Digital Forensics and Incident Response (DFIR) on Low-Cost Tools



3 days

Delivery Method



beginner / intermediate

Seats Available



3 days

Delivery Method



beginner / intermediate

ATTEND IN-PERSON: Onsite at Sheraton Grand, Macau

DATE: 4-6 March 2024

TIME: 09:00 to 17:00 CST/GMT+8

Date Day Time Duration
4 Mar Monday 09:00 to 17:00 CST/GMT+8 8 Hours
5 Mar Tuesday 09:00 to 17:00 CST/GMT+8 8 Hours
6 Mar Wednesday 09:00 to 17:00 CST/GMT+8 8 Hours

This course aims at introducing digital forensics and incident response (DFIR) best practices using low-cost tools.

Trainees will follow an end-to-end DFIR process model from planning and tooling, to defensible procedures, to triage & analysis. Despite using low-cost tools (often with rough edges), this course emphasizes defensible procedures, upholding evidence integrity and chain-of-custody, such that acquired evidences and findings may be admissible for legal proceedings.

Armed with the knowledge gained from this course, trainees would be able to apply the skills and knowledges to competently perform DFIR in a defensible manner when resources are strained.

What will the student get
  • Digital Forensics and Incident Response (DFIR) knowledge
  • Tool / Lab Building skills
  • DFIR Planning / Forensic Acquisition / Examination & Analysis skills


Topics Covered
  • War-Time Planning
    • Strategic Considerations
      • DFIR “Fire-Fighting” Mindset: Triage and Targeted Collection / Sniper Forensics
      • DFIR Planning: Initial Scoping, Examination Plan & Tooling
      • Admissibility & Chain of Custody
    • Tooling & Tool / Lab Building
      • Why Self-Build?
      • Building Examination Toolkit
      • Building Analysis Lab
  • Crime Scene Investigations
    • Locating Key Examination Points
    • Containment and Damage Control / or Stop Bleeding
    • Forensic Acquisition
      • Order of Volatility
      • Acquiring Memories: RAM / Hibernate File / Page File
      • Acquiring Network Artifacts: logs / SIEM and Network Packet Capture
      • Evidence Preservation Best Practices: Digital Fingerprint, Tamper-Evident Containers, Chain of Custody
  • Lab Examinations
    • The Network Aspect
      • Systems Events and Network Log Analysis
      • Network Packet Capture Analysis
    • The Computer Aspect
      • Computer Memory Analysis
      • Crash dump Analysis
      • File System Image Analysis
      • Basic OSINT and IoC
      • Basic Malware Analysis
    • Anti-Forensics and Anti-Anti-Forensics
      • Obfuscation & Hiding
  • Reporting
    • What, When, Who, What, How, Why

Why You Should Take This Course

This course introduces the digital forensics and incident response (DFIR) best practices using low-cost tools, from planning to defensible procedures, tooling and lab building to triage & analysis.

Who Should Attend

  • Information security professional
  • Incident Response Team Members
  • Digital Forensic Analysts

Key Learning Objectives

  • DFIR (as opposed to straight DF) is designed to quickly gain sufficient insights to facilitate speedy evidence-based decision making in the course of IR, to operate in so-called “fire-fighting mode”. During fire-fighting, whether to conduct a test / inspection is always consciously based on cost-benefit analyses.

  • Wherever possible, low-cost tools will be covered (<USD200 per year, email license). These tools are generally easily obtainable / procurable, such that practitioners can make use of them when budgets are tight and/or during emergencies. Irregardless of the cost, all tools have their pros and cons; understanding their powers and limitations is the key to sound DFIR practice.
  • Prerequisite Knowledge

    • Basic Windows “power user” knowledge
    • Basic Linux knowledge
    • Basic Computer Hardware knowledge
    • Basic TCP/IP knowledge
    • NO coding skills required

    Hardware / Software Requirements

    • x86/AMD64 based machine (Mac NOT supported)
    • VMware Player
    • Windows OS with 200GB+ free space
    • USB 3.0+ external storage (empty) (1TB+ x1)
    • USB 3.0+ Flash Drive (For build a bootable USB Flash Drive) (empty) x 3
      • (16GB x1, 32GB x1, 64GB+ x1)
      • (minimum 10 MB/s write speed, USB Type-A interface recommended, SanDisk Ultra series or above / Kingston Data Traveler Suggested)
    Powered USB 3.0+ hub (optional)

    Your Instructor

    Alan has ample experience handling complex dispute and litigation cases, having served as forensic examiner, e-discovery specialist, and expert witness testified before courts of laws, at multiple top-tier multinational forensic firms.

    As an digital forensics and incident response expert Alan is well respected for his deep understanding of technologies, acquired through years of diverse background in network & infrastructure security, IT audit & penetration testing, and security solution architecture & design, across nearly two decades of deeply technical engagements.

    He has presented at PacSec Tokyo (2013), DEFCON (2012), and HTCIA Asia-Pacific Conference (2012). Alan is a holder of CFE, OSCE3 (OSEP, OSWE, OSED), OSCP, OSDA, OSWA, EnCE, CISA, and GREM.

    Captain (a.k.a. Forensics and Hardware Ninja) is an independent security researcher. He focuses on hardware, UAS (Drone) security researches, and digital forensics analysis. He was the first and the only Asian who led a group of white-hat hackers to hold an in-depth, hands-on drone and hardware hacking village in BLACK HAT and DEFCON. He was also a frequent speaker and trainer in different top-notch security and forensics conferences including SANS, HTCIA, DFRWS, GCC, CodeBlue, HITB, SINCON, AVTokyo and HITCON.