Hands-On Cloud forensics
RCCE students will learn how to collect, preserve, and analyze digital evidence in cloud environments across AWS, Azure, and GCP. RCCE students will learn to acquire cloud-native logs including CloudTrail, Activity Log, and Audit Logs, preserve volatile cloud resources before termination, reconstruct attacker activity across cloud services, analyze IAM permission changes, investigate unauthorized resource provisioning, and build forensic timelines from distributed cloud telemetry. The course covers legal considerations for cloud evidence, chain of custody in shared responsibility models, and forensic imaging of cloud-based virtual machines. This practice-intensive course emphasizes applied skills through lab exercises, real-world scenarios, and production-realistic workflows. Starting from foundational concepts, RCCE students will learn by doing, building muscle memory and practical confidence through repeated hands-on engagement. Students complete exercises that mirror actual workplace tasks, ensuring skills transfer directly to their professional roles.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Hands-On Cloud forensics
- Execute hands-on tasks for hands-on cloud forensics
- Execute hands-on tasks for 4 credit hrs
- Execute hands-on tasks for learning objectives
- Monitor and audit privilege usage; detect escalation attempts
- Execute hands-on tasks for what is cloud forensics?
- Execute hands-on tasks for key characteristics — covering Evidence distributed across providers, No physical disk access in most cases.
- Execute hands-on tasks for vs traditional forensics — covering Evidence distributed across providers.
- Design a scalable privilege management architecture with policy and enforcement, including Most forensic control, and Limited OS access.
- Execute hands-on tasks for software as a service — covering Most forensic control.
- Integrate privilege controls with identity providers and SIEM telemetry, including Physical infrastructure security, and Hypervisor-level logging.
- Execute hands-on tasks for customer responsibilities — covering Application-level log collection, IAM audit configuration.
- Execute hands-on tasks for jurisdictional challenges — covering Data may reside in multiple countries, Conflicting national privacy laws.
| Module 01 | Hands-On Cloud Forensics |
| Module 02 | 4 Credit Hrs |
| Module 03 | Learning Objectives |
| Module 04 | Activity Log, Audit) |
| Module 05 | What Is Cloud Forensics? |
| Module 06 | Key Characteristics |
| Module 07 | vs Traditional Forensics |
| Module 08 | Cloud Service Models & Forensic Impact |
| Module 09 | Software as a Service |
| Module 10 | Cloud Provider Responsibilities |
| Module 11 | Customer Responsibilities |
| Module 12 | Jurisdictional Challenges |
| Module 13 | Admissibility Requirements |
| Module 14 | Privacy Regulations |
All hands-on labs run on Rocheston Rose X OS. Students practice hands-on cloud forensics by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for hands-on cloud forensics
- Lab 2: Execute hands-on tasks for 4 credit hrs
- Lab 3: Execute hands-on tasks for learning objectives
- Lab 4: Monitor and audit privilege usage; detect escalation attempts
- Lab 5: Execute hands-on tasks for what is cloud forensics?
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Hands-On Cloud forensics, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI