Flagship Course

Forensic Methodology for Security Engineers, IR Practitioners, and Incident Responders in Windows and M365 Environments

Aligned to NIST SP 800-61 Rev 3 · CSF 2.0 · MITRE ATT&CK

Incident Response: Windows and Microsoft 365

Investigate incidents across Windows and Microsoft 365 — from alert to containment report.

Trace an attacker through sign-in logs, endpoint telemetry, email evidence, and cloud audit trails using a consistent five-step methodology. Investigate AiTM phishing, BEC, ransomware, insider threat, and multi-vector attacks end-to-end. Write the KQL queries that find the evidence, make the containment decisions that stop the damage, and produce the investigation report that your CISO and legal counsel can act on.

What you'll deploy
4 complete investigation scenarios: BEC, ransomware, insider threat, APT
Five-step reasoning chain applied across cloud and endpoint evidence
KAPE + Velociraptor + Volatility 3 forensic collection pipeline
Court-ready IR documentation templates and evidence handling procedures
INCIDENT RESPONSE — INVESTIGATION TIMELINE
T+0:00  Alert: AiTM phishing — credential harvested via proxy page
        Source: Defender for Office 365 → EmailEvents table → KQL
T+0:04  Session token replayed — attacker authenticates as victim
        Source: Entra ID SigninLogs → Conditional Access evaluation → KQL
T+0:12  Inbox rule created — forwarding financial emails externally
        Source: Purview Audit → Exchange PowerShell → Mailbox audit log
T+0:38  Malicious attachment downloaded — payload executes on endpoint
        Source: Prefetch + AmCache (EZTools) → DeviceProcessEvents (KQL)
T+2:15  Lateral movement — PsExec to domain controller via stolen creds
        Source: Event Log 7045 (EvtxECmd) → Volatility 3 → NTFS $MFT timeline

20 modules · 12 tools · 4 scenarios · 36–40 hours · 40 CPE credits

What you'll be able to do

Investigate AiTM phishing, BEC, ransomware, and insider threat incidents end-to-end
Write KQL queries that extract forensic evidence from Sentinel and Defender XDR
Make containment decisions that stop active attacks without destroying evidence
Reconstruct attacker timelines across cloud and endpoint telemetry
Produce investigation reports for CISO, legal counsel, and regulatory bodies
Premium tier | 20 modules across 5 phases | 36–40 hours at your own pace | 40 CPE credits | 2 free modules — no account needed | Updated May 2026

Who this course is for

“I triage alerts but I’ve never investigated an incident end-to-end.” You classify and escalate. The senior analyst does the investigation. You want to be the one who traces the attacker from the phishing email through the token replay, across the endpoint, into lateral movement, and produces the report that says exactly what happened. This course builds that capability.

“We had a ransomware incident and the investigation was chaos.” Nobody knew which evidence to collect first. Volatile data was lost when endpoints were rebooted. The investigation took three weeks instead of three days because there was no methodology. This course gives you the five-step reasoning chain and the tool pipeline that makes investigations systematic.

“I can run KAPE and Volatility but I don’t know what to do with the output.” Tool proficiency isn’t investigation proficiency. You collect a KAPE triage package and get 200 files. This course teaches you which artifacts answer which questions, how to correlate Prefetch with Event Logs with MFT timestamps, and how to build the timeline that tells the story.

“The attack crossed from M365 into on-prem and I lost the trail.” The attacker phished a credential in Exchange Online, replayed the token to access SharePoint, downloaded a payload to an endpoint, and moved laterally to the domain controller. You need to follow that trail across cloud audit logs, sign-in telemetry, and endpoint forensics. This course teaches that cross-domain correlation.

“My investigation report said ‘malware was found and removed’ and legal sent it back.” Legal counsel needs scope, impact, evidence chain, and remediation verification. Your CISO needs a timeline they can present to the board. This course builds the IR report that answers every question — what happened, how far it spread, what was taken, and how you know the attacker is out.

“I know IR from another platform and need the M365 investigation stack.” The forensic methodology transfers. The data sources don’t. SigninLogs, AuditLogs, DeviceProcessEvents, IdentityLogonEvents, CloudAppEvents — different tables, different schemas, different correlation points. This course gets you productive investigating in the Microsoft stack.

Whatever your background — if the subject interests you and you’re willing to put in the work, this course is for you.

Before and after this course

Before

A BEC alert fires. You check the sign-in logs, see the suspicious IP, and reset the password. Investigation complete — except you didn’t check for inbox rules forwarding financial emails, OAuth app persistence, or whether the attacker accessed SharePoint. The real damage happens after your “containment.”

You run KAPE and get a directory of collected files. You know Prefetch exists, Event Logs exist, registry hives exist — but you don’t know which artifact answers “what executed at 2:14 AM” and which answers “how did they persist across reboot.”

The attacker moved from cloud to endpoint. Your cloud investigation found the phishing email and the token replay. Your endpoint investigation found the malware. Nobody connected the two into a single timeline showing how they got from email to domain controller.

Your investigation report is a bullet list of findings. Legal counsel asks for the evidence chain. Your CISO asks for the timeline. The board asks for the business impact. You have none of these.

After

BEC alert fires. You trace the full chain: phishing email, token replay, inbox forwarding rule, SharePoint access, OAuth app consent. You contain all five persistence and access vectors before the attacker can use any of them. The investigation scope is complete because the methodology is complete.

KAPE collects. EZ Tools parses. You know Prefetch tells you what ran, AmCache tells you first execution, ShimCache tells you what the system knew about, and Event Log 7045 tells you what installed as a service. Each artifact answers a specific question and you pick the right one.

The unified timeline connects cloud and endpoint: phishing email at T+0, token replay at T+4 minutes, payload download at T+38 minutes, PsExec to the DC at T+2 hours 15 minutes. One timeline, one investigation, one report. The cross-domain correlation is the investigation.

Your IR report has the timeline, the evidence chain with hash verification, the scope assessment, the containment verification, the remediation recommendations, and the detection improvements. Legal, the CISO, and the board each get the document that answers their questions.

How the course works

Five phases build from methodology and tooling through forensic analysis to full investigation scenarios:

Phase 1
Foundations

NIST SP 800-61 Rev 3 framework, five-step reasoning chain, toolkit setup (KAPE, Velociraptor, Volatility 3, EZ Tools), evidence acquisition procedures.

Phase 2
Endpoint Forensics

Execution artifacts, persistence mechanisms, filesystem and registry analysis, event log forensics, memory forensics with Volatility 3, lateral movement evidence.

Phase 3
Cloud Investigation

M365 identity compromise, Exchange Online forensics, SharePoint and OneDrive evidence, Entra ID investigation, Defender XDR platform analysis.

Phase 4
Scenarios

Ransomware, BEC & financial fraud, insider threat with cloud sync exfil, APT with edge-appliance persistence. Full end-to-end investigations.

Phase 5
IR Program

IR reporting for legal and leadership, building organizational readiness, tabletop exercises, and the multi-vector capstone investigation.

What the content looks like

This is a real investigation timeline from the BEC scenario. After tracing the attacker from phishing email through token replay to financial fraud, you reconstruct the cross-domain timeline that shows exactly what happened:

Timeline — From Module 14: BEC Investigation
2026-03-14 09:14:22 UTC  [Cloud]     EmailEvents: phishing email delivered to t.ashworth@ne.com
2026-03-14 09:16:47 UTC  [Cloud]     SigninLogs: successful sign-in from 198.51.100.47 (proxy IP)
                                     AuthenticationRequirement: singleFactorAuthentication
                                     ConditionalAccessStatus: notApplied (no CA for this app)
2026-03-14 09:17:03 UTC  [Cloud]     AuditLogs: inbox rule created — "Auto-Forward-Finance"
                                     ForwardTo: external-inbox@protonmail.com
2026-03-14 09:22:15 UTC  [Cloud]     AuditLogs: OAuth app consent — "DocuSign Verify"
                                     Permissions: Mail.ReadWrite, Files.ReadWrite.All
2026-03-14 09:31:44 UTC  [Cloud]     CloudAppEvents: 47 emails read via Graph API
                                     Subject filter: "invoice" OR "payment" OR "wire"
2026-03-14 10:05:12 UTC  [Cloud]     EmailEvents: fraudulent wire instruction sent from
                                     t.ashworth@ne.com to accounts-payable@ne.com
                                     Subject: "Updated Wire Instructions — Vendor Payment"

51 minutes from phishing email to fraudulent wire instruction. Every timestamp sourced from a specific log table. Every attacker action mapped to the evidence that proves it happened. The timeline is the investigation deliverable that legal, leadership, and law enforcement all need. Every module teaches at this level — the evidence, the query, the interpretation, and the documentation.
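The cross-domain timeline above is built by normalising every source to UTC before sorting, since cloud tables such as SigninLogs report in UTC while endpoint exports may carry a local offset or no zone at all. The following is an added example, not course material or the lab pack's code: it takes constructed records shaped like SigninLogs, AuditLogs, DeviceProcessEvents and a PECmd Prefetch export (all field values are invented), converts them to aware UTC, sorts them, labels each with a T+ offset from the first event, and pairs endpoint events from different sources that fall within a few seconds of each other as corroboration. The assumption that Prefetch LastRun values are already UTC is stated explicitly at the call site rather than guessed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records, one per evidence source. Field names imitate the
# tables named on the page, but every value is invented for this example.
SIGNIN_LOGS = [
    {"TimeGenerated": "2026-03-14T09:16:47Z", "UserPrincipalName": "t.ashworth@ne.com",
     "IPAddress": "198.51.100.47", "ResultType": "0"},
]
AUDIT_LOGS = [
    {"TimeGenerated": "2026-03-14T09:17:03.412Z", "OperationName": "New-InboxRule",
     "Target": "Auto-Forward-Finance"},
]
# Endpoint export from a host configured for UTC-05:00; the offset travels with
# the timestamp, so conversion is unambiguous.
DEVICE_PROCESS_EVENTS = [
    {"Timestamp": "2026-03-14T04:38:19-05:00", "FileName": "invoice_0314.exe",
     "InitiatingProcessFileName": "outlook.exe"},
]
# Prefetch parsed with PECmd: LastRun is UTC but carries no offset marker, so the
# caller must assert that (assumption made explicit below).
PREFETCH = [
    {"LastRun": "2026-03-14 09:38:20", "ExecutableName": "INVOICE_0314.EXE"},
]


@dataclass
class TimelineEvent:
    when: datetime   # timezone-aware UTC after normalisation
    domain: str      # "Cloud" or "Endpoint"
    source: str      # log table or artifact the fact came from
    summary: str


def parse_utc(value: str, assume_utc: bool = False) -> datetime:
    """Parse ISO 8601 or 'YYYY-MM-DD HH:MM:SS' into aware UTC.

    Naive timestamps are rejected unless the analyst explicitly states they are
    UTC, so a missing zone is a recorded decision rather than a silent guess."""
    text = value.replace("Z", "+00:00").replace(" ", "T", 1)
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        if not assume_utc:
            raise ValueError(f"naive timestamp without stated timezone: {value!r}")
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def collect_events(signin, audit, device, prefetch) -> list[TimelineEvent]:
    """Normalise each source to TimelineEvent and return them in UTC order."""
    events: list[TimelineEvent] = []
    for r in signin:
        events.append(TimelineEvent(parse_utc(r["TimeGenerated"]), "Cloud", "SigninLogs",
                      f"sign-in {r['UserPrincipalName']} from {r['IPAddress']} (ResultType {r['ResultType']})"))
    for r in audit:
        events.append(TimelineEvent(parse_utc(r["TimeGenerated"]), "Cloud", "AuditLogs",
                      f"{r['OperationName']}: {r['Target']}"))
    for r in device:
        events.append(TimelineEvent(parse_utc(r["Timestamp"]), "Endpoint", "DeviceProcessEvents",
                      f"{r['InitiatingProcessFileName']} started {r['FileName']}"))
    for r in prefetch:
        # Assumption: PECmd output is UTC (its default); stated here on purpose.
        events.append(TimelineEvent(parse_utc(r["LastRun"], assume_utc=True), "Endpoint", "Prefetch",
                      f"last run {r['ExecutableName']}"))
    events.sort(key=lambda e: e.when)
    return events


def offset_label(delta: timedelta) -> str:
    """Render a delta from T+0 as T+H:MM:SS, the page's timeline convention."""
    total = int(delta.total_seconds())
    return f"T+{total // 3600}:{(total % 3600) // 60:02d}:{total % 60:02d}"


def render(events: list[TimelineEvent]) -> list[str]:
    """One line per event: UTC timestamp, offset from the first event, domain, source, summary."""
    if not events:
        return []
    t0 = events[0].when
    return [f"{e.when:%Y-%m-%d %H:%M:%S} UTC  {offset_label(e.when - t0):<10} "
            f"[{e.domain:<8}] {e.source}: {e.summary}" for e in events]


def corroborating_pairs(events: list[TimelineEvent], window_seconds: int = 5):
    """Pairs of events from different sources within the window: two independent
    artifacts agreeing on the same moment is what turns a single log line into evidence."""
    window = timedelta(seconds=window_seconds)
    pairs = []
    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if b.when - a.when > window:
                break
            if a.source != b.source and a.domain == b.domain:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    timeline = collect_events(SIGNIN_LOGS, AUDIT_LOGS, DEVICE_PROCESS_EVENTS, PREFETCH)
    print("\n".join(render(timeline)))
    for a, b in corroborating_pairs(timeline):
        print(f"corroborated: {a.source} and {b.source} agree at {a.when:%H:%M:%S} UTC")
```

Running it prints the four events in order with the endpoint execution landing at T+0:21:32 from the sign-in, and reports that DeviceProcessEvents and Prefetch corroborate each other within one second. The deliberate ValueError on an unlabelled naive timestamp is the useful part: a timeline that silently mixes local and UTC times is the most common way a cross-domain correlation ends up off by several hours.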

Lab Pack — Hands-On Investigation Practice

Production-grade lab pack that generates 41 realistic attack artifacts on your own VM — compiled PE binaries, macro-enabled Office documents, obfuscated PowerShell stagers, persistence mechanisms, credential access artifacts, staged exfiltration data, and suspicious processes for memory capture.

What’s included: Attack artifact generator (41 files, 10 persistence mechanisms, 4 suspicious processes), 6 HTML walkthrough guides covering the full DFIR workflow, 40 structured labs with graduated difficulty (37 core + 3 bonus for FLARE-VM/REMnux), self-grading verification scripts, and a cleanup script for resetting.

Lab environment (free): VMware Workstation Pro + Windows 11 Eval VM (or FLARE-VM for 140+ pre-installed forensic tools). Optional: Windows Server 2022 (AD), M365 developer tenant, REMnux for Office document analysis with oletools.

Attack scenario: CHAIN-HARVEST — phishing email → macro-enabled Excel → VBScript dropper → compiled C# implant → 10 persistence mechanisms → credential harvesting → data staging → encrypted exfiltration archive.

Practical IR Lab Pack v5
40 labs · 41 artifacts · 10 persistence mechanisms · 6 HTML walkthroughs

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.

No legal advice: Compliance and regulatory content in this course is educational, not legal advice. Consult qualified legal counsel for obligations in your jurisdiction.

Version and changelog

Current version: 6.0  |  Last updated: May 2026

May 2026 — v6.0: Complete methodology rebuild. Course realigned to NIST SP 800-61 Rev 3 and CSF 2.0. Threat-landscape framing updated against M-Trends 2026. Five-step reasoning chain replaces Six-Step Investigation Method across all modules.

April 2026 — v5.0: Lab pack rebuilt. 41 production-grade artifacts, 40 labs with HTML walkthroughs, FLARE-VM and REMnux as first-class lab options.

2026 — v1.0: Course launch. 20 modules (IR0–IR19) across 5 phases. Investigation scenarios: AiTM, ransomware, BEC, insider, APT, multi-vector capstone.

This course is actively maintained. Content is updated as the security landscape evolves.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 3 scenarios

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.