Lesson 1
Email and messaging sources: mailbox exports, SMTP/IMAP logs, message headers, retention policies, and eDiscovery considerations

This section covers the key evidence available from email and messaging platforms: mailbox exports, server logs, message headers, retention policies, and eDiscovery workflows, with emphasis on authenticity, completeness, and forensically sound collection methods.
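The routing analysis this lesson refers to starts with the Received headers: each relay prepends one, so reading them bottom-up reconstructs the path, and the timestamps and host names on consecutive hops should agree with each other. The following is an added example for this lesson, not course material; the message, hosts, and addresses are constructed (documentation IP ranges), and the origin hop's clock has deliberately been set ahead of the next relay so that the delay check has something to report.

```python
"""Reconstruct an email's delivery path from its Received headers.

Added example for this lesson, not course code. The message is constructed;
hostnames and IPs are fictional (documentation ranges).
"""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message. Each relay prepends its own Received header,
# so the first one listed is the last server that handled the message.
SAMPLE_MESSAGE = """\
Received: from mx-inbound.example.net (mx-inbound.example.net [203.0.113.10])
    by mail.corp.example (Postfix) with ESMTPS id 4F2A1C3
    for <alice@corp.example>; Tue, 05 Mar 2024 09:15:47 +0000
Received: from relay.partner.example (relay.partner.example [198.51.100.7])
    by mx-inbound.example.net with ESMTP id x7y8z9
    for <alice@corp.example>; Tue, 05 Mar 2024 09:15:44 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by relay.partner.example with ESMTPA id a1b2c3;
    Tue, 05 Mar 2024 09:20:00 +0000
From: "Accounts Payable" <ap@partner.example>
To: alice@corp.example
Subject: Invoice 4471
Message-ID: <4471@partner.example>

Please see attached.
"""

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"          # claimed sending host (HELO name or address literal)
    r"(?:\s+\((?P<paren>[^)]*)\))?"  # optional reverse DNS / IP added by the receiver
    r"\s+by\s+(?P<by>\S+)"           # receiving host
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_message):
    """Return hops in transmission order (origin first) with UTC timestamps."""
    msg = message_from_string(raw_message)
    hops = []
    # get_all returns headers top-down; reverse to get origin-to-destination order.
    for header in reversed(msg.get_all("Received", [])):
        header = " ".join(header.split())  # unfold continuation lines
        m = HOP_RE.search(header)
        if not m:
            continue
        ip_match = IP_RE.search(m.group("paren") or "")
        # The timestamp is whatever follows the last ';' in the header.
        ts = parsedate_to_datetime(header.rsplit(";", 1)[1].strip())
        hops.append({
            "from": m.group("from"),
            "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by"),
            "time": ts.astimezone(timezone.utc),
        })
    return hops


def hop_delays(hops):
    """Seconds between consecutive hops. A negative value means the earlier
    relay's clock was ahead of the later one, or the header was forged."""
    return [int((b["time"] - a["time"]).total_seconds())
            for a, b in zip(hops, hops[1:])]


def broken_chain(hops):
    """(by, next from) pairs where a hop's receiving host is not the host the
    next hop claims to have received from; a gap suggests an inserted header."""
    return [(a["by"], b["from"]) for a, b in zip(hops, hops[1:])
            if a["by"].lower() != b["from"].lower()]


if __name__ == "__main__":
    path = parse_hops(SAMPLE_MESSAGE)
    for hop in path:
        print(hop["time"].isoformat(), hop["from"], "->", hop["by"], hop["ip"])
    print("delays:", hop_delays(path), "chain gaps:", broken_chain(path))
```

The origin hop's IP (192.0.2.55) is the one worth preserving; everything in the `from` token before it is asserted by the sender and can be forged. Only the headers added by servers the organisation controls should be treated as trustworthy, which is why the export should come from the mail server or a journaling mailbox rather than the recipient's client.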
Lesson 1 topics:
Mailbox export formats and tools
SMTP, IMAP, and POP server logs
Message headers and routing analysis
Retention and legal hold policies
Chat and collaboration message exports

Lesson 2
Overview of corporate evidence sources: endpoints, servers, cloud services, email, collaboration platforms, VPN, DLP, MDM, SaaS audit logs

This section surveys the usual corporate evidence sources: endpoints, servers, cloud services, email, collaboration platforms, VPN, DLP, MDM, and SaaS audit logs, noting the common artifacts each holds and how to obtain access to them.
Lesson 2 topics:
Endpoint and workstation artifacts
Server and database log sources
Email and collaboration platforms
Network, VPN, and remote access logs
DLP, MDM, and SaaS audit telemetry

Lesson 3
Data Loss Prevention and SIEM sources: DLP alerts, content inspection logs, SIEM event correlation and alert ingestion patterns

This section examines DLP and SIEM systems as evidence sources: DLP alerts, content inspection logs, SIEM event correlation, alert triage, and ingestion patterns that determine how complete and useful the evidence is to an investigation.
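The ingestion and correlation points in this lesson come down to two steps: map each product's native format onto one schema, then write rules over the normalized stream. The following added example (not course code) does both for a constructed pair of DLP feeds: a key=value line format from an endpoint agent and a JSON format from a network DLP gateway. The field names, product names and sample lines are assumptions for illustration; real products use their own.

```python
"""Normalize two constructed DLP feeds onto one schema and run a correlation rule.

Added example for this lesson, not course code. Log formats, field names and
sample lines are constructed; real DLP products use different names.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample lines, interleaved as a SIEM would receive them:
# a JSON alert from a network DLP gateway and key=value lines from an endpoint agent.
RAW_EVENTS = [
    '{"@timestamp":"2024-03-05T09:01:10Z","product":"net-dlp","user":"bob",'
    '"verdict":"BLOCK","policy":"PCI","dest":"https://files.example.net",'
    '"file":"q4_cardholders.xlsx","match_count":412}',
    'ts=2024-03-05T09:03:22Z product=endpoint-dlp user=bob action=ALLOW '
    'policy="PCI" dest=usb:SanDisk_Ultra file="q4_cardholders.xlsx" matches=412',
    'ts=2024-03-05T09:04:05Z product=endpoint-dlp user=carol action=ALLOW '
    'policy="PII" dest=usb:Kingston file="notes.txt" matches=2',
    'ts=2024-03-05T11:30:00Z product=endpoint-dlp user=bob action=BLOCK '
    'policy="PCI" dest=usb:SanDisk_Ultra file="q4_cardholders.xlsx" matches=412',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize(line):
    """Map one raw line onto the common schema:
    time, source, user, action, policy, dest, file, matches."""
    if line.lstrip().startswith("{"):
        e = json.loads(line)
        return {"time": _iso(e["@timestamp"]), "source": e["product"], "user": e["user"],
                "action": e["verdict"].upper(), "policy": e["policy"], "dest": e["dest"],
                "file": e["file"], "matches": int(e["match_count"])}
    e = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {"time": _iso(e["ts"]), "source": e["product"], "user": e["user"],
            "action": e["action"].upper(), "policy": e["policy"], "dest": e["dest"],
            "file": e["file"], "matches": int(e["matches"])}


def correlate_block_then_usb(events, window=timedelta(minutes=5)):
    """Rule: a network DLP BLOCK followed within `window` by the same user writing
    the same file to removable media. The endpoint agent may well have ALLOWED
    that write (different policy, different channel), which is exactly why the
    two signals have to be joined rather than triaged separately."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, blk in enumerate(events):
        if not (blk["source"] == "net-dlp" and blk["action"] == "BLOCK"):
            continue
        for later in events[i + 1:]:
            if later["time"] - blk["time"] > window:
                break  # events are sorted, so nothing further can be in the window
            if (later["user"] == blk["user"] and later["file"] == blk["file"]
                    and later["dest"].startswith("usb:")):
                findings.append({
                    "user": blk["user"], "file": blk["file"], "policy": blk["policy"],
                    "blocked_at": blk["time"], "usb_at": later["time"],
                    "usb_device": later["dest"][len("usb:"):],
                    "endpoint_verdict": later["action"],
                })
    return findings


if __name__ == "__main__":
    normalized = [normalize(line) for line in RAW_EVENTS]
    for f in correlate_block_then_usb(normalized):
        print(f"{f['user']} blocked uploading {f['file']} at {f['blocked_at']:%H:%M:%S}, "
              f"wrote it to USB {f['usb_device']} at {f['usb_at']:%H:%M:%S} "
              f"(endpoint verdict {f['endpoint_verdict']})")
```

Two things in the rule matter for evidence completeness: the window is applied after sorting on normalized UTC time, so feeds that arrive late or out of order still correlate, and the rule keys on user plus file name rather than on the alert ID, since the endpoint and network products know nothing about each other's identifiers. Bob's 11:30 USB BLOCK is outside the window and is not reported; whether that is the right tuning is a use-case decision, and the window is the parameter to adjust.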
Lesson 3 topics:
DLP alert metadata and context
Content inspection and fingerprint logs
Endpoint versus network DLP signals
SIEM parsing and normalization rules
Correlation rules and use case tuning

Lesson 4
Application and collaboration platform evidence: audit logs, file version history, sharing links, access control lists, and collaboration metadata

This section covers application and collaboration platforms: audit logs, file version history, sharing links, access control lists, and collaboration metadata, and shows how to reconstruct user actions and file access during an investigation.
Lesson 4 topics:
Application audit and activity logs
File version history and recovery
Sharing links and external access
Access control lists and permissions
Collaboration comments and reactions
Exporting workspace audit trails

Lesson 5
Prioritization and legal holds: determining scope for quick preservation and issuing legal hold notices to custodians and systems

This section shows how to prioritize evidence and issue legal holds: defining scope, identifying custodians and systems, sending hold notices, coordinating with legal and HR, and monitoring compliance so that evidence is not lost or deleted before it is preserved.
Lesson 5 topics:
Scoping custodians and data sources
Risk-based evidence prioritization
Drafting and issuing legal holds
Coordinating with legal and HR teams
Monitoring hold compliance and release

Lesson 6
Network and perimeter evidence: VPN logs, proxy and firewall logs, NetFlow, packet captures (PCAP) collection and retention best practices

This section details network and perimeter evidence: VPN, proxy, and firewall logs, NetFlow records, and packet captures, with guidance on time synchronization, storage, filtering, and retention strategies that keep the data usable for investigations.
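Flow records are the network source most likely to still exist weeks after the fact, because they are small enough to retain, and the time-synchronization point above bites hardest there: exporters and collectors are often configured with different local time offsets. The following is an added example for this lesson, not course code. It reads a constructed CSV export of IPFIX-style records, normalizes every timestamp to UTC before sorting, then aggregates outbound volume per external destination and flags long sessions. The CSV column layout, the 192.0.2.0/24 "internal" range, and the rows are assumptions for illustration.

```python
"""Aggregate constructed NetFlow/IPFIX-style records to find bulk outbound transfers.

Added example for this lesson, not course code. The CSV layout, the internal
range and the rows are constructed; two rows deliberately carry a +02:00 offset
to show why timestamps are normalized before anything else.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # assumed corporate range

SAMPLE_FLOWS = """\
start,end,src,sport,dst,dport,proto,bytes
2024-03-05T09:00:01+00:00,2024-03-05T09:00:03+00:00,192.0.2.20,51422,198.51.100.5,443,tcp,4120
2024-03-05T11:02:00+02:00,2024-03-05T11:09:30+02:00,192.0.2.20,51508,203.0.113.77,443,tcp,812345678
2024-03-05T09:05:10+00:00,2024-03-05T09:05:11+00:00,192.0.2.31,40101,198.51.100.5,443,tcp,2210
2024-03-05T09:06:00+00:00,2024-03-05T09:06:02+00:00,198.51.100.9,443,192.0.2.20,51600,tcp,98000
2024-03-05T09:10:00+00:00,2024-03-05T09:10:05+00:00,192.0.2.20,51701,203.0.113.77,443,tcp,5100
"""


def parse_flows(text):
    """Parse CSV rows, normalize timestamps to UTC, return flows sorted by start."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = dict(row)
        rec["start"] = datetime.fromisoformat(row["start"]).astimezone(timezone.utc)
        rec["end"] = datetime.fromisoformat(row["end"]).astimezone(timezone.utc)
        rec["bytes"] = int(row["bytes"])
        rec["sport"], rec["dport"] = int(row["sport"]), int(row["dport"])
        flows.append(rec)
    return sorted(flows, key=lambda f: f["start"])


def outbound_bytes_by_pair(flows):
    """Sum bytes per (internal src, external dst); inbound and internal-only flows are ignored."""
    totals = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            totals[(f["src"], f["dst"])] += f["bytes"]
    return dict(totals)


def flag_bulk_transfers(flows, threshold_bytes=100 * 1024 * 1024):
    """(src, dst, total_bytes, first_seen_utc) for pairs at or over the threshold, largest first."""
    first_seen = {}
    for f in flows:  # flows are already sorted, so the first hit is the earliest
        first_seen.setdefault((f["src"], f["dst"]), f["start"])
    hits = [(s, d, b, first_seen[(s, d)])
            for (s, d), b in outbound_bytes_by_pair(flows).items() if b >= threshold_bytes]
    return sorted(hits, key=lambda h: -h[2])


def sessions_longer_than(flows, seconds):
    """(src, dst, duration_s) for flows whose duration exceeds `seconds`."""
    return [(f["src"], f["dst"], int((f["end"] - f["start"]).total_seconds()))
            for f in flows if (f["end"] - f["start"]).total_seconds() > seconds]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, total, first in flag_bulk_transfers(flows):
        print(f"{src} -> {dst}: {total / 2**20:.1f} MiB, first seen {first.isoformat()}")
    print("long sessions:", sessions_longer_than(flows, 300))
```

After normalization the +02:00 record sorts into its true place at 09:02 UTC, and the per-pair sum (not the single largest flow) is what crosses the threshold, which is the right unit when a transfer is split across several connections. For retention, these records are what to keep for the longest window; full packet captures should be filtered to the flagged pairs and time range before they are archived, since unfiltered PCAP is rarely retainable for long.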
Lesson 6 topics:
VPN authentication and session logs
Proxy and web gateway activity logs
Firewall rule hits and deny events
NetFlow and IPFIX flow records
Packet capture collection strategies
Network log retention and rotation

Lesson 7
Mobile and removable media: mobile device backups, MDM logs, USB device histories and Windows device installation logs

This section treats mobile devices and removable media as evidence sources: device backups, MDM logs, USB device histories, and Windows device installation logs, with attention to preservation, verification, and chain of custody.
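The Windows device installation log (C:\Windows\INF\setupapi.dev.log) records driver installation, so each section there marks the first time a given device was connected, not every connection; its timestamps are the machine's local time and must be converted to UTC using the host's time zone before they are lined up with other sources. The following is an added example, not course code: it parses sections written in the style of that log and pairs the hub-level USB entry with the USBSTOR entry for the same serial. The log lines are constructed to imitate the layout (fictional serials and times) and the regular expressions are the example's own assumptions about it.

```python
r"""Extract first-connection times for USB devices from setupapi.dev.log-style text.

Added example, not course code. The lines below imitate the layout of
C:\Windows\INF\setupapi.dev.log but are constructed (fictional serials and
times). Timestamps in the real log are local time, not UTC.
"""
import re
from datetime import datetime

SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567890123]
>>>  Section start 2024/03/05 09:12:33.412
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 09:12:33.420
<<<  Section end 2024/03/05 09:12:35.001
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2024/03/05 09:12:35.200
<<<  Section end 2024/03/05 09:12:36.900
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_0951&PID_1666\0019E06B2C3D4E5F]
>>>  Section start 2024/03/07 17:48:02.001
<<<  Section end 2024/03/07 17:48:03.330
<<<  [Exit status: FAILURE(0xe0000203)]
"""

# One install section: header line, start line, anything, exit status line.
SECTION_RE = re.compile(
    r">>>\s+\[Device Install \((?P<trigger>[^)]*)\) - (?P<id>[^\]]+)\]\s*\n"
    r">>>\s+Section start (?P<start>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
    r".*?<<<\s+\[Exit status: (?P<status>[^\]]+)\]",
    re.DOTALL,
)
USB_ID_RE = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})\\(?P<serial>[^\\&]+)", re.I)
USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<ven>[^&]+)&Prod_(?P<prod>[^&]+)&Rev_[^\\]*\\(?P<serial>[^&\\]+)", re.I)


def parse_device_installs(text):
    """One record per install section, with VID/PID or vendor/product split out."""
    installs = []
    for m in SECTION_RE.finditer(text):
        dev_id = m.group("id")
        rec = {
            "device_id": dev_id,
            "class": dev_id.split("\\", 1)[0].upper(),
            "trigger": m.group("trigger"),
            "first_seen_local": datetime.strptime(m.group("start"), "%Y/%m/%d %H:%M:%S.%f"),
            "status": m.group("status"),
        }
        if (u := USB_ID_RE.match(dev_id)):
            rec.update(vid=u["vid"].upper(), pid=u["pid"].upper(), serial=u["serial"])
        elif (s := USBSTOR_RE.match(dev_id)):
            rec.update(vendor=s["ven"], product=s["prod"], serial=s["serial"])
        installs.append(rec)
    return installs


def usb_storage_timeline(installs):
    """Join each USBSTOR (mass storage) entry to the hub-level USB entry with the
    same serial, so vendor/product, VID/PID and first-seen time land in one row."""
    hub_by_serial = {r["serial"]: r for r in installs
                     if r["class"] == "USB" and "serial" in r}
    rows = []
    for r in installs:
        if r["class"] != "USBSTOR":
            continue
        hub = hub_by_serial.get(r["serial"])
        rows.append({
            "serial": r["serial"], "vendor": r["vendor"], "product": r["product"],
            "vid": hub["vid"] if hub else None, "pid": hub["pid"] if hub else None,
            "first_seen_local": (hub or r)["first_seen_local"], "status": r["status"],
        })
    return rows


if __name__ == "__main__":
    found = parse_device_installs(SAMPLE_LOG)
    for row in usb_storage_timeline(found):
        print(row)
    for r in found:
        if not r["status"].startswith("SUCCESS"):
            print("failed install:", r["device_id"], r["status"])
```

The serial is the join key to the rest of the USB history (the registry's USBSTOR and MountedDevices keys, and the per-user MountPoints2 entries hold later connections and the drive letter), and a failed install section still proves the device was attached. Collect the log as part of the disk image, or copy it with its timestamps preserved and hash it, rather than opening it in place on the live system.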
Lesson 7 topics:
iOS and Android backup artifacts
MDM inventory and compliance logs
USB connection and usage histories
Windows device installation records
Preserving mobile and USB evidence

Lesson 8
Server and cloud data acquisition: API-based exports, storage snapshots, object storage metadata, cloud provider audit logs (AWS CloudTrail, Azure AD logs, Google Workspace audit)

This section covers server and cloud data acquisition: API-based exports, storage snapshots, object storage metadata, and cloud provider audit logs, with emphasis on scoping the collection, API rate limits, integrity verification, and retention across regions.
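CloudTrail is the cloud audit log this lesson names first, and it is a good illustration of the acquisition constraints: the console's event history only reaches back 90 days and the LookupEvents API is throttled, so the durable copy is the S3 trail bucket, whose per-hour digest files can be checked afterwards with `aws cloudtrail validate-logs`. Once the files are in hand, analysis is a matter of reading the record fields. The following is an added example, not course code or AWS SDK usage: it loads a constructed trail file that follows the CloudTrail record layout (eventTime, eventSource, eventName, userIdentity, sourceIPAddress, readOnly, responseElements) and builds a per-principal timeline plus two triage views. Account IDs, ARNs, names and addresses are fictional.

```python
"""Triage a constructed AWS CloudTrail log file.

Added example, not course code or AWS SDK usage. Records follow the CloudTrail
record layout but are constructed; account, ARNs, users and IPs are fictional.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

_BOB = {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"}
_ALICE = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/alice"}

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-03-05T08:58:10Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": _BOB, "sourceIPAddress": "203.0.113.77",
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication", "readOnly": False},
    {"eventVersion": "1.08", "eventTime": "2024-03-05T08:59:02Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": _BOB, "sourceIPAddress": "203.0.113.77",
     "responseElements": {"ConsoleLogin": "Success"}, "readOnly": False},
    {"eventVersion": "1.08", "eventTime": "2024-03-05T09:01:40Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": _BOB, "sourceIPAddress": "203.0.113.77",
     "requestParameters": {"userName": "svc-backup"}, "readOnly": False},
    {"eventVersion": "1.08", "eventTime": "2024-03-05T09:02:15Z",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": _BOB, "sourceIPAddress": "203.0.113.77", "readOnly": True},
    {"eventVersion": "1.08", "eventTime": "2024-03-05T09:30:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": _ALICE, "sourceIPAddress": "198.51.100.4", "readOnly": True},
]})


def load_records(text):
    """Parse a trail file; CloudTrail eventTime is always UTC."""
    recs = json.loads(text)["Records"]
    for r in recs:
        r["_time"] = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(recs, key=lambda r: r["_time"])


def principal(rec):
    """Stable label for who acted: IAM user name, else the (assumed-role) ARN."""
    ident = rec["userIdentity"]
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _login_result(rec):
    if rec["eventName"] != "ConsoleLogin":
        return None
    return rec.get("responseElements", {}).get("ConsoleLogin")


def timeline_by_principal(recs):
    """Per principal: (time, service, API call, source IP, error) in order."""
    tl = defaultdict(list)
    for r in recs:
        tl[principal(r)].append((r["_time"], r["eventSource"].split(".")[0], r["eventName"],
                                 r["sourceIPAddress"], r.get("errorCode") or r.get("errorMessage")))
    return dict(tl)


def console_login_failures(recs):
    """Failed console logins counted per (principal, source IP)."""
    return Counter((principal(r), r["sourceIPAddress"]) for r in recs
                   if _login_result(r) == "Failure")


def write_calls_after_login(recs):
    """Non-read-only API calls a principal made after a successful console login
    from the same IP: the first things to review after a suspected credential misuse."""
    logged_in, hits = set(), []
    for r in recs:
        key = (principal(r), r["sourceIPAddress"])
        if _login_result(r) == "Success":
            logged_in.add(key)
        elif key in logged_in and not r.get("readOnly", True):
            hits.append((key[0], r["eventName"], r["_time"]))
    return hits


if __name__ == "__main__":
    records = load_records(SAMPLE_TRAIL)
    for who, events in timeline_by_principal(records).items():
        print(who)
        for t, svc, name, ip, err in events:
            print(f"  {t:%H:%M:%S} {svc}:{name} from {ip}" + (f" error={err}" if err else ""))
    print("login failures:", dict(console_login_failures(records)))
    print("writes after login:", write_calls_after_login(records))
```

The `readOnly` flag is what separates reconnaissance (ListBuckets, DescribeInstances) from change (CreateAccessKey) without maintaining a hand-written list of mutating calls. The same approach carries over to the other providers named in the lesson, with different field names: Microsoft 365 unified audit records and Google Workspace activity exports also carry an actor, a timestamp, an event name and a source address.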
Lesson 8 topics:
Agent-based versus agentless collection
Hypervisor and VM snapshot workflows
Object storage metadata and versions
AWS CloudTrail and CloudWatch logs
Azure AD and Microsoft 365 audits
Google Workspace and GCP audit logs

Lesson 9
Endpoint data acquisition: live response, volatile data capture, full disk imaging, filesystem snapshots

This section covers endpoint acquisition methods: live response, volatile memory capture, full disk imaging, and filesystem snapshots, focusing on tool selection, minimizing the footprint on the system, and preserving evidence integrity through documentation.
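Whatever tool produces the image, integrity rests on the same routine: hash the image at acquisition, record the hashes with the evidence identifier, and re-hash and compare before every examination and transfer, logging each step. The following is an added example, not course code: it hashes a file in fixed-size chunks (so a multi-terabyte image does not have to fit in memory), verifies it against an acquisition manifest, appends a chain-of-custody entry, and then shows that a single flipped byte fails verification. The manifest and custody-log layouts are this example's own assumptions, and the "image" is a constructed temporary file.

```python
"""Hash a disk image in chunks, verify it against an acquisition manifest,
and append a chain-of-custody entry.

Added example, not course code. The image is a constructed temporary file;
the manifest and custody-log formats are assumptions for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat regardless of image size


def hash_file(path, algos=("md5", "sha256")):
    """Compute several digests in one pass over the file (one read, N hashers)."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        while block := fh.read(CHUNK):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data, algo="sha256"):
    """Digest of an in-memory buffer, for checking small artifacts or test vectors."""
    return hashlib.new(algo, data).hexdigest()


def verify_manifest(path, manifest):
    """Re-hash the image and compare with the digests recorded at acquisition.
    Returns (ok, list_of_algorithms_that_disagree)."""
    fresh = hash_file(path, tuple(manifest["hashes"]))
    bad = [a for a, expected in manifest["hashes"].items()
           if fresh[a].lower() != expected.lower()]
    return (not bad, bad)


def custody_entry(manifest, action, actor, verified_ok, log_path):
    """Append one JSON line. Every entry repeats the evidence ID and SHA-256 so a
    single line is meaningful on its own if the rest of the log is questioned."""
    entry = {
        "evidence_id": manifest["evidence_id"],
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "actor": actor,
        "verified": verified_ok,
        "sha256": manifest["hashes"]["sha256"],
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Acquire a constructed 3 MiB image, record the manifest, verify, log the
    acquisition, then flip one byte and verify again."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "pc-0421.dd")
        log = os.path.join(d, "custody.jsonl")
        with open(image, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 17))  # odd size: exercises the final short chunk
        manifest = {"evidence_id": "CASE-0421-E01", "hashes": hash_file(image)}
        ok_before, _ = verify_manifest(image, manifest)
        custody_entry(manifest, "acquired", "examiner1", ok_before, log)
        with open(image, "r+b") as fh:  # simulate tampering: flip one bit mid-file
            fh.seek(CHUNK + 5)
            original = fh.read(1)
            fh.seek(CHUNK + 5)
            fh.write(bytes([original[0] ^ 0x01]))
        ok_after, bad = verify_manifest(image, manifest)
        custody_entry(manifest, "verify_before_exam", "examiner2", ok_after, log)
        with open(log, encoding="utf-8") as fh:
            entries = [json.loads(line) for line in fh if line.strip()]
        return {"ok_before": ok_before, "ok_after": ok_after,
                "mismatched": sorted(bad), "log_entries": len(entries),
                "last_verified": entries[-1]["verified"]}


if __name__ == "__main__":
    print(demo())
```

Recording two algorithms is common practice because older case files and tools report MD5 while current ones expect SHA-256; a mismatch on either is a stop sign, and the custody log then shows exactly which handling step it appeared after. The same hash-then-log routine applies to memory captures and filesystem snapshots, where the chunked read also avoids holding the capture in memory twice.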
Lesson 9 topics:
Live response triage procedures
RAM and volatile data collection
Full disk and partition imaging
Filesystem and volume snapshots
Validating hashes and chain of custody