O'Reilly Live Online Training

Introduction to Digital Forensics and Incident Response (DFIR)

Topic: Security
Omar Santos

The number of cyber-attacks and breaches continues to rise, and the field of digital forensics and incident response (DFIR) is in high demand. Digital cybersecurity forensics, threat hunting, and incident response tactics and procedures have evolved rapidly over the past several years. Incident response and digital forensics teams are tasked with identifying malware, indicators of compromise, and patterns of activity in order to detect current and future intrusions.

In this course you will learn the fundamentals of incident response and digital forensics. You will learn how to create effective incident response teams and best practices for containing and remediating cybersecurity incidents. You will also learn how to extract and create the cyber threat intelligence needed to properly scope a compromise and detect future breaches, how to collect evidence from network infrastructure devices and endpoints, and how to preserve that evidence.

What you'll learn and how you can apply it

  • Learn the details of the incident response process and how to create an incident response plan.
  • Learn best practices for detecting how and when a breach occurred.
  • Identify compromised and affected systems.
  • Use tools to identify what attackers stole and potentially changed.
  • Learn best practices for containing and remediating incidents.
  • Develop key sources of threat intelligence.
  • Learn how to develop incident response playbooks.
  • Learn digital forensics fundamentals and best practices.
  • Learn best practices for collecting and handling network and host-based evidence.

This training course is for you because...

  • You have an understanding of cybersecurity fundamentals.
  • You want to learn different methodologies and best practices to identify, track, and contain advanced adversaries and to respond to and remediate cybersecurity incidents.
  • You are preparing for the CompTIA Security+, CySA+ or Cisco CCNA CyberOps certifications.

About your instructor

  • Omar Santos is an active member of the cybersecurity community, where he leads several industry-wide initiatives. He is the lead of the DEF CON Red Team Village; the chair of the Common Security Advisory Framework (CSAF) technical committee; the co-chair of the Forum of Incident Response and Security Teams (FIRST) Open Source Security working group; and has been the chair of several initiatives in the Industry Consortium for Advancement of Security on the Internet (ICASI). His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to increasing the security of their critical infrastructures.

    Omar is the author of over twenty books and video courses, as well as numerous white papers, articles, and security configuration guidelines and best practices. Omar is a principal engineer of the Cisco Product Security Incident Response Team (PSIRT), where he mentors and leads engineers and incident managers during the investigation and resolution of cybersecurity vulnerabilities. Additional information about Omar's current projects can be found at omarsantos.io, and you can follow Omar on Twitter @santosomar.


The timeframes are only estimates and may vary according to how the class is progressing.

Segment 1: Introduction to the Incident Response Process (30 minutes)

  • You will learn the incident response process and best practices on how to establish an effective incident response program.
  • You will learn the basics of the guidelines provided in NIST Special Publication 800-61.

Segment 2: Building an Incident Response Team (30 minutes)

  • You will learn what Computer Security Incident Response Teams (CSIRTs), Product Security Incident Response Teams (PSIRTs), Coordination Centers, and Managed Security Service Provider incident response teams are.
  • You will learn best practices that can be used to create an incident response team within your organization.

Break: 10 minutes

Segment 3: The Incident Response Plan (30 minutes)

  • Having a good incident response plan and incident response process will help you minimize loss or theft of information and disruption of services caused by incidents. It will also help you enhance your incident response program by using lessons learned and information obtained during the security incident. In this segment you will learn best practices on how to create an incident response plan within your organization.

Segment 4: Incident Response Playbooks (30 minutes)

  • In this segment you will learn what incident response playbooks are and how to create them to respond successfully to cybersecurity incidents.

Break: 10 minutes

Segment 5: Digital Forensics Fundamentals (30 minutes)

  • In this segment we will go over an introduction to cybersecurity forensics. You will learn the role of attribution in a cybersecurity investigation and the use of digital evidence. You will also learn what chain of custody is and how to preserve evidence.

Segment 6: Network and Host-based Evidence Collection and Handling (30 minutes)

  • In this segment you will learn the fundamentals of Microsoft Windows, Linux, and mobile device forensics. You will also learn how to collect evidence from network infrastructure devices.