Artifact collection Incident Handling: Field Guide
RCCE students will learn digital forensics acquisition, evidence handling, timeline reconstruction, memory and disk analysis, and forensic reporting. RCCE students will learn to collect and preserve digital evidence following forensically sound procedures, reconstruct attack timelines from multiple artifact sources, perform forensic analysis on endpoints, memory, networks, and cloud environments, and produce investigation reports that withstand legal and regulatory scrutiny. This incident response course prepares students to act decisively during security incidents with structured workflows and clear decision frameworks. Starting from foundational concepts, RCCE students will learn containment, evidence collection, eradication, and recovery procedures specific to this domain. Students practice incident scenarios that build the composure, coordination, and documentation skills essential for effective incident handling.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Artifact collection Incident Handling: Field Guide
- Execute hands-on tasks for artifact collection
- Execute hands-on tasks for incident handling: field guide
- Execute hands-on tasks for digital forensics acquisition, evidence handling & forensic reporting
- Execute hands-on tasks for evidence collection & handling
- Execute hands-on tasks for analysis & reporting — covering Collect digital evidence forensically sound, Reconstruct attack timelines from artifacts.
- Explain Incident Handling Foundations fundamentals — covering Apply structured IR workflows and decision frameworks.
- Execute hands-on tasks for what is digital forensics?
- Execute hands-on tasks for key principles — covering Scientific examination of digital evidence, Preserve original evidence integrity.
- Execute hands-on tasks for forensic soundness — covering Any action must not alter the evidence; if alteration is unavoidable, document it completely.
- Execute hands-on tasks for incident handling framework
- Integrate privilege controls with identity providers and SIEM telemetry, including Industry standard IR lifecycle.
- Execute hands-on tasks for key principle: forensics and ir are parallel tracks — covering IR focuses on restoring operations; forensics focuses on understanding what happened.
| Module 01 | Artifact Collection |
| Module 02 | Incident Handling: Field Guide |
| Module 03 | Digital Forensics Acquisition, Evidence Handling & Forensic Reporting |
| Module 04 | Evidence Collection & Handling |
| Module 05 | Analysis & Reporting |
| Module 06 | Incident Handling Foundations |
| Module 07 | What Is Digital Forensics? |
| Module 08 | Key Principles |
| Module 09 | Forensic Soundness |
| Module 10 | Incident Handling Framework |
| Module 11 | DFIR Integration Points |
| Module 12 | Key Principle: Forensics and IR Are Parallel Tracks |
| Module 13 | Volatile Evidence |
| Module 14 | Non-Volatile Evidence |
All hands-on labs run on Rocheston Rose X OS. Students practice artifact collection incident handling: field guide by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for artifact collection
- Lab 2: Execute hands-on tasks for incident handling: field guide
- Lab 3: Execute hands-on tasks for digital forensics acquisition, evidence handling & forensic reporting
- Lab 4: Execute hands-on tasks for evidence collection & handling
- Lab 5: Execute hands-on tasks for analysis & reporting
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Artifact collection Incident Handling: Field Guide, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI