This is a comprehensive hands-on digital forensics course where you will conduct a real-world style investigation of a data exfiltration incident at Cloudcore Inc. You'll work through 5 progressive labs using professional forensic tools in a containerized environment to analyse evidence, recover deleted files, perform memory analysis, and produce professional incident response reports.
Case: CLOUDCORE-2009-INS-001 - Data Exfiltration Investigation
Environment: Docker-based forensic workstation
Tools: Sleuth Kit, Volatility, Autopsy GUI, Plaso, YARA, and more
Duration: 5 progressive labs (one per week, ~8-10 hours each)
| Lab | Title | Skills | Key Tools |
|---|---|---|---|
| 1 | USB_Imaging | Evidence handling, initial triage, deleted file recovery | Sleuth Kit, foremost, exiftool |
| 2 | Memory_Forensics | Volatile memory analysis, process investigation | Volatility 2 (Windows XP) |
| 3 | Email_Logs | Email artifact analysis, log examination | Python analysis, grep/awk |
| 4 | Network_Analysis | Network traffic analysis, C2 detection, exfiltration | Wireshark, tshark, PCAP analysis |
| 5 | Final_Report | Synthesis, timeline construction, professional reporting | All tools + reporting skills |
```
forensics-docker-lab/
├── README.md                      # You are here (course overview)
├── docs/
│   ├── README.md                  # Student documentation index (START HERE)
│   ├── scenario.md                # Complete case background and context
│   ├── setup.md                   # Installation and Docker setup guide
│   ├── storyline.md               # Investigation timeline and narrative
│   ├── glossary.md                # Forensics terminology
│   ├── troubleshooting.md         # Common issues and solutions
│   └── instructor/                # Instructor materials (on instructor branch)
│
├── cases/                         # YOUR WORKSPACE (5 lab folders)
│   ├── USB_Imaging/               # Lab 1: Imaging, integrity & initial triage
│   ├── Memory_Forensics/          # Lab 2: Memory analysis with Volatility
│   ├── Email_Logs/                # Lab 3: Email artifact analysis
│   ├── Network_Analysis/          # Lab 4: Network traffic and C2 detection
│   ├── Final_Report/              # Lab 5: Synthesis and final reporting
│   └── Autopsy_GUI/               # Optional: Graphical forensic examination
│
├── evidence/                      # READ-ONLY evidence files
│   ├── usb.img / usb.E01          # USB device forensic image (~800MB)
│   ├── memory.raw                 # Windows XP memory dump (~511MB)
│   └── network.cap                # Network traffic capture (~100MB)
│
├── templates/                     # Student report templates
│   ├── README.md                  # Template documentation
│   ├── lab_report_template.md     # Individual lab report template
│   ├── final_report_template.md   # Final synthesis report template
│   ├── chain_of_custody.csv       # CoC log template
│   └── analysis_log.csv           # Analysis tracking template
│
├── guides/                        # Interactive guides (HTML)
│   ├── chain-custody-guide.html   # Chain of custody reference
│   └── forensic-image-primer.html # E01 format overview
│
├── rules/                         # YARA malware detection rules
│   └── README.md                  # How to use YARA rules
│
├── scripts/
│   ├── forensics-workstation      # Immersive login script (bash)
│   ├── forensics-workstation.ps1  # Immersive login script (PowerShell)
│   ├── coc-log                    # Chain of custody logging utility
│   ├── verify_setup.sh            # Setup verification (bash)
│   ├── verify_setup.ps1           # Setup verification (PowerShell)
│   ├── legacy/                    # Old scripts (for reference)
│   └── instructor/                # Instructor-only tools (on instructor branch)
│
├── images/
│   ├── dfir-cli/                  # Main forensic workstation container
│   └── volatility2/               # Windows XP memory analysis (vol2)
│
├── docker-compose.yml             # Container orchestration
└── LICENSE
```
First time setup (choose one):

Option A: Using Make (recommended - simplest)

```bash
cd forensics-docker-lab
make setup
make verify
make start
```

Option B: Direct scripts

```bash
cd forensics-docker-lab
docker compose build
./start.sh   # or start.bat on Windows
```

Every other time:

```bash
make start   # or ./start.sh / start.bat
```

Install Docker Desktop:

- Windows/Mac: Download from https://www.docker.com/products/docker-desktop
- Linux (Ubuntu/Debian):

```bash
sudo apt update
sudo apt install docker.io docker-compose
sudo usermod -aG docker $USER   # Log out and back in for group changes to take effect
```

Verify Installation:

```bash
docker --version
docker compose version
```

System Requirements:

- 4GB RAM minimum (8GB+ recommended for Autopsy GUI)
- 15GB free disk space (for all evidence files)
- Internet connection (first build only)
Build Docker environment:

```bash
cd /path/to/forensics-docker-lab
make setup
```

Or manually:

```bash
docker compose build
docker compose run --rm dfir echo "Environment ready!"
```

Verify setup:

```bash
make verify
```

Or manually:

- Windows: `scripts\verify_setup.bat`
- macOS/Linux: `./scripts/verify_setup.sh`

All checks should pass (✓ in green).

Enter workstation:

```bash
make start
```

Or directly:

- Mac/Linux: `./start.sh` (or `./scripts/forensics-workstation`)
- Windows: `start.bat` (or `scripts\forensics-workstation.bat`)
You'll be prompted for your analyst name, then you're inside:

```
╔══════════════════════════════════════════════════════════════════╗
║                                                                  ║
║        DIGITAL FORENSICS & INCIDENT RESPONSE LABORATORY          ║
║                                                                  ║
║          Cloudcore 2009 Data Exfiltration Investigation          ║
║                                                                  ║
╚══════════════════════════════════════════════════════════════════╝
alice@forensics-lab:/cases$
```
Now run forensic commands directly (no docker compose prefix!):

```bash
# Example: List evidence files
ls -la /evidence/

# Example: Verify USB image integrity
sha256sum /evidence/usb.E01

# Example: Start Lab 1 analysis
mkdir -p USB_Imaging/output
cd USB_Imaging
fls -r /evidence/usb.img > output/fls.txt

# When done
exit
```

Before your first lab:

- Read the Course Overview (this page - 10 min)
- Review `docs/README.md` - Student documentation index (10 min)
- Read `docs/scenario.md` - Complete case background (20 min)
- Build Docker environment - Step 2 above (5 min)
- Verify setup - Step 3 above (5 min)
- Enter workstation - Step 4 above (1 min)

For each lab:

- Read the lab README - e.g., `cases/USB_Imaging/README.md`
- Review the walkthrough - e.g., `cases/USB_Imaging/WALKTHROUGH.md`
- Enter the workstation - `make start` (or `./start.sh` / `start.bat`)
- Run analysis commands - Follow lab walkthrough commands
- Fill the report - Copy `templates/lab_report_template.md` to your lab folder
- Log your actions - Use `coc-log` for chain of custody

Where to look:

- Stuck on a lab? → See that lab's `WALKTHROUGH.md`
- Want to understand the case? → See `docs/scenario.md`
- Need timeline context? → See `docs/storyline.md`
- Terminology confused? → See `docs/glossary.md`
- Setup issues? → See `docs/troubleshooting.md`
Instead of typing `docker compose run --rm dfir` every time, use:

```bash
make start                       # Recommended: simplest option
# or
./start.sh                       # Direct on Linux/Mac
start.bat                        # Direct on Windows
./scripts/forensics-workstation  # Full path (equivalent to start.sh)
```

Benefits:

- Feels like connecting to a real DFIR workstation
- Your analyst name is logged in chain of custody
- Less typing = faster workflow
- Matches real-world incident response practice

The coc-log utility automatically timestamps and hashes all commands:

```bash
coc-log "fls -r /evidence/usb.img" "Initial filesystem analysis"
```

Results are logged to `cases/analysis_log.csv` with:

- Timestamp (UTC)
- Analyst name
- Command executed
- Exit code
- Output hash (SHA256)
- File size
- Your notes
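To make the logging step concrete, here is an added bash example of how a coc-log style logger records those fields; it is not the lab's own `scripts/coc-log`. It assumes two hypothetical environment variables, `ANALYST` (analyst name) and `COC_LOG` (CSV path), with fallbacks when they are unset.

```bash
#!/usr/bin/env bash
# Added example: a minimal coc-log style logger (not the lab's own scripts/coc-log).
# Runs a command, captures its combined output to a temp file, hashes that output,
# and appends one CSV row with the same fields the lab's analysis_log.csv records.
# Assumptions (hypothetical): ANALYST and COC_LOG environment variables, with defaults.
set -u

coc_log() {
    local cmd="$1" notes="${2:-}"
    local logfile="${COC_LOG:-analysis_log.csv}"
    local analyst="${ANALYST:-${USER:-unknown}}"
    local ts out rc hash size

    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)            # UTC timestamp, ISO 8601
    out=$(mktemp)

    # Run the command in a child bash; record its exit code instead of acting on it
    # (the "|| rc=$?" form also survives a caller running under set -e)
    rc=0
    bash -c "$cmd" > "$out" 2>&1 || rc=$?

    hash=$(sha256sum "$out" | awk '{print $1}')  # SHA256 of the captured output
    size=$(wc -c < "$out" | tr -d ' ')           # output size in bytes

    # Write the header once, then append the row; free-text fields are CSV-quoted
    if [ ! -f "$logfile" ]; then
        printf 'timestamp_utc,analyst,command,exit_code,output_sha256,output_bytes,notes\n' > "$logfile"
    fi
    printf '%s,%s,"%s",%s,%s,%s,"%s"\n' \
        "$ts" "$analyst" "${cmd//\"/\"\"}" "$rc" "$hash" "$size" "${notes//\"/\"\"}" >> "$logfile"

    rm -f "$out"
    echo "$hash"   # return the output hash so it can be cross-checked later
}

# Usage: ./coc_log.sh "fls -r /evidence/usb.img" "Initial filesystem analysis"
if [ "$#" -gt 0 ]; then
    coc_log "$@"
fi
```

Because the hash covers the command's captured output, re-running the same command on the untouched image later should reproduce the same digest, which is the reproducibility check the chain-of-custody log exists to support.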
All evidence files are included:
- usb.img / usb.E01 - USB device forensic image (800MB)
- memory.raw - Windows XP memory dump (511MB)
- network.cap - Network traffic capture (100MB)
Read-only to prevent accidental modification. All analysis happens in writable ./cases/ folders.
- Windows: PowerShell scripts with Docker Desktop + WSL 2
- macOS: Intel and Apple Silicon (M1/M2/M3) support
- Linux: Ubuntu, Debian, Fedora, etc.
Windows:

Terminal: Use Windows Terminal with Command Prompt or PowerShell (both work)

Docker Desktop Setup:

- Enable WSL 2 backend (default)
- Allocate 4GB+ RAM in Docker Desktop settings
- Ensure Docker Desktop is running

Commands:

```
# Use batch scripts for Windows:
scripts\verify_setup.bat
scripts\forensics-workstation.bat

# Docker commands work the same:
docker compose build
docker compose run --rm dfir
```

Common Issues:

- "Command not found": Restart Docker Desktop
- "Access denied": Run Command Prompt as Administrator
- Batch file won't run: Ensure you're in the correct directory
- PowerShell execution policy: Use batch files instead (no PowerShell required)
macOS:

Terminal: Use built-in Terminal or iTerm2

Apple Silicon (M1/M2/M3):

- Docker uses Rosetta 2 (automatic translation)
- Performance is excellent
- First build may take 5-7 minutes

Commands:

```bash
./scripts/verify_setup.sh
./scripts/forensics-workstation
```

Linux:

Docker Group Setup (one-time):

```bash
sudo usermod -aG docker $USER
# Log out and back in
groups | grep docker   # verify
```

Commands:

```bash
./scripts/verify_setup.sh
./scripts/forensics-workstation
```

Mac/Linux/WSL:

```bash
# Enter the immersive workstation (RECOMMENDED)
./scripts/forensics-workstation

# Or use Docker directly (for advanced users)
docker compose run --rm -it dfir bash
```

Windows:

```
# Enter the immersive workstation (RECOMMENDED)
scripts\forensics-workstation.bat

# Or use Docker directly (for advanced users)
docker compose run --rm -it dfir bash
```

```bash
# Lab 1: Analyse the USB image
mkdir -p USB_Imaging/output
fls -r /evidence/usb.img > USB_Imaging/output/fls.txt

# Lab 2: Memory analysis (run on host, not inside workstation)
docker compose exec vol2 vol.py -f /evidence/memory.raw imageinfo

# Lab 4: Network analysis (run on host, not inside workstation)
tshark -r evidence/network.cap -Y "irc"

# Always exit when done
exit
```

Log commands for evidence handling:

```bash
# Inside workstation
coc-log "fls -r /evidence/usb.img" "Lab 1 filesystem listing"

# This creates: cases/analysis_log.csv with timestamp, hash, analyst name
```

See complete reference: `docs/COMMANDS.md`
READ-ONLY - Never modify:

- `usb.img` / `usb.E01` - USB device image
- `memory.raw` - Memory dump
- `network.cap` - Network capture

Mounted inside container as `/evidence`

WRITABLE - Save all your work:

- Mounted inside container as `/cases`
- Everything you create in `/cases/` appears in `./cases/` on your host
- One folder per lab (USB_Imaging, Memory_Forensics, etc.)

Example structure:

```
./cases/
├── USB_Imaging/
│   ├── README.md        # Lab 1 instructions
│   ├── WALKTHROUGH.md   # Step-by-step guide
│   ├── output/          # Your analysis outputs
│   ├── recovered/       # Recovered files
│   └── report.md        # Your report (copy from templates/WORKBOOK.md)
├── Memory_Forensics/
│   ├── README.md
│   ├── WALKTHROUGH.md
│   ├── vol_output/
│   └── report.md
└── [etc for other labs...]
```
Fix:

- Ensure Docker Desktop is running (Windows/Mac)
- Restart terminal after installing Docker
- Linux: `sudo systemctl start docker`

Fix:

- Windows/Mac: Start Docker Desktop application
- Linux: `sudo systemctl start docker`

This is expected! Evidence is read-only.

- ✓ Correct: `fls -r /evidence/usb.img > /cases/output.txt`
- ✗ Wrong: `fls -r /evidence/usb.img > /evidence/output.txt`

Fix:

```bash
docker compose down -v
docker compose build --no-cache
```

Fix: Edit `docker-compose.yml` and change `8080:8080` to `8081:8080`
- Lab Session: Ask instructor or TAs
- Office Hours: See course syllabus for times
- LMS Forum: Post technical questions
- Documentation: Review `docs/COMMANDS.md`, `docs/SCENARIO.md`, lab `WALKTHROUGH.md`
See docs/TROUBLESHOOTING.md for more detailed troubleshooting.
By completing all 5 labs, you will:
- Understand proper digital evidence handling (chain of custody, hashing, integrity verification)
- Master industry-standard forensic tools (Sleuth Kit, Volatility, Autopsy, Wireshark)
- Analyse multiple evidence types (disk images, memory dumps, network captures, logs)
- Perform deleted file recovery and carving
- Conduct memory forensics on legacy Windows systems
- Identify and analyse command & control communications
- Construct timelines and correlate events across multiple data sources
- Write professional incident response reports
- Understand real-world incident response workflow
- Critically reflect on AI tool usage in forensic investigations
- [ ] Read this README (you're doing it!)
- [ ] Read `docs/README.md` for documentation index
- [ ] Read `docs/SCENARIO.md` for case background
- [ ] Build Docker environment (Quick Start above)
- [ ] Read `cases/USB_Imaging/README.md`
- [ ] Follow `cases/USB_Imaging/WALKTHROUGH.md`
- [ ] Use `docs/COMMANDS.md` for command reference
- [ ] Complete Lab 1 analysis and report
- Week 2: Memory_Forensics (Volatility)
- Week 3: Email_Logs (log analysis)
- Week 4: Network_Analysis (PCAP analysis)
- Week 5: Final_Report (synthesis + reporting)
For Students (main branch):

- `docs/README.md` - Documentation index
- `docs/scenario.md` - Case background
- `docs/setup.md` - Installation guide
- `docs/storyline.md` - Investigation timeline
- Lab folders: `cases/USB_Imaging/`, `cases/Memory_Forensics/`, etc.

For Instructors (instructor branch):

```bash
git checkout instructor
```

- `docs/instructor/README.md` - Instructor materials overview
- `cases/*/instructor/INSTRUCTOR_NOTES.md` - Teaching tips for each lab
- `cases/*/instructor/answer_key.md` - Expected findings
- `cases/*/instructor/rubric.csv` - Grading rubrics
- This is an individual assessment - collaborate on concepts, not code
- AI tools are permitted but must be documented in your reflection
- Never copy-paste AI outputs without understanding
- Verify all commands before executing them
- Your work should be reproducible - document every step
- Never modify evidence files - work on copies only
Technical Issues:

- Check `docs/troubleshooting.md`
- Review error messages carefully
- Search error online (with "docker" + tool name)
- Post on LMS forum with: OS, error message, what you were trying, what you've tried

Forensic Concepts:

- Review `docs/scenario.md` and `docs/storyline.md`
- Attend lab session and office hours
- Check tool documentation (Sleuth Kit, Volatility, etc.)
- Ask on LMS forum

Lab-Specific Help:

- Review that lab's `README.md`
- Follow the lab's `WALKTHROUGH.md`
- Ask instructor during lab session
- Never modify evidence files - work on copies only
- Document everything - reproducibility is key
- Report objectively - present facts, not accusations
- Test your submission - ensure all files are included
- Start early - don't wait until the last day
- Ask questions - better to ask than guess
- Sleuth Kit (fls, icat, tsk_recover, fsstat, istat): https://sleuthkit.org/sleuthkit/docs.php
- Volatility 2: For Windows XP and older memory analysis - https://volatility-labs.blogspot.com/
- Volatility 3: Modern memory forensics framework - https://volatility3.readthedocs.io/
- tshark: Command-line network packet analyzer - https://www.wireshark.org/docs/man-pages/tshark.html
- YARA: Malware pattern matching and detection - https://virustotal.github.io/yara/
- Autopsy: GUI forensic analysis platform - https://www.sleuthkit.org/autopsy/
- Wireshark: Network protocol analyzer (GUI complement to tshark) - https://www.wireshark.org/docs/
- YARA Rules Repository: Community malware detection rules - https://github.com/Yara-Rules/rules
Good luck with your investigation! Remember: professionalism, documentation, and objectivity are the hallmarks of excellent forensic work.