This specialist-level course is for professionals whose role requires them to capture and analyse data from ‘live’ systems. It introduces the latest guidelines and artefacts on current Windows operating systems, and teaches essential skills for conducting an efficient and comprehensive investigation.

Course Overview

This five-day course is designed to provide you with the confidence and skills to isolate, investigate and extract evidence from a live networked environment (as you would expect to find in a home or business network) during or after a cyber incident.

You will spend a large proportion of the course practising these skills and methods in both physical and virtual network environments that replicate the challenges faced by investigators in both the office and home cyber event scenarios.



You will need a good understanding and experience of:

  • The forensic investigation process
  • Windows and Linux operating systems
  • Command line interface
  • Computer networks

We strongly recommend completion of the 7Safe CFIP and CLFP courses as a minimum before attending this course.


This is an intensive training course designed for experienced forensic investigators and cyber security practitioners who already have a good knowledge of forensic investigation and want to extend their skills, including:

  • Law enforcement officers & agents
  • Digital investigators
  • Cyber incident response team members
  • IT security officers
  • System/Network Administrators/Engineers
  • eDiscovery consultants

Delegates will learn how to


You will learn and practice the critical skills needed to identify the correct forensic artefacts in a live network environment and how to preserve, extract and interpret them. We will show you how to correctly acquire and handle dynamic forensic evidence so that you do not inadvertently alter or destroy vital clues that could potentially result in your investigation failing or the resultant evidence being inadmissible in court.

Upon completion of the course you will:

  • understand how home and office networks work
  • be able to reduce your digital footprint when accessing a network
  • have the skills to identify and capture network traffic
  • be able to identify a cyber event
  • have the knowledge of how to examine and analyse relevant data artefacts
  • be able to identify and capture relevant log files
  • understand how to identify and collect volatile data types
  • be able to secure and access a live network
  • have the ability to identify devices attached to a network
  • be able to identify and collect suspect network traffic (Ethernet and Wi-Fi)
  • have learnt remote network collection methodologies and techniques


This course will enable you to:

  • Learn a number of methodologies for undertaking a sound cyber investigation
  • Acquire and practice new techniques to extract relevant data from a live networked
  • environment
  • Gain confidence when identifying and capturing live operating system artefacts
  • Improve your ability to respond effectively to a cyber event



Throughout the course, your time will be equally split between being taught the methods and principles required to isolate, investigate and extract evidence in a live network environment and applying these in practical, hands-on exercises based on real life scenarios, created in a set of physical and virtual networks. Topics covered will include:

1. Investigation Principles and Strategy

a. ACPO Guideline - The Four Principles

b. Competency

c. ISO Standards

d. Applicable Law

2. Computer Networks

a. What is a computer network?

b. Types of computer network

c. Network topologies

3. Network Reference Models

a. OSI Model

b. TCP/IP Model

4. Network Addressing

a. IPv4

b. IPv6

c. MAC Address

5. Network Protocols

a. Ports

b. What are protocols?

c. Transport layer protocols

d. Other protocols of interest

6. Network Environments

a. Home network

b. Business/office network

c. Public network

7. Network Devices

a. Computer (Desktop/Server)

b. Hub

c. Switch

d. Router

e. Other devices

8. Information Gathering

  1. Analysis Environments

  2. Identifying equipment

  3. Accessing a network

  4. Network mapping

  5. Network traffic

  6. Accessing Nodes (Computer, Switch, Router, other devices)

  7. Reducing your digital footprint

  8. Windows Management Instrumentation Command Line

  9. PowerShell

  10. Remote imaging and data collection

9. A Cyber Analysis Process

a. Correlating Results

b. Data Interpretation

10. Simplifying Complex Evidence

a. Subject knowledge levels

b. Clarity, simplicity, brevity

c. Reporting