DFIR & Digital Forensics
Investigate to an expert-grade, defensible standard — acquire and preserve evidence; analyze disk, memory, log, and network artifacts; build timelines; triage malware in isolation; and write findings that hold up.
// The loop
acquire (write-once) → hash & preserve → analyze → correlate into a timeline → triage (lab-safe) → find contradictions → report (source-backed) → save as a reusable playbook
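The first three steps of the loop (write-once acquisition, hashing, preservation with a custody record) and the later "find contradictions" step can be shown in a few dozen lines. The block below is an added illustration, not course material or a tool the course ships: it hashes an acquired artifact, marks the copy read-only, appends a chain-of-custody entry to a JSON-lines manifest, and later re-hashes the artifact against every recorded digest so that any change to the copy is detected. The image bytes, file names (`disk01.raw`, `custody.jsonl`) and examiner identifier are constructed placeholders.

```python
"""Hash-and-preserve step of the DFIR loop with a chain-of-custody manifest.

Added example (standard library only). The 'acquired image' is a constructed
byte string written to a temp directory so the script runs offline.
"""
import datetime
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 so large images do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(evidence_path, manifest_path, examiner, note):
    """Hash the artifact, make the copy read-only, append a custody entry.

    Every later claim about this artifact can point back to this entry.
    """
    digest = sha256_file(evidence_path)
    # 'Write-once': strip write bits so the working copy is not edited by accident.
    os.chmod(evidence_path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    entry = {
        "ts_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "action": "acquire+hash",
        "artifact": os.path.basename(evidence_path),
        "sha256": digest,
        "size_bytes": os.path.getsize(evidence_path),
        "examiner": examiner,          # placeholder identifier
        "note": note,
    }
    with open(manifest_path, "a", encoding="utf-8") as m:
        m.write(json.dumps(entry) + "\n")
    return digest


def verify(evidence_path, manifest_path):
    """Re-hash the artifact and compare with every manifest entry for it.

    Returns 'intact', 'MISMATCH' (copy differs from what was preserved) or
    'no-record' (nothing in the manifest names this artifact).
    """
    current = sha256_file(evidence_path)
    name = os.path.basename(evidence_path)
    with open(manifest_path, encoding="utf-8") as m:
        recorded = [json.loads(line) for line in m if line.strip()]
    expected = [e["sha256"] for e in recorded if e["artifact"] == name]
    if not expected:
        return "no-record"
    return "intact" if all(h == current for h in expected) else "MISMATCH"


def demo():
    """Preserve a constructed image, verify it, then alter one byte and re-verify."""
    work = Path(tempfile.mkdtemp())
    img = work / "disk01.raw"            # constructed name
    manifest = work / "custody.jsonl"    # constructed name
    img.write_bytes(b"constructed sample image bytes\x00" * 1024)

    digest = preserve(img, manifest, "examiner-A",
                      "acquired via write-blocker (constructed note)")
    before = verify(img, manifest)

    # Simulate an accidental edit of the working copy; the manifest catches it.
    os.chmod(img, stat.S_IRUSR | stat.S_IWUSR)
    with open(img, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    after = verify(img, manifest)
    return {"sha256": digest, "before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is append-only by construction (every action adds a line, none rewrites one), which is what makes a later "which hash did you record, and when?" question answerable from the file itself rather than from memory.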
// The 6-phase roadmap
- 01 IR process & evidence handling
- 02 Disk & filesystem forensics
- 03 Memory forensics
- 04 Log & network forensics
- 05 Malware triage (lab-safe)
- 06 Reporting & expert-grade deliverables
The investigation course. It trains toward defensible, expert-grade forensics: the ability to acquire, preserve, and analyze evidence to a standard that holds up — and to write findings that survive scrutiny.
What makes it forensics and not “poking at files” is that every claim is backed by a hashed artifact and a defensible step. Malware is handled lab-safe only — triaged in isolation, never executed outside it. All work happens on owned, lab, authorized, or public-challenge data, with chain of custody from the first step.