The Toolkit and What Comes Next
You have worked with some of the tools in this course already — maybe KAPE on a triage collection, maybe KQL in Advanced Hunting, maybe PowerShell for a remote query. You know the ones you know. This subsection is not a tutorial on any of them. It is an inventory — what each tool does, which phase of the course teaches it, and why the combination covers every kind of evidence a Microsoft-stack incident produces. Then, because IR is one skill inside a larger pipeline, a look at what to build next.
Scenario
An endpoint is compromised. You need to collect triage artifacts before they're overwritten, analyze the execution timeline, check memory for in-memory-only threats, correlate the endpoint findings with cloud sign-in activity, and contain the device — all before the attacker notices you're investigating. Six categories of evidence, six categories of tools. Remove any one category and you're blind to whatever evidence type it handles. This section maps the six categories so you know what each tool does, which module teaches it, and why the combination covers every evidence type a Microsoft-stack incident produces.
Estimated time: 40 minutes.
Figure IR0.4 — The six tool categories. Each category covers evidence that the other five cannot reach. Free tools carry the course; enterprise alternatives are noted where they add workflow convenience but never gate capability.
The six categories, one sentence each
The map above in text form. You will install the specific tools in IR1; right now you need to recognize the shape of the toolkit.
Collection is the category that gets evidence off the target system without introducing itself as a forensic artifact. KAPE does targeted triage collection — pulling Prefetch, event logs, registry hives, browser history, $MFT, and a few dozen other artifacts into a structured folder in two to five minutes rather than the forty-five to ninety of a full disk image. Velociraptor covers the remote case — deploying a client agent to an endpoint you cannot physically touch, or hunting a persistence mechanism across five hundred endpoints simultaneously with a custom VQL query.
Endpoint analysis is the category that turns the collected artifacts into findings. Eric Zimmerman's Tools (EZTools) is a suite of parsers, one per artifact type — PECmd for Prefetch, AmcacheParser for the Amcache, MFTECmd for $MFT and $UsnJrnl, EvtxECmd for event logs, Registry Explorer and RECmd for registry hives, LECmd and JLECmd for LNK and Jump List files, and Timeline Explorer to combine the parser outputs into a single chronological view. Every Windows forensic artifact the course covers is parsed by an EZTools component. Free.
Memory forensics is the category that handles evidence that never touches disk. Volatility 3 analyzes RAM dumps to identify running processes, network connections, injected code regions, loaded DLLs, and credential material held in memory. WinPMem is the Windows acquisition tool — it captures a memory image from a running system in a few minutes. Memory is where reflective loaders, in-memory beacons, and credential theft tooling live; none of that is visible in disk-based artifacts alone.
Cloud investigation is the category that covers the evidence model for Microsoft 365 and Entra ID. KQL is the query language — it runs in the Defender XDR portal (Advanced Hunting) and in Microsoft Sentinel. Purview audit covers mailbox and data-plane audit events. Microsoft Graph PowerShell replaces the deprecated AzureAD and MSOnline modules for identity operations that need to run from a script rather than a portal.
Correlation is the category that links the cloud and endpoint sides of a cross-plane incident. Microsoft Sentinel runs as a SIEM built on KQL. Defender XDR is Microsoft's native correlation layer that ties Defender for Endpoint, Defender for Office 365, and Defender for Cloud Apps signals into a single incident view. For organizations with non-Microsoft SIEMs (Splunk, Elastic), the patterns taught here apply; the query syntax will be different.
Native response is the category that covers everything PowerShell can do that the other tools cannot — live-response actions, containment commands, evidence preservation scripts, bulk identity operations, and the glue that connects the other five categories. Microsoft Graph PowerShell is the modern module. This course uses PowerShell throughout, not as a separate tooling topic, but as the language in which responder automation is expressed.
The six categories are not arbitrary. They correspond to the four environments from IR0.1 plus the cross-cutting activities that link them — collection moves data out, analysis turns data into findings, correlation ties findings together, native response is what you do once you have the picture. If one category were missing from your toolkit you would be blind to whatever evidence type that category handles. Every category is covered by free tools that are used by professional DFIR consultancies and government CERT teams. Paid alternatives exist; none of them are required for the investigation work.
Figure IR0.4b — The six tool categories mapped to the course modules that teach them. Each category covers evidence the other five cannot reach. All tools are free and production-grade.
Why every tool is free
A note on the tooling economy, because this is the most common question from learners coming from a vendor-heavy SOC.
The free tool ecosystem for incident response is exceptional. KAPE, EZTools, Velociraptor, Volatility, WinPMem, and PowerShell are all production-grade. KAPE is free for internal corporate use on your own systems (a paid commercial license applies to third-party IR consultancies doing client work, but not to you investigating your own employer's systems). EZTools is free. Velociraptor is open source. Volatility 3 is open source. WinPMem is open source. Microsoft Graph PowerShell is free from the PowerShell Gallery. You will not spend anything on tooling to complete this course or to work production incidents.
Paid alternatives add workflow convenience. Magnet AXIOM Cyber has a polished GUI and case management features. Binalyze AIR has automated triage collection workflows. Defender XDR Live Response gives you a browser-based shell. Splunk has a more capable SIEM than Sentinel for some use cases. None of them add forensic capability that the free tools cannot match — they save the responder time in routine workflows. If your organization pays for one of them, use it. If your organization does not, the free toolkit does everything the course teaches.
The one exception where paid tooling matters is for third-party IR engagements, where the KAPE commercial license requirement applies and where client-facing work often needs case management features that the free tools lack. That is an enterprise-IR-consultancy concern, not a corporate-responder one.
Where IR sits in the broader pipeline
IR is the middle of a longer capability. Everything upstream feeds into what reaches you; everything downstream determines whether your findings matter beyond this incident.
Upstream of IR, someone had to write the detection rule that fired the alert, configure the audit logging that captured the evidence, and harden the environment so the attacker had to work harder. Downstream of IR, someone takes your findings and turns them into new detections, new controls, new policy language, and board-level reporting. A responder who operates only in the middle of that pipeline produces investigations that are technically sound but operationally short-lived. The same incident recurs six months later because nothing upstream changed.
You do not need to be capable in every adjacent discipline. You do need to know they exist and which one to invest in next depending on where your role is heading.
Detection engineering is the single highest-leverage adjacent skill for most IR practitioners. Every investigation produces findings — attacker techniques that your current detection stack did not catch. Without detection engineering, those findings sit in an IR report and get forgotten. With detection engineering, the finding becomes a new Sentinel analytics rule, a new Defender for Endpoint custom detection, or a new correlation in your SIEM. The next attacker using the same technique gets caught in hours rather than weeks. The skills are KQL query writing at production quality, MITRE ATT&CK mapping, false-positive tuning, threshold selection, and rule health monitoring. This is almost always the right next step for a mid-level SOC analyst with IR responsibilities, because it compounds — every rule you build reduces the rate of future incidents, and the rules keep working long after the investigation is filed.
Threat hunting is the second adjacent discipline. Where detection rules wait for conditions they are configured to match, hunting searches for attacker patterns that no rule is currently written to catch. Hunters produce the investigations no-one else would have started. The skills overlap with detection engineering — KQL again, hypothesis-driven structure, knowing the threat landscape well enough to pick productive hunt territories — but the output is different. Rules catch what you have anticipated; hunting catches what you have not. If your environment already has strong detection engineering in place, hunting is the next-best investment.
Deeper memory forensics is a specialism worth pursuing if your work regularly involves advanced adversaries. This course teaches enough memory forensics in IR6 to handle the majority of Windows memory investigations — Volatility 3, process analysis, credential extraction, injected code detection, a complete worked Cobalt Strike analysis. It does not cover nation-state rootkits, kernel-level persistence, firmware implants, or sophisticated anti-forensics. If your environment sees those threats regularly, the next layer of memory forensics training exists and is worth the investment. If it does not, the course's memory module is sufficient and your investment-per-hour is higher in detection engineering.
Network forensics is a full discipline this course does not teach. Packet captures, Zeek logs, Suricata alerts, NetFlow analysis, TLS metadata, DNS analytics — all of it sits outside the Microsoft-stack focus of this course, and all of it matters when endpoint evidence is gone, logs have been cleared, and cloud audit has expired. If your organization has usable network telemetry, network forensics is a high-value adjacent skill. If it does not, the investment returns less than detection engineering does.
IR program leadership is a different skill set entirely. Technical investigation skill is necessary to run an IR function. It is not sufficient. Leading the function means designing the playbooks, building the on-call rotation, selecting the retainer partner, negotiating with legal and communications, reporting to the CISO, running the tabletops, defending the budget, and explaining IR capability to the board. IR18 (Building IR Readiness) gives you the scaffolding. Real leadership capability develops through a combination of deliberate study — incident command structures, post-incident reports from peer organizations — and operational experience running real incidents. If you are on a senior-responder or IR-lead track, this is the direction.
Figure IR0.4c — Adjacent disciplines ranked by compound value for a mid-level SOC analyst with IR responsibilities. Detection engineering is almost always the right next investment because it closes the findings loop — every rule you build from an investigation catches the next attacker using the same technique.
Decision Point
The situation. You have six hours per week available for skill development alongside your day job. You finish this course in ten weeks. Your current role is a mid-level SOC analyst with IR responsibilities at an organization of eight hundred staff. You investigate two or three real incidents per month. Most of your investigations produce findings — attacker techniques your detection rules did not catch — that no-one on the team follows up on afterward. You have three offers for where to spend your next study cycle. (A) Deep memory forensics for APT-grade work. (B) Detection engineering to close your own findings. (C) Threat hunting to build a proactive capability.
The choice. Pick one and justify it against your current environment's characteristics — the number of investigations per month, their typical sophistication, and what currently happens to the findings.
The correct call. (B) — detection engineering. The specific symptom you described is that your findings go unused. Detection engineering is the discipline that closes that loop. Every finding you convert into a production rule reduces the rate of future incidents of the same type. The skill compounds over time — a rule you write today catches attackers next year — and it directly improves the work you are already doing. Option (A) is high-value but unlikely to be exercised often at two or three incidents per month, most of which will not be APT-grade. Option (C) is valuable but presupposes detection-engineering maturity that does not yet exist in your environment — hunting on top of weak detection engineering produces duplicated work the rules should have caught. For your current role, (B) produces the highest operational return per hour. Revisit the choice every six months.
The operational lesson. The right next skill depends on what your environment produces and what currently happens to the product. A skill that compounds against your own regular output is worth more than a skill that sits waiting for a rare scenario. Detection engineering compounds. Deep memory forensics waits. Hunting presupposes detection engineering. For most mid-level SOC analysts with IR duties, the answer is detection engineering — and it stays the answer for eighteen to thirty-six months, until the detection backlog is caught up and the other adjacent skills start paying off.
"You need expensive commercial forensic tools to do professional IR." KAPE, EZTools, Velociraptor, and Volatility 3 are the same tools used by professional DFIR consultancies, government CERT teams, and the investigators whose published work defines current tradecraft. Commercial suites add workflow convenience — GUI interfaces, automated timelines, case management. They don't add forensic capability the free toolkit can't match. A responder with free tools and the five-step reasoning chain produces better investigations than a responder with a $65,000 suite and no reasoning framework.
Investigation Principle
Six tool categories cover six evidence types. Remove one and you're blind to whatever it handles. Every tool in the course is free and production-grade. The right adjacent skill to build after IR depends on what your environment produces and what currently happens to the product — for most mid-level SOC analysts with IR duties, the answer is detection engineering, because it compounds: every finding you convert to a rule reduces the rate of future incidents.