Roadmap

Incident Responder

The specialist called when a confirmed breach is underway. Leads the investigation, directs containment, eradicates the threat, and restores operations while preserving evidence and documenting everything for legal, compliance, and lessons-learned purposes.

OPTIMISTIC 2 yearsREALISTIC 3–4 years

Stage 00

Computer & IT Fundamentals

Non-negotiable foundation. IR analysts investigate at the hardware and OS level, so you must understand what you are looking at.

Computer Hardware

CPU, RAM, storage types (HDD, SSD, NVMe) — roles in a system, forensic implications
How data persists on magnetic vs solid-state storage — forensic recovery differences
NIC, motherboard — component roles
Physical vs virtual machines — VMware snapshot forensics, cloud instance acquisition

Number Systems

Binary, hexadecimal, decimal — reading and converting
Memory addresses, file hashes, registry values — all use hex
Data sizes — bit, byte, kilobyte through terabyte

How Operating Systems Work

Kernel vs user space
Processes, threads, memory management — virtual memory, paging
File systems — NTFS, ext4, FAT32 — metadata, slack space, unallocated space
System calls, boot process — BIOS/UEFI → bootloader → kernel → init

Software Basics

How programs compile and execute — PE file format (Windows), ELF format (Linux)
Static vs dynamic libraries — DLL hijacking relevance
Environment variables, services vs applications
Code signing — Authenticode, how attackers bypass or forge signatures

Virtualization

Type 1 and Type 2 hypervisors
Snapshot forensics — acquiring VM snapshots as evidence
Cloud instance acquisition — differences from physical disk imaging

Resources

CS50 (Harvard, free)
Professor Messer CompTIA A+ (free YouTube)
TryHackMe Pre-Security path (free)

Stage 01

Operating Systems in Depth

IR analysts investigate Windows and Linux systems at the file, registry, process, and memory level. Cold familiarity with both is required.

Windows — Forensic Depth

Full directory structure and forensic significance of each location: C:\Windows\Prefetch — execution evidence; C:\Windows\System32\winevt\Logs — event log files; C:\Users\[user]\AppData — browser artifacts, recent files, shellbags; C:\ProgramData — application data, sometimes used for malware staging; C:\Windows\Temp and C:\Users\[user]\AppData\Local\Temp — common malware drop locations; C:\Windows\System32\Tasks — scheduled task XML files; C:\Windows\SysWOW64 — 32-bit subsystem on 64-bit Windows
Registry forensic significance: HKLM\System\CurrentControlSet\Services — installed services; HKLM\Software\Microsoft\Windows\CurrentVersion\Run/RunOnce — startup persistence; HKCU\Software\Microsoft\Windows\CurrentVersion\Run/RunOnce — user-level persistence; HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options — debugger hijacking; AppInit_DLLs — DLL injection persistence; UserAssist — GUI application execution evidence (ROT13 encoded); ShimCache (AppCompatCache) — application execution evidence; MuiCache — executed program display names; BAM/DAM (Background Activity Monitor) — execution timestamps; TypedPaths — recently typed paths in Explorer; RunMRU, OpenSaveMRU — recently run and opened files
Windows artifacts for IR: Prefetch — execution evidence, C:\Windows\Prefetch\[executable]-[hash].pf; Shimcache (AppCompatCache) — HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatCache; Amcache — C:\Windows\AppCompat\Programs\Amcache.hve — program execution with SHA1 hashes; LNK files — shortcut files revealing recently accessed files and paths; Jump Lists — recently accessed files per application; Shellbags — folder access history even after deletion; Thumbcache — image thumbnail evidence; Recycle Bin — $RECYCLE.BIN, deletion timestamp, original path; MFT — Master File Table, NTFS metadata for every file; USN Journal — NTFS change log, file creation/modification/deletion history; Volume Shadow Copies — point-in-time snapshots, ransomware deletion target
Windows memory forensics — LSASS, credential storage, injected code
Windows Event Log IDs — full T2 knowledge plus: 4697 — service installed (slightly different from 7045); 5140 — network share accessed; 5145 — network share object access check; 4663 — object access — file/key access auditing; 4656 — handle requested for object; 4660 — object deleted; 4670 — permissions on object changed

Linux — Forensic Depth

Filesystem hierarchy and IR-relevant locations: /var/log/ — all log directories; /tmp and /dev/shm — volatile staging locations used by attackers; /home/[user]/.bash_history — command history; /home/[user]/.ssh/ — authorized_keys, known_hosts, private keys; /etc/cron.d/, /etc/crontab, /var/spool/cron/ — persistence via cron; /etc/systemd/system/ — systemd service persistence; /etc/passwd, /etc/shadow, /etc/sudoers — account and privilege evidence; /proc/[PID]/ — live process investigation
Linux forensic artifacts: bash_history — command evidence (gaps indicate clearing); /var/log/auth.log — authentication and sudo evidence; auditd logs — syscall-level activity if enabled; lastlog — last login per user; wtmp/btmp — successful/failed login history; /etc/passwd GID 0 entries — root-equivalent account persistence; SUID/SGID binaries — privilege escalation persistence; LD_PRELOAD and /etc/ld.so.preload — library injection persistence
Timestamps — MACB (Modified, Accessed, Changed, Birth) — understanding each
Inode data — file metadata without file name, linking to MFT equivalent concept

Resources

TryHackMe Windows Fundamentals 1/2/3
TryHackMe Linux Fundamentals 1/2/3
OverTheWire Bandit
HTB Academy Windows Fundamentals
13Cubed YouTube channel (Windows forensics, free)

Stage 02

Networking Fundamentals

IR analysts reconstruct network-based attacker activity. Every phase of the kill chain produces network artifacts.

OSI Model — All 7 Layers

Layer attack mapping — where each common attack type operates

TCP/IP

Full handshake and teardown analysis
TCP flags, UDP, ICMP tunneling

IP Addressing

Subnetting, CIDR, private ranges, NAT attribution impact, IPv6

Protocols — Full Depth

DNS, DHCP, HTTP/HTTPS/TLS, SMB, RDP, SSH, Kerberos, LDAP, WinRM, NetBIOS/LLMNR, DCOM/RPC, MSSQL — full understanding for investigation context
Email protocols — SMTP, IMAP, POP3 — phishing investigation relevance
Cloud APIs — HTTPS to AWS/Azure/GCP endpoints — cloud IR context

Common Ports — Full Reference

20/21 FTP | 22 SSH | 23 Telnet | 25 SMTP | 53 DNS | 67/68 DHCP | 80 HTTP | 88 Kerberos | 110 POP3 | 135 RPC | 137-139 NetBIOS | 143 IMAP | 389 LDAP | 443 HTTPS | 445 SMB | 636 LDAPS | 993/995 IMAP/POP3S | 1433 MSSQL | 3306 MySQL | 3389 RDP | 5355 LLMNR | 5432 PostgreSQL | 5985/5986 WinRM | 8080/8443 alt HTTP

Network Infrastructure — IR Context

Firewall log analysis for attack reconstruction
Proxy logs for C2 callback identification
DNS logs for exfiltration and C2 detection
NetFlow analysis — conversation-level traffic without payload

Resources

Professor Messer Network+ (free YouTube)
TryHackMe networking modules

Stage 03

Security Fundamentals

Full security fundamentals required. Security+ is the baseline cert.

Security Fundamentals

CIA Triad, AAA, threat/vulnerability/risk
Authentication, cryptography — symmetric, asymmetric, hashing, PKI, TLS
Malware types — all categories with behavioral characteristics
Attack types — full catalog including LotL, Pass-the-Hash, Kerberoasting, supply chain
Defensive controls — SIEM, EDR, SOAR, DLP, IDS/IPS
Frameworks — NIST CSF, MITRE ATT&CK, Cyber Kill Chain, CIS Controls, NIST 800-53, NIST 800-61, PCI-DSS, HIPAA, GDPR, DoD 8570
IR frameworks — NIST SP 800-61 and SANS PICERL in full detail

Resources

Professor Messer Security+ SY0-701 (free YouTube)
Jason Dion Security+ (Udemy)

Stage 04

Traffic Analysis & Network Forensics

IR analysts reconstruct attacker network activity from PCAPs, NetFlow, proxy logs, and DNS logs.

Wireshark — Advanced

All T1 and T2 Wireshark skills
tshark — command-line scripting of PCAP analysis
TLS decryption with pre-master secret log
JA3/JA3S fingerprinting for C2 tool identification
Reconstructing lateral movement traffic — SMB auth, RDP, WinRM sessions
Identifying credential exposure in cleartext protocols
Kerberoasting and AS-REP Roasting traffic patterns
LLMNR/NBT-NS poisoning patterns
DCSync traffic — DRSUAPI GetNCChanges from non-DC source
DNS tunneling — dnscat2, iodine traffic signatures

Network Forensics Tools

tcpdump — advanced filtering, scripting, pcap replay
NetworkMiner — automated host, file, credential extraction
Zeek — full log suite, investigation pivoting by uid/conn_uid
Suricata — rule analysis, eve.json investigation, alert-to-PCAP correlation
Arkime — full PCAP search and session reconstruction
Rita — beacon detection on Zeek conn.log
Snort — legacy rule format for environments still running it
NetworkMiner — passive reconstruction from PCAP
nmap — understanding scan output in investigation context (not IR tool itself)

NetFlow Analysis

NetFlow vs IPFIX vs sFlow — protocol differences
NetFlow collectors — ntopng, Elastic, Plixer
What NetFlow reveals — conversation-level data (src/dst IP, port, bytes, packets, duration) without payload
Using NetFlow for lateral movement detection — internal host communication patterns
Using NetFlow for data exfiltration — outbound byte volume spikes
Limitations — encrypted traffic, no payload, sampling rate impact on accuracy

Resources

Malware-Traffic-Analysis.net (free PCAPs)
HTB Academy Network Traffic Analysis module
TryHackMe Wireshark rooms
Rita (github.com/activecm/rita, free)

Stage 05

Log Analysis — Multi-Source

IR requires simultaneous correlation across Windows event logs, Sysmon, EDR, firewall, proxy, DNS, cloud, and application logs to reconstruct a full attack chain.

Multi-Source Timeline Reconstruction

Normalizing timestamps — UTC everywhere, epoch conversion, ISO 8601
Timeline tools — log2timeline/Plaso for automated super-timeline creation
Plaso — psort.py for filtering and sorting super-timeline output
Timeline Explorer — Eric Zimmermann tool for CSV timeline analysis
Manual timeline building — spreadsheet or markdown for smaller investigations

Windows Event Logs — IR Depth

All T2 Event IDs plus investigation chaining for IR scenarios: Initial access chain: EID 4625 (failed logon) → 4624 (success) → 4688 (process creation) → 4698 (scheduled task); Lateral movement chain: 4648 (explicit credentials) on source → 4624 type 3 on target → 4688 child processes on target; DCSync chain: 4662 on domain controller (object access with replication permissions); Credential dumping: Sysmon 10 (LSASS access) → 4624 type 9 (new credentials) on other hosts; Persistence chain: 7045 (new service) or 4698 (scheduled task) → 4624 + 4688 on subsequent reboot/trigger

Active Directory Forensics

AD replication metadata — object change timestamps surviving log clearing
ntds.dit — AD database file, C:\Windows\NTDS\ntds.dit — offline extraction with VSS
SYSTEM hive — required alongside ntds.dit for decryption
impacket secretsdump — extracting hashes from ntds.dit
BloodHound / SharpHound — attack path analysis, understanding attacker lateral movement logic
AD tombstone data — deleted objects retained 180 days, evidence of account manipulation

Cloud Log Analysis

AWS CloudTrail — management events and data events: Key attacker actions: ConsoleLogin, CreateUser, AttachUserPolicy, CreateAccessKey, GetSecretValue, PutBucketPolicy, RunInstances, CreateRole, AssumeRole; CloudTrail Insights — anomaly detection on API call volume; S3 data event logs — object-level access tracking for exfiltration investigation; VPC Flow Logs — network traffic metadata (src/dst IP, port, protocol, bytes, accepted/rejected)
Azure Activity Log and Entra ID: Key attacker actions: Add member to role, Create user, Reset password, Create application, Add credentials to application; Entra ID sign-in logs — MFA bypass indicators, suspicious locations, legacy auth protocols; Microsoft Defender for Cloud — security alert integration; Storage account access logs — blob access for exfiltration investigation
GCP Audit Logs: Admin Activity — resource creation/modification; Data Access — object reads (requires explicit enabling); System Events — automated platform actions; Key attacker actions: SetIamPolicy, CreateServiceAccount, CreateKey, storage.objects.get

Application Logs

Web application logs — SQLi, RCE, webshell upload indicators
Database logs — SQL Server error log, MySQL general query log — SQL injection chains
Exchange / Microsoft 365 — mail flow logs, mailbox audit logs, inbox rule creation events
VPN logs — authentication events, session duration, data transfer volume
Active Directory Federation Services (ADFS) — token issuance logs for credential-based attacks

Resources

HTB Academy Windows Event Logs & Finding Evil module
Eric Zimmermann tools (free, ericzimmermann.com)
log2timeline/Plaso (free, GitHub)
TryHackMe Log Analysis rooms
SANS DFIR cheat sheets (free)

Stage 06

SIEM & EDR — Investigation Depth

IR analysts use SIEM and EDR as investigation platforms, not just alert queues. Speed of evidence gathering determines investigation quality.

SIEM for IR

Splunk SPL for IR investigations: Building complete attacker timelines from multiple sourcetypes; Correlating by username across authentication, process, and network events; Identifying all hosts a compromised user authenticated to; Finding all processes spawned by a specific parent during an incident window; Identifying data staging — large file creation in staging directories; Measuring dwell time — first attacker event to detection
Microsoft Sentinel KQL for IR: Cross-workspace queries for multi-tenant environments; Joining endpoint, identity, and network tables for full kill chain; Custom hunting queries from incident IOCs
Query patterns every IR analyst should have ready: All authentication events for a compromised user in a 7-day window; All processes spawned by cmd.exe or powershell.exe on a specific host; All outbound connections from a compromised host by destination IP and bytes; All new scheduled tasks created in a 30-day window; All failed then successful logons from external IPs

EDR for IR — Forensic Use

CrowdStrike — RTR live response for active investigation, Threat Graph for lateral movement visualization, Event Search for raw telemetry
Microsoft Defender for Endpoint — Advanced Hunting multi-table joins, Live Response for artifact collection, device timeline for chronological reconstruction
SentinelOne — Deep Visibility telemetry search, Storyline for attack chain visualization
Carbon Black — process search, network connections, binary reputation, watchlist alerts
Live response for evidence collection — running processes, network connections, file hashes, log collection, memory acquisition initiation

Resources

Splunk free training (splunk.com)
Boss of the SOC (BOTS) dataset (free)
Microsoft Learn Advanced Hunting (free)
CrowdStrike free training portal

Stage 07

Digital Forensics — Deep

IR analysts must be able to acquire and analyze forensic evidence from endpoints, memory, and storage with legally defensible methodology.

Forensics Principles

Order of volatility — CPU registers → RAM → swap/page → network state → running processes → disk → optical/removable
Evidence preservation — write blockers (hardware: Tableau T35es, software: dc3dd), hashing before and after (MD5, SHA-256, SHA-512)
Chain of custody — documentation requirements, admissibility in legal proceedings
Forensic imaging types: Physical (bit-for-bit) — dd, dc3dd, FTK Imager — captures all sectors including deleted and unallocated; Logical — files only, no deleted data, used when physical impractical; Sparse — targeted acquisition of specific artifacts; Cloud — AWS snapshot, Azure managed disk export, GCP disk image
What not to do — do not power cycle, do not run tools that write to disk, do not mount drives read-write

Memory Forensics — Full

Acquisition tools: WinPMEM — open source, works on modern Windows, outputs raw or E01; Magnet RAM Capture — free, GUI-based, good for live acquisition; DumpIt — single executable, fast acquisition; FTK Imager — memory acquisition plus disk imaging in one tool; LiME (Linux Memory Extractor) — kernel module for Linux memory acquisition
Volatility 3 — full command set for IR: windows.pslist — running processes (can be manipulated by rootkits); windows.psscan — scan memory for EPROCESS structures (detects hidden processes); windows.pstree — process tree visualization; windows.cmdline — command line arguments per process; windows.netscan — network connections and sockets at acquisition time; windows.netstat — active connections at acquisition time; windows.dlllist — loaded DLLs per process (detect injected DLLs); windows.malfind — suspicious memory regions with executable permissions not backed by file on disk; windows.handles — open handles per process; windows.svcscan — running Windows services from memory; windows.registry.hivelist — loaded registry hives; windows.hashdump — NTLM password hashes from memory; windows.cachedump — domain cached credentials; windows.lsadump — LSA secrets from memory; windows.dumpfiles — extract file objects from memory; windows.vadinfo — Virtual Address Descriptor — memory region permissions; linux.bash — recover bash history from Linux memory; linux.pslist / linux.psscan — Linux process listing

Disk Forensics — Full

FTK Imager — physical and logical image creation, E01/raw format, hash verification, evidence item management, AD1 (logical) format
Autopsy — full forensic analysis platform: Data source types — disk image, local disk, VM image, logical files; Timeline analysis — MAC time event ordering; Keyword search — regular expression and exact match across image; Hash database lookup — NSRL known-good, custom malicious hash sets; Recent documents and web artifacts — automatic extraction; Communication artifacts — email, messaging apps; Android/iOS artifacts — mobile forensics basics; Report generation — HTML and Excel output
Sleuth Kit (TSK) command-line tools — fls, icat, fsstat, img_stat for scripted analysis
Eric Zimmermann tools — comprehensive Windows artifact parsing: MFTECmd — Master File Table parsing, creation/modification/access/change timestamps; PECmd — Prefetch file parsing, execution evidence and linked files; AppCompatCacheParser — Shimcache parsing, execution evidence; AmcacheParser — Amcache.hve parsing with SHA1 hashes; RECmd — Registry Explorer, browsing and parsing registry hives; JLECmd — Jump List parsing (recently accessed files per application); LECmd — LNK file parsing (shortcut file metadata); SBECmd — Shellbag parsing (folder access history); WxTCmd — Windows Timeline (ActivitiesCache.db) parsing; RBCmd — Recycle Bin ($I file) parsing; SrumECmd — SRUM (System Resource Usage Monitor) parsing — execution and network usage history
KAPE (Kroll Artifact Parser and Extractor): Targets — defined collection sets: Windows Event Logs, Prefetch, Shimcache, Amcache, MFT, registry hives, browser artifacts, LNK files, jump lists; Modules — parsing collected artifacts with EZ tools, Volatility, etc.; triage.kape — rapid deployment collection; Remote collection via KAPE Enterprise
Velociraptor — enterprise endpoint forensic and monitoring platform: VQL (Velociraptor Query Language) — artifact collection queries; Hunt capability — run artifacts across thousands of endpoints simultaneously; Live response and forensic collection at scale; Artifact library — Windows.KapeFiles.Targets, Windows.Forensics.Prefetch, etc.

Email Forensics — Deep

Email header analysis — full Received chain reconstruction
SPF/DKIM/DMARC — validation results, spoofing indicators
X-Originating-IP — sender's true IP in some configurations
Message-ID analysis — uniqueness, origin indicators
Microsoft 365 email forensics: Message Trace — mail flow history; Unified Audit Log — mailbox access, rule creation, delegation changes; eDiscovery — legal hold, content search; Mailbox audit log — read, send, delete events per mailbox
Exchange forensics — transaction logs, mailbox database analysis
Phishing analysis workflow: Extract all URLs from email body and attachments; Detonate URLs in sandbox (Any.run, URLScan.io); Hash all attachments, check VirusTotal, MalwareBazaar; Analyze macro content in Office documents — olevba, oletools; Check for HTML smuggling, credential harvesting kits

Mobile Forensics — Awareness

iOS and Android acquisition types — full, logical, filesystem, cloud
Common mobile forensics tools — Cellebrite UFED, Magnet AXIOM, MSAB XRY (awareness level)
Mobile artifacts relevant to IR — location data, messaging apps, cloud sync

Resources

TryHackMe Windows Forensics 1/2 (free)
TryHackMe Linux Forensics (free)
HTB Academy Introduction to Digital Forensics module
HTB Academy DFIR path
13Cubed YouTube channel (free)
Eric Zimmermann tools (free, ericzimmermann.com)
KAPE documentation (free)
Autopsy documentation (free)
Volatility 3 documentation (free)

Stage 08

Malware Analysis — Triage Level

IR analysts do not need to be malware reverse engineers, but must be able to triage malware samples encountered during investigations to extract IOCs and understand behavior.

Static Analysis

File identification — file command, magic bytes, extension vs actual type
Hash calculation — md5sum, sha256sum, CertUtil on Windows — immediate VirusTotal lookup
PE file structure — DOS header, PE header, sections (.text, .data, .rsrc, .idata), imports, exports
PE analysis tools: PEStudio — PE file inspection, imports, exports, strings, VirusTotal integration; PEview — manual PE structure inspection; DIE (Detect-It-Easy) — packer/protector/compiler identification; pestudio — metadata, entropy, imported functions, strings
String extraction — strings command (Linux), FLOSS (FireEye FLARE Obfuscated String Solver) for obfuscated strings
Import analysis — which Windows API functions are imported (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread = injection; InternetOpenUrl, HttpSendRequest = C2; CryptEncrypt = ransomware)
Entropy analysis — high entropy (.text with >7.0) indicates packing or encryption
Code signing — Authenticode verification, certificate chain analysis
YARA rule matching — running known-malicious YARA rules against sample

Dynamic Analysis — Sandboxing

Any.run — interactive sandbox, real-time process tree, network connections, file drops, registry changes
Joe Sandbox — automated deep analysis, full report with IOCs and ATT&CK mapping
Hybrid Analysis (CrowdStrike) — automated sandbox with community threat intelligence
Cuckoo Sandbox — open source, self-hosted option for sensitive samples
Capturing IOCs from sandbox reports: File hashes (MD5, SHA256) — all dropped files; Network IOCs — C2 IPs, domains, URLs, User-Agent strings; Registry persistence — Run keys, services, scheduled tasks written; Mutex names — unique mutex strings used to prevent re-infection; Process injection indicators — injected processes, memory permissions; File system indicators — dropped filenames, paths, extensions

Malware Behavior Categories

Droppers and loaders — first-stage execution, second-stage download
RATs (Remote Access Trojans) — C2 communication, persistence, capability overview
Ransomware mechanics — file enumeration, shadow copy deletion, encryption key management, ransom note placement
Information stealers — credential scraping targets, browser data, clipboard
Rootkits — kernel-level hooks, API hooking for detection evasion
Fileless malware — PowerShell/WMI execution, no disk artifact except in memory
Webshells — PHP/ASPX/JSP variants, detection in web server logs and file system

IOC Extraction from Malware

Network IOCs — hardcoded IPs, domains, URLs, User-Agent strings, URI paths
Host IOCs — dropped file hashes, file paths, registry keys, service names, mutex names
Behavioral IOCs — process creation patterns, network connection timing, file encryption patterns

Resources

Any.run (free tier)
Hybrid Analysis (free)
TryHackMe Malware Analysis rooms (free)
TryHackMe REMnux rooms (free)
HTB Academy Malware Analysis Fundamentals module
PEStudio (free)
FLOSS (FireEye, free)
remnux.org (free malware analysis Linux distro)

Stage 09

Scripting for IR

IR analysts write scripts to automate evidence collection, IOC extraction, timeline building, and reporting.

Python for IR

All T2 scripting fundamentals plus IR-specific applications: bulk IOC enrichment — query VirusTotal, Shodan, AbuseIPDB APIs for lists of IPs/hashes/domains; Log timeline builder — ingest multiple log formats, normalize timestamps, sort, output unified CSV; Plaso integration — scripting psort.py filters for specific timeframes and artifact types; KAPE output processor — parse KAPE module output into investigation-ready format; Registry hive parser — python-registry library for programmatic registry analysis; EVTX parser — python-evtx library for programmatic event log analysis; Email header parser — extract sender chain, SPF/DKIM results, X-headers from .eml files; Automated MISP event creation from incident IOCs; Evidence manifest generator — hash all collected files, generate chain-of-custody CSV

PowerShell for IR

Live triage scripts: Collect running processes, services, scheduled tasks, network connections, logged-on users — output to structured CSV; Hash all executables in suspicious directories and compare against known-good baseline; Extract all recently created accounts and group membership changes; Pull all Sysmon event logs for a specific time window and host; Enumerate all persistence mechanisms (run keys, scheduled tasks, services, WMI subscriptions, startup folders)
Remote collection via Invoke-Command across multiple hosts
Active Directory investigation: Find all admin accounts created in last 30 days; Find accounts with AdminSDHolder protection inconsistencies; Enumerate all SPNs (Service Principal Names) — Kerberoasting target identification; Find all accounts with "Do not require Kerberos pre-authentication" (AS-REP Roasting targets)

Bash for IR

Linux live triage — collect processes, network connections, users, cron jobs, SUID files, recent modifications
Log analysis one-liners for rapid investigation
find commands for suspicious file discovery — world-writable, recent creation, unusual permissions
Comparing file manifests before and after incident window

Resources

Python for Everybody (Coursera, free)
Automate the Boring Stuff (free)
TryHackMe Python basics
Eric Zimmermann tool documentation (free)

Stage 10

Incident Response — Leadership & Practice

Hands-on IR practice simulating real-world breach scenarios. This is where all prior stages combine under time pressure.

IR Frameworks in Practice

NIST SP 800-61 Rev 2 — full lifecycle execution
SANS PICERL — Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
CISA IR playbooks — free official playbooks for ransomware, phishing, web application compromise

Incident Scenarios — Full Execution

Ransomware response: Isolate all affected hosts via EDR; Identify patient zero — earliest encrypted files, earliest suspicious process; Determine initial access vector — phishing, RDP brute force, vulnerable public service; Map lateral movement path from patient zero to full deployment; Identify data exfiltration (double extortion) — outbound transfer evidence; Validate backup integrity before restoration; Reconstruct full timeline for executive brief
Business Email Compromise (BEC): Identify compromised mailbox via sign-in log analysis; Review OAuth consents granted — persistent access even after password reset; Audit inbox rules created — auto-forward to external address; Review sent mail for lateral phishing or supplier fraud emails; Assess financial transactions initiated during compromise window; Full account remediation — password reset, MFA re-enrollment, OAuth consent revocation, rule deletion
APT / Long Dwell Investigation: Start from known IOC and work backward; Identify earliest artifact across all available log sources; Map full lateral movement path — which hosts, which accounts, which techniques; Identify persistence mechanisms deployed (may be multiple); Assess data staged and exfiltrated; Determine scope — number of affected systems, duration of access
Supply Chain Compromise: Identify all systems with affected software installed; Determine if malicious update was executed (not just installed); Hunt for C2 beacons from affected hosts using vendor-provided IOCs; Assess privilege level of compromised software — SYSTEM service vs user application

IR Documentation

Incident ticket structure — every action logged with timestamp, analyst, action, result
Evidence log — every artifact collected with hash, collection time, method, analyst
Formal incident report structure: Executive summary — what happened, business impact, current status; Timeline — chronological sequence from initial access to detection to containment; Technical details — affected systems, attacker TTPs, IOCs; Root cause — actual initial access vector, contributing factors; Response actions — containment steps, eradication actions, recovery steps; Recommendations — detection improvements, architectural changes, process updates
Lessons learned facilitation — structured meeting format, blameless retrospective
Regulatory notification — GDPR 72-hour breach notification, HIPAA breach notification, SEC 4-day material cybersecurity incident disclosure

Practice Platforms

CyberDefenders — complex multi-artifact IR investigations (Endpoint, Network, Memory forensics combined)
TryHackMe — Digital Forensics and Incident Response path
HTB Academy — DFIR track, Incident Handling with Splunk
Blue Team Labs Online — IR challenge scenarios
DFIR.training — curated list of DFIR practice resources (free index)
Boss of the SOC (BOTS) — Splunk-based investigation with realistic attacker data

FAQ

Common questions

How long does it take to become an Incident Responder?

2 years optimistic at 20–25 hours/week, 3–4 years realistic. The fastest path runs SOC T1 → SOC T2/Threat Hunter → IR Analyst, because each step builds the investigation depth IR demands. Pure self-taught paths exist but require obsessive lab practice — there's no substitute for the experience of confirming a real incident and choosing what to contain first. Salaries skew higher than SOC because the work is harder and the bar is higher.

Which certifications matter for IR roles?

GCIH (GIAC Certified Incident Handler) is the canonical IR cert and most-listed in postings. GCFE for endpoint forensics depth. GCFA for advanced forensics. CySA+ as an entry-level signal. SANS-track certs are expensive but the content is genuinely the gold standard for IR. Consulting firms (Mandiant, CrowdStrike Services, Unit 42, Secureworks) sponsor SANS frequently for hires they want to develop.

Do I need a degree to do incident response?

Helpful but not required. Federal IR roles often require a bachelor's plus clearance. Corporate and consulting IR routinely hire self-taught analysts with strong portfolios and lab work. What you do need: forensic instinct, calm under pressure (incidents are stressful), and clear technical writing. IR reports are the deliverable — if you can't write a clean one, you can't progress past T1.

What separates a hired Incident Responder?

Documented investigation writeups. Public CTF DFIR challenge solutions, lab investigations using Sysmon + Velociraptor, sample IR reports on public datasets — these signal capability beyond theoretical knowledge. Other differentiators: malware analysis basics (static + sandbox), cloud incident response (AWS, Azure, M365), and at least one full IR report sample showing scoping, timeline, root cause, and remediation. Consulting firm IR analysts earn $105K–$130K+ with consulting premiums.

Incident Responder

Common questions

Related roles