Zero-Trust Approach to Disk forensics
RCCE students will learn disk forensic acquisition and analysis including forensic imaging, file system analysis (NTFS, ext4, APFS, HFS+), deleted file recovery, timeline creation from file system metadata, and artifact extraction. RCCE students will learn to create forensically sound disk images using write blockers and imaging tools, analyze file systems for evidence of attacker activity, recover deleted files and fragments, reconstruct user and attacker activity timelines from file system timestamps, extract browser artifacts, registry hives, prefetch data, and event logs, and produce disk forensics reports that withstand legal scrutiny. This zero-trust course applies modern security principles including least privilege, continuous verification, and explicit trust evaluation. Starting from foundational concepts, RCCE students will learn to implement zero-trust architectures that assume breach and verify every access request regardless of network location. Students build practical zero-trust implementations that align with organizational security modernization goals.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Zero-Trust Approach to Disk forensics
- Apply zero-trust principles to privilege decisions and elevation
- Execute hands-on tasks for disk forensics
- Explain Course Overview fundamentals
- Execute hands-on tasks for what you will learn — covering Forensic disk imaging fundamentals, File system analysis (NTFS, ext4, APFS).
- Apply zero-trust principles to privilege decisions and elevation, including Least privilege in forensic workflows, and Continuous verification of evidence.
- Execute hands-on tasks for target outcomes — covering Create forensically sound disk images using write blockers, Analyze file systems for attacker activity evidence.
- Explain Zero-Trust Foundations fundamentals
- Execute hands-on tasks for never trust
- Execute hands-on tasks for always verify
- Implement least-privilege enforcement across endpoints and roles, including Verify every access request, Continuous validation, and Minimum necessary access.
- Apply zero-trust principles to privilege decisions and elevation, including Implicit trust in forensic tools, Unverified evidence integrity, and Tool validation before each use.
| Module 01 | Zero-Trust Approach to |
| Module 02 | Disk Forensics |
| Module 03 | Course Overview |
| Module 04 | What You Will Learn |
| Module 05 | Zero-Trust Integration |
| Module 06 | Target Outcomes |
| Module 07 | Zero-Trust Foundations |
| Module 08 | Core Principles of Zero Trust |
| Module 09 | Never Trust |
| Module 10 | Always Verify |
| Module 11 | Least Privilege |
| Module 12 | Zero-Trust Applied to DFIR |
| Module 13 | Traditional DFIR Gaps |
| Module 14 | Zero-Trust DFIR Model |
All hands-on labs run on Rocheston Rose X OS. Students practice zero-trust approach to disk forensics by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Apply zero-trust principles to privilege decisions and elevation
- Lab 2: Execute hands-on tasks for disk forensics
- Lab 3: Explain Course Overview fundamentals
- Lab 4: Execute hands-on tasks for what you will learn
- Lab 5: Apply zero-trust principles to privilege decisions and elevation
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Zero-Trust Approach to Disk forensics, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI