Tactical Digital Forensics (TDF)

Please call for additional course dates.

A Proficiency-Based Course that Explores Digital Forensics and Malware Analysis


  • Investigate real malware, including TDL4, Spybot, and Metasploit backdoors
  • Memory forensics: learn how to find malware that bypasses antivirus solution
  • Discover how reading network traffic assists with finding artifacts and identifying malicious behavior


TDF is a course that will teach you about the inner workings of Windows 7, as it relates to live forensics and malware analysis.

Have you ever wondered how computer forensic experts know if a process that was run was malware? Do you want the skills to investigate a system to see if it was infected? TDF is a course designed to provide in-depth digital forensic knowledge of the Microsoft Windows operating systems. This proficiency-based course takes a hands-on approach by allowing students to work with live malware samples to discover and analyze malicious network traffic, malicious artifacts in volatile memory (RAM), and infected File Systems. The course also focuses on other techniques that will allow the student to gain a holistic understanding of what really happens on a system during a malware infection (Timeline analysis, Analysis of supplemental artifacts, File System Journal Analysis). TDF is ideal for Windows System Administrators who need to come up to speed on how to better identify system malware, Penetration testers, CNO and CNE analysts who would like to know what type of artifacts are left by their activities, and CND analysts who would like to improve their skill set.

Malware Delivery Chain






Students will actively run real malware in a sandboxed environment. All rootkits and malware are analyzed in a realistic network with routing and servers set up to perform the malware delivery chain, just as in real world situations. Student receive hands-on experience with Redkit, TDL4, Spybot, and other kits. Students will become proficient cyber defenders using the skills learned in TDF.
Download Course Sheet


Vouchers are a way to pre-pay for a course and let your employees sign up to take the course at a later date.

Purchase Voucher


You begin the first day working with a malicious threat. You will exploit a target and see what it looks like from the attacker’s point of view.


You will learn how to use the Sysinternals Suite, native tools (netstat, tasklist, etc.), and some introductory Powershell scripting to automate process analysis. Using these tools, you will locate running malware and discover persistence vectors.


During file system analysis you will look for forensic artifacts and perform a timeline analysis to see the chain of events. You will use log2timeline, mount hard drives and use forensic tools on them. You will also learn how to pull a copy of the hard drive using open source tools.


You will see what an exploit kit (like Redkit) looks like on the network, explore packet analysis with an introduction to Wireshark and extract files from a .pcap and identify indications of malicious activity and network scans.


You will perform analysis on other artifacts using various techniques to identify malware, or to prove file usage/file knowledge. Some of the artifacts that will be analyzed are as follows:
• Prefetch files
• Volume Shadow Copy Service
• Interesting Registry Keys
• Shellbags


You will learn about Crash Dump Analysis, Windows Memory Manager and the Windows boot process. You’ll also learn how DLL injection works.


You will run multiple malware executables and learn how they work. You’ll also learn how to make a signature for malware executables as an Indicator of Compromise (IOC) and check other systems on the network for IOCs.


Finally, you’ll complete a scenario driven final assessment where you will respond to an intrusion detection incident. You’ll use forensic techniques learned in class to fully enumerate the attack/method(s) the attacker used to gain access to the target system, associated implants, tools, files, timeline, and attack server organization.

At Parrot Labs Cyber Mission Training, we make it easy. You show up, we provide the tools. Our classroom facility is conveniently located near the BWI airport, and just down the street from a hotel where you can stay if you’re from out of town.


Each student is provided with a high-end workstation consisting of an i7 quad-core with 16Gb RAM. You will also have two monitors that provide the visual space necessary to comfortably perform a network attack, watch a packet capture, take online notes, and perform research.

The classroom has two HD projectors with two screens. This allows students to view demos on one screen while viewing instructional slides on the other.


TDF (Single Seat)


  • Course Length: 10 Days
  • Course Book: Included

Sign up

TDF (Group Discount for 10 or More Students)


  • Course Length: 10 days
  • Course Book: Included

Sign up

Additional group and government discounts available, just email us.

The attackers want to pay the rent. They don’t want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money.”

— Mike Danseglio

What new things should I be able to do after taking TDF?

The ultimate goal is for you to become a proficient malware hunter and defender for your organization. You will know what looks suspicious, and have the tools to help you investigate and identify malware at a forensic level.

What makes this course unique?


We have a large, realistic network for each student.

Each student performs all of their exercises in a sandboxed network. This means that students all have the same IP addresses, but different computers, so if your fellow student crashes their web server, which happens often, your copy of that web server is fine.

Each individual network has four routers, domain controllers, a functioning root DNS server, DMZs to find and scan, and internal networks that are live and active.