The course objective is to provide Department of Defense and federal law enforcement cyber investigations analysts with a scenario-based course that teaches how to investigate intrusions on live, large-scale, heterogeneous enterprise networks as the intrusions occur. Students learn how to conduct a timely and efficient intrusion investigation on live servers with a variety of operating systems. They collect and analyze volatile data from multiple network devices and compromised computers, and they set up network monitoring sensors. Students learn to assess the scope of live, dynamic network incidents and to apply investigative methodology while on scene to identify the source, target, and methods of a network compromise.