search menu icon-carat-right cmu-wordmark

Advanced Forensic Response and Analysis

The CERT Advanced Forensic Response and Analysis course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations. The goal of the course is to advance collection and processing skills of the students by outlining a structured process or flow to an incident response and intrusion investigation. Students will learn the pros and cons of common evidence collection measures and forensic analysis steps, methods for organizing analysis to identify relevant evidentiary data, and common areas containing items of evidentiary value to further their investigations.


The course is an advanced forensic training course designed for forensic analysts in the public or private sector looking to build on their current forensic knowledge. Students should be active computer forensic professionals with an understanding of core forensic and information technology principles. Students who currently conduct incident response and/or intrusion investigations should find the course helpful to extend their knowledge base. Students who currently conduct other types of computer forensic investigations will find it opens the door to new collection and analysis techniques. The course is designed to be fast-paced. Students should have more than a basic understanding of common forensic principles, including evidence collection and analysis, and should actively conduct computer forensic investigations as part of their current position.


At the completion of this course students will have the ability to better perform the following tasks:

  • Prepare for an intrusion investigation, including performing reconnaissance and developing a known toolset
  • Best practices for responding to an incident and methods to collect the most relevant data to their investigations.
  • Methods for performing analysis of victim and perpetrator systems. Students will be able to identify malicious applications, correlate system events with file activity, perform runtime analysis of malicious applications and identify resident artifacts subsequent to the intrusion.


  • Incident Preparation
  • Incident Response
  • Evidence Collection from Live Systems
  • Malicious Software Identification
  • Malicious Software Runtime Analysis
  • Timeline Generation and Analysis
  • Analysis of Windows System Artifacts


Participants will receive a course notebook and a downloadable copy of course material.


This is an advanced course. Students should have a solid understanding of Windows operating systems and windows artifacts, such as prefetch files, restore points, registry files and event logs. Students should also have a good understanding of Linux operating systems, including how to run applications from the terminal. Students should be familiar with developing a known or trusted toolset and evidence collection. Students should also be familiar with malicious software files. Knowledge of VMWare and virtual machine environments is required. Previous usage of forensic software applications such an EnCase, FTK and/or Sleuthkit is required.

Course Fees [USD]

  • U.S. Industry: $2,700.00
  • U.S. Govt/Academic: $2,200.00
  • International: $3,800.00


This three-day course meets at the following times:

Days 1-3: 8:30 a.m.-5:00 p.m.

This course may be offered by special arrangement at customer sites. For details, please email or telephone at +1 412-268-1817.

Course Questions?

Phone: 412-268-7388
FAX: 412-268-7401

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.