Disk Forensics Operations Playbook

RCCE students will learn disk forensic acquisition and analysis including forensic imaging, file system analysis (NTFS, ext4, APFS, HFS+), deleted file recovery, timeline creation from file system metadata, and artifact extraction.

RCCE students will learn to create forensically sound disk images using write blockers and imaging tools, analyze file systems for evidence of attacker activity, recover deleted files and fragments, reconstruct user and attacker activity timelines from file system timestamps, extract browser artifacts, registry hives, prefetch data, and event logs, and produce disk forensics reports that withstand legal scrutiny.

This operations-focused course delivers production-ready playbooks, checklists, and standard operating procedures. Starting from foundational concepts, RCCE students will learn to build repeatable day-to-day operational workflows that ensure consistency and quality. Students receive templates and frameworks they can customize and deploy immediately in their security operations, reducing time to operational effectiveness.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing the Disk Forensics Operations Playbook
- Execute hands-on tasks for disk forensics operations playbook
- Execute hands-on tasks for advanced cyber defense mastery
- Explain Executive Overview fundamentals
- Execute hands-on tasks for course mission
- Execute hands-on tasks for operational focus, covering mastering forensic disk acquisition techniques and production-ready playbooks and SOPs
- Execute hands-on tasks for why disk forensics matters, covering evidence preservation for legal proceedings
- Execute hands-on tasks for core definitions & terminology
- Execute hands-on tasks for forensic image
- Execute hands-on tasks for write blocker
- Execute hands-on tasks for file system metadata
- Execute hands-on tasks for slack space
- Execute hands-on tasks for forensic imaging process
| Module 01 | Disk Forensics Operations Playbook |
| Module 02 | Advanced Cyber Defense Mastery |
| Module 03 | Executive Overview |
| Module 04 | Course Mission |
| Module 05 | Operational Focus |
| Module 06 | Why Disk Forensics Matters |
| Module 07 | Core Definitions & Terminology |
| Module 08 | Forensic Image |
| Module 09 | Write Blocker |
| Module 10 | File System Metadata |
| Module 11 | Slack Space |
| Module 12 | Forensic Imaging Process |
| Module 13 | Write Blocker Types |
| Module 14 | Chain of Custody Requirements |
All hands-on labs run on Rocheston Rose X OS. Students practice the Disk Forensics Operations Playbook material by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for disk forensics operations playbook
- Lab 2: Execute hands-on tasks for advanced cyber defense mastery
- Lab 3: Explain Executive Overview fundamentals
- Lab 4: Execute hands-on tasks for course mission
- Lab 5: Execute hands-on tasks for operational focus
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for the Disk Forensics Operations Playbook, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI