Digital Threat Digest Insights Careers Let's talk

Digital Forensics & Incident Response Associate (CPIA)

Our CREST-Approved and NCSC-Certified Digital Forensics and Incident Response Associate training provides participants with the necessary skills required to investigate, analyse and respond to cyber security incidents.


This includes the collection of digital evidence to support the investigation of cyber security incidents by deriving useful information, which can be used to mitigate system and network vulnerabilities.

This training is suitable for those beginning a role in a CSIRT, CIRT, CERT, SOC, or operational IT staff whose responsibilities include the aforementioned duties.

Training is aligned to support individuals seeking to undertake the CREST Practitioner Intrusion Analyst (CPIA) exam.

This training can be delivered virtually, at our London or Bristol facilities, or at our clients’ premises; training is typically for group bookings only.


NCSC Assured & CREST Approved

NCSC Assured Training at Application Level with IISP Core Skills F1, F3.

CREST-Approved Training.


By the end of this course, you will be able to comfortably apply your hands-on incident response abilities to an organisation. You will be able to safely and securely acquire the relevant digital evidence necessary to best inform a forensic or Incident Response investigation, while understanding potential procedural and legal risks in your methodology.


Entry-level cyber security professionals who wish to safely consolidate and practise their hands-on skills in incident response and digital forensics abilities to fulfil defense and protection responsibilities. Examples roles might include:

  • IT professionals beginning a role in a CSIRT, CIRT, CERT, SOC
  • 2nd line operational IT staff with DFIR duties and responsibilities
  • Digital Forensic Analysts
  • Cyber-crime Analysts/Investigators
  • Cyber Security Specialists
  • Blue Team members
Learning outcomes
  • Demonstrate effective use of current tools and techniques used by industry-qualified cyber security incident response and digital forensics practitioners.
  • Prioritise various tasks associated with Incident Response.
  • Demonstrate and consolidate knowledge in detecting, investigating and responding to threats.
  • Understand processes for seizing and preserving digital evidence.
  • Gain an awareness of applicable laws, policies and procedures relating to the collection and admissibility of digital evidence.
  • Comprehend processes for collecting, packaging, transporting and storing electronic evidence while maintaining chain of custody.
  • Search for types of digital forensics data and how to recognise them in diverse media.
  • Use network traffic analysis tools, methodologies and processes.
  • Recognise and interpret malicious network activity in traffic.
  • Explore anti-forensics tactics, techniques and procedures.
  • Learn to extract, analyse and use metadata.
  • Familiarise with various forensic tool suites.
  • Collaborate with other relevant stakeholders.
  • Create clear and concise technical documentation to technical and non-technical third parties.
  • Ideally a minimum of 1st line operational IT experience but 2nd line operational IT experience is preferred.
  • Use of virtual machines.
  • Experience of Windows and Linux operating systems.
  • Some familiarity or experience using the command line with Linux and Windows.
  • Ideally CompTIA Network+ and Security+ training/qualification.
  • Knowledge of business practices within your organisation, your organisation’s risk management processes and any IT user security policies.
  • For virtual/remote training a good internet connection/sufficient bandwidth is required, with full audio and video capability.

This training can be tailored to an industry or for a defined audience, with various durations. Example topics typically include:

Introduction to Incident Response and Digital Forensics

  • Understanding the life cycle of DFIR
  • Overview of the current DFIR standards and Frameworks
  • Legal and Law perspectives of DFIR
  • Traits of an Analyst
  • Analyst Bias


  • Attack Methodologies
  • Evidence Handling and Chain of Custody
  • Introduction to Memory Forensics
  • Forensic Opportunities
  • Network Data Sources
  • Network Netflow
  • Network tcp/ip Fundamentals
  • Network IDS/IPS
  • HDD Theory
  • File System Analysis
  • Operating Systems
  • Data Storage (Physical and Logical)
  • Introduction to Cloud Based Data Storage
  • Dates, Times and Metadata
  • Introduction to Cloud Storage
  • Encryption


  • Types of Evidence Acquisition
  • Order of Volatility
  • DFIR Tools, Capability and Variation
  • Network Hardware
  • Network Software
  • Logistic, Procedural and Legal Consideration for Network Data Collections
  • Network tcpdump
  • Forensic Imaging and Hashing
  • Live Windows Commands
  • Introduction to Smart Phone Forensics


  • Introduction to Forensic Analysis Techniques
  • Analysis Scoping and Planning
  • Types of Analysis
  • Wireshark
  • Network Miner
  • Forensic Image Analysis
  • Forensic Image Mounting
  • Timeline Analysis
  • Plaso
  • Windows Overview
  • More Logs – Firewall and IIS


  • Writing Technical and Executive Reports
  • Exercise Reporting
  • Stakeholder Collaboration

  • CPIA Practice Exam Preparation
  • PGI Assessment