
Linux Endpoint Investigation

Master Linux Endpoint Investigation

Respond decisively when Linux systems are under attack. Learn a proven forensic methodology to investigate, contain, and eradicate threats in Linux, cloud, and container environments — turning complex incidents into structured, defensible investigations.


What you'll be able to do

Apply a structured forensic methodology to investigate incidents on Linux systems
Collect and analyse volatile and persistent evidence from Linux hosts, cloud instances, and containers
Investigate attacker activity in Docker, Kubernetes, and cloud workloads (AWS, Azure, GCP)
Reconstruct attack timelines using Linux artefacts, logs, memory, and cloud audit trails
Perform effective containment and eradication with minimal disruption to production environments
Document and report Linux-focused investigations clearly for technical and executive stakeholders
FOR402 | Premium tier | 17 modules | 36–40 hours at your own pace | 40 CPE credits | 11 free preview lessons — no account needed | Updated June 2026
Course Agenda (11 modules)

Course overview

The Linux Endpoint Investigation course teaches a practical forensic methodology specifically for Security Engineers and IR Practitioners working in Linux, cloud, and container environments. You'll gain hands-on expertise to:

Collect and analyse volatile and persistent evidence from Linux systems
Investigate attacks in cloud workloads (AWS, Azure, GCP) and container platforms (Docker, Kubernetes)
Reconstruct attacker activity using Linux artefacts, logs, and memory
Perform containment, eradication, and recovery with minimal business disruption

By the end, you'll have the skills and structured approach to confidently lead Linux-focused incident response — reducing dwell time and strengthening defences in modern cloud-native and hybrid environments.

Who this course is for

You're a Security Engineer or Incident Response Practitioner who needs to investigate and respond to security incidents in Linux, cloud, and container environments. This course is built for you if you want to:

Move from ad-hoc Linux troubleshooting to a professional, repeatable forensic methodology
Master evidence collection and analysis across Linux servers, cloud instances, and modern container platforms
Gain confidence when responding to attacks in cloud-native and hybrid Linux environments
Bridge the gap between traditional Linux forensics and cloud/container-specific techniques

In short: if you're responsible for investigating incidents on Linux systems and want to do it effectively and professionally, this course is for you.

What you'll learn

By the end of this Linux Endpoint Investigation course you will be able to:

Execute a proven end-to-end forensic investigation methodology for Linux environments
Collect and preserve volatile data (memory, processes, network connections) and persistent artefacts
Analyse key Linux evidence sources: logs (syslog, auditd, journalctl), file system artefacts, and memory dumps
Investigate container (Docker/Kubernetes) and cloud workload attacks using cloud logs and runtime security tools
Reconstruct attacker timelines and identify persistence mechanisms in Linux environments
Perform safe containment, eradication, and recovery actions in production Linux and cloud systems

Key course takeaways

Master a repeatable forensic methodology tailored for Linux, cloud, and container incidents
Confidently collect and analyse evidence across Linux hosts, Docker, Kubernetes, and cloud platforms
Reconstruct attacks quickly and accurately to reduce dwell time
Bridge traditional Linux forensics with modern cloud-native investigation techniques
Perform effective containment and eradication with minimal business impact
Become a trusted Linux Incident Responder who can handle complex incidents in today's hybrid and cloud environments

Things you need to know

What are the prerequisites for this course?

There are no prerequisites. The course teaches Linux forensic investigation from first principles. Basic Linux command-line familiarity will help you move faster, but it is not required. Every artefact, tool, and technique is explained at first use.

What are the device requirements?

A device with a modern browser. For hands-on forensic work, a Linux VM (Ubuntu or RHEL) with standard forensic tools. The course walks you through setup and provides evidence datasets for all scenarios.

How will the course benefit your career?

Linux runs the majority of cloud workloads, containers, and production servers. Most IR practitioners are stronger on Windows than on Linux, so closing this gap is a career differentiator. This course gives you the Linux forensic methodology, artefact knowledge, and container/cloud investigation skills that make you effective across the full infrastructure stack.

Cross-platform IR capability is increasingly a requirement for senior DFIR and security engineering roles.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy investigation scripts, collection tools, and analysis workflows in your production environment. You may not redistribute course content or share account credentials.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 2.0 | Last updated: June 2026

June 2026 — v2.0: Course rebuilt and renamed to Linux Endpoint Investigation. Ten modules from forensic foundations through compromise scenarios to readiness and reporting.

v1.0: Course launch. Filesystem forensics, log analysis, memory forensics, container and cloud investigation.

This course is actively maintained.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes | 3 phases | 100 points | 2 scenarios

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.