The International Association of Computer Investigative Specialists

CIFR: Cyber Incident Forensic Response Course

CIFR Course Overview

The concept of the IACIS intrusion investigation course was born when one of the instructors retired from law enforcement and started working in Incident Response consulting. He quickly realized that there were gaps in his forensic knowledge that hindered his ability to quickly and accurately support corporate clients who were victims of a cyber intrusion (“imaging a shutdown Windows system is easy, but what’s ESXi and how do I get an image out of it?”). These gaps were further highlighted when LE peers asked for advice or recommendations for training or skill development. A list of primary functional skills was developed and provided to peers wanting to update or improve their skills in the IR arena. Unfortunately, there wasn’t any single course that covered most of these skills, much less all of them. So, it was decided to develop a one-week course, which quickly turned into a two-week course that focused on providing investigative functionality in most of these skill areas.

This course became the IACIS Cyber Incident Forensic Response (CIFR) course, which focuses on teaching the combined lists of investigation concepts. While the course doesn’t make a student an expert in all these areas, the level of training is deep and broad enough that the student understands the concepts and processes and can competently apply them to an investigation. The intent is to provide a “12-inch deep and a mile wide” approach to a broad range of investigation skills, vs. having to spend many thousands of dollars for 5 days on an “inch wide and an unnecessary mile deep” single topic, then many thousands of dollars for 5 days on yet another single topic.

CIFR uses a real network environment in the classroom to simulate a corporate network, integrating actual network and domain architecture into the instruction to increase realism. Students interact with Windows and Linux VMs in the class and are shown how their actions are presented at the local, domain, and SIEM logging levels. The course has a large number of labs, based on the belief that students learn better by doing a task than by reading about it in bullets on a slide presentation.

The typical course attendees include:

  • LE conducting or supporting intrusion investigations
  • LE who have completed many other classes and are looking for something to grow their skillset
  • Corporate IT security
  • Corporate IT admins
  • Academia

  • RDP
  • Join a domain
  • Create Group Policies (GPOs)
  • Use net.exe commands in intrusion processes
  • SSH
  • dd image using netcat
  • dd image using ssh
  • Log analysis with Linux command line
  • Remote analysis and acquisition with FEX
  • Analysis of network captures with Wireshark
  • Generation and use of timelines
  • Analysis of website defacement incident
  • Analysis of ssh server compromise incident
  • Analysis of compromised Windows and Linux images
  • RAM capture and analysis
  • Static and dynamic malware analysis

The first week ends with two log analysis labs drawn from real-world incidents.

The second week ends with the students witnessing an attack, with a walkthrough of the attack process and the resulting intrusion or malware artifacts. Students then acquire RAM and a system image across the classroom network and spend Friday analyzing the RAM, image, and malware from the attack.

Quick Details

Core Competencies / Details

There are seven competency areas addressed in the CIFR course:

  1. Network Fundamentals
  2. Log Analysis
  3. Remote Drive Imaging
  4. Network Assessment
  5. Windows Host Analysis
  6. Linux Host Analysis
  7. RAM Capture and Analysis Concepts
  8. Malware Analysis Concepts

Please click here to download the official CIFR Core Competencies document, which includes details for each core competency.

Click to view the 2-week CIFR Course Schedule.

Guided by industry-leading professionals, including a distinguished IACIS Chair, the CIFR course content stays consistently updated to reflect the latest cybersecurity and digital forensic best practices.

Apply knowledge towards:

CFCE

Certified Forensic Computer Examiner Program

ICMDE

Certified Mobile Device Examiner

CAWFE

Certified Advanced Windows Forensic Examiner

Where and When is the CIFR Course Offered?

IACIS offers the CIFR course at multiple locations, accommodating the varied schedules of our professional audience. For course dates and locations, please visit our EVENTS page.

How to Register for this Course

Existing IACIS members, simply log in with your IACIS credentials and go to the PURCHASE TRAINING page to purchase and register for the course.

For non-IACIS members, the membership fee is waived with the purchase of the training course; however, to register for the course you must complete a membership application at the time of purchase. Go to the PURCHASE TRAINING page to purchase and register for the course and complete your membership application.
