Understanding what forensic artifacts are present in the Windows and Linux Operating Systems, how to collect them, and leverage them to investigate security incidents.

RahulCyberX/Digital-Forensics-Incident-Response


TryHackMe

Digital Forensics and Incident Response - SOC Level 1 (Legacy)

Overview

Walkthroughs for the TryHackMe SOC Level 1 (Legacy) Digital Forensics and Incident Response module: which forensic artifacts exist on Windows and Linux, how to collect them, and how to use them to investigate an incident. The module starts with DFIR concepts and the Windows and Linux artifact rooms, then covers the tooling (Autopsy, Redline, KAPE, Volatility 3, Velociraptor, TheHive, introductory malware analysis) and closes with four challenge rooms (Unattended, Disgruntled, Critical, Secret Recipe). Each entry below links to the TryHackMe room, the write-up in this repository, and the matching Medium article.

Table of Contents


DFIR: An Introduction


What DFIR is and why it is needed, the core concepts (artifacts, evidence preservation, chain of custody, order of volatility, timeline creation), the tools the rest of the module uses, and the incident response process (NIST SP 800-61 and the SANS PICERL phases) that the later rooms build on.


Room Link: https://tryhackme.com/room/introductoryroomdfirmodule
Github: https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/DFIR%20An%20Introduction
Medium: https://rahulcyberx.medium.com/dfir-an-introduction-complete-tryhackme-walkthrough-3e13107cecc5

Windows Forensics 1


Registry forensics: where the hive files live on disk, how to acquire and parse them offline, and which keys record system, user and execution activity (UserAssist, ShimCache, AmCache, BAM/DAM, ShellBags, recently used files, USB device history). Because the hives persist on disk, this evidence survives a reboot.


Room Link: https://tryhackme.com/room/windowsforensics1
Github (Part 1): https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/Windows%20Forensics%201%20Part%201
Github (Part 2): https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/Windows%20Forensics%201%20Part%202
Medium: https://rahulcyberx.medium.com/windows-forensics-1-complete-tryhackme-walkthrough-fea95d679f5c

Windows Forensics 2


File-system artifacts: FAT and NTFS structures, the $MFT, $LogFile and USN journal, and the execution and file-access records in Prefetch, SRUM, the Windows 10 timeline, Jump Lists and LNK files, plus how to parse each and recover deleted files. The OS writes these records in the background, so an attacker who only removes their own tooling usually leaves them behind.


Room Link: https://tryhackme.com/room/windowsforensics2
Github: https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/Windows%20Forensics%202
Medium: https://rahulcyberx.medium.com/windows-forensics-2-complete-tryhackme-walkthrough-f7ef1f12e869

Linux Forensics


Linux artifacts: OS release and account information (/etc/passwd, /etc/group, sudoers), login records (wtmp, btmp, lastlog), auth.log, bash history and .sudo_as_admin_successful, cron jobs, services and the logs under /var/log, and how to combine them into a timeline of user activity.


Room Link: https://tryhackme.com/room/linuxforensics
Github: https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/Linux%20Forensics
Medium: https://rahulcyberx.medium.com/linux-forensics-complete-tryhackme-walkthrough-7bc7caebb6bb

Autopsy


Autopsy workflow: create a case, add a disk image (E01) as a data source, choose ingest modules, review the results (file analysis, keyword hits, timeline) and generate a report, then apply the same workflow to a practical investigation.


Room Link: https://tryhackme.com/room/btautopsye0
Github: https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/Autopsy
Medium: https://rahulcyberx.medium.com/autopsy-complete-tryhackme-walkthrough-62f60ec0efed

Redline


Host and memory triage with Redline: build a Standard Collector or an IOC Search Collector, run it on the endpoint, then review processes, handles, network activity, the timeline and IOC hits in the analysis session.


Room Link: https://tryhackme.com/room/btredlinejoxr3d
Github: https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/Redline
Medium: https://rahulcyberx.medium.com/redline-complete-tryhackme-walkthrough-1041405f3a3f

KAPE


Kroll Artifact Parser and Extractor: how Targets (what to collect) and Modules (how to process it) are defined, the gkape GUI and the kape.exe command line, and how to use them for fast triage collection of Windows artifacts.


Room Link: https://tryhackme.com/room/kape
Github (Part 1): https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/KAPE%20Task1-6
Github (Part 2): https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/KAPE%20Task7
Medium: https://rahulcyberx.medium.com/kape-complete-tryhackme-walkthrough-894ef4286465

Volatility


Volatility 3 memory analysis: identify the image (windows.info), list processes and the process tree, network connections, loaded DLLs and handles, and hunt for injected code with malfind and yarascan, then a practical investigation. Volatility 3 resolves symbol tables automatically, so the profile selection step from Volatility 2 no longer applies.


Room Link: https://tryhackme.com/room/volatility
Github (Part 1): https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/Volatility%20Task1-9
Github (Part 2): https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/Volatility%20Task10
Medium: https://rahulcyberx.medium.com/volatility-complete-tryhackme-walkthrough-ac67b04e03c3

Velociraptor


Velociraptor deployment and use: stand up the server and enrol clients, query endpoints with VQL and the built-in artifact library, run hunts across a fleet and review results in notebooks, combining live memory, disk and YARA collection at scale.


Room Link: https://tryhackme.com/room/velociraptorhp
Github (Part 1): https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/Velociraptor%20Task1-7
Github (Part 2): https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/Velociraptor%20Task8
Medium: https://rahulcyberx.medium.com/velociraptor-complete-tryhackme-walkthrough-6e921302eb4b

TheHive Project


TheHive case management: create cases and tasks, add and tag observables, record TTPs, and use the MISP integration to share indicators, so that an investigation is documented while it runs.


Room Link: https://tryhackme.com/room/thehiveproject
Github (Part 1): https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/TheHive%20Project%20Task1-4
Github (Part 2): https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/TheHive%20Project%20Task5
Medium: https://rahulcyberx.medium.com/thehive-project-complete-tryhackme-walkthrough-ca816e766e6f

Intro to Malware Analysis


The first static and dynamic analysis steps a triage analyst takes on a sample (hashes, strings, PE headers, sandbox runs) before escalating it to a reverse-engineering team.


Room Link: https://tryhackme.com/room/intromalwareanalysis
Github: https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/Intro%20to%20Malware%20Analysis
Medium: https://rahulcyberx.medium.com/intro-to-malware-analysis-complete-tryhackme-walkthrough-d1c7c58fec87

Unattended


Windows forensics challenge: apply the registry and file-system artifacts from the Windows Forensics rooms, with Registry Explorer and Autopsy, to reconstruct what a user did on a workstation that was left unattended.


Room Link: https://tryhackme.com/room/unattended
Github: https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/.Unattended%20(Windows%20Forensics%20%2B%20Autopsy)
Medium: https://rahulcyberx.medium.com/unattended-complete-tryhackme-walkthrough-02a710218dfe

Disgruntled


Linux forensics challenge: use auth.log, bash history, cron and the other artifacts from the Linux Forensics room to reconstruct what a disgruntled former employee did on a Linux server.


Room Link: https://tryhackme.com/room/disgruntled
Github: https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/.Disgruntled%20(Linux%20Forensics)
Medium: https://rahulcyberx.medium.com/disgruntled-complete-tryhackme-walkthrough-8f35e1dda100
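As an added example for the Linux Forensics room and the Disgruntled challenge (this is not code from the rooms or from this repository), the following Python script builds the login and sudo timeline both rooms ask for from a handful of constructed auth.log lines. The hostname srv01, user itadmin and address 203.0.113.7 in the sample are invented, and the capture year is an assumption because syslog timestamps carry none.

```python
"""
Timeline of SSH logins and sudo commands from /var/log/auth.log.

Added example, not code from the TryHackMe rooms or this repository. The
log lines are constructed (hostname, user and address are invented); the
regular expressions match the standard OpenSSH and sudo message formats
written to auth.log on Debian/Ubuntu hosts.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# syslog timestamps carry no year; assume the year the evidence was captured (assumption)
CAPTURE_YEAR = 2024

# Constructed sample. A real case reads /var/log/auth.log plus the rotated auth.log.1, *.gz.
SAMPLE_AUTH_LOG = """\
Dec 11 09:14:02 srv01 sshd[1012]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Dec 11 09:14:05 srv01 sshd[1012]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Dec 11 09:14:09 srv01 sshd[1015]: Failed password for itadmin from 203.0.113.7 port 50130 ssh2
Dec 11 09:14:12 srv01 sshd[1015]: Accepted password for itadmin from 203.0.113.7 port 50130 ssh2
Dec 11 09:15:40 srv01 sudo:  itadmin : TTY=pts/0 ; PWD=/home/itadmin ; USER=root ; COMMAND=/usr/bin/apt install rsync
Dec 11 09:31:02 srv01 sudo:  itadmin : TTY=pts/0 ; PWD=/home/itadmin ; USER=root ; COMMAND=/usr/bin/nano /etc/crontab
Dec 11 09:32:55 srv01 sudo:  itadmin : TTY=pts/0 ; PWD=/var/www ; USER=root ; COMMAND=/bin/tar czf /tmp/www.tar.gz /var/www/html
Dec 11 09:40:01 srv01 CRON[1200]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
# "Accepted password for alice from 10.0.0.1 port 1234 ssh2" / "Failed password for invalid user bob ..."
SSH_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# "sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id"
SUDO_RE = re.compile(
    TS + r" \S+ sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_ts(ts: str) -> datetime:
    """Attach the assumed year so the timestamps sort and compare correctly."""
    return datetime.strptime(f"{CAPTURE_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def build_timeline(log_text: str) -> list:
    """Turn SSH and sudo lines into a time-sorted list of event dicts; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({"time": parse_ts(m["ts"]), "type": f"ssh_{m['result'].lower()}",
                           "user": m["user"], "src": m["ip"]})
            continue
        m = SUDO_RE.match(line)
        if m:
            events.append({"time": parse_ts(m["ts"]), "type": "sudo", "user": m["user"],
                           "target": m["target"], "cmd": m["cmd"]})
    events.sort(key=lambda e: e["time"])  # stable sort keeps same-second lines in log order
    return events


def failed_login_sources(events: list, threshold: int = 2) -> dict:
    """Source addresses with at least `threshold` failed SSH logins (brute-force candidates)."""
    counts = Counter(e["src"] for e in events if e["type"] == "ssh_failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def sudo_sessions(events: list) -> list:
    """Attribute each sudo command to the most recent accepted SSH login for that user."""
    last_login: dict = {}
    out = []
    for e in events:
        if e["type"] == "ssh_accepted":
            last_login[e["user"]] = e
        elif e["type"] == "sudo":
            login: Optional[dict] = last_login.get(e["user"])
            out.append({**e, "login_src": login["src"] if login else None})
    return out


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_AUTH_LOG)
    for e in timeline:
        print(e["time"].isoformat(sep=" "), e["type"], e.get("user"), e.get("src") or e.get("cmd"))
    print("failed-login sources:", failed_login_sources(timeline))
    for s in sudo_sessions(timeline):
        print(f"{s['user']} (from {s['login_src']}) ran as {s['target']}: {s['cmd']}")
```

Run it against a real auth.log by reading the file into build_timeline; the tar command attributed to a session that started with three failed passwords is exactly the sequence a staging-for-exfiltration question is built around.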

Critical


Memory forensics challenge: analyse a memory dump with Volatility to identify the suspicious process, the credential-dumping tool and the C2 domain it talks to.


Room Link: https://tryhackme.com/room/critical
Github: https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/.Critical%20(Memory%20Forensics%20%2B%20Volatility)
Medium: https://rahulcyberx.medium.com/critical-complete-tryhackme-walkthrough-15d463b15f9a
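Added example for the Volatility room and the Critical challenge (not code from either room or from this repository): the checks below run over constructed rows shaped like windows.pstree output and flag the parent-child anomalies, look-alike names, duplicate singleton processes and Office-spawned script hosts an analyst looks for when hunting a credential dumper or C2 beacon in a memory image. The expected-parent table is an assumption that holds for default Windows installs; the PIDs and names in the sample are invented.

```python
"""
Process-tree sanity checks over Volatility 3 windows.pstree style rows.

Added example, not from the TryHackMe rooms or this repository. The rows are
constructed to resemble `vol -f mem.raw windows.pstree` output (PID, PPID,
ImageFileName); the expected-parent baseline is the normal Windows boot
hierarchy and is an assumption for default installs.
"""
from collections import Counter

# Constructed sample rows: (PID, PPID, ImageFileName). Real rows come from windows.pstree / windows.pslist.
SAMPLE_PSTREE = [
    (4, 0, "System"),
    (312, 4, "smss.exe"),
    (420, 404, "csrss.exe"),          # parent smss.exe instance has exited: PPID not in list
    (496, 404, "wininit.exe"),
    (588, 496, "services.exe"),
    (604, 496, "lsass.exe"),
    (720, 588, "svchost.exe"),
    (1480, 1448, "explorer.exe"),     # userinit.exe parent has exited
    (2316, 1480, "WINWORD.EXE"),
    (2788, 2316, "powershell.exe"),   # Office spawning a script host
    (3104, 2788, "svchost.exe"),      # svchost.exe not parented by services.exe
    (3320, 2788, "lsasss.exe"),       # typo-squatting a system binary
    (3400, 2788, "lsass.exe"),        # a second lsass.exe
]

# Lower-case names; a missing parent (already exited) is not flagged by itself.
EXPECTED_PARENT = {
    "smss.exe": {"system", "smss.exe"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}
SYSTEM_NAMES = set(EXPECTED_PARENT) | {"system", "explorer.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike names such as lsasss.exe or scvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_tree(rows: list) -> list:
    """Return (pid, name, reason) findings for every row that breaks a baseline rule."""
    by_pid = {pid: name for pid, _, name in rows}
    counts = Counter(name.lower() for _, _, name in rows)
    findings = []
    for pid, ppid, name in rows:
        lname = name.lower()
        parent = by_pid.get(ppid)                      # None when the parent has exited
        plname = parent.lower() if parent else None
        if lname in EXPECTED_PARENT and plname is not None and plname not in EXPECTED_PARENT[lname]:
            findings.append((pid, name, f"parent is {parent}, expected one of {sorted(EXPECTED_PARENT[lname])}"))
        if lname not in SYSTEM_NAMES:
            nearest = min(SYSTEM_NAMES, key=lambda known: edit_distance(lname, known))
            dist = edit_distance(lname, nearest)
            if dist <= 2:
                findings.append((pid, name, f"looks like {nearest} (edit distance {dist})"))
        if lname in SINGLETONS and counts[lname] > 1:
            findings.append((pid, name, f"{counts[lname]} instances of a singleton process"))
        if plname in OFFICE_APPS and lname in SCRIPT_HOSTS:
            findings.append((pid, name, f"spawned by {parent}"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in check_tree(SAMPLE_PSTREE):
        print(f"PID {pid:>5} {name:<16} {reason}")
```

Feed it the PID, PPID and ImageFileName columns from your own pstree output; the rules are deliberately conservative (a parent that has exited is never flagged on its own) so the findings are worth following up with windows.cmdline, windows.dlllist and malfind on the flagged PIDs.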

Secret Recipe


Registry-only investigation with Registry Explorer: reconstruct the attacker's activity from the exported hive files (SYSTEM, SOFTWARE, SAM, NTUSER.DAT, UsrClass.dat) with no other evidence available.


Room Link: https://tryhackme.com/room/registry4n6
Github: https://github.com/RahulCyberX/Digital-Forensics-Incident-Response/tree/main/.Secret%20Recipe%20(Registry%20Forensics%20%2B%20Registry%20Explorer)
Medium: https://rahulcyberx.medium.com/secret-recipe-complete-tryhackme-walkthrough-15aa888883fc
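Added example covering the Windows Forensics 1 room and the Secret Recipe challenge (not code from the rooms or from this repository): decoding one UserAssist entry, the ROT13 value name plus the run count and last-execution FILETIME in the binary value. The entry is constructed in code; the 72-byte layout (run count at offset 4, focus count at 8, focus time at 12, FILETIME at offset 60) is the Windows 7 and later format, and the GUID and program name are illustrative.

```python
"""
Decode a UserAssist registry entry: the value name is ROT13 encoded and the
binary value holds a run count and a last-executed FILETIME.

Added example, not from the TryHackMe rooms or this repository. The entry is
constructed here; on a real system the values live under
NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count
and are exported with Registry Explorer, RegRipper or python-registry.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC; zero means never run."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Integer arithmetic only, so a 2020s timestamp does not lose precision in a float."""
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10


def decode_userassist(value_name: str, data: bytes) -> dict:
    """Windows 7+ layout (72 bytes): run count at offset 4, focus count at 8,
    focus time in ms at 12, last-executed FILETIME at offset 60."""
    if len(data) < 68:
        raise ValueError("UserAssist value too short for the Windows 7+ format")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(value_name, "rot_13"),   # ROT13 only touches ASCII letters
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_executed": filetime_to_datetime(last_ft),
    }


def make_sample_entry(program: str, run_count: int, last_executed: datetime) -> tuple:
    """Build a constructed (value name, value data) pair in the same layout, for demonstration."""
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, 3, 45_000)   # focus count 3, 45 s of focus (made up)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_executed))
    return codecs.encode(program, "rot_13"), bytes(data)


# Constructed sample: the known-folder GUID for %SystemRoot%\System32 plus an illustrative program.
SAMPLE_NAME, SAMPLE_DATA = make_sample_entry(
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\mspaint.exe",
    run_count=5,
    last_executed=datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc),
)


if __name__ == "__main__":
    print("stored name :", SAMPLE_NAME)
    for key, value in decode_userassist(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{key:<14}: {value}")
```

Registry Explorer and RegRipper do this decoding for you; the point of doing it by hand once is to know which offsets the timestamp and count come from, so that an odd value (a run count of zero with a recent FILETIME, or a name that still looks ROT13-encoded) stands out in a hive you are reading manually.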