FC-07

Incident response and digital forensics. NIST/SANS IR framework, Volatility 3, Autopsy, Plaso. From first triage to court-grade forensics report. Requires FC-06.

45 lessons · 9 modules · Advanced · 3 themes

Why DFIR is the most in-demand specialization

Numbers that explain everything

76 days: average time between breach and detection in a corporate network
95%: share of malware that leaves recoverable digital artifacts
$120K+: annual salary of a Senior DFIR Analyst / Forensics Investigator in the US
30 TB: device data examined by a DFIR team during a major incident

After the course you will be able to

Not theory — real investigations with actual disk images and memory dumps

🚨Conduct a full IR cycle following NIST SP 800-61 / SANS: Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-Incident Activity (Lessons Learned)
🔬Create a forensic disk image, verify the hash, and examine NTFS, ext4, APFS artifacts in Autopsy
🧠Analyze a RAM dump with Volatility 3: find injected code, C2 connections, encryption keys
🌐Examine PCAP files: detect C2 beaconing, DNS tunneling, and data exfiltration
🪟Extract Windows Artifacts: Prefetch, Amcache, ShimCache, Registry, Event Logs
⏱️Build a Super Timeline of an attack with Plaso and Timesketch — from first artifact to exfiltration
🦠Perform malware triage: static analysis of PE headers and dynamic analysis in ANY.RUN
📋Write a court-grade forensics report: chain of custody, Executive Summary, technical details
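The PCAP outcome above names C2 beaconing detection without saying how it is done. The following is an added illustration, not course material or a tool from the program: it takes flow summaries of the kind Zeek's conn.log or `tshark -T fields` produces from a PCAP, groups connections by source, destination and port, and flags pairs whose inter-arrival times are suspiciously regular (low coefficient of variation). The flow records, hosts and thresholds are constructed for the example.

```python
"""Beacon detection over connection summaries (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src, dst, dst_port).
# One implant beacons to 203.0.113.7:443 roughly every 60 s with a few
# seconds of jitter; the same host also browses 198.51.100.20 irregularly;
# a third host makes too few connections to judge.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 443),
    (61, "10.0.0.5", "203.0.113.7", 443),
    (119, "10.0.0.5", "203.0.113.7", 443),
    (180, "10.0.0.5", "203.0.113.7", 443),
    (242, "10.0.0.5", "203.0.113.7", 443),
    (299, "10.0.0.5", "203.0.113.7", 443),
    (360, "10.0.0.5", "203.0.113.7", 443),
    (421, "10.0.0.5", "203.0.113.7", 443),
    (479, "10.0.0.5", "203.0.113.7", 443),
    (540, "10.0.0.5", "203.0.113.7", 443),
    (5, "10.0.0.5", "198.51.100.20", 443),
    (7, "10.0.0.5", "198.51.100.20", 443),
    (8, "10.0.0.5", "198.51.100.20", 443),
    (45, "10.0.0.5", "198.51.100.20", 443),
    (46, "10.0.0.5", "198.51.100.20", 443),
    (200, "10.0.0.5", "198.51.100.20", 443),
    (201, "10.0.0.5", "198.51.100.20", 443),
    (202, "10.0.0.5", "198.51.100.20", 443),
    (203, "10.0.0.5", "198.51.100.20", 443),
    (500, "10.0.0.5", "198.51.100.20", 443),
    (0, "10.0.0.9", "203.0.113.7", 443),
    (60, "10.0.0.9", "203.0.113.7", 443),
    (120, "10.0.0.9", "203.0.113.7", 443),
]


def inter_arrival(timestamps):
    """Gaps between consecutive connections, in seconds, in time order."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def find_beacons(flows, min_connections=8, max_cv=0.10):
    """Return (src, dst, port) groups whose inter-arrival times are regular.

    Regularity is measured as the coefficient of variation (stdev / mean)
    of the gaps. Human browsing is bursty (high CV); a sleep-loop implant
    with modest jitter is not. min_connections guards against scoring
    two or three coincidental hits; max_cv is the jitter tolerance and is
    an assumed tuning value, not a fixed rule.
    """
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        groups[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), stamps in groups.items():
        if len(stamps) < min_connections:
            continue
        gaps = inter_arrival(stamps)
        period = mean(gaps)
        if period <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "port": port,
                "count": len(stamps),
                "period_s": round(period, 1),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} "
              f"{hit['count']} conns, period {hit['period_s']}s, cv {hit['cv']}")
```

Two caveats a practitioner would apply before trusting the output: implants that randomize their sleep by a large percentage will push the CV above any sane threshold, so pair this with long-tail checks such as "same byte count every time" or "always the same URI/SNI"; and a legitimate scheduled job (NTP, update checks, monitoring agents) will score exactly like a beacon, so every hit still needs the destination enriched against threat intel and the process identified from the host side.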

Real investigations in the course

We break down high-profile incidents like DFIR teams — from first artifacts to the full attack picture

DFIR case · 2017

NotPetya 2017 — how forensics reconstructed the attack

NotPetya paralyzed Maersk, Merck, and hundreds of other companies. DFIR teams reconstructed the full attack chain from Windows Event Logs, the NTFS Master File Table (MFT), and network traffic artifacts. A lesson on why logging matters before the incident, not after.

Lesson 8 · Windows Timeline and artifacts
Memory Forensics · 2021

Emotet — detection through memory dump

Emotet injected itself into legitimate processes and kept its unpacked payload only in memory, leaving little for disk forensics to find. Only by analyzing the infected machine's RAM dump with Volatility was it possible to extract the C2 server configuration, encryption keys, and the victim list.

Lesson 22 · Memory Forensics with Volatility
Career · 2023

DFIR freelancer — $300/hr for expert testimony

A Senior DFIR specialist with courtroom experience shared how to enter the independent forensics market: notarized reports, court testimony, and a $300/hr rate as an expert witness.

Lesson 43 · Career and monetization in DFIR

Course Program

9 modules · 45 lessons · 3 themes: Incident Response, Digital Forensics, Investigation & Reporting

Where this course leads

FC-07 — entry into one of the highest-paid and most scarce specializations in cybersecurity

$7,000 — $18,000/mo

DFIR Lead / IR Manager

Lead an incident investigation team at major companies or IR firms. High demand, acute shortage of specialists.

Volatility · Autopsy · IR methodology · Reporting
Track:FC-07 → MC-07 → DFIR Lead
$5,000 — $13,000/mo

Malware Analyst / Reverse Engineer

Analyze malware for antivirus companies, Threat Intel teams, or government agencies.

Ghidra · IDA Pro · x86 ASM · YARA
Track:FC-07 → Malware Analysis → RE
$4,000 — $10,000+/mo

Expert Witness / Forensic Examiner

Prepare expert reports for court proceedings. Work with law enforcement and corporate lawyers.

Chain of Custody · Court Reports · FTK · EnCase
Track:FC-07 → Certification → Expert Witness

Who this course is for

🔬

SOC Analysts

You work in a SOC and want to move from alert response to deep incident investigation with forensic tools

⚔️

After FC-05 / FC-06

You know offense and defense; now you want to learn how to reconstruct the full picture: artifacts, timeline, attribution

⚖️

Legal track

Interested in forensic examination, working with law enforcement, or preparing expert reports for court proceedings

Become a world-class expert in digital forensics

48 hours with Volatility, Autopsy, Wireshark and Ghidra. Real disk images and memory dumps in a secure lab.

FC-07 — Digital Forensics & DFIR
Incident Investigation
Lessons: 45
Modules: 9
Level: Advanced
Themes: 3
Volatility 3 and Autopsy
Real disk images and RAM dumps
3 real DFIR investigations
Career track after completion