Learning Track · 6 modules

Digital Forensics

Disk imaging, memory analysis, timeline reconstruction, chain of custody — the practitioner craft of forensic investigation.

Why this track

This track walks you from fundamentals through advanced techniques across 6 practitioner modules — the same body of knowledge senior security professionals build over years, structured for self-paced progression with India-specific context throughout.

Prerequisite: See module 1 for entry context. Most modules are self-contained but follow the suggested sequence for best results.

Modules: 6
Total time: 4.1 h
Free modules: 6
Quiz retries
Difficulty mix: Intermediate · 3, Advanced · 3

Module sequence

M1
Digital Forensics and Chain of Custody
Order of volatility, RAM and disk imaging, NTFS/Linux artefacts, cloud forensics, mobile forensics, IT Act §65B, BSA admissibility — the practitioner forensic workflow.
Advanced 85 min
M2
Disk Imaging — Forensically Sound Acquisition
Why this module exists. “We made a copy of the disk” is not the same as “we forensically imaged the disk.” The difference matters for evidence admissibility, chain of custody, and for the analyst three weeks later trying to reproduce a finding. This module is the practitioner-level disk imaging guide. What forensically sound actually means […]
Intermediate 30 min
M3
Memory Forensics with Volatility 3
Why this module exists. Half the modern malware ecosystem never writes a payload to disk — it lives in memory, injected into legitimate processes, and dies at reboot. Without memory forensics you are flying blind on that whole class. This module is the practitioner workflow. Acquisition — get the memory before you lose it Memory […]
Advanced 35 min
M4
Windows Event Log Forensics — The IR Reference
Why this module exists. The defender’s biggest leverage in any Windows IR is the event log. The attacker’s biggest leverage in the same IR is knowing which events to clear. This module gives you the canonical event IDs, the queries that surface attacker activity, and the gaps that tell you something was cleaned. The seven […]
Intermediate 30 min
M5
Linux Forensics — Auditd, journalctl, Containers
Why this module exists. Linux IR responders often default to “tar up /var/log and call it done.” Modern Linux estates — especially in Indian cloud-native shops — have far richer artefacts available if you know to capture them. This module is the structured walkthrough. The first-response capture — what to grab in 5 minutes If […]
Intermediate 30 min
M6
Forensic Timeline Reconstruction with Plaso
Why this module exists. An investigation has a hundred sources: event logs from five hosts, bash history, filesystem mtimes, audit logs, EDR alerts, NetFlow, cloud audit trail. Each has its own format and clock. The timeline is what merges them into one story. Without it, the investigation is fragments; with it, the investigation is a […]
Advanced 35 min

Common questions about this track

How long will this track take me?

Most learners finish in 4-8 weeks at a sustainable 4-5 hours per week. Modules are self-paced so you can move faster or slower as life allows.

Do I need prior experience?

Module 1 sets the entry baseline. The first module is always free; if it feels approachable, the track is for you.

Will this prepare me for industry certifications?

Most modules align with the body of knowledge tested by senior security certifications. The Academy is not a cert-prep course but produces working knowledge that transfers to any cert exam in the same domain.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
