systems.
  3. Differences between SRUM and other Windows data collection methods (e.g. event logs, performance counters).
  4. Key data points collected by SRUM and their potential significance in forensic investigations.
  5. Analyzing SRUM data to identify patterns of user activity.
  6. Limitations and challenges of using SRUM data in investigations.
  7. Tools and techniques for working with SRUM data, including free and commercial options.
  8. Case studies of successful investigations using SRUM analysis.
  9. Best practices for incorporating SRUM analysis into forensic workflows.
  10. Future developments and potential enhancements to SRUM data collection and analysis.
USB Forensics (Overview of USB devices; USB device identification; Extraction and analysis; Connection History; Detecting USB related malware; Trace USB from Win event logs; USB device fingerprint; Best practices for USB forensics)
  1. Overview of USB devices and their significance in digital forensics
  2. USB device identification and analysis
  3. Extraction and analysis of data from USB devices
  4. Investigating USB device connection history and usage
  5. Detecting and analyzing USB-related malware
  6. Tracing USB activity in Windows event logs
  7. Using USB device fingerprints to track and identify suspects
  8. Best practices for USB forensics and preserving chain of custody
  9. Case studies and real-world examples of USB forensics in action
  10. Limitations and challenges of USB forensics, including encryption and anti-forensic techniques
Category: Email Forensics

Topics:
How email works
Email Header Examination
Extended MAPI and X-Headers
Email Sample acquisition
Business Email Compromise Investigation

What you will learn:
1. Introduction to Email Forensics
2. Email Recovery Techniques
3. Email Header Analysis
4. Email Content Analysis
5. Email Filtering and Searching
6. Email Client Artifacts
7. Email Service Provider Logs
8. Email Authentication and Encryption
9. Email Spoofing and Phishing
10. Email Evidence Presentation and Documentation
Category: Windows Event Log and SYSMON Forensics

Topics:
Overview of Windows Event Logs and SYSMON
Windows Event Log Analysis
SYSMON Configuration
Analysis of SYSMON Data
Correlating Event Log and SYSMON Data
Incident Response and Forensic Analysis with Event Logs and SYSMON

What you will learn:
1. Overview of Windows Event Logs and SYSMON: This topic could cover the basics of what these tools are, how they work, and what types of data they can capture.
2. Windows Event Log Analysis: This could cover different types of Windows event logs (e.g. Application, Security, System) and how to interpret their contents to gain insights into system activity.
3. SYSMON Configuration: This topic could cover how to configure and customize the behavior of the SYSMON tool to capture specific types of data, including examples of common use cases.
4. Analysis of SYSMON Data: This topic could cover how to parse and interpret the data captured by SYSMON, including examples of how to identify suspicious activity based on various types of events.
5. Correlating Event Log and SYSMON Data: This topic could cover how to combine data from Windows event logs and SYSMON to gain a more complete picture of system activity, including how to use tools like Splunk or ELK to analyze and visualize the data.
6. Incident Response and Forensic Analysis with Event Logs and SYSMON: This topic could cover how to use Windows event logs and SYSMON data as part of a larger incident response or forensic investigation, including how to identify, triage, and remediate potential security incidents.
Category: Malware Analysis for Incident Responders

Topics:
Intro to MA for IR
  1. Goals of Malware Analysis
  2. Malware Research Challenges
  3. Types of Malware
  4. Malware Analysis Techniques
Tools Required
  1. Static Analysis Tools
  2. Dynamic Analysis Tools
Build Your Manual Malware Analysis Lab
  1. Creating your own malware analysis lab in a VM and in the cloud
  2. Get Cuckoo Sandbox up and running
  3. Caution when using online sandboxes: Hybrid, Joe Sandbox, Any.Run, VirusTotal, Intezer
Binary Static Analysis
  1. Static Analysis with GUI
  2. Property Analysis with Free AV
  3. Strings Analysis
  4. Static Analysis with Metadata
  5. Static Analysis with String Behaviour
Binary Dynamic Analysis
  1. Detonate Malware in Sandbox
  2. Watch execution
  3. Plot graphical workflow of Malware Execution
  4. Gather further IOCs
PDF Analysis
  1. PDF Information Gathering
  2. Parse PDF to Analyze
  3. Decode any encoding technique used in the PDF
  4. Identify suspicious elements of the PDF
  5. Extract all streams from the PDF
Malicious PowerShell Analysis
  1. Deobfuscate PowerShell code
  2. PS Code Analysis
  3. Trace malicious behaviour in PowerShell scripts
  4. Extract malicious code from other files
  5. Detonate on Wine
  6. Extract IOCs from JS Files
Script Analysis
  1. Deobfuscate JS using AST and Partial Evaluation techniques
  2. Shellcode Analysis
  3. Trace malicious behaviour in JS
  4. Extract malicious code from other files
  5. Detonate on Wine
  6. Extract IOCs from PS Files
Category: Forensicating AWS EC2

Topics:
AWS and Cloud Essentials
AWS CLI
AWS EC2 Compute Essentials
AWS EC2 Storage Essentials
AWS EC2 Network Essentials
AWS EC2 Security Logging Essentials
AWS EC2 Compromise Use Case
AWS EC2 Incident Response
AWS EC2 Isolation
AWS EC2 Forensics

What you will learn:
1. AWS and Cloud Essentials
2. Introduction to cloud computing
3. Creating an AWS Account
4. Shared Security Responsibility model
5. AWS CLI
6. Prerequisites
7. Install and Update
8. Quick Setup
9. AWS EC2 Compute Essentials
10. What is EC2
11. EC2 Types
12. Launch First EC2 Instance
13. Accessing your EC2 Instance
14. AWS EC2 Storage Essentials
15. What is EBS
16. EBS Types
17. EC2 Snapshots
18. AWS EC2 Network Essentials
19. EC2 VPC
20. EC2 Security Groups
21. VPC Peering
22. Routing Table
23. EC2 NACLs
24. AWS EC2 Security Logging Essentials
25. AWS CloudTrail
26. EC2 CloudTrail API calls
27. EBS CloudTrail API calls
28. VPC Flow Logs
29. EC2 Host Logs
30. AWS EC2 Compromise Use Case
31. EC2 Backdoor
32. EC2 Network Anomaly
33. Cryptomining
34. EC2 Recon Activity
35. EC2 Trojan Activity
36. EC2 Unauthorized Access
37. AWS EC2 Incident Response
38. IR Lifecycle for AWS EC2
39. Capture EC2 Metadata
40. Isolate EC2
41. EC2 Termination Protection
42. Detach Autoscaling
43. Deregister ELB
44. Forensics Readiness
45. AWS EC2 Isolation
46. EC2 Isolation via Security Group
47. EC2 Isolation via NACLs
48. EC2 Isolation via route tables
49. EC2 Isolation via Internet Gateway
50. AWS EC2 Forensics
51. Acquiring Forensics Evidence in EC2
52. Provision a Forensics Workstation
53. Attach Evidence for analysis
54. Runbook for Disk Analysis
55. AWS EC2 Memory Analysis
Category: Memory Forensics MasterClass

What you will learn: Memory forensics is an interesting topic and nowadays a very crucial skill that an incident responder should have to climb up the food chain. This course has been developed from the absolute basics, with hands-on practice, for everyone. Memory forensics is an integral part of successful incident response investigations. Over the last year, incident response procedures have grown from investigating single computer images at a time to investigating hundreds of thousands of machines all at once. At the beginning of every investigation, the attacker is way ahead. Incident responders need to find ways to get ahead of the attackers quickly and kick them out of our networks. While a lot of light has been shed on scaling hard-drive artifact-based investigations to large numbers of endpoints, the memory forensics part has been a neglected part of classical forensics for a while. This course will help you to:
Understand how memory works in modern operating systems
Understand the memory forensics process from absolute zero
Learn how tools like Volatility can help you analyze memory for traces of an attack
Understand the best time-saving ways to identify the root cause of an incident with memory forensics
Learn how advanced attackers try to evade defensive processes and how to identify them through memory forensics
Learn how to use modern tools for analyzing your raw data

Topics:
Memory Fundamentals
  Role of Memory
  Reboot sustainability
  Order of volatility in Memory
  The need for Memory Forensics
Memory Acquisition Process
  Memory Acquisition Challenges
Windows Acquisition Tools + Lab
  Magnet RAM Capture
  MoonSols DumpIt
  Rekall winpmem
  Belkasoft RAM Capturer
  AccessData FTK Imager
  Windows Native Solution
  Windows Memory Leak
  Memory Leak
  Capture Process Memory
Linux Acquisition Tools + Lab
  AVML
  memcapture
Introduction to macOS Acquisition Tools
  OSXPmem
Introduction to Analysis Tools
  Volatility2
  Volatility3
  MemProcFS
  Orochi
  Volatility Workbench
  VolUtility
Memory Management
  Swapping
  Virtual Memory & Paging
  Address Translation
Windows Memory Analysis + Lab
  Analysis roadmap
  Image Identification
  Processes and DLLs
  Networking
  Registry
  Kernel Memory and Objects
  Creating Timeline
  Quick tips for analysis
Linux Memory Analysis + Lab
  Creating Volatility profile
  Memory Parsing with Volatility
Memory Injection Techniques
  Shellcode Injection
  Reflective DLL Injection
  Process Hollowing
  AtomBombing
  Inline Hooking
Hunting Malware in Memory + Lab
  malfind
  Yara Scan
  Process Extended View
  Timers
  Callbacks
Case Studies
  Case study 1: DLL Injection
  Case study 2: Ransomware Infection
  Case study 3
Docker Memory Forensics + Lab
  Docker Basics
  Docker Components
  Why Docker Forensics
  Tools Required
  Usecase 1: Container Breakout
  Usecase 2: Credential exposure
  Useful Docker Commands for analysis
Category: Introduction to Mobile Forensics

What you will learn: This course will introduce you to the basic requirements for handling incidents on mobile devices and the best possible ways to acquire data and analyze it in a forensically sound manner.

Topics:
Introduction to Mobile Forensics
Basics of Mobile Operating Systems
Basic knowledge of Mobile Phone Forensic Hardware
Acquisition of Data
Acquisition tools and process:
  I. Cellebrite UFED 4PC
  II. MOBILedit Forensic Express
  III. iTunes Backup for iPhone devices
  IV. Other open source tools
Analysis of Acquired Data
Analysis tools and process:
  I. Cellebrite Physical Analyzer
  II. Autopsy
  III. Belkasoft Evidence Center
  IV. Magnet Axiom
  V. Other open source tools
WhatsApp Data Recovery and Backup Process
Decrypt WhatsApp Data and Retrieve Deleted WhatsApp Messages using open source tools
Report Generation
Case Studies
Category: Introduction to Linux Forensics

What you will learn: This course will introduce you to the basic requirements for handling incidents in a Linux environment and the best possible ways to acquire data and analyze it in a forensically sound manner.

Topics:
Introduction to Linux Forensics
Top 10 Forensic Artefacts and Data Sources in Linux
Understanding the Structured Investigation Process
Setting Up a Lab Environment to Practice Linux Forensics
How to Investigate Linux System Logs
How to Investigate the Linux Systemd Journal
How to Investigate Linux User Artefacts
