Digital Forensics & Analysis (DFA)

Upcoming Courses

July 9 – 20, 2018

Cost (single seat): $10,000
Course Length: 10 Days

Additional group and government discounts available.
Contact Parrot Labs for more information.


What will you get out of DFA?

The ultimate goal is for you to become a proficient cyber-mission malware hunter and defender for your organization. By the end of the course, you’ll know what looks suspicious, and have the tools to help you investigate and identify malware at a forensic level.

What makes this course unique?

You’ll perform your exercises and scenarios in a sandboxed network, allowing you to practice and learn at your own pace without affecting other students.

Why should you enroll in DFA?


    • Investigate real malware, including TDL4, Spybot, and Metasploit backdoors
    • Memory forensics: learn how to find malware that bypasses antivirus solutions
    • Discover how reading network traffic helps you find artifacts and identify malicious behavior


DFA is a course that will teach you about the inner workings of Windows 7, as it relates to live forensics and malware analysis.

Have you ever wondered how computer forensic experts know whether a process that ran was malware? Do you want the skills to investigate a system and determine whether it was infected? DFA is a course designed to provide in-depth digital forensic knowledge of the Microsoft Windows operating systems. This proficiency-based course takes a hands-on approach: students work with live malware samples to discover and analyze malicious network traffic, malicious artifacts in volatile memory (RAM), and infected file systems. The course also covers techniques that give the student a holistic understanding of what really happens on a system during a malware infection (timeline analysis, analysis of supplemental artifacts, file system journal analysis). DFA is ideal for Windows system administrators who need to come up to speed on identifying malware on their systems, penetration testers and CNO/CNE analysts who want to know what artifacts their activities leave behind, and CND analysts who want to improve their skill set.

Malware Delivery Chain


Students will actively run real malware in a sandboxed environment. All rootkits and malware are analyzed in a realistic network, with routing and servers set up to reproduce the malware delivery chain. Students become proficient cyber defenders through hands-on experience with Redkit, TDL4, Spybot, and other kits.




You begin the first day on the attacker's side of a malicious threat: you exploit a target and experience the intrusion from an attacker's point of view before you investigate it.


You will then learn how to use the Sysinternals Suite, native tools (netstat, tasklist, etc.), and some introductory PowerShell scripting to automate process analysis. Using these skills, you will locate running malware and discover its persistence vectors.
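The kind of triage that paragraph describes, as an added example (not Parrot Labs course material): a read-only first pass over running processes, their sockets, and the common autostart locations, using only tools present on a stock Windows 7 host. It is written for PowerShell 2.0 (what Windows 7 ships with), so it relies on WMI and netstat rather than newer cmdlets; the drop-directory patterns and the 50 MB-style thresholds are assumptions to tune for your estate.

```powershell
# Added example, not course material: first-pass live triage of a suspect Windows 7
# host with native tools. Read-only; run from an elevated PowerShell prompt.
# Written for PowerShell 2.0, so WMI + netstat instead of Get-NetTCPConnection.
# Path patterns below are assumptions; adjust them to your environment.

# 1. Every process: image path, parent PID, command line and Authenticode status.
#    Unsigned code running out of user-writable directories is where to look first.
$procs = Get-WmiObject Win32_Process | ForEach-Object {
    $path = $_.ExecutablePath
    $sig  = if ($path -and (Test-Path $path)) {
                (Get-AuthenticodeSignature $path).Status.ToString()
            } else { 'NoPath' }   # protected system processes report no path via WMI
    New-Object PSObject -Property @{
        PID = $_.ProcessId; PPID = $_.ParentProcessId; Name = $_.Name
        Path = $path; Signature = $sig; CmdLine = $_.CommandLine
    }
}
$suspicious = $procs | Where-Object {
    $_.Signature -ne 'Valid' -and
    $_.Path -match '\\(Temp|AppData|ProgramData|Users\\Public)\\'
}
$suspicious | Format-Table PID, PPID, Name, Path, Signature -AutoSize

# 2. Sockets per PID. netstat -ano prints one line per socket with the owning PID
#    last; UDP lines have no State column, so index the PID from the end.
$sockets = netstat -ano | Select-String '^\s*(TCP|UDP)' | ForEach-Object {
    $f = $_.Line.Trim() -split '\s+'
    New-Object PSObject -Property @{
        Proto = $f[0]; Local = $f[1]; Remote = $f[2]
        State = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
        PID   = [int]$f[-1]
    }
}
$suspPids = $suspicious | ForEach-Object { $_.PID }
$sockets | Where-Object { $suspPids -contains $_.PID } |
    Format-Table Proto, Local, Remote, State, PID -AutoSize

# 3. The short list of autostart locations. Sysinternals Autoruns checks far more
#    (Winlogon, AppInit_DLLs, WMI subscriptions, ...); this is the manual first pass.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item $k
    foreach ($name in $key.GetValueNames()) {
        '{0,-55} {1,-20} {2}' -f $k, $name, $key.GetValue($name)
    }
}
# Services whose binary is unsigned (strip quoting and arguments from PathName first).
Get-WmiObject Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
    $exe = $_.PathName -replace '^"([^"]+)".*$','$1' -replace '^(\S+\.exe).*$','$1'
    if ((Test-Path $exe) -and (Get-AuthenticodeSignature $exe).Status -ne 'Valid') {
        '{0,-30} {1}' -f $_.Name, $exe
    }
}
# Scheduled tasks that run something from a drop directory. schtasks may repeat its
# CSV header once per task folder, so keep only the first copy before parsing.
$lines = schtasks /query /fo CSV /v
@($lines[0]) + @($lines | Where-Object { $_ -ne $lines[0] }) | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'Temp|AppData|ProgramData' } |
    Format-Table TaskName, 'Task To Run' -AutoSize
```

Everything here is a lead, not a verdict: a valid signature does not clear a process (signed loaders run unsigned payloads, and a rootkit such as TDL4 hides from user-mode enumeration entirely), which is why the course follows this with memory forensics.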


During file system analysis you will look for forensic artifacts and build a timeline with log2timeline to reconstruct the chain of events, mount disk images, and run forensic tools against your findings. You will also learn how to image a hard drive using open source tools.


Later, with an introduction to Wireshark and packet analysis, you'll see what the traffic generated by an exploit kit such as Redkit looks like on the network.


Using various techniques, you will identify malware. Some of the artifacts that will be analyzed are as follows:
• Prefetch files
• Volume Shadow Copy Service
• Interesting Registry keys
• ShellBags
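Where those four artifacts live on a running Windows 7 system and what can be read from them without a dedicated parser, as an added example (not course material). It is read-only and meant to be run elevated on the suspect host; the paths are Windows defaults, the shadow-copy index is assumed, and the hives of users other than the one logged on have to be loaded with reg load or read from the disk image.

```powershell
# Added example, not course material: locating Prefetch, Volume Shadow Copies,
# UserAssist and ShellBags on a live Windows 7 host. Read-only; run elevated.
# Only HKCU of the current logon is visible; other users' hives need reg load.

# Prefetch: Windows writes <EXE>-<HASH>.pf the first time a program runs and updates
# it on later runs, so the file proves execution even after the binary is deleted.
# Creation time ~ first run, last-write time ~ most recent run.
$pfDir = "$env:SystemRoot\Prefetch"
Get-ChildItem "$pfDir\*.pf" -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, CreationTime, LastWriteTime, Length -First 20 |
    Format-Table -AutoSize
# A .pf embeds the paths of files the program touched. On Windows 7 the file is
# uncompressed with UTF-16 strings, so a raw scan for a drop directory is a cheap filter.
Get-ChildItem "$pfDir\*.pf" -ErrorAction SilentlyContinue | Where-Object {
    $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
    [System.Text.Encoding]::Unicode.GetString($bytes) -match '\\TEMP\\|\\APPDATA\\'
} | Select-Object Name, LastWriteTime

# Volume Shadow Copies: earlier snapshots of the volume, i.e. prior versions of the
# registry hives, $MFT and user files that the malware may have since modified.
vssadmin list shadows
# To read one, expose it as a directory. The device name comes from the listing
# above; the index 1 here is an assumption:
#   cmd /c mklink /d C:\shadow1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

# Registry: UserAssist records programs launched through Explorer, with the value
# names ROT13-encoded. Decode them and keep the executables.
function ConvertFrom-Rot13([string]$s) {
    -join ($s.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if ($c -ge 65 -and $c -le 90)      { [char](($c - 65 + 13) % 26 + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }
        else { $_ }
    })
}
$ua = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
Get-ChildItem $ua -ErrorAction SilentlyContinue | ForEach-Object {
    $count = Get-Item "$($_.PSPath)\Count" -ErrorAction SilentlyContinue
    if ($count) { $count.GetValueNames() | ForEach-Object { ConvertFrom-Rot13 $_ } }
} | Where-Object { $_ -match '\.exe$' } | Sort-Object -Unique

# ShellBags: folders the user browsed in Explorer, including removable media and
# shares no longer attached. Windows 7 keeps them in NTUSER.DAT and UsrClass.dat.
# The sub-key count is a sanity check; turning the BagMRU BLOBs back into paths
# needs a ShellBags parser.
foreach ($bag in 'HKCU:\Software\Microsoft\Windows\Shell\BagMRU',
                 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU') {
    if (Test-Path $bag) {
        $n = @(Get-ChildItem $bag -Recurse -ErrorAction SilentlyContinue).Count
        '{0,-90} {1} sub-keys' -f $bag, $n
    }
}
```

On a live system the timestamps above are the system's own clock; when the same artifacts are pulled from an image they feed directly into the log2timeline timeline built earlier in the course.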


As you progress, you’ll learn more about targeted areas of the Windows Operating System and how to defend them, including Crash Dump Analysis, Windows Memory Manager, the Windows boot process and DLL injection.


In becoming a more proficient cyber-mission defender, you will run malware executables and learn how they work. You will then turn what the samples leave behind into Indicators of Compromise (IOCs) and check other systems on the network for those IOCs.
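A sweep of that kind, as an added example (not course material): the hash, dropped file names, Run-key value and C2 endpoint observed while running a sample become a host-indicator set, and the same check is run on other machines over PowerShell remoting. It assumes WinRM is enabled on the targets and that you are an administrator there; the sample path, file names, Run value, endpoint (a TEST-NET-3 address) and host names are all constructed for the example.

```powershell
# Added example, not course material: build host IOCs from an analysed sample and
# sweep other hosts for them over WinRM. All indicator values and host names are
# constructed. .NET SHA256 is used instead of Get-FileHash so it runs on PowerShell 2.0.

# Hashing as a script block so the same code runs locally and can be shipped to targets.
$HashScript = {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-','').ToLower() }
    finally { $fs.Close() }
}

$Sample = 'C:\analysis\sample.exe'                   # assumed: the binary you detonated
$ioc = @{
    Sha256   = @(& $HashScript $Sample)
    FileName = @('sample.exe', 'svchost32.exe')      # names it wrote to disk (constructed)
    RunValue = @('WinUpdateSvc')                     # Run-key value it created (constructed)
    Remote   = @('203.0.113.45:443')                 # C2 seen in the capture (constructed)
}

$Sweep = {
    param($ioc, $hashSrc)
    $hash = [scriptblock]::Create($hashSrc)
    $hits = @()

    # Files: by name, then by hash, in the usual drop directories.
    $dirs = @("$env:SystemRoot\Temp", $env:ProgramData, $env:PUBLIC) +
            @(Get-ChildItem C:\Users -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer } |
              ForEach-Object { Join-Path $_.FullName 'AppData' })
    Get-ChildItem $dirs -Recurse -Include *.exe,*.dll -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        if ($ioc.FileName -contains $_.Name) {
            $hits += "file-name  $($_.FullName)"
        } elseif ($_.Length -lt 50MB -and ($ioc.Sha256 -contains (& $hash $_.FullName))) {
            $hits += "sha256     $($_.FullName)"
        }
      }

    # Persistence: Run-key value names. Note HKCU here is the remoting user's hive,
    # not the console user's; check HKU:\<SID> for those.
    foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (Test-Path $k) {
            (Get-Item $k).GetValueNames() | Where-Object { $ioc.RunValue -contains $_ } |
                ForEach-Object { $hits += "run-key    $k\$_" }
        }
    }

    # Network: live connections to the C2 endpoint (TCP lines: proto local remote state pid).
    netstat -ano | Select-String 'ESTABLISHED|SYN_SENT' | ForEach-Object {
        $f = $_.Line.Trim() -split '\s+'
        if ($ioc.Remote -contains $f[2]) { $hits += "connection $($f[2]) from pid $($f[4])" }
    }

    New-Object PSObject -Property @{ Host = $env:COMPUTERNAME; Hits = $hits }
}

$targets = 'WS01', 'WS02', 'FILESRV'                 # constructed host names
Invoke-Command -ComputerName $targets -ScriptBlock $Sweep -ArgumentList $ioc, $HashScript.ToString() |
    Where-Object { @($_.Hits).Count -gt 0 } |
    ForEach-Object { "{0}`n  {1}" -f $_.Host, ($_.Hits -join "`n  ") }
```

Hash and file-name indicators are the easiest for an attacker to change between victims, so the Run-key name and the C2 endpoint usually find more hosts than the hash does; a hash miss is not a clean bill of health.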


Finally, you'll complete a scenario-driven final assessment in which you respond to an intrusion detection incident. Using the forensic techniques learned in class, you will fully enumerate the method(s) the attacker used to gain access to the target system, the associated implants, tools and files, the timeline of the intrusion, and the layout of the attacker's server infrastructure.