Forensics
──
Forensics
This course equips students with the practical and strategic skills required to operate within modern Security Operations Centres (SOCs) and conduct advanced digital forensic investigations. Structured in two integrated parts, it covers foundational and advanced forensic techniques — including memory forensics, file system analysis, and SIEM platforms — alongside real-world SOC operations, detection engineering, threat intelligence, and the application of AI in cyberdefence. Designed to reflect current industry roles and aligned with the ENISA European Cybersecurity Skills Framework (ECSF), the course prepares graduates to respond confidently to complex cyber incidents across a wide range of operational environments.
Main Topics
- 1. Introduction to Digital Forensics
- 2. Data Acquisition, File Data, and Metadata
- 3. Windows Native Artifacts
- 4. Web Browser Artifacts
- 5. Advanced Forensic Concepts
- 6. SOC Fundamentals
- 7. Insident Response
- 8. SIEM Operations and Alert Triage
- 9. Threat Intelligence and CTI
- 10. AI in Cyberdefence and SOC Automation
General Competences
The General Competences that students should have acquired include:
- Adapting to new situations
- Decision-making
- Working independently
- Team work
- Production of free, creative and inductive thinking
- Professional communication
- Thinking out of the box
Skills
Based on the above, upon completion of the course, students are expected to be able to:
- Acquire and analyze volatile and non-volatile evidence (memory, disk, cloud) preserving chain-of-custody.
- Develop Sigma/YARA detection rules from forensic artefacts and ATT&CK mappings.
- Operate SIEM platforms to pivot from alerts to deep forensic investigations.
- Automate triage workflows with scripting and SOAR playbooks.
- Produce defensible forensic reports suitable for legal proceedings.
Knowledge
Forensics course provides students with practical and strategic skills to operate within modern Security Operations Centers (SOCs) and conduct advanced digital forensic investigations. The course is divided into two integrated parts: the first focuses on foundational and advanced digital forensics techniques, while the second explores real-world SOC operations, detection engineering, threat intelligence, and the use of AI for enhancing cyberdefence capabilities. Students will gain hands-on experience across a variety of tools and techniques including memory forensics, file system analysis, Security Information and Event Management (SIEM) platforms, detection rule writing, and incident response. The course is designed to reflect current industry roles and frameworks, including the ENISA European Cybersecurity Skills Framework (ECSF), and prepares students to operate confidently on the front lines of cyber warfare, digital crime investigation, and high-impact security operations in the real world.
Upon completion of this course, the students will be able to:
- Describe the structure, roles, and workflows of a modern SOC, including SOC tiers and related cybersecurity functions
- Configure and operate SIEM systems for threat detection and alert management
- Develop, tune, and test detection logic (e.g., Sigma/YARA rules) for identifying malicious behavior
- Conduct incident response processes including triage, containment, eradication, and recovery
- Apply structured threat intelligence using frameworks such as MITRE ATT&CK
- Implement machine learning and AI-based techniques for anomaly detection, alert triage, and automation in SOC environments
- Conduct disk-based forensic investigations, including imaging, metadata analysis, and filesystem artifact interpretation
- Acquire and analyze memory using appropriate tools (e.g., Volatility) for malware discovery
- Design and execute threat hunting operations based on hypotheses and adversary behaviors
- Simulate SOC teamwork and role-based operations in incident scenarios using real-world toolsets
- Prepare structured technical reports and communicate incident findings to both technical and executive stakeholders
Competences
Students will be able to:
- Lead incident-response investigations through containment, eradication and lessons-learned phases.
- Mentor SOC analysts in threat-hunting methodologies and hypothesis-driven investigations.
- Coordinate with legal counsel and law-enforcement on evidence handling and disclosure.
- Maintain lab environments and toolchains in accordance with industry accreditation (e.g., ISO 17025).
- Uphold ethical standards and impartiality during high-impact investigations.