O'Reilly Live Online Training

Introduction to Digital Forensics and Incident Response (DFIR)

Omar Santos

The number of cyber-attacks and breaches continues to rise, and the field of digital forensics and incident response (DFIR) is in high demand. Digital forensics, threat hunting, and incident response tactics and procedures have evolved rapidly over the past several years. Incident response and digital forensics teams are tasked with identifying malware, indicators of compromise, and patterns of activity in order to detect current and future intrusions.

In this course you will learn the fundamentals of incident response and digital forensics. You will learn how to create effective incident response teams and best practices for containing and remediating cybersecurity incidents. You will also learn how to extract and create the cyber threat intelligence needed to properly scope a compromise and detect future breaches. Finally, you will learn how to collect evidence from network infrastructure devices and endpoints, and how to preserve that evidence.

What you'll learn and how you can apply it

  • Learn the details of the incident response process and how to create an incident response plan.
  • Learn best practices for detecting how and when a breach occurred.
  • Identify compromised and affected systems.
  • Use tools to identify what attackers stole and potentially changed.
  • Learn best practices for containing and remediating incidents.
  • Develop key sources of threat intelligence.
  • Learn how to develop incident response playbooks.
  • Learn digital forensics fundamentals and best practices.
  • Learn best practices for collecting and handling network and host-based evidence.

This training course is for you because...

  • You have an understanding of cybersecurity fundamentals.
  • You want to learn different methodologies and best practices to identify, track, and contain advanced adversaries and to respond to and remediate cybersecurity incidents.
  • You are preparing for the CompTIA Security+, CySA+ or Cisco CCNA CyberOps certifications.

About your instructor

  • Omar Santos is a Principal Engineer in the Cisco Product Security Incident Response Team (PSIRT) within Cisco's Security Research and Operations. He mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities in all Cisco products, including cloud services. Omar has been working with information technology and cyber security since the mid-1990s. He has designed, implemented, and supported numerous secure networks for Fortune 100 and 500 companies and the U.S. government. He is an active member of the security community, where he leads several industry-wide initiatives and standards bodies. Omar frequently delivers technical presentations at conferences and is the author of over 15 books and video courses.

The timeframes are only estimates and may vary according to how the class is progressing.

Segment 1: Introduction to the Incident Response Process (30 minutes)

  • You will learn the incident response process and best practices on how to establish an effective incident response program.
  • You will learn the basics of the guidelines provided in NIST Special Publication 800-61.

Segment 2: Building an Incident Response Team (30 minutes)

  • You will learn what Computer Security Incident Response Teams (CSIRTs), Product Security Incident Response Teams (PSIRTs), Coordination Centers, and Managed Security Service Provider incident response teams are.
  • You will learn best practices that can be used to create an incident response team within your organization.

Break: 10 minutes

Segment 3: The Incident Response Plan (30 minutes)

  • A good incident response plan and process will help you minimize the loss or theft of information and the disruption of services caused by incidents. They will also help you improve your incident response program by applying lessons learned and information gathered during a security incident. In this segment you will learn best practices for creating an incident response plan within your organization.

Segment 4: Incident Response Playbooks (30 minutes)

  • In this segment you will learn what incident response playbooks are and how to create them to respond successfully to cybersecurity incidents.

Break: 10 minutes

Segment 5: Digital Forensics Fundamentals (30 minutes)

  • This segment introduces cybersecurity forensics. You will learn the role of attribution in a cybersecurity investigation and the use of digital evidence. You will also learn what chain of custody is and how to preserve evidence.

Segment 6: Network and Host-based Evidence Collection and Handling (30 minutes)

  • In this segment you will learn the fundamentals of Microsoft Windows, Linux, and mobile device forensics. You will also learn how to collect evidence from network infrastructure devices.