Lesson 1
Email and messaging sources: mailbox exports, SMTP/IMAP logs, message headers, retention policies, and eDiscovery considerations

This section covers evidentiary artifacts from email and messaging platforms, including mailbox exports, protocol logs, message headers, retention rules, and eDiscovery workflows, emphasizing authenticity, completeness, and defensible collection methods suitable for Eritrea.

- Mailbox export formats and tools
- SMTP, IMAP, and POP server logs
- Message headers and routing analysis
- Retention and legal hold policies
- Chat and collaboration message exports

Lesson 2
Overview of corporate evidence sources: endpoints, servers, cloud services, email, collaboration platforms, VPN, DLP, MDM, SaaS audit logs

This section provides a structured overview of common corporate evidence sources, including endpoints, servers, cloud services, email, collaboration platforms, VPN, DLP, MDM, and SaaS audit logs, highlighting typical artifacts and access considerations in Eritrean businesses.

- Endpoint and workstation artifacts
- Server and database log sources
- Email and collaboration platforms
- Network, VPN, and remote access logs
- DLP, MDM, and SaaS audit telemetry

Lesson 3
Data Loss Prevention and SIEM sources: DLP alerts, content inspection logs, SIEM event correlation and alert ingestion patterns

This section explores Data Loss Prevention and SIEM platforms as rich evidence sources, explaining DLP alert artifacts, content inspection logs, SIEM normalization, correlation rules, alert triage, and ingestion patterns that affect completeness and investigative value in Eritrea.

- DLP alert metadata and context
- Content inspection and fingerprint logs
- Endpoint versus network DLP signals
- SIEM parsing and normalization rules
- Correlation rules and use case tuning

Lesson 4
Application and collaboration platform evidence: audit logs, file version history, sharing links, access control lists, and collaboration metadata

This section focuses on application and collaboration platforms, examining audit logs, file version histories, sharing links, access control lists, and collaboration metadata, and explains how to reconstruct user actions and document access during investigations in Eritrean settings.

- Application audit and activity logs
- File version history and recovery
- Sharing links and external access
- Access control lists and permissions
- Collaboration comments and reactions
- Exporting workspace audit trails

Lesson 5
Prioritization and legal holds: determining scope for quick preservation and issuing legal hold notices to custodians and systems

This section explains how to prioritize evidence and implement legal holds, defining scope, identifying custodians and systems, issuing hold notices, coordinating with legal and HR, and monitoring compliance to prevent spoliation or premature deletion in Eritrea.

- Scoping custodians and data sources
- Risk-based evidence prioritization
- Drafting and issuing legal holds
- Coordinating with legal and HR teams
- Monitoring hold compliance and release

Lesson 6
Network and perimeter evidence: VPN logs, proxy and firewall logs, NetFlow, packet captures (PCAP) collection and retention best practices

This section details network and perimeter evidence, including VPN, proxy, and firewall logs, NetFlow and IPFIX records, and packet captures, with guidance on time synchronization, storage, filtering, and defensible retention strategies for investigations in Eritrea.

- VPN authentication and session logs
- Proxy and web gateway activity logs
- Firewall rule hits and deny events
- NetFlow and IPFIX flow records
- Packet capture collection strategies
- Network log retention and rotation

Lesson 7
Mobile and removable media: mobile device backups, MDM logs, USB device histories and Windows device installation logs

This section examines mobile devices and removable media as evidence sources, focusing on backup artifacts, MDM telemetry, USB usage traces, and Windows device installation logs, with attention to preservation, validation, and chain of custody in Eritrean contexts.

- iOS and Android backup artifacts
- MDM inventory and compliance logs
- USB connection and usage histories
- Windows device installation records
- Preserving mobile and USB evidence

Lesson 8
Server and cloud data acquisition: API-based exports, storage snapshots, object storage metadata, cloud provider audit logs (AWS CloudTrail, Azure AD logs, Google Workspace audit)

This section addresses server and cloud data acquisition, including API-based exports, storage snapshots, object storage metadata, and cloud provider audit logs, with emphasis on scoping, throttling, integrity validation, and cross-region evidence preservation for Eritrea.

- Agent-based versus agentless collection
- Hypervisor and VM snapshot workflows
- Object storage metadata and versions
- AWS CloudTrail and CloudWatch logs
- Azure AD and Microsoft 365 audits
- Google Workspace and GCP audit logs

Lesson 9
Endpoint data acquisition: live response, volatile data capture, full disk imaging, filesystem snapshots

This section covers endpoint data acquisition techniques, including live response, volatile memory capture, full disk imaging, and filesystem snapshots, with attention to tool selection, minimizing impact, and maintaining evidentiary integrity and documentation in Eritrea.

- Live response triage procedures
- RAM and volatile data collection
- Full disk and partition imaging
- Filesystem and volume snapshots
- Validating hashes and chain of custody