Lesson 1: Email and messaging sources: mailbox exports, SMTP/IMAP logs, message headers, retention policies, and eDiscovery considerations
This part covers evidence artifacts from email and messaging platforms, including mailbox exports, protocol logs, message headers, retention rules, and eDiscovery workflows, stressing authenticity, completeness, and robust collection methods.
Topics:
- Mailbox export formats and tools
- SMTP, IMAP, and POP server logs
- Message headers and routing analysis
- Retention and legal hold policies
- Chat and collaboration message exports

Lesson 2: Overview of corporate evidence sources: endpoints, servers, cloud services, email, collaboration platforms, VPN, DLP, MDM, SaaS audit logs
This part gives a structured overview of common corporate evidence sources, including endpoints, servers, cloud services, email, collaboration platforms, VPN, DLP, MDM, and SaaS audit logs, highlighting typical artifacts and access considerations.
Topics:
- Endpoint and workstation artifacts
- Server and database log sources
- Email and collaboration platforms
- Network, VPN, and remote access logs
- DLP, MDM, and SaaS audit telemetry

Lesson 3: Data Loss Prevention and SIEM sources: DLP alerts, content inspection logs, SIEM event correlation and alert ingestion patterns
This part explores Data Loss Prevention and SIEM platforms as rich evidence sources, explaining DLP alert artifacts, content inspection logs, SIEM normalization, correlation rules, alert triage, and ingestion patterns that affect completeness and investigative value.
Topics:
- DLP alert metadata and context
- Content inspection and fingerprint logs
- Endpoint versus network DLP signals
- SIEM parsing and normalization rules
- Correlation rules and use case tuning

Lesson 4: Application and collaboration platform evidence: audit logs, file version history, sharing links, access control lists, and collaboration metadata
This part focuses on application and collaboration platforms, examining audit logs, file version histories, sharing links, access control lists, and collaboration metadata, and explains how to reconstruct user actions and document access during investigations.
Topics:
- Application audit and activity logs
- File version history and recovery
- Sharing links and external access
- Access control lists and permissions
- Collaboration comments and reactions
- Exporting workspace audit trails

Lesson 5: Prioritization and legal holds: determining scope for rapid preservation and issuing legal hold notices to custodians and systems
This part explains how to prioritize evidence and implement legal holds, defining scope, identifying custodians and systems, issuing hold notices, coordinating with legal and HR, and monitoring compliance to prevent spoliation or premature deletion.
Topics:
- Scoping custodians and data sources
- Risk-based evidence prioritization
- Drafting and issuing legal holds
- Coordinating with legal and HR teams
- Monitoring hold compliance and release

Lesson 6: Network and perimeter evidence: VPN logs, proxy and firewall logs, NetFlow, packet capture (PCAP) collection and retention best practices
This part details network and perimeter evidence, including VPN, proxy, and firewall logs, NetFlow and IPFIX records, and packet captures, with guidance on time synchronization, storage, filtering, and robust retention strategies for investigations.
Topics:
- VPN authentication and session logs
- Proxy and web gateway activity logs
- Firewall rule hits and deny events
- NetFlow and IPFIX flow records
- Packet capture collection strategies
- Network log retention and rotation

Lesson 7: Mobile and removable media: mobile device backups, MDM logs, USB device histories, and Windows device installation logs
This part examines mobile devices and removable media as evidence sources, focusing on backup artifacts, MDM telemetry, USB usage traces, and Windows device installation logs, with attention to preservation, validation, and chain of custody.
Topics:
- iOS and Android backup artifacts
- MDM inventory and compliance logs
- USB connection and usage histories
- Windows device installation records
- Preserving mobile and USB evidence

Lesson 8: Server and cloud data acquisition: API-based exports, storage snapshots, object storage metadata, cloud provider audit logs (AWS CloudTrail, Azure AD logs, Google Workspace audit)
This part addresses server and cloud data acquisition, including API-based exports, storage snapshots, object storage metadata, and cloud provider audit logs, with emphasis on scoping, throttling, integrity validation, and cross-region evidence preservation.
Topics:
- Agent-based versus agentless collection
- Hypervisor and VM snapshot workflows
- Object storage metadata and versions
- AWS CloudTrail and CloudWatch logs
- Azure AD and Microsoft 365 audits
- Google Workspace and GCP audit logs

Lesson 9: Endpoint data acquisition: live response, volatile data capture, full disk imaging, filesystem snapshots
This part covers endpoint data acquisition techniques, including live response, volatile memory capture, full disk imaging, and filesystem snapshots, with attention to tool selection, minimizing impact, and maintaining evidentiary integrity and documentation.
Topics:
- Live response triage procedures
- RAM and volatile data collection
- Full disk and partition imaging
- Filesystem and volume snapshots
- Validating hashes and chain of custody