Blackbox Intelligence Group
Cybersecurity II · Module 9

Cybersecurity II, Unit 9: Incident Response and Digital Forensics Basics

When the alert is real. The IR lifecycle, evidence handling, memory and disk forensics fundamentals, and chain of custody.

Length
360 min
Level
advanced
Track
Cyber II
Cadence
Semester 2

What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide

Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter

Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export

Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Unit 9: Incident Response and Digital Forensics Basics

Lesson at a glance

| Item | Detail |
| --- | --- |
| Suggested length | 6 × 60 minutes |
| Recommended placement | Weeks 14–15 |
| Prerequisite | Unit 8 |
| Materials | Sample memory image, sample disk image, Volatility 3 (Python), Autopsy / FTK Imager, hash utility, evidence log template |

Safety: All forensics work uses sample images and lab disks. Personal devices, friends' phones, and school production assets are off-limits.

Standards & credential alignment

  • NIST SP 800-61r2 Incident Handling Guide.
  • NIST SP 800-86 Integrating Forensic Techniques.
  • OffSec SOC-100 alignment.

Learning objectives

By the end of this unit, students can:

  1. Walk through the NIST IR lifecycle: Preparation → Detection & Analysis → Containment → Eradication → Recovery → Post-Incident.
  2. Establish chain of custody for digital evidence.
  3. Capture and verify a forensic image with hashing.
  4. Run basic Volatility 3 plugins on a memory image.
  5. Recognize indicators of common attacks in disk artifacts (browser history, prefetch, registry persistence, scheduled tasks).
  6. Produce an incident report with findings and timeline.

Vocabulary

  • Order of volatility - Sequence of evidence preservation, most volatile first.
  • Chain of custody - Documented who-had-what-when from collection to court.
  • Forensic image - Bit-for-bit copy of media.
  • Hash verification - Confirming the image is identical to source via SHA-256.
  • Live response - Collecting evidence from a running system.
  • Dead box - Powered-off analysis on imaged media.
  • Artifact - Forensic remnant of activity (registry, prefetch, .lnk, browser cache).
  • IOC - Indicator of Compromise.

Pacing

| Day | Focus | Deliverable |
| --- | --- | --- |
| 1 | IR lifecycle + chain of custody | Filled-out evidence log on a mock collection |
| 2 | Imaging + hashing | Sample image with verified SHA-256 |
| 3 | Memory forensics with Volatility | 3 Volatility findings |
| 4 | Disk forensics with Autopsy | 3 disk artifacts identified |
| 5 | Timeline construction | Combined timeline |
| 6 | Incident report | 6–10 page report |

Day 1 - Lifecycle + chain of custody

NIST IR phases - discuss responsibilities at each.

Order of volatility (most → least):

  1. CPU registers, cache
  2. RAM
  3. Network state, ARP cache, running processes
  4. Temp files
  5. Disk
  6. Remote logs / monitoring
  7. Physical/printed media

Chain of custody log fields:

  • Item ID
  • Description (model, serial, hostname)
  • Source location
  • Date/time collected
  • Collected by (name + signature)
  • Hash (SHA-256)
  • Storage location
  • Each transfer: from / to / date / time / signature

Mock exercise: a "USB" is "found in the lab." Two-person team collects it, fills out the log, hashes it, places it in evidence bag, signs.

Day 2 - Imaging + hashing

Use FTK Imager (Windows) or dd + sha256sum (Linux):

# Linux dead-box image
sudo dd if=/dev/sdb of=/cases/case-001.img bs=4M status=progress conv=noerror,sync
sha256sum /cases/case-001.img | tee /cases/case-001.img.sha256

Re-hash the image after every copy and confirm the digest matches the original. Put both hashes in the evidence log.
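The Day 1 log fields and the Day 2 hash-and-verify step fit together in one small tool. The following Python script is an added example, not part of the lesson pack: it streams a SHA-256 over an image, writes the `.sha256` sidecar in the same `<digest>  <name>` format that `sha256sum -c` reads, re-verifies the image, and appends collection and transfer rows to a chain-of-custody CSV. The item IDs, serials, names and the stand-in "image" bytes are constructed; `demo()` also flips one byte of a working copy to show that the recorded digest then fails to verify.

```python
"""Day 1 + Day 2 combined: hash an evidence image, write a sha256sum-style
sidecar, re-verify it, and record collection and transfers in a
chain-of-custody CSV. Added example; file names and values are constructed."""
import csv
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Column set follows the Day 1 log fields; each transfer is a row of its own.
LOG_FIELDS = ["item_id", "description", "source_location", "collected_utc",
              "collected_by", "sha256", "storage_location",
              "transfer_from", "transfer_to", "transfer_utc", "signature"]


def sha256_file(path, chunk_size=4 * 1024 * 1024):
    """Stream the file in 4 MiB chunks so a multi-GB image never sits in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sidecar(image_path):
    """Write '<digest>  <name>' beside the image, the format sha256sum -c reads."""
    image_path = Path(image_path)
    digest = sha256_file(image_path)
    image_path.with_name(image_path.name + ".sha256").write_text(
        f"{digest}  {image_path.name}\n")
    return digest


def verify_image(image_path, expected=None):
    """Re-hash and compare. With no expected digest, read it from the sidecar."""
    image_path = Path(image_path)
    if expected is None:
        sidecar = image_path.with_name(image_path.name + ".sha256")
        expected = sidecar.read_text().split()[0]
    return sha256_file(image_path) == expected.lower()


def append_entry(log_path, **fields):
    """Append one row (collection or transfer); write the header on first use."""
    unknown = set(fields) - set(LOG_FIELDS)
    if unknown:
        raise ValueError(f"not a log field: {sorted(unknown)}")
    log_path = Path(log_path)
    new_file = not log_path.exists()
    with open(log_path, "a", newline="") as f:
        w = csv.DictWriter(f, fieldnames=LOG_FIELDS)
        if new_file:
            w.writeheader()
        w.writerow(fields)  # missing columns are written empty


def read_log(log_path):
    with open(log_path, newline="") as f:
        return list(csv.DictReader(f))


def demo():
    """Run the flow on a constructed stand-in for a dd image; returns results."""
    work = Path(tempfile.mkdtemp(prefix="case-001-"))
    try:
        image = work / "case-001.img"
        image.write_bytes(b"CONSTRUCTED SAMPLE IMAGE\n" * 4096)  # stands in for dd output
        digest = write_sidecar(image)
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        log = work / "evidence-log.csv"
        append_entry(log, item_id="E001",
                     description="USB flash drive 16 GB, serial CONSTRUCTED-1234",
                     source_location="Lab room 12, bench 3",
                     collected_utc=now, collected_by="Student A",
                     sha256=digest, storage_location="Evidence locker B, bag 001",
                     signature="Student A")
        append_entry(log, item_id="E001", sha256=digest,
                     transfer_from="Student A", transfer_to="Instructor",
                     transfer_utc=now, signature="Instructor")
        verified = verify_image(image)  # sidecar digest matches the image
        # A working copy with one flipped byte: the recorded digest no longer matches.
        data = bytearray(image.read_bytes())
        data[0] ^= 0xFF
        tampered = work / "case-001-copy.img"
        tampered.write_bytes(data)
        tampered_verified = verify_image(tampered, expected=digest)
        return {"sha256": digest, "verified": verified,
                "tampered_verified": tampered_verified, "log_rows": read_log(log)}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("sha256:", result["sha256"])
    print("verified:", result["verified"],
          "| tampered copy verified:", result["tampered_verified"])
    for row in result["log_rows"]:
        print({k: v for k, v in row.items() if v})
```

Students can point `write_sidecar` and `verify_image` at the `case-001.img` produced by the `dd` command above; the sidecar it writes is interchangeable with the one `sha256sum | tee` produces, so either tool can verify the other's digest.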

Day 3 - Memory forensics

Sample memory image (provided by teacher). Use Volatility 3:

# Image profile / OS info
python3 vol.py -f memory.dmp windows.info

# Process tree
python3 vol.py -f memory.dmp windows.pstree

# Network connections at capture time
python3 vol.py -f memory.dmp windows.netscan

# Suspicious DLLs / injected code
python3 vol.py -f memory.dmp windows.malfind

# Command-line history
python3 vol.py -f memory.dmp windows.cmdline

Students find three suspicious indicators (e.g., a process running from \AppData\Local\Temp\, a connection to a non-RFC1918 destination on a high port, a malfind hit).
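The three indicator classes above can be checked mechanically against the plugin output, which is useful for students who want to confirm a manual finding. The Python script below is an added example, not part of the lesson pack or Volatility: it applies the "runs from `\AppData\Local\Temp\`", "established connection to a non-RFC1918 address on a high port" and "malfind hit" rules to rows laid out in the tab-separated shape of `windows.cmdline` and `windows.netscan`. All rows, offsets, PIDs and the malfind PID set are constructed, and the column order is an assumption about the plugins' output.

```python
"""Day 3 triage: apply the three indicator classes to Volatility 3 output.
Added example. The rows below are constructed in the tab-separated shape
of windows.cmdline and windows.netscan (column order is assumed)."""
import ipaddress

CMDLINE_ROWS = (
    "PID\tProcess\tArgs\n"
    "4\tSystem\t\n"
    "652\tsvchost.exe\tC:\\Windows\\System32\\svchost.exe -k netsvcs\n"
    "3120\tOUTLOOK.EXE\t\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"\n"
    "4412\tinvoice.pdf.exe\tC:\\Users\\johndoe\\AppData\\Local\\Temp\\invoice.pdf.exe\n"
    "4480\tpowershell.exe\tpowershell.exe -enc <b64>\n"
)

NETSCAN_ROWS = (
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated\n"
    "0x9e0b8c1d0010\tTCPv4\t10.0.0.25\t49712\t10.0.0.5\t445\tESTABLISHED\t4\tSystem\t2025-03-14 09:40:00\n"
    "0x9e0b8c1d0020\tTCPv4\t10.0.0.25\t49801\t198.51.100.42\t4444\tESTABLISHED\t4480\tpowershell.exe\t2025-03-14 09:43:30\n"
    "0x9e0b8c1d0030\tTCPv4\t10.0.0.25\t49803\t52.96.0.10\t443\tESTABLISHED\t3120\tOUTLOOK.EXE\t2025-03-14 09:43:05\n"
    "0x9e0b8c1d0040\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t652\tsvchost.exe\t2025-03-14 09:38:00\n"
)

# Constructed: PIDs for which windows.malfind reported a suspicious region.
MALFIND_PIDS = {4480}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_tsv(text):
    """Turn a header + rows tab-separated dump into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def runs_from_user_temp(args):
    """Indicator 1: the image path sits under a user's AppData\\Local\\Temp."""
    return "\\appdata\\local\\temp\\" in args.lower()


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def suspicious_connection(row, high_port=1024):
    """Indicator 2: established connection to a non-RFC1918 address on a high port.
    The RFC 1918 ranges are checked explicitly because Python's is_private
    also treats documentation ranges such as 198.51.100.0/24 as private."""
    if row["State"] != "ESTABLISHED":
        return False
    ip = ipaddress.ip_address(row["ForeignAddr"])
    if ip.is_loopback or ip.is_unspecified or is_rfc1918(row["ForeignAddr"]):
        return False
    return int(row["ForeignPort"]) >= high_port


def triage(cmdline_text, netscan_text, malfind_pids):
    """Return {pid: [reasons]} for every process that trips at least one rule."""
    procs = {int(r["PID"]): r for r in parse_tsv(cmdline_text)}
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for pid, r in procs.items():
        if runs_from_user_temp(r["Args"]):
            flag(pid, f"{r['Process']} runs from user Temp: {r['Args']}")
    for r in parse_tsv(netscan_text):
        if suspicious_connection(r):
            flag(int(r["PID"]), f"{r['Owner']} -> {r['ForeignAddr']}:{r['ForeignPort']} "
                                f"(non-RFC1918, high port)")
    for pid in malfind_pids:  # Indicator 3: malfind reported this process
        name = procs.get(pid, {}).get("Process", "?")
        flag(pid, f"{name} has a malfind hit")
    return dict(sorted(findings.items()))


if __name__ == "__main__":
    for pid, reasons in triage(CMDLINE_ROWS, NETSCAN_ROWS, MALFIND_PIDS).items():
        print(f"PID {pid}:")
        for reason in reasons:
            print("   -", reason)
```

Note what the rules deliberately do not flag: Outlook's connection to 52.96.0.10:443 is to a public address but on a well-known port, and the SMB session to 10.0.0.5 is inside RFC 1918 space. Students should compare the script's output with the three indicators they found by hand and explain any disagreement.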

Day 4 - Disk forensics

Open sample disk image in Autopsy. Examine:

  • Browser history (Chrome / Firefox / Edge SQLite databases).
  • Prefetch (C:\Windows\Prefetch) - programs that ran.
  • Run keys in registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
  • Scheduled tasks (C:\Windows\System32\Tasks).
  • Recently opened files (%AppData%\Microsoft\Windows\Recent).

Document three artifacts that contribute to the timeline.

Day 5 - Timeline construction

Combine memory + disk findings into a single chronological timeline:

2025-03-14 09:42:15Z  User johndoe logged on (4624)
2025-03-14 09:43:02Z  Outlook.exe spawned (Sysmon 1)
2025-03-14 09:43:11Z  invoice.pdf.exe written to C:\Users\johndoe\Downloads (Sysmon 11)
2025-03-14 09:43:28Z  invoice.pdf.exe executed; child cmd.exe powershell.exe -enc <b64>
2025-03-14 09:43:30Z  Outbound TCP to 198.51.100.42:4444 (Sysmon 3)
2025-03-14 09:43:55Z  Scheduled task "AdobeUpdater" created (4698)
...

Land the line: "The timeline is the story. Build it; test it; defend it."
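The hard part of Day 5 is that each source writes timestamps differently: Security log exports are often in host-local time, Sysmon's UtcTime is UTC, Volatility prints UTC with a suffix, and Autopsy exports may carry an explicit offset. The Python script below is an added example, not part of the lesson pack: it normalises a handful of constructed findings (deliberately given out of order) to UTC, sorts them, prints them in the timeline format above, and annotates the gap to the previous event, which is the first thing to check when "testing" the story. The host's UTC-4 offset is an assumption for this constructed case; in a real case it is read from the host, never assumed.

```python
"""Day 5: merge memory and disk findings, each in its source's own timestamp
form, into one UTC-ordered timeline. Added example; events are constructed
and the host's local zone (UTC-4) is an assumption for this case."""
from datetime import datetime, timedelta, timezone

HOST_UTC_OFFSET_HOURS = -4  # assumed for the imaged host in this constructed case

# Constructed findings, deliberately out of order. "local": True marks a
# timestamp written in host-local time with no zone (Security log export);
# the others are UTC or carry their own offset.
EVENTS = [
    {"source": "Volatility netscan", "ts": "2025-03-14 09:43:30.000000 UTC",
     "desc": "Outbound TCP to 198.51.100.42:4444 from powershell.exe"},
    {"source": "Security 4624", "ts": "2025-03-14 05:42:15", "local": True,
     "desc": "User johndoe logged on"},
    {"source": "Prefetch", "ts": "2025-03-14T05:43:28-04:00",
     "desc": "INVOICE.PDF.EXE last run"},
    {"source": "Sysmon 11", "ts": "2025-03-14 09:43:11.902",
     "desc": "invoice.pdf.exe written to C:\\Users\\johndoe\\Downloads"},
    {"source": "Security 4698", "ts": "2025-03-14 05:43:55", "local": True,
     "desc": "Scheduled task \"AdobeUpdater\" created"},
    {"source": "Sysmon 1", "ts": "2025-03-14 09:43:02.417",
     "desc": "OUTLOOK.EXE spawned"},
]


def to_utc(ts, local=False, offset_hours=HOST_UTC_OFFSET_HOURS):
    """Normalise one timestamp string to an aware UTC datetime (second precision)."""
    s = ts.strip()
    explicit_utc = False
    if s.endswith(" UTC"):
        s, explicit_utc = s[:-4], True
    elif s.endswith("Z"):
        s, explicit_utc = s[:-1], True
    # fromisoformat handles fractional seconds and +HH:MM offsets once the
    # date/time separator is a 'T'.
    dt = datetime.fromisoformat(s.replace(" ", "T", 1))
    if dt.tzinfo is None:
        if explicit_utc or not local:
            dt = dt.replace(tzinfo=timezone.utc)
        else:
            dt = dt.replace(tzinfo=timezone(timedelta(hours=offset_hours)))
    return dt.astimezone(timezone.utc).replace(microsecond=0)


def build_timeline(events):
    """Attach a UTC datetime to every event and return them in time order."""
    out = [{**e, "utc": to_utc(e["ts"], local=e.get("local", False))} for e in events]
    out.sort(key=lambda e: e["utc"])
    return out


def gaps(timeline):
    """Seconds from the previous event; the first entry is 0."""
    return [0] + [int((b["utc"] - a["utc"]).total_seconds())
                  for a, b in zip(timeline, timeline[1:])]


def render(timeline):
    """Lines in the lesson's format: '<UTC>Z  <desc> (<source>)  [+<gap>s]'."""
    return [f"{e['utc']:%Y-%m-%d %H:%M:%S}Z  {e['desc']} ({e['source']})  [+{g}s]"
            for e, g in zip(timeline, gaps(timeline))]


if __name__ == "__main__":
    for line in render(build_timeline(EVENTS)):
        print(line)
```

The gap column is what makes the timeline defensible: the file lands 9 seconds after Outlook starts and runs 17 seconds later, and the outbound connection follows 2 seconds after execution. A gap that runs backwards, or a 4-hour jump between sources that should agree, almost always means one source's zone was handled wrong rather than that the attacker waited.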

Day 6 - Incident report

Template:

# Incident Report - INC-2025-001
## Executive Summary
## Scope + Authorization
## Timeline (above)
## Evidence Inventory + Chain of Custody Log
## Analysis
## Indicators of Compromise (IOCs)
  - File hashes
  - IPs / domains
  - Registry keys
  - Scheduled task names
## Containment + Eradication actions
## Recovery
## Lessons Learned
## Appendix

Common misconceptions

  • "I'll just look at it real quick." - The first action contaminates evidence. Stop. Image. Then look.
  • "Antivirus cleaned it; case closed." - AV cleans known bad. The IR analyst confirms scope and looks for what AV missed (persistence, lateral movement, exfil).

Assessment

  • Day 1 mock chain-of-custody log.
  • Day 2 imaged + hashed deliverable.
  • Day 3 + 4 findings with screenshots.
  • Day 5 timeline.
  • Day 6 incident report - heavy weight.

Career connection

DFIR analysts: $90K–$150K. Senior consulting DFIR (Mandiant / CrowdStrike Services / Unit 42): $150K–$250K+. Court-qualified examiners earn more.

Homework

Read CISA "Containment, Eradication, Recovery" excerpt. Identify two containment actions you would have used in this unit's case had you been on the team in real time.

Ready to use this in class?

Unlock the full Cybersecurity II edition.

All teacher guides, worksheets, scenarios, quizzes, answer keys, and the in-browser presenter for every module in the track. Site-license pricing for schools and districts. Free review copies for verified educators.