CIFR: Cyber Incident Forensic Response


IACIS started down the path of an incident response class about 7-8 years ago.  We developed the Network Forensic Analysis (NFA) class and taught it for several years. It was a one-week class that focused on network-level investigation, primarily covering a variety of logs and how to analyze them.  We quickly concluded that we were still missing out on a lot of endpoint information, so we expanded it to two weeks.  This became the Cyber Incident Forensic Response (CIFR) class, which teaches investigation concepts for both the network and endpoint levels.  While the class doesn’t make a student an expert in all these areas, the training is deep and broad enough that the student understands the concepts and processes and can apply them to an investigation, gaining competency the more the skills are used.

Many class attendees fall into one of these categories:

  • LE tasked with conducting or supporting intrusion investigations
  • LE who have completed all other classes and are still looking for something to grow their skillset
  • LE anticipating retiring in the next few years and wanting to develop skills suitable for corporate life
  • Corporate IT security
  • Corporate IT admins

Course Syllabus: CIFR Syllabus

One of the distinguishing aspects of this class is that we do a lot of realistic hands-on exercises and labs.

These 20+ exercises include:

  • Joining a domain
  • Use of net.exe commands
  • Using Wireshark to reinforce network concepts
  • Wireshark investigation scenario
  • Using Linux for log analysis (cut, grep, egrep, regex, etc.)
  • Remote imaging using ssh/dd (2 labs)
  • Remote imaging using dd/netcat
  • Remote imaging using FTKi CLI/netcat
  • Remote imaging/analysis with NBD Server
  • Remote analysis with Forensic Explorer (FEX)
  • Remote analysis with Google Rapid Response (GRR)
  • Compromised web server log analysis
  • SSH attack scenario
  • Windows event log analysis
  • Compromised Windows image analysis (including registry analysis)
  • Linux compromised image analysis (including bash history analysis)
  • RAM acquisition
  • RAM analysis with Bulk Extractor
  • RAM analysis with Volatility
  • Configure REMNUX system
  • Dynamic malware analysis (malware metadata, malware runtime behavior, trojaned document analysis)
  • Attack the systems (mimikatz, meterpreter backdoor shells with Empire, ransomware)
  • Capstone attack exercise: remote imaging/analysis, RAM analysis, image analysis, malware runtime analysis, shellcode script decoding and analysis

The class network includes a Xen server hosting a number of Windows and Linux VMs.  Throughout the two weeks, each student is assigned a VM as their “victim” or target of their analysis labs.  For example, during the FTK Imager CLI imaging lab, each student practices by connecting to their assigned VM, acquiring an image with FTK Imager, and piping the image to netcat, which sends it across the network to their forensic analysis system.  On the last Thursday of class, we end the day by launching a series of attacks against all the VMs, then have the students perform their imaging/analysis across the network on Friday.  They can either image to their forensic system and do analysis there, or they can do the analysis remotely using FEX or GRR.  They can also capture RAM from their compromised system and do RAM and malware analysis as part of their investigation.




* On-Site Check-in Times (student pickup of equipment, ID card, IACIS info) are:

             Sunday, April 26, 2020: 1800 – 2100

             Monday, April 27, 2020: 0700 – 0800

* Please make arrangements to arrive in time to check-in so that you may be in class promptly the first day.


PREREQUISITE: A basic understanding of Windows, Mac and Linux Operating Systems would be helpful, but is not required.

EQUIPMENT (students receive):

Microsoft Windows Domain Kindle book, Wireshark Labs Kindle book, External USB drive, USB stick, several VMs that can be used for investigations (REMNUX, GRR, Fedora analysis system, LosBuntu)


Existing IACIS members simply log in with your credentials and go to the products page to purchase and register for the course.

For non-IACIS members, the membership fee is waived with the purchase of the training course; however, to register for the course you must complete a membership application at the time of purchase.

Apply for membership and purchase the course on the PRODUCTS PAGE.

COST: $2,795 US Dollars

  • Cancellation of this class may occur if there are insufficient students registered. In the event of a cancellation, personnel will typically be notified by email within 48 hours of the registration closure date. IACIS is not responsible for any individual expenses incurred as a result of a cancellation. The limit of IACIS financial liability is a full refund of the course fee.

****Payment MUST BE RECEIVED at least 45 days prior to the first day of class. Any payment arrangements other than payment through the website or payment via invoice must be approved by the IACIS Treasurer prior to admittance into the course. Please contact the treasurer for questions and approval (

Cancellations within 45 days from the start of class to 31 days from the start of class will be subject to a $150 cancellation fee. There will be no refunds within 30 days from the start of class.****


Please read the following notes regarding this class:

  1. Classes begin at 8:00 AM ET and conclude at 5:00 PM ET each day, with a one-hour lunch break. Classes will end at 4:00 PM ET on the last day of class. Please do not arrange for departing flights prior to 7:00 PM ET to allow time for travel to the airport and any security clearances.
  2. The dress code for the conference is business casual (collared shirts and slacks). The wearing of shorts, flip flops, tank tops, etc. is not allowed in the classroom. Personal computers are not permitted in the classroom. Students are required to attend all classes to successfully complete the program. Students who fail to meet the attendance requirements will not be issued a certificate at the conclusion of the program.


The 2020 course will be taught at the Caribe Royale Hotel, 8101 World Center Drive, Orlando, Florida 32821 (USA).  This hotel is close to the Orlando International Airport, has a large pool, spacious workout facility and is very close to Disney World and Universal Studios.

BOOK HERE or via phone by calling the following numbers:

Reservations Toll Free: 1-800-823-8300 or our local number 407-238-8000.

Rates are good for 4/17 – 5/9/2020 while room supplies last