Tactical Digital Forensics

Course Length:

$7500 per person

This two-week course teaches students to perform the fast and efficient digital forensics required to discover and investigate an Advanced Persistent Threat. Students learn the tactics and procedures a threat actor uses to evade detection, and develop the real-world skills to locate malicious elements on a network and respond appropriately. Students acquire a fundamental understanding of how to effectively discover breaches and triage attacks within a network. A hands-on capstone exercise assesses each student's ability to respond to a detected intrusion and grades each individual on the use of forensic analysis techniques to determine the attack method, associated implants, embedded tools and files, attack timeline, and origin of the attack.

What you will learn:

  • Students receive a textbook to accompany classroom instruction.
  • The class offers a unique combination of digital forensics and malware analysis.
  • Classroom exercises demonstrate how to reverse-engineer an attack.
  • Theory and exercises review modern methods used by threat actors to gain access to remote networks.
  • A capstone event assesses students’ use of forensics analysis techniques to determine a threat’s attack method, associated implants, embedded tools and files, attack timeline, and origin of the attack.

Course Outline:

Anatomy of an Attack

  • A day in the life of an advanced threat
  • Process Interrogation
  • Search for forensics tool suites
  • Learn to find running malware
  • Discover methods of malware persistence

Memory Analysis

  • Practice volatile memory capture (RAM dumps)
  • Perform volatile memory forensics

File Forensics

  • Identify Advanced Persistent Threats
  • Analyze dynamic executable files
  • Recover deleted files and other artifacts

Network Traffic Forensics

  • Extract files from network traffic
  • Discover malicious network activity indicators

Windows Internal Forensics

  • Interrogate processes for indications of malware
  • Review the Windows boot process
  • Learn about forensics artifacts
  • Review event logs for unusual PowerShell entries
  • Perform USB device timeline analysis

Responsive Actions

  • Identify and document Indicators of Compromise
  • Discover anti-forensics tools and methods
  • Discover and analyze malware


If this course is not on the current schedule of open enrollment courses and you are interested in attending this or another course as an open enrollment, please contact us at (410)956-8805 or ati@aticourses.com. Please indicate the course name, the number of students who wish to participate, and a preferred time frame. ATI typically schedules open enrollment courses with a 3-5 month lead time. For on-site pricing, you can use the Request an On-Site Quote form, call us at (410)956-8805, or email us at ati@aticourses.com.