Forensic science principles (Locard's exchange principle, scientific method), Digital evidence types and characteristics (volatile, non-volatile, latent), Chain of custody requirements, Legal considerations (admissibility, Daubert standard), Incident response lifecycle (NIST, SANS models), Forensic readiness planning, Roles (first responders, investigators, analysts).
Preparation phase (policies, tools, teams), Detection and analysis (indicators of compromise, triage), Containment strategies (short-term, long-term), Eradication and recovery procedures, Post-incident activities (lessons learned, reporting), Incident classification (levels, severity), Communication protocols and stakeholder management.
Acquisition methods (dead disk: dd, FTK Imager; live response), Write-blockers and validation (hashing: MD5, SHA-256), File system analysis (FAT, NTFS, ext4), Timeline reconstruction (MFT, $LogFile, superblocks), File carving (scalpel, foremost), Slack space and unallocated clusters, Metadata extraction (EXIF, MAC times).
Memory acquisition (AVML, DumpIt, LiME), Volatility framework (imageinfo, pslist, psscan, hashdump), Process injection detection (process hollowing, DLL injection), Registry analysis (UserAssist, Amcache, ShimCache), Browser forensics (SQLite artifacts: history, downloads, cache), Email forensics (Outlook PST/OST, MBOX), Anti-forensics techniques (timestomping, overwriting).
Packet capture analysis (Wireshark, tcpdump), Network forensics (IoCs: C2 beacons, anomalies), Log analysis (Windows Event Logs, Sysmon, firewall logs), Cloud forensics (AWS/Azure artifacts), Mobile forensics (Android logical/physical, iOS backups), Malware forensics (static/dynamic analysis), SIEM integration (Splunk, ELK Stack).