CIFR: Cyber Incident Forensic Response

The concept of the IACIS intrusion investigation training class was born when one of the instructors retired from law enforcement and started working Incident Response consulting.  He quickly realized that there were gaps in his forensic knowledge that hindered his ability to quickly and accurately support corporate clients who were victims of a cyber intrusion (“imaging a shutdown Windows system is easy, but what’s ESXi and how do I get an image out of it?”).  These gaps were further highlighted when LE peers asked for advice or recommendations for training or skill development. A list of primary functional skills was developed and provided to peers wanting to update or improve their skills in the IR arena. Unfortunately, there wasn’t any single class that covered most of these skills, much less all of them.  So, it was decided to develop a one-week class which quickly turned into a two-week class that focused on providing investigative functionality in most of these skill areas.  This class became the IACIS Cyber Incident Forensic Response (CIFR) class, which focuses on teaching the combined lists of investigation concepts.  While the class doesn’t make a student an expert in all these areas, the level of training is deep and broad enough so the student understands the concepts and processes, and can competently apply them to an investigation.  The approach is to provide “an inch deep and a mile wide” approach to a broad range of investigation skills, vs. having to spend many thousands of dollars for 5 days on an “inch wide and an unnecessary mile deep” single topic, then many thousands of dollars for 5 days an another single topic.

CIFR uses a real network environment in the classroom to simulate a corporate network, integrating actual network and domain architecture into the instruction to increase realism. Students interact with Windows and Linux VMs running on a Xen hypervisor server in the class, and are shown how their actions are presented at the local, domain and SIEM logging levels. The class has a large number of labs, based on a belief the student learns better by doing the task vs reading about the task in bullets on a slide presentation.

Throughout the 2- week class students will cover topics and lab exercises that include:

  • LE tasked with conducting or supporting intrusion investigations
  • LE who have completed all other classes and are still looking for something to grow their skillset
  • Corporate IT security
  • Corporate IT admins
  • The first week ends with two log analysis labs drawn from real-world incidents.

The second week ends with the students witnessing an attack, with a walkthrough of the attack process.  Students then acquire RAM and a system image across the classroom network and spend Friday analyzing the RAM, image, and malware from the attack. Click here to view Schedule


WHEN:  April 24 – May 05, 2023

COST: $3,495.00 US Dollars

Classroom laptops will be given to the students to take home and keep.


Registration for this course is closed.

****Payment MUST BE RECEIVED at least 45 days prior to the first day of class. Any payment arrangements other than payment through the website or payment via invoice must be approved by the IACIS Treasurer prior to admittance into the course. Please contact the treasurer for questions and approval (

Cancellations within 45 days from the start of class to 31 days from the start of class will be subject to a $150 cancellation fee. There will be no refunds within 30 days from the start of class.****

* On-Site Check-in Times (student pickup of equipment, ID card, IACIS info) are:

             Sunday, April 23, 2023: 1800 – 2100

             Monday, April 24, 2023: 0700 – 0800

* Please make arrangements to arrive in time to check-in so that you may be in class promptly the first day.


Please read the following notes regarding this class:

  1. Classes begin at 8:00 AM ET and conclude at 5:00 PM ET, each day, with a one-hour lunch break. Classes will end at 4:00 PM ET on the last day of class. Please do not arrange for departing flights prior to 7:00 PM ET to allow time for travel to the airport and any security clearances.
  2. The dress code for the conference is business casual (collared shirts and slacks). The wearing of shorts, flip flops, tank tops, etc. is not allowed in the classroom. Personal computers are not permitted in the classroom. Students are required to attend all classes to successfully complete the program. Students who fail to meet the attendance requirements will not be issued a certificate at the conclusion of the program.


The course will be taught at the Caribe Royale Hotel, 8101 World Center Drive, Orlando, Florida 32821 (USA).  This hotel is 16 miles from the Orlando International Airport, it has a large pool, spacious workout facility and is close to Disney World and Universal Studios.


Due to an unprecedented situation with Caribe Royale, the hotel is completely booked for week one of the 2023 IACIS Training event.   

IACIS is currently working with Orlando Marriott to determine if we can use it as overflow, but at the time of this writing we have no information on what they have available or if they will honor GSA rates. We will update this site as new information become available.

​​NAME​   ​​PHONE​  
Embassy Suites by Hilton Orlando Lake Buena Vista South   1(407)597-4000  
​​Orlando Marriott World Center​    1(407)239-4200  
Gaylord Palms Resort & Convention Center   1(407)586-0000  
​​Walt Disney World Swan​    1(407)934-3000  
Walt Disney World Dolphin Resort   1(407)934-4000  

Also, if you are government employee you may be able to use to find GSA rate lodging in the area.   

Please note: Availability at the Caribe Royale may change as time gets closer to the event so it is recommended that you check with the Caribe Royale often by using booking via this Caribe Royale Hotel link here. As a reminder, if you are not a Caribe Royale Hotel guest and require daily parking on hotel property during the event you will be responsible for all associated parking fees. 

Or book via phone by calling the following numbers: 

Reservations Toll Free: 1-800-823-8300/1-888-258-7501 or our local number 407-238-8000. 


If IACIS is unable to hold their 2023 Orlando training event, then all students who have registered and paid, will have the option of a full refund or a reserved seat at the 2024 training event.  IACIS is not responsible for any outside expenses (e.g. travel and accommodation) in the event of the training event being cancelled.  Anyone who paid for training will receive complimentary membership through the year that his/her training takes place.