Cloud forensics Playbook for Teams: Field Guide
RCCE students will learn how to collect, preserve, and analyze digital evidence in cloud environments across AWS, Azure, and GCP. RCCE students will learn to acquire cloud-native logs including CloudTrail, Activity Log, and Audit Logs, preserve volatile cloud resources before termination, reconstruct attacker activity across cloud services, analyze IAM permission changes, investigate unauthorized resource provisioning, and build forensic timelines from distributed cloud telemetry. The course covers legal considerations for cloud evidence, chain of custody in shared responsibility models, and forensic imaging of cloud-based virtual machines. This team-oriented course builds collaborative workflows and organizational playbooks for security operations. At an expert level, RCCE students will learn to create and implement standardized procedures that enable consistent performance across team members and shifts. Students develop the documentation, communication, and coordination skills needed for effective team-based security operations.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Cloud forensics Playbook for Teams: Field Guide
- Execute hands-on tasks for cloud forensics playbook for teams
- Execute hands-on tasks for field guide
- Explain Course Overview: Cloud Forensics Field Guide fundamentals
- Execute hands-on tasks for evidence collection — covering Acquire cloud-native logs.
- Execute hands-on tasks for attacker reconstruction — covering Reconstruct attacker activity paths.
- Execute hands-on tasks for timeline building — covering Build forensic timelines.
- Execute hands-on tasks for team playbooks — covering Collaborative SOC workflows.
- Execute hands-on tasks for learning objectives
- Execute hands-on tasks for cloud log acquisition — covering Master CloudTrail, Activity Log, Audit Logs.
- Execute hands-on tasks for volatile resource preservation — covering Snapshot VMs before termination, Track permission escalation chains.
- Execute hands-on tasks for iam forensic analysis — covering Track permission escalation chains.
- Execute hands-on tasks for team playbook development — covering Build runbooks for SOC teams, Create escalation decision trees.
| Module 01 | Cloud Forensics Playbook for Teams |
| Module 02 | Field Guide |
| Module 03 | Course Overview: Cloud Forensics Field Guide |
| Module 04 | Evidence Collection |
| Module 05 | Attacker Reconstruction |
| Module 06 | Timeline Building |
| Module 07 | Team Playbooks |
| Module 08 | Learning Objectives |
| Module 09 | Cloud Log Acquisition |
| Module 10 | Volatile Resource Preservation |
| Module 11 | IAM Forensic Analysis |
| Module 12 | Team Playbook Development |
| Module 13 | Build runbooks for SOC teams |
| Module 14 | Cloud Forensics Fundamentals |
All hands-on labs run on Rocheston Rose X OS. Students practice cloud forensics playbook for teams: field guide by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for cloud forensics playbook for teams
- Lab 2: Execute hands-on tasks for field guide
- Lab 3: Explain Course Overview: Cloud Forensics Field Guide fundamentals
- Lab 4: Execute hands-on tasks for evidence collection
- Lab 5: Execute hands-on tasks for attacker reconstruction
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Cloud forensics Playbook for Teams: Field Guide, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI