Law Enforcement/Counterintelligence Forensics Analyst 1 - Job Role Training


Looking to become a Law Enforcement or Counterintelligence Forensics Analyst? This package consists of hands-on labs focusing on that NIST National Initiative for Cybersecurity Education (NICE) work role. Completing these labs will help you learn the skills needed for a job in the area. A follow-on package, "Law Enforcement/Counterintelligence Forensics Analyst 2", is also available for more in-depth practice with these job skills.


Prerequisites vary by lab, but are generally: familiarity with the Unix/Linux command line and basic networking concepts (TCP/IP, DNS, etc.).


14 hours, self-paced. Pause and continue at any time.


  • Introductory File System Forensics
    Disk-based analysis is the cornerstone of cyber forensics, whether it be to track what a suspect was doing or simply to recover accidentally deleted files. This lab introduces students to the process of imaging and forensically analyzing disks, including finding artifacts such as deleted files. The free Autopsy® forensic browser will be used in addition to command-line programs from the open-source Sleuth Kit® tool set.
  • Introduction to Memory Analysis with Rekall
    Analyzing a suspect system "live", before disconnecting it and imaging the disks, often yields valuable forensic evidence. Further, it can help you determine whether a crime has been committed at all, or whether the system contains evidence at all, thereby avoiding time-consuming examination of irrelevant machines. Rekall is an advanced, open-source memory capture and analysis framework that has expanded to include a variety of live incident response tools. This lab introduces students to the Rekall framework, both for extracting evidence from memory images and for analyzing the current live state of the system. Students will learn about several Rekall tools, both on the command line and via the interactive console, for analyzing memory images. Students will then analyze several images of Windows systems with in-memory malware.
  • Windows Forensics Artifacts
    A security analyst will likely be asked some time in his or her career to conduct a forensic analysis of a Windows workstation or server. In this lab the student will learn about _forensic artifacts_ commonly found on Windows computers. Forensic artifacts are traces of user activity left behind on a computer even after the user logs out or the computer is shut down.
  • Packet Capture Analysis and Manipulation
    Get valuable experience extracting data from network packet captures! Students will use Wireshark® to analyze network packet traces containing normal network traffic and active attacks. Detailed information will be extracted from the traces by examining packets and by using Wireshark's built-in analysis and PCAP-manipulation tools.
  • Log Analysis with RSYSLOG
    This lab teaches students to set up and configure a central RSYSLOG server that will receive and store logs from FreeBSD, Linux and Windows clients.
  • Protocol Analysis I: Wireshark Basics
    Where do you begin in network traffic analysis? Learn the process for examining a live or pre-recorded packet capture file using graphical tools such as Wireshark. Is there malicious activity? Learn to think like an attacker, going through the same methods the attacker would, to assess whether what you're seeing is "normal" or signs of an attack. At the same time, students will run basic network scans using nmap, while seeing how they appear in Wireshark. Finally, students will analyze packet traces indicative of HTTP-based attacks.
  • Protocol Analysis II: Extracting Data from Network Traffic
    Build on what you learned in Protocol Analysis I, this time using command line tools and techniques. You will use the ubiquitous tcpdump program, starting with simple capture tasks and then building up to complex filtering and display options. In the process, you will dig deeply into TCP and IP header fields, learning how these can be used to find the traffic you're interested in. You will examine ICMP, SSH, and HTTP traffic, including that from web shells commonly used in attacks. With the techniques learned in this exercise, you will be able to gather and filter packet capture data from server systems, then later process it on graphical security operations workstations.


  • Law Enforcement/Counterintelligence Forensics Analyst
