Uncertain Times — Infosec's here to help. Learn about our COVID-19 Response Package.

Incident Response and Network Forensics Training Boot Camp

Learn how to detect and respond to security incidents! This popular boot camp builds your knowledge around network forensics and incident response with hands-on labs and expert instruction — and prepares you to become a Certified Computer Security Incident Handler (CERT-CSIH).

Train from home — save up to $1,000

Get expert, live instruction without having to travel with an Infosec Flex Pro boot camp. We’ve trained 1,000s of students online over the past 5 years, helping our clients meet their career goals wherever they are most comfortable studying.

Now through the end of the month, you can enroll in any online Infosec Flex boot camp and save up to $1,000.

Earn your CERT-CSIH, guaranteed!

Boot camp overview

Infosec’s Incident Response and Network Forensics Boot Camp covers the essential information you need to properly detect, contain and mitigate security incidents. You’ll learn the ins and outs of incident response as well as the tools used by incident responders on a daily basis. You’ll gain hands-on experience in how systems are compromised and what traces are left behind by attackers on the network, on disk and in volatile memory.

Security incidents are a way of life in the modern world, and how organizations respond to them makes a massive difference in how much damage is ultimately done. This boot camp addresses cutting-edge attack vectors as well as tried-and-true methods for compromise. You leave with the knowledge of how to prevent incidents and the skills to defend against a security incident if it does happen.

Skill up and get certified, guaranteed

Exam Pass Guarantee

If you don’t pass your exam on the first attempt, get a second attempt for free. Includes the ability to re-sit the course for free for up to one year.

100% Satisfaction Guarantee

If you’re not 100% satisfied with your training at the end of the first day, you may withdraw and enroll in a different Flex Pro or Flex Classroom course.

Knowledge Transfer Guarantee

If an employee leaves within three months of obtaining certification, Infosec will train a different employee at the same organization tuition-free for up to one year.

What's included?

93% pass rate — the best in the industry

  • Five days of training with an expert instructor
  • Infosec proprietary digital courseware (physical textbooks available to purchase)
  • CERT-CSIH digital review guide
  • CERT-CSIH exam voucher
  • 90-day access to cyber range (Flex Pro)
  • 90-day access to course replays (Flex Pro)
  • Curated videos from other top-rated instructors (Flex Pro)
  • 100% Satisfaction Guarantee
  • Exam Pass Guarantee (Flex Pro)

Limited-time offer: Continue learning after your boot camp with a complimentary 90-day subscription to Infosec Skills, which includes unlimited access to 500+ online courses, 100+ hands-on labs and projects, skill assessments, custom certification practice exams and more.

Course objectives

This boot camp focuses on teaching you the five key incident response steps:

  1. Plan – Preparing the right process, people and technology enables organizations to effectively respond to security incidents
  2. Identify – Scoping the extent of the incident and determining which networks and systems have been compromised; includes assessing the extent to which systems have been compromised
  3. Contain – Prevent the incident from further escalating using information gathered in the previous stage
  4. Eradicate – Remove intruder access to internal and external company resources
  5. Recover – Restore fully operational system capability and close out incident

Award-winning training that you can trust

Infosec Skills

Best IT Security-related Training Program

Cyber Work with Chris Sienko

Best Cybersecurity Podcast

2019 Wisconsin Innovation Award


Rising Star

Partner Award

G2 Crowd Leader

Technical Skills Development Software

Who should attend?

  • Incident response professionals
  • Network and system administrators
  • Computer security incident response team (CSIRT) members
  • Anyone interested in improving their network forensics and incident management skills


One or more years of experience in incident handling or equivalent information security experience is recommended.

Why choose Infosec

Your flexible learning experience

Infosec Flex makes expert, live instruction convenient with online and in-person formats tailored to how, when and where you learn best.

Public training boot camps held nationwide

  • Pre-study course materials
  • Live instruction
  • Digital courseware
  • Daily reinforcement materials
  • Catered lunches
  • Infosec community forum access
  • 100% Satisfaction Guarantee
  • Knowledge Transfer Guarantee

Most Popular

Immersive, live-streamed instruction

  • Pre-study course materials
  • Live instruction
  • Digital courseware
  • Daily reinforcement materials
  • Detailed performance reporting
  • Video replays
  • 90-day extended access to materials
  • Infosec community forum access
  • Exam Pass Guarantee
  • 100% Satisfaction Guarantee
  • Knowledge Transfer Guarantee

Tailored team training at your location

  • Pre-study course materials
  • Live, customized instruction at your location
  • Digital courseware
  • Daily reinforcement materials
  • Detailed team performance reporting
  • Video replays
  • 90-day extended access to materials
  • Infosec community forum access
  • Exam Pass Guarantee
  • 100% Satisfaction Guarantee
  • Knowledge Transfer Guarantee

What you'll learn

  • The incident response process
  • Building an incident response kit
  • Event/incident detection
  • Categorizing and prioritizing events
  • Sources of network evidence
  • TCP reconstruction
  • Flow analysis
  • Vulnerability analysis
  • Log analysis
  • Firewall log investigation
  • Log aggregation
  • Network artifact discovery
  • Identifying rogue processes
  • DNS forensics and artifacts
  • NTP forensics and artifacts
  • HTTP forensics and artifacts
  • HTTPS and SSL analysis
  • FTP and SSH forensics
  • Email protocol artifacts
  • Wireless network forensics
  • Defensive review
  • Secure credential changing
  • Reporting and coordinating incidents

Can’t get away for a week?

Learn incident response and network forensics on-demand.

Get the cybersecurity training you need at a pace that fits your schedule with a subscription to Infosec Skills. Includes unlimited access to hundreds of additional on-demand courses — plus cloud-hosted cyber ranges where you can practice and apply knowledge in real-world scenarios — all for just $34 a month!

  • 70+ learning paths
  • 500+ courses
  • Cloud-hosted cyber ranges and hands-on projects
  • Skill assessments and certification practice exams
  • Infosec community peer support

You're in good company.

"I’ve taken five boot camps with Infosec and all my instructors have been great."

Jeffrey Coa

Information Security Systems Officer

"Comparing Infosec to other vendors is like comparing apples to oranges. My instructor was hands-down the best I’ve had." 

James Coyle

FireEye, Inc.

"I knew Infosec could tell me what to expect on the exam and what topics to focus on most."

Julian Tang

Chief Information Officer

Our clients

Bank of America
Defense Information Systems Agency

Find your boot camp

Incident Response and Net Work Forensics Boot Camp

Day 1


  • Incident response planning fundamentals
  • Building an incident response kit
  • Incident response team components
  • IR toolkits and appropriate implementation
  • Threat Intelligence
  • Cyber Kill Chain
  • Agent-based IR


  • Indications of an incident
  • Triage
  • Critical first steps
  • Understanding chain of custody


  • Documentation
  • Written documentation and supporting media evidence
  • Identification methods
  • Isolation technical procedure best practices
  • Containment
  • Quarantine considerations for business continuity


  • Eradication testing and the QA role
  • Incremental backup compromise detection
  • Operating system rebuilds


  • Stakeholder identification in recovery process
  • Post incident heightened monitoring tasks
  • Special actions for specific incident types
  • Incident record keeping
  • Lessons learned

Constructing your live incident response toolkit

  • Trusted command shells – Windows/Linux
  • Remote shells
  • PsExec vs PowerShell

Day 2
Event/incident detection

  • Develop an incident response strategy and plan
  • Limit incident effect and repair incident damage
  • Perform real-time incident response tasks
  • Determine the risk of continuing operations
  • Spearphishing and APT attacks

Sources of network evidence

  • 3 evidence collection modalities
  • Persistence checks
  • Sensors
  • Evidence acquisition
  • Forensically sound collection of images

TCP reconstruction

  • TCP session reconstruction
  • Payload reconstruction
  • Encapsulation methods
  • tcpdump/Wireshark
  • Working with pcap files
  • Wireshark filtering
  • Identify missing data
  • Identify sources of information and artifacts
  • Packet analysis

Flow analysis

  • nfcapd and nfdump
  • nfsen
  • SiLK
  • Flow record export protocols
  • Network file carving
  • Encrypted flow analysis
  • Anomalous behavior analysis
  • Flow data points


  • Snort
  • Snort rule configuration
  • Collect incident data and intrusion artifacts

Log analysis

  • Syslog server
  • Syslog protocol format
  • Event investigation
  • Microsoft event log
  • Event viewer
  • Modeling analysis formats
  • HTTP server logs
  • Apache vs IIS
  • Header analysis and attack reconstruction

Firewall log investigation

  • Log formats
  • iptables and packet flow

Log aggregation

  • SIEM tools
  • Splunk architecture

Day 3
Triage & analysis

  • Categorizing events
  • Developing standard category definitions
  • Perform correlation analysis on event reports
  • Event affinity
  • Prioritize events
  • Determining scope, urgency, and potential impact
  • Assign events for further analysis, response, or disposition/closure.
  • Determine cause and symptoms of the incident

Network artifact discovery

  • Network forensics with Xplico

DNS forensics and artifacts

  • DNS tunneling
  • Fast flux forensics

NTP forensics and artifacts

  • Understanding NTP architecture
  • NTP analysis
  • NTP usage in timeline analysis and log monitoring
  • Protocol inspection

HTTP forensics and artifacts

  • Artifact discovery
  • Request/response architecture
  • HTTP field analysis
  • HTTP web services
  • AJAX
  • Web services

HTTPS and SSL analysis

  • Artifact from secure negotiation process
  • Other non HTTPS SSL analysis

FTP and SSH forensics

  • Capture and inspection
  • SFTP considerations

Email protocol artifacts

  • SMTP vs POP vs IMAP artifacts
  • Adaptations and extensions
  • Microsoft Protocols
  • Architecture and capture
  • Exchange considerations
  • SMB considerations
  • Cloud email forensics

Wireless network forensics

  • Wireless monitoring and capture methodologies
  • Understanding Wi-Fi common attacks
  • WEP vs WPA vs WPA2
  • Wi-Fi security compromise analysis

Perform vulnerability analysis

  • Determine the risk, threat level or business impact of a confirmed incident.

Day 4
Timeline analysis

  • Timeline reconstruction
  • Benefits of structured timeline analysis
  • Required pre-knowledge
  • Pivot point analysis
  • Contexting with incomplete data
  • Enter information into an operations log or record of daily operational activity.
  • Filesystem considerations
  • Time rules
  • Using Sleuthkit and fls
  • Program execution file knowledge
  • File opening and file deletion
  • log2timeline
  • log2timeline input and output modules
  • Using l2t_process for filtering

Volatile data sources and collection

  • System memory acquisitions from Windows systems
  • 64 bit Windows memory considerations
  • Page File analysis
  • Hibernation file analysis
  • Identify rogue processes
  • DLL analysis
  • Handle discovery and analysis
  • Code injection artifacts
  • Rootkit indicators
  • Correlation with network artifacts
  • Volatility walk-through
  • Redline analysis
  • Volatility basics
  • Volatility case study
  • Advanced malware hunting with Volatility
  • Examine Windows registry in memory
  • Investigate windows services
  • Cached files in RAM
  • Credential recovery in RAM

Day 5
Incident response

  • Defensive review and recommendations
  • Improving defenses
  • Secure credential changing process and monitoring
  • Increased monitoring period – when and how long
  • Validate the system
  • Identify relevant stakeholders that need to be contacted
  • Communications about an organizational incident
  • Appropriate communications protocols and channels
  • Coordinate, integrate and lead team responses with other internal groups
  • Provide notification service to other constituents
  • Enable constituents to protect their assets and/or detect similar incidents.
  • Report and coordinate incidents with appropriate external organizations
  • Liaison with law enforcement personnel
  • Track and document incidents from initial detection through final resolution.
  • Assign and label data according to the appropriate class or category of sensitivity
  • Collect and retain information on all events/incidents in support of future analytical efforts and situational awareness
  • Perform risk assessments on incident management systems and networks
  • Run vulnerability scanning tools on incident management systems and networks
  • CERT-CSIH Review
  • CSIH Domains
  • CSIH Practice Exam