WEEK 5

Incident Response & Forensics

NIST Guidelines, Policy Management & Evidence Handling

Topics

Forensics Fundamentals

5.1

NIST SP 800-86 Concepts

Four-phase forensic process (collection, examination, analysis, reporting), evidence collection, order of volatility, and documentation.

5.7

Forensic Evidence Elements

Volatile vs non-volatile evidence, file system artifacts, memory forensics, and log sources.

Governance & Policy

5.2

Security Policy Management

Policy hierarchy, AUP, data classification, regulatory compliance (GDPR, HIPAA, PCI DSS).

5.4

Protected Data

PII, PHI, and payment card data (PCI DSS) as data types, classification levels, DLP alerts, and breach response.

Intrusion Analysis

5.6

Cyber Kill Chain & Diamond Model

Lockheed Martin Kill Chain phases, Diamond Model vertex analysis, threat actor pivoting, and MITRE ATT&CK integration.

SOC Operations

5.3

SOC Metrics & Scope

MTTD, MTTR, dwell time, tier responsibilities, SLAs, and coverage metrics.

5.5

Network & Server Profiling

Baseline establishment, anomaly detection, server profiles, and SIEM integration.

5.8

Elements of an IRP

NIST IR phases (preparation; detection and analysis; containment, eradication and recovery; post-incident activity), escalation matrices, containment strategies, and post-incident activities.

Hands-On Labs

What's Going On?

Class activity - collaborative incident identification and initial analysis exercise.

30-45 min Class Activity

Logging Network Activity

Configure logging, observe packet flow, and correlate network events with log entries.

30 min Web House

Exploring DNS Traffic

Analyze DNS patterns, detect tunneling indicators, and extract IOCs from DNS logs.

30-45 min Eye House
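The kind of analysis this lab asks for, as an added example (not the lab's own material or data): profile DNS queries per registered domain, score the classic tunneling indicators (long, high-entropy leftmost labels, many unique subdomains, TXT/NULL-heavy record types), and emit the flagged domains and querying clients as IOCs. The log format is an assumption ("<timestamp> <client_ip> <qtype> <qname>", one query per line) and the sample lines are constructed; "registered domain" is approximated as the last two labels, which a real tool would replace with a public-suffix-list lookup.

```python
"""Profile DNS query logs for tunneling indicators and extract IOCs.

Added example for the DNS lab. The log format is an assumption
("<timestamp> <client_ip> <qtype> <qname>") and the sample lines are
constructed, not captured lab data.
"""
import math
import re
from collections import defaultdict

# Constructed sample: normal browsing from 10.0.0.5, a CDN with several short
# hostnames (many subdomains but low entropy), and a host (10.0.0.7) sending
# long, high-entropy TXT queries to unique subdomains of one domain.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 A www.example.com
2024-03-01T10:00:02Z 10.0.0.5 A cdn.example.com
2024-03-01T10:00:03Z 10.0.0.5 A mail.example.com
2024-03-01T10:00:04Z 10.0.0.5 A example.com
2024-03-01T10:00:05Z 10.0.0.5 A img1.cdn-host.com
2024-03-01T10:00:06Z 10.0.0.5 A img2.cdn-host.com
2024-03-01T10:00:07Z 10.0.0.5 A img3.cdn-host.com
2024-03-01T10:00:08Z 10.0.0.5 A img4.cdn-host.com
2024-03-01T10:00:09Z 10.0.0.5 A img5.cdn-host.com
2024-03-01T10:00:10Z 10.0.0.7 TXT 3a7f9c2e1b4d8e6f0a1b2c3d4e5f6a7b.c2-tunnel.net
2024-03-01T10:00:11Z 10.0.0.7 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2-tunnel.net
2024-03-01T10:00:12Z 10.0.0.7 TXT 5d2c8b1a9f4e3d7c6b0a2f1e9d8c7b3a.c2-tunnel.net
2024-03-01T10:00:13Z 10.0.0.7 TXT 7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e.c2-tunnel.net
2024-03-01T10:00:14Z 10.0.0.7 TXT 1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f.c2-tunnel.net
2024-03-01T10:00:15Z 10.0.0.7 TXT 8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c.c2-tunnel.net
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded/encrypted payloads in labels score near 4 for hex."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Simplification: last two labels. Real code should consult the public suffix list.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def _new_profile():
    return {"qnames": set(), "clients": set(), "queries": 0,
            "txt_null": 0, "entropies": [], "lengths": []}


def profile_domains(log_text):
    """Aggregate per registered domain; bare apex queries (no subdomain) are skipped."""
    profiles = defaultdict(_new_profile)
    for q in parse(log_text):
        labels = q["qname"].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue
        p = profiles[registered_domain(q["qname"])]
        p["qnames"].add(q["qname"].lower())
        p["clients"].add(q["client"])
        p["queries"] += 1
        if q["qtype"] in ("TXT", "NULL"):
            p["txt_null"] += 1
        p["entropies"].append(shannon_entropy(labels[0]))  # leftmost label carries the payload
        p["lengths"].append(len(labels[0]))
    return profiles


def tunneling_indicators(p):
    """Return the names of the indicators a domain profile trips. Thresholds are illustrative."""
    ind = []
    if sum(p["entropies"]) / len(p["entropies"]) >= 3.5:
        ind.append("high_entropy_labels")
    if sum(p["lengths"]) / len(p["lengths"]) >= 20:
        ind.append("long_labels")
    if len(p["qnames"]) >= 5:
        ind.append("many_unique_subdomains")
    if p["txt_null"] / p["queries"] >= 0.5:
        ind.append("txt_or_null_heavy")
    return ind


def extract_iocs(log_text, min_indicators=3):
    """Flag domains tripping >= min_indicators and report the clients that queried them."""
    iocs = []
    for domain, p in sorted(profile_domains(log_text).items()):
        ind = tunneling_indicators(p)
        if len(ind) >= min_indicators:
            iocs.append({"domain": domain, "indicators": ind,
                         "clients": sorted(p["clients"]), "queries": p["queries"]})
    return iocs


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_LOG):
        print(ioc)
```

Requiring several indicators together is what keeps the CDN (five unique but short, low-entropy hostnames) out of the IOC list while the tunnel domain trips all four; lowering `min_indicators` trades precision for recall, which is the tuning decision the lab asks you to reason about.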

Attacking MySQL Database

Understand SQL injection from a defensive perspective for SOC detection awareness.

45 min Web House

Reading Server Logs

Parse log formats, identify security events, and build investigation timelines.

30 min Script House
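Tying the two previous labs together, as an added example (not the course's lab code): parse combined-format web server access logs, URL-decode each request target before matching so encoded SQL injection and path traversal payloads are not missed, tag scanner user agents and server errors, and sort the tagged events into an investigation timeline with a per-source summary. The log lines are constructed (RFC 5737 test addresses) and the detection patterns are illustrative, not a complete signature set.

```python
"""Parse combined-format access logs, tag security events, build a timeline.

Added example for the server-log and SQL-injection labs. Log lines are
constructed for this example; detection patterns are illustrative only.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample, deliberately not in time order (as if merged from two
# servers). 203.0.113.9 is a normal user; 198.51.100.23 probes for SQLi,
# runs sqlmap, and tries a directory traversal.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Mar/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Mar/2024:10:16:25 +0000] "GET /../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2024:10:15:04 +0000] "GET /products.php?id=7 HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Mar/2024:10:16:10 +0000] "GET /products.php?id=7%27%20OR%201%3D1-- HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Mar/2024:10:16:12 +0000] "GET /products.php?id=7%20UNION%20SELECT%20user%2Cpassword%20FROM%20mysql.user HTTP/1.1" 500 512 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Mar/2024:10:16:20 +0000] "GET /products.php?id=7 HTTP/1.1" 200 2211 "-" "sqlmap/1.7"
203.0.113.9 - - [01/Mar/2024:10:17:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache/Nginx "combined" format: host ident user [time] "request" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rules applied to the URL-decoded request target.
TARGET_RULES = [
    ("sqli", re.compile(
        r"""['"]\s*(?:or|and)\s+\w+\s*=\s*\w+"""     # ' OR 1=1
        r"|\bunion\b\s+(?:all\s+)?select\b"          # UNION SELECT
        r"|\bsleep\s*\("                             # time-based blind probe
        r"|information_schema", re.I)),
    ("path_traversal", re.compile(r"\.\.[/\\]")),
]
# Rules applied to the User-Agent header.
UA_RULES = [("scanner_user_agent", re.compile(r"sqlmap|nikto|nmap|masscan|nuclei", re.I))]


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["decoded_target"] = unquote(rec["target"])  # %27 -> ', %20 -> space, before matching
    return rec


def classify(rec):
    """All event categories a parsed record trips, in rule order."""
    cats = [name for name, rx in TARGET_RULES if rx.search(rec["decoded_target"])]
    cats += [name for name, rx in UA_RULES if rx.search(rec["ua"])]
    if rec["status"] >= 500:  # an error right after a payload often means the injection landed
        cats.append("server_error")
    return cats


def build_timeline(log_text):
    """Tagged events ordered by timestamp (stable sort keeps same-line events in rule order)."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for cat in classify(rec):
            events.append({"ts": rec["ts"], "src": rec["src"], "category": cat,
                           "status": rec["status"], "target": rec["decoded_target"],
                           "ua": rec["ua"]})
    return sorted(events, key=lambda e: e["ts"])


def summarize_by_source(timeline):
    """Per-source counts of each event category, for pivoting to the noisiest hosts."""
    summary = defaultdict(Counter)
    for e in timeline:
        summary[e["src"]][e["category"]] += 1
    return summary


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOG)
    for e in timeline:
        print(e["ts"].isoformat(), e["src"], e["category"], e["status"], e["target"])
    print(dict(summarize_by_source(timeline)))
```

Decoding before matching is the step most often skipped in home-grown log greps; the `%27%20OR%201%3D1` line would pass a literal search for `' OR 1=1` untouched.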

Week 5 Evaluation

Complete all topics and labs, then take the Week 5 assessment to test your incident response and forensics knowledge.