My Experience with Coursera’s DFIR Specializations

I recently became an affiliate of Coursera and saw that they had specializations in both Computer Forensics and Cyber Incident Response. I didn’t know of anyone who completed them, so I decided to see what they were like before listing them on the Free & Affordable Training Site.

Cost: Coursera offers a 7-day free trial. I was able to complete both specializations within the 7 days, so it is possible to complete these for free. They are part of Coursera Plus which costs $59/month and includes thousands of other courses. Coursera also offers financial aid and the ability to audit courses for free. If you do audit the course, you get access to the course materials but nothing will be graded, and certificates of completion aren’t included. If you cancel the free trial before you complete everything, you are put in course audit mode and can still access the material but can’t get certificates of completion. You will still have access to any certificates earned during the free trial. Coursera also allows for the downloading of videos and transcripts.

Both the Cyber Incident Response Specialization and the Computer Forensics Specialization have three courses that need to be completed with an 80% passing score on the quiz for each course. You get a Certificate of Completion for each course in the Specialization as well as a Certificate for completing the entire Specialization. It’s also easy to add the course certificates to LinkedIn from Coursera under “Accomplishments”.

Image Not Found

The courses for each specialization are as follows:

Computer Forensics:

  • Digital Forensics Concepts
  • Windows OS Forensics
  • Windows Registry Forensics

Cyber Incident Response:

  • Cyber Incident Response
  • Stages of Incident Response
  • Technical Deep Dive with Incident Response Tools

The courses aren’t perfect due to some files and videos not being available but I still learned a lot. I will talk about that below.

More About the Computer Forensics Specialization: This is an intermediate-level specialization, although I do think the Computer Forensics Concepts course is good for beginners. In the Windows OS Forensics course, the instructor goes over different types of partitions and file systems in a hex editor. There are mentions of several VHD files to follow along with. Those files are not available, but I did learn just by watching the videos.

Tip: In the Windows Registry Forensics course, they’re wanting you to sign up for a free trial at Infosec to get the Windows 10 VMDK file for the hands-on portion. If you do not want to do that, the VMDK file that is available for download directly from the Computer Forensics Concepts course in Week 1 is similar enough to follow along with.

Topics Covered:

  • Computer Forensics Concepts
    • Computer Forensics & The Role of the Examiner
    • Forensics Methodology and Investigations
    • Preparing our Forensic Workstation
    • Laws & Ethics
    • Preservation and Consent
    • Search Warrants and Subpoenas
    • Locard’s Exchange Principle and the Scientific Method
    • Big Data
    • What to Bring to the Scene and Preparation
    • Documenting the Scene
    • Collection of Digital Evidence
    • Proper Storage and Transportation of Digital Evidence
    • Live vs Dead Box Evidence Collection & Capturing Volatile Media
    • Forensic Boot Options
    • Hash Values and File Hashing
    • Creating a Disk Image
    • Validating Your Tools
    • Keyword and Grep Searches
    • Network Basics
    • Reporting and Peer Review
  • Windows OS Forensics
    • Bits, Bytes, and Endienness
    • Converting Decimal to Binary
    • Converting Binary to Hex
    • Signed Integers
    • Physical vs Logical Drives
    • Sectors and Clusters
    • Active Disk Editor
    • MBR Partition Schema
    • GPT Partition Schema
    • Solid State Disks
    • The FAT File System
    • The NTFS File System
    • The exFAT File System
    • Registry Overview and History
    • The Live Registry
    • The Location of Registry Files Within an Image File
    • Common Forensic Artifacts Found in the Registry
  • Windows Registry Forensics
    • Introduction to the Windows Registry
    • Structure of the Windows Registry
    • Viewing the Registry with RegEdit
    • Software Needed to Examine the Registry
    • Locating and Interpreting the Registry Values
    • NTUser.dat Hive File Analysis
    • SAM Hive File
    • Software Hive File
    • System Hive File
    • USRClass.dat Hive File
    • AmCache Hive File

More About the Cyber Incident Response Specialization: I think this is a decent course for a beginner to Incident Response. It is mostly videos. It looks like there were supposed to be files to follow along with during the Technical Deep Dive with Incident Response Tools course, however, the files are not available. I was still able to learn just by watching the videos. After the final quiz, there is an add-on project using Zeek which I admittedly didn’t do although I was able to download the files for it. That project is not graded so you wouldn’t know if you got anything right or not. There is a mention of a walkthrough video for the project that isn’t listed anywhere in the course. I’m not sure if this video is was what the instructor was referring to, but was the closest I could find to the video mentioned: SolarWinds breach: Insights from the trenches | Live incident response demo.

Topics Covered:

  • Cyber Incident Response
    • The Value of Incident Response
    • The NIST Five Phases of Incident Response
    • Business Continuity and Disaster Recovery Roles
    • Building an Incident Response Playbook
    • Building an Incident Response Team
  • Stages of Incident Response
    • Incident Definitions and Severity Criteria
    • Identifying Threats and Vulnerabilities
    • Incident Response Assets Inventory and Identification
    • Identification
    • Containment
    • Investigation
    • Eradication
    • Recovery
    • Follow Up/Lessons Learned
  • Technical Deep Dive with Incident Response Tools
    • Network Forensics with Zeek
    • Network Forensics with Wireshark
    • Memory Forensics: Extracting a Memory Dump
    • Memory Forensics: Extracting Artifacts and IOCs with Volatility
    • Incident Response Scenario 1: Data Breach/Hacking Incident
    • Incident Response Scenario 2: Live Ongoing Hacking Incident
    • Incident Response Scenario 3: SolarWinds

Hands-On Alternatives: If you want to get hands-on with Zeek, INE has a free Zeek lab. If you want to get hands-on with Wireshark, I created a listing for Michael Wylie’s Wireshark for Incident Response & Threat Hunting Workshop that contains a link to the lab files. The 2020.03.31 document contains links to the lab files options.

There were also discussion forums for both specializations that are pretty much for students to talk amongst themselves. There were a lot of unanswered questions in there. If you want to be able to ask questions and get answers, there are other options. The Free & Affordable Training Site has a filter for training that has an active community or forum.

Even with the missing files and video for these specializations, overall, I still thought they were worth completing. Especially for free.

This is what you would get for completing all courses in the specializations. The certificates you get can be downloaded and/or shared:

Image Not Found
Image Not Found
Image Not Found
Image Not Found
Image Not Found
Image Not Found
Image Not Found
Image Not Found