DoD DCWF - Cyber Defense Forensics Analyst

MCSI Certification

MCDFA - Certified Cyber Defense Forensics Analyst

The Cyber Defense Forensics Analyst course is designed to equip participants with the skills needed to perform digital forensics across a diverse range of technology sources.

This course introduces the fundamentals of digital forensics, focusing on the analysis of digital evidence and the investigation of computer security incidents. Participants will acquire practical skills to extract and analyze data, crucial for enhancing security measures and safeguarding digital environments.

Practical application of knowledge is a cornerstone of this course. Through various case studies, participants will experience the full spectrum of a forensic investigation, from initiation to conclusion. Additionally, the course emphasizes the importance of documenting findings clearly and comprehensively. This practice ensures that participants can communicate effectively with multiple stakeholders, including legal teams, security personnel, and executive management.

Upon course completion, participants will become proficient forensic analysts, fully equipped to enhance their organizations' security posture.

Level: Intermediate to Advanced
Type: Certification
Duration: 600+ hours
Price: $995
No Expiry, No Renewals

Course Overview


The course starts with foundational concepts of digital forensics, establishing a base for more specialized skills and knowledge. Participants will learn to perform detailed forensic investigations on Windows computers, mastering techniques to recover artifacts from various digital sources. This module emphasizes hands-on practice in retrieving and analyzing data to understand the nuances of digital forensics.

As the course progresses, participants will delve into advanced techniques such as processing memory dumps and analyzing network traffic captures. The curriculum also includes basic malware analysis to aid in determining the extent of system compromises. Each of these skills builds on the last, forming a comprehensive understanding of the tools and methodologies used in modern forensics.

The course integrates all learned skills, enabling effective analysis and correlation of evidence from diverse sources. This empowers participants to tackle complex security challenges in today's digital landscape. They will become proficient forensic analysts, fully equipped to enhance their organizations' security posture.

Upon completion of the MCDFA Certified Cyber Defense Forensics Analyst course, participants will be equipped with a diverse skill set enabling them to:

  • Verify digital evidence integrity using forensic testing techniques.
  • Analyze forensic images with specialized tools for investigative purposes.
  • Conduct custom analyses of forensic images to meet specific investigation needs.
  • Detect hidden or suspicious files on forensic images.
  • Evaluate executable files (e.g., MSI, Java, Python, EXE) for security threats.
  • Extract forensic artifacts from Windows systems, including event logs and volume shadow copies.
  • Perform memory analysis using industry-standard tools to extract critical operational data.

Knowledge, Skills and Abilities You Will Acquire

MCSI is one of the most respected and trusted names in cyber security education and training. Our certifications teach critical skills, knowledge and abilities needed to advance a career in cyber security. Our courses are comprehensive and up-to-date, and our instructors are experienced professionals who are dedicated to helping students learn. MCSI provides the real-world skills and knowledge you need to protect any organization from cyber threats.

  • Lab Setup and Virtualization
  • Malware Analysis

    Malware analysis involves examining malicious software to understand its functionality, behavior, and impact on systems. It is important for cybersecurity professionals to conduct malware analysis to identify and mitigate potential threats, protect systems from infection, and improve incident response capabilities.

    Understanding malware allows for proactive measures such as developing effective detection signatures, updating security defenses, and devising appropriate mitigation strategies to defend against evolving threats.

    Analyzing and Extracting Malicious Shortcut Files

    This involves examining shortcut files for hidden malware payloads, which is crucial for identifying and neutralizing threats targeting system vulnerabilities.

    Analyzing and Extracting Malicious PDF Files

    Analyzing malicious PDF files helps identify embedded malware and potential exploit techniques, enabling effective mitigation and response strategies.

    Analyzing and Extracting Malicious Word Files

    Examining malicious Word files allows for the detection of embedded malware or macros, essential for understanding attack vectors and developing effective countermeasures.

    Decompiling Java, AutoIt, MSI Files

    Decompiling these types of files aids in understanding their inner workings and identifying malicious behaviors, which is essential for malware analysis and threat intelligence.

    Using Resource Hacker to Decompose Malware

    Resource Hacker is a tool used to dissect Windows executable files, which can reveal hidden or obfuscated malicious code, aiding in malware analysis.

    Monitoring Malware with Process Monitor

    This involves using Process Monitor to observe malware behavior on systems, providing insights into its activities and helping to detect and respond to threats.

    Using API Monitor on Malware

    API monitoring helps analyze how malware interacts with system functions and external resources, enabling detection and mitigation of malicious activities.

    Reverse Engineering Malicious Macros

    This process involves dissecting malicious macros to understand their functionality and potential impact, which is crucial for identifying and mitigating macro-based attacks.

  • Windows Forensics

    Windows forensics is crucial for investigating security incidents and identifying malicious activities on Windows-based systems. It enables analysts to collect and analyze digital evidence from Windows devices, aiding in incident response, threat detection, and mitigation efforts.

    Capturing an Image from USB Drives

    Capturing an image from USB drives is important for cyber defense forensic analysts as it allows them to collect and preserve data from removable storage devices for forensic analysis, aiding in investigations and incident response.

    Recovering Concealed Data

    Recovering concealed data is essential in forensic investigations as it helps analysts uncover hidden information and artifacts that may be critical for understanding the scope and impact of security incidents.

    Analyzing Windows Prefetch Files

    Analyzing Windows Prefetch files is important for cyber defense forensic analysts to understand program execution patterns and identify suspicious or unauthorized activity on Windows systems.

    Analyzing Windows Hibernation Files

    Analyzing Windows hibernation files is critical for extracting memory snapshots and volatile data, providing insights into system activities and potentially uncovering evidence of malicious behavior.

    Recovering Windows Shadow Copies

    Recovering Windows shadow copies is important for restoring previous versions of files and recovering data that may have been deleted or modified, aiding in digital forensics investigations.

    Using AmCacheParser

    Using AmCacheParser is essential for cyber defense forensic analysts to parse and analyze application compatibility cache data, helping to identify artifacts related to executed programs and user activity on Windows systems.

    Analyzing SRUM Dumps on Windows

    Analyzing SRUM dumps on Windows is important for examining memory dumps and extracting valuable information about processes, network connections, and file system activities, aiding in incident response and malware analysis.

  • Behavioural Analysis

    Behavioral analysis is essential for cyber defense forensic analysts as it involves studying patterns of behavior within systems and networks to detect abnormal or suspicious activities indicative of security threats. This approach helps identify potential threats that traditional signature-based methods may miss, enabling proactive threat detection and response.

    Analyzing malware with Sysmon

    Analysing malware with Sysmon involves using Sysinternals Sysmon to monitor and log system activity, providing valuable insights into the behavior of malware and potential indicators of compromise.

    Using Sandboxes

    Sandboxes are isolated environments used to execute suspicious files and URLs safely, enabling the analysis of malware behavior without compromising the host system.

    Dynamically analyzing malware connections

    Dynamically analyzing malware connections involves monitoring network traffic generated by malware in real-time to identify communication patterns, potential command-and-control servers, and data exfiltration attempts.

  • Memory Forensics

    Memory forensics is crucial for cyber defense forensic analysts because it enables the extraction of volatile data from active systems, providing insights into running processes, network connections, and system artifacts that may not be available through traditional disk-based forensics.

    Analyzing memory dumps can reveal important evidence of malware execution, persistence mechanisms, and attacker activities, aiding in incident response and threat mitigation efforts.

    Volatility Framework

    The Volatility Framework is a powerful tool used for memory forensics, allowing cyber defense forensic analysts to extract and analyze critical data from compromised machines' RAM. It aids in identifying malware, analyzing running processes, and uncovering artifacts crucial for incident response and threat hunting.

    Perform forensic analysis on compromised machines

    Performing forensic analysis on compromised machines involves extracting and examining evidence from systems that have been subject to security breaches. This process is essential for identifying the extent of compromise, understanding attacker tactics, and strengthening future defenses.

    Dump the RAM of a Windows machine

    Dumping the RAM of a Windows machine allows analysts to capture the volatile memory state, providing insights into active processes, network connections, and system artifacts. This data is critical for detecting malware, understanding attacker activities, and conducting thorough incident response investigations.

    Dumping the RAM of a Linux machine

    Dumping the RAM of a Linux machine enables analysts to capture volatile data from Linux systems, aiding in memory forensics investigations. This process helps identify malicious activities, uncover rootkits, and gather critical evidence for forensic analysis.

    Extracting malware from dumps

    Extracting malware from memory dumps allows analysts to isolate and analyze malicious code that resides in system memory. This activity is essential for understanding malware behavior, identifying indicators of compromise (IOCs), and strengthening defenses against similar threats.

DoD Cyber Workforce Framework KSATs

This course teaches the specific Knowledge, Skills, Abilities, and Tasks (KSATs) aligned with the DoD Cyber Workforce Framework (DCWF) as outlined in DoD 8140. By focusing on these critical competencies, the course ensures that you develop the essential capabilities required for various cybersecurity roles within the Department of Defense. This alignment not only guarantees that the training is relevant and comprehensive but also that it prepares you to meet the specific operational needs and standards of the DoD cyber workforce.

  • Knowledge
    ID Description
    22 Knowledge of computer networking concepts and protocols, and network security methodologies.
    24A Knowledge of basic concepts and practices of processing digital forensic data.
    108 Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
    302 Knowledge of investigative implications of hardware, Operating Systems, and network technologies.
    1086 Knowledge of data carving tools and techniques (e.g., Foremost).
    1089 Knowledge of reverse engineering concepts.
    1092 Knowledge of anti-forensics tactics, techniques, and procedures.
    1096 Knowledge of malware analysis tools (e.g., Oily Debug, Ida Pro).
    1158 Knowledge of cybersecurity principles.
    1159 Knowledge of cyber threats and vulnerabilities.
    6810 Knowledge of binary analysis.
    6900 Knowledge of specific operational impacts of cybersecurity lapses.
    6935 Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
    6938 Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.
    25 Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).
    29 Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.
    61 Knowledge of incident response and handling methodologies.
    90 Knowledge of operating systems.
    105 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
    113 Knowledge of server and client operating systems.
    114 Knowledge of server diagnostic tools and fault identification techniques.
    139 Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.
    264 Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
    287 Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).
    290 Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).
    294 Knowledge of hacking methodologies in Windows or Unix/Linux environment.
    310 Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).
    316 Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
    340 Knowledge of types and collection of persistent data.
    345 Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.
    346 Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.
    888 Knowledge of types of digital forensics data and how to recognize them.
    889 Knowledge of deployable forensics.
    923 Knowledge of security event correlation tools.
    1033 Knowledge of basic system administration, network, and operating system hardening techniques.
    1036 Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
    1072 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
    1093 Knowledge of common forensics tool configuration and support applications (e.g., VMWare, WIRESHARK).
    1094 Knowledge of debugging procedures and tools.
    1095 Knowledge of how different file types can be used for anomalous behavior.
    1097 Knowledge of virtual machine aware malware, debugger aware malware, and packing.
    3513 Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.
    6210 Knowledge of cloud service models and possible limitations for an incident response.
    6820 Knowledge of network architecture concepts including topology, protocols, and components.
  • Skills
    ID Description
    217 Skill in preserving evidence integrity according to standard operating procedures or national standards.
    350 Skill in analyzing memory dumps to extract information.
    381 Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).
    890 Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).
    1087 Skill in deep analysis of captured malicious code (e.g., malware forensics).
    1088 Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump).
    1098 Skill in analyzing anomalous code as malicious or benign.
    1099 Skill in analyzing volatile data.
    1100 Skill in identifying obfuscation techniques.
    1101 Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures.
    6850 Skill in analyzing malware.
    6860 Skill in conducting bit-level analysis.
    6870 Skill in processing digital evidence, to include protecting and making legally sound copies of evidence.
    193 Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.
    214A Skill in performing packet-level analysis.
    360 Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
    364 Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
    369 Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
    374 Skill in setting up a forensic workstation.
    386 Skill in using virtual machines.
    389 Skill in physically disassembling PCs.
    1091 Skill in one way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).
  • Abilities
    ID Description
    6890 Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments.
    908 Ability to decrypt digital data collections.
  • Tasks
    ID Description
    438A Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.
    447 Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion.
    463 Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis.
    541 Provide technical summary of findings in accordance with established reporting procedures.
    613 Examine recovered data for information of relevance to the issue at hand.
    752 Perform file signature analysis.
    1082 Perform file system forensic analysis.
    480 Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats.
    482 Decrypt seized data using technical means.
    573 Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence.
    636 Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.
    749 Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment.
    753 Perform hash comparison against established database.
    758 Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView).
    759 Perform timeline analysis.
    762 Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs).
    768 Perform static media analysis.
    771 Perform tier 1, 2, and 3 malware analysis.
    786 Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures).
    817 Provide technical assistance on digital evidence matters to appropriate personnel.
    825 Recognize and accurately report forensic artifacts indicative of a particular operating system.
    839A Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information.
    868A Use data carving techniques (e.g., FTK-Foremost) to extract data for further analysis.
    870 Capture and analyze network traffic associated with malicious activities using network monitoring tools.
    871 Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.
    882A Write and publish cyber defense recommendations, reports, and white papers on incident findings to appropriate constituencies.
    944 Conduct cursory binary analysis.
    1031 Serve as technical expert and liaison to law enforcement personnel and explain incident details as required.
    1081 Perform virus scanning on digital media.
    1083 Perform static analysis to mount an “image” of a drive (without necessarily having the original drive).
    1084 Perform static malware analysis.
    1085 Utilize deployable forensics tool kit to support operations as necessary.
    2179 Coordinate with intelligence analysts to correlate threat assessment data.
    5690 Process image with appropriate tools depending on analyst’s goals.
    5700 Perform Windows registry analysis.
    5720 Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis.
    5730 Enter media information into tracking database (e.g. Product Tracker Tool) for digital media that has been acquired.
    5740 Correlate incident data and perform cyber defense reporting.
    5760 Maintain deployable cyber defense toolkit (e.g. specialized cyber defense software/hardware) to support IRT mission.

Career Outcomes

Our Cyber Defense Forensics Analyst course equips you with the skills needed to investigate and analyze cybersecurity incidents. Through hands-on training, you'll learn to collect and preserve digital evidence, perform malware analysis, and use advanced forensic tools and techniques. Gain expertise in ensuring data integrity and providing technical support during investigations. By the end of the course, you'll be prepared to effectively respond to cyber incidents and support the mitigation of network vulnerabilities.

Certification Detail

MCSI certifications are highly respected and sought-after credentials in the industry. Earning an MCSI certification is a testament to your knowledge and skillset, and demonstrates your commitment to excellence. The content is cutting-edge, uniquely-designed, and hands-on. Our exercises teach in-demand skills that are immediately applicable in the field.

The certifications are valid indefinitely and do not require any renewal fees. The training is accessible without any time limits.


Training Modules

This course provides you with multiple training modules, each of which is designed to teach you practical skills that can help you solve important cyber problems. Each module offers exercises that will help you build your skills and capabilities.

  • MCDFA-001: Lab setup - 4 exercises
  • MCDFA-101: File Analysis - 5 exercises
  • MCDFA-102: Disk and Filesystem Forensics - 3 exercises
  • MCDFA-103: Executable Analysis - 8 exercises
  • MCDFA-201: Windows Forensics - 8 exercises
  • MCDFA-202: Windows 10 Forensics - 2 exercises
  • MCDFA-203: Behavioral Analysis - 5 exercises
  • MCDFA-301: Memory Forensics - 9 exercises
  • MCDFA-302: Malware Analysis - 11 exercises
  • MCDFA-303: Memory Forensics Challenges - 3 exercises
  • MCDFA-304: Network Forensics Challenges - 6 exercises
  • MCDFA-401: Documentation - 5 exercises


Cyber professionals must be ready for everything. The typical security training strategy, which focuses on individual skills and tools, is insufficient. You must be able to operate as part of a team, see the big picture, and respond swiftly and effectively to unforeseen circumstances. That's why, as part of our training, we use replays of whole cyber missions. Our scenarios help you prepare for the demands of the job and give you confidence in your ability to work professionally.

  • MCDFA-SC-01: Business Email Compromise Investigation - 10 exercises
  • MCDFA-SC-02: Ransomware Investigation - 7 exercises
  • MCDFA-SC-03: Android Mobile Forensics Investigation - 10 exercises

Enroll now with lifetime access for $995


MCSI Industry Certifications are important for you to earn because they signify that you have the skills required to work in cybersecurity. Certificates of Completion are also important to earn because they signify that you have completed an exercise. Earning Certificates of Completion and Industry Certifications demonstrates that you are willing to put in the extra work to be successful.

  • Obtain CPE points by solving exercises
  • Achieve multiple certifications
  • Receive help from instructors online

This certification is aligned with the DoD Cyber Workforce Framework (DoD 8140), ensuring you receive training that meets the standards and competencies required for cybersecurity roles within the Department of Defense. This alignment guarantees that you gain relevant, up-to-date skills and knowledge tailored to the specific needs of the DoD cyber workforce, effectively preparing you to support and secure defense operations.

Certificate                                          | Level   | Curriculum Completion Requirement | Scenarios Completion Requirement
MCSI Cyber Defense Forensics Analyst (Basic)         | Level 1 | 50%                               | 0%
MCSI Cyber Defense Forensics Analyst (Intermediate)  | Level 2 | 75%                               | 50%
MCSI Cyber Defense Forensics Analyst (Advanced)      | Level 3 | 95%                               | 100%

Sample Exercises

Below are three (3) exercises from the 100+ exercises available in MCDFA - Certified Cyber Defense Forensics Analyst:

  • Parse A Malicious .Lnk File Using LECmd
  • Use Sysmon For Rapid Malware Analysis
  • Dump The RAM Of A Windows Machine


Our Instructors

Student exercises are reviewed and graded by multiple instructors. This one-of-a-kind approach allows you to get highly personalized input from a number of successful professionals.

MCSI's teachers bring real-world experience and knowledge to the classroom, ensuring that students have the skills they need to excel in the field of information security. Due to their extensive experience in penetration testing, vulnerability assessment, reverse engineering, incident response, digital forensics, and exploit development, students will understand the most up-to-date defensive and offensive cybersecurity strategies and procedures.

Our instructors are passionate about information security and are always looking to further their own knowledge. Students who attend an MCSI course can be confident that they are learning from some of the best in the business. They can adapt their teaching approaches to match the demands of any student, regardless of their degree of expertise.

The MCSI team strives to provide the most comprehensive and up-to-date cybersecurity training available. Whether you are a seasoned security professional or new to the field, MCSI has a course that will meet your needs.

Receive personalized feedback from cybersecurity experts:

  • Overcome challenges and hurdles preventing you from advancing your skills
  • Receive guidance on how to focus your training efforts and avoid wasting time
  • Learn how to meet the industry's quality standards and produce high-quality work
  • When you're stuck, go to a support forum or ask the instructors questions right on the platform

Help and Support

24/7 Discord Community

If you're looking for additional support during your studies, consider joining our Discord server. Our community of fellow students and instructors is always available to provide help and answer any questions you may have.

Personalized Support

Your submissions will be reviewed by MCSI instructors, who will provide you with personalized feedback. This input is critical since it can assist you in identifying the areas where you need to enhance your skills. The instructor's feedback will also tell you how well you did an exercise and what you can do to improve your performance even further.


Quick Questions

If you have any questions or need clarification on any of the exercises, MCSI offers a Quick Questions section on each exercise where you can ask for help. This is a great resource to use if you need assistance. This feature is only available for paid courses.

Actively Maintained Course

This course is actively maintained to ensure that it is current and error-free. We want to ensure that you have the best possible experience while taking this course, which includes having access to accurate and current information. This course is also tested for flaws on a regular basis, so you can be sure you're getting a high-quality product.

This course is constantly updated with the support of trustworthy industry peers to ensure that students are acquiring the most up-to-date information and skills. This dedication to staying ahead of the curve is what distinguishes this course as one of the greatest in the market.


Training Laptop Requirement

This course can be completed on a standard training laptop. To ensure you have the necessary hardware to complete the course, your machine should meet the following specifications:

  • 64-bit Intel i5/i7 2.0+ GHz processor or equivalent
  • 8GB of RAM
  • Ability to run at least one (1) virtual machine using VirtualBox or equivalent virtualization software
  • Windows 10 or later, macOS 10 or later, or Linux
  • Local administrator privileges

Do you support older operating systems?

Yes. Many of the exercises can be completed on older OS versions. A few of our students are successfully using older equipment to learn cyber security.

Proficiency in the English language

You must have the ability to comfortably read and understand IT documentation written in English. Ideally, you have an IELTS score of 6.5 with no band less than 6 (or equivalent).

Note: You can register for this course without having undertaken an English test.

Lab Environment

This course teaches you how to set up and configure your own cybersecurity lab.

There are numerous advantages to creating your own cybersecurity lab rather than paying for one. The cost savings are perhaps the most evident benefit. When compared to the expense of licensing a pre-built lab, creating your own lab can save you thousands of dollars. You also have the option of customizing the lab environment to meet your specific requirements. You can, for example, select the hardware and software that will be used in your lab.

Another advantage of setting up your own cybersecurity lab is that it allows you to learn new skills. Building a lab from the ground up necessitates knowledge of networking, system administration, and other technical subjects. This experience is invaluable in your career as a cybersecurity professional.

We frequently see students who can complete a task in a pre-built lab but cannot complete the same task at work. This is because these labs are meant to lessen work complexity, thereby creating an illusion of personal capabilities. It's also worth noting that you'll be expected to set up your own lab to test tools and techniques in the workplace. Employers may give you the resources to set up virtual computers and networks, but it will be up to you to manage the lab environment and maintain your tools.

Finally, you should know that pre-built labs are not commonly licensed by top cybersecurity professionals. They've realized that setting up a lab is simple, efficient, adaptable, cost-effective, and that it sparks creativity. It also removes the risk of performing unauthorized actions against systems provisioned by a third party.

Aptitude Test (Optional)

This is an advanced course. It includes exercises for novices but assumes that they have competent IT skills and a strong understanding of cybersecurity concepts.

Aptitude Test:

If you're not sure if you'll be able to fully enjoy this course, then contact us via email to organize a free aptitude test. This test will determine whether you meet the course's basic baseline criteria. If you've never studied with us before, it will also introduce you to the MCSI Method™.

Why MCSI's Cyber Defense Forensics Analyst Certification is World Class

Comprehensive Digital Forensics Training

The MCDFA certification ensures participants complete a rigorous training program, demonstrating expertise in digital forensics, incident response, and cyber defense strategies, preparing them for diverse cyber security challenges.

Specialized Focus on Forensic Techniques

MCDFA-certified analysts possess deep knowledge of digital evidence analysis, memory forensics, and network traffic analysis, enabling them to conduct comprehensive investigations into cyber incidents.

Proficiency in Scripting and Automation

The MCDFA certification emphasizes scripting skills in languages like PowerShell and Python for automating forensic processes, improving efficiency in incident response, and enhancing cyber defense operations.

Enrollment and Fees


Terms and Conditions

  • No discounts
  • No refunds
  • No transfers
  • No renewal fees
  • No hidden fees
  • No time limits
  • Exercises must be completed on MCSI's Online Learning Platform
  • You'll also be charged GST if you live in Australia

Cooling-Off Policy

Receive a full refund if you change your mind about a purchase within 24 hours. No questions asked. Read the full details here.

Don't Buy This Course

Don't buy this course if you think learning cyber security is simple, that it will only take a few hours, that remembering a few concepts from videos and books would be enough, or, that you should be provided with walkthroughs and solutions to practical problems instead of thinking critically for yourself.

Our competitors are misleading you by claiming that their video courses and open-book theoretical certificates will teach you everything you need to know about cyber security. We recommend that you stay away from our courses until you've realized that cybersecurity requires hundreds of hours of training against difficult challenges under the watchful eye of experts encouraging you to improve your weaknesses. Only then will you understand the value of this course and the benefits that the MCSI Method™ can bring to your career. We only want satisfied customers.

When purchasing a course, you acknowledge that you understand and agree with our 100% practical MCSI Method™: no solutions, no walkthroughs, and you're expected to use critical thinking and research to solve the exercises. If you're not sure how this works, try our free version before buying.

How does MCSI Compare?

If you are looking for a certification that will give you an edge in the job market, look no further than MCSI certifications. Thanks to our innovative approach, cybersecurity training is more affordable and effective than traditional methods.

Our pricing is more affordable than our competitors because we have reinvented how cyber training is done online. Our innovative Online Learning Platform is highly effective at teaching cyber security. The platform provides a more engaging and interactive learning experience than traditional methods, which helps students learn and retain skills better. Try the free version and see for yourself.

Enroll now with lifetime access for $995

Bloom's Taxonomy

Bloom's Taxonomy is a system for categorizing distinct stages of intellectual growth. It is used in education to help students comprehend and learn material more effectively. MCSI teaches students how to apply, analyze, evaluate, and create at the highest levels of the taxonomy. The majority of our competitors are simply concerned with getting you to remember concepts.

The intellectual developments outlined in Bloom's Taxonomy are directly tied to your capacity to advance in your cyber security career. Employers look for people who can solve challenges that are worth paying for. With us, you'll learn practical skills that are in demand and applicable to a wide range of cyber occupations.

Industry Recognized Skills

MCSI credentials are well-respected around the world, and organisations searching for people with real cyber security abilities seek them out. Obtaining an MCSI certification verifies your understanding of critical cyber security topics as well as your ability to provide real-world results.

The ability of MCSI's training programme to provide students with real-world, hands-on experience is unrivalled. Students must conduct their own research and develop their own answers in order to complete our practical exercises, which are meant to give them the skills they need to be successful in the field.

With MCSI, you will build a comprehensive cybersecurity portfolio of your skills as you complete exercises. This portfolio is a powerful tool for displaying your cybersecurity knowledge and abilities. A portfolio, as opposed to typical resumes and paper-based credentials, presents a more thorough summary of your skills and accomplishments.

Students Feedback

Here's what students say about the MCSI Method™ and our Online Learning Platform:

Student Testimonials

Frequently Asked Questions

What is the MCSI Method™?

Common Questions

  • Are solutions included in certifications and bundles?
    • No. Our method of teaching cyber security consists of challenging you with real-world problem statements that you're expected to research and solve on your own. This is how you'll be expected to work in the field. When you fail an exercise, we provide you with constructive feedback so you can improve and try again.
  • Do bundles, training content, or certificates ever expire? Am I expected to buy again in the future?
    • Upon purchase, bundles and certificates are permanently unlocked with no recurring or ongoing fees.
  • Do I need to buy the training and the certification separately?
    • No. The price provided covers both. You only pay once.
  • Do you offer any special offers and discounts?
    • We understand that many of our customers may be looking for discounts, and we would love to be able to offer them. However, we do not provide discounts because we believe that our prices are fair and reasonable. We work hard to keep our prices low, and we feel that discounts would be unfair to our other customers. We hope you understand.
  • If I can't solve an exercise, where do I go for help?
  • Who reviews and marks exercises?
    • Trained cyber security instructors that work for Mossé Cyber Security Institute.
    • MCSI instructors are highly qualified and experienced professionals who are able to teach a variety of topics related to information security. They have the ability to tailor their teaching methods to meet the needs of each student, regardless of their experience level. In addition, they are always up-to-date on the latest trends and developments in information security, which enables them to provide students with the most relevant and current information.
  • We can't pay via credit card. Can you raise an invoice for wire payment instead?
    • Yes. Send us the list of bundles and certifications you want to purchase at [email protected]
  • Can I access a trial/demo of the certification programmes prior to enrolling?
    • We provide a free curriculum with 100+ hours of practical exercises you can try.
    • The Free Curriculum teaches Security Tools, Penetration Testing, Red Teaming, Threat Hunting, Cyber Defence, GRC and Windows Internals.
    • Try the Free Curriculum
  • Do you provide Continuing Professional Education (CPE) credits?
    • Yes. Every single exercise offers CPE credits. The number of credits earned depends on the difficulty of the exercise completed. Below are the CPE credits earned for an exercise at each difficulty level:
    • Novice exercises = 1 CPE credit
    • Advanced Beginner exercises = 2 CPE credits
    • Competent exercises = 5 CPE credits
  • Do I need to complete an exam to receive MCSI Certification?
    • No. MCSI Certifications are completed by solving practical cybersecurity exercises.
  • Do I need to purchase cybersecurity tools or subscriptions?
    • No. Only free or trial versions of tools are used in our exercises. You are not required to make any purchases.


Visit our Frequently Asked Questions (FAQ) page for answers to the most common questions we receive.

Ready to learn hands-on cyber security skills online?

Try 100 hours for free