The IR Toolkit — Setting Up Your Arsenal

90-120 minutes · Module 1 · Free

0.1 What this module is

IR0 gave you the mental model — what incidents look like, how investigators think, the framework vocabulary, the toolkit categories. IR1 makes it operational. By the end of this module, every tool in the course toolkit is installed, configured, and validated on your forensic workstation. Your M365 developer tenant is ready for Phase 3 cloud work. You have a jump bag that can go with you to the next incident.

Tools have to be ready before the alert fires, not after. The responder who spends the first forty-five minutes of an active incident installing KAPE or troubleshooting Python for Volatility is the responder who loses the volatile evidence window. The work takes ninety minutes to two hours depending on how much is new to you. Once done, the setup remains operational for the rest of the course and for every investigation afterward.

0.2 What you will learn

Eleven sections covering every tool in the course toolkit.

Section 1.1 — The forensic workstation. The hardware, operating system, isolation model, and folder structure that everything else depends on. Why your daily-use laptop is not an investigation platform.

Section 1.2 — KAPE. Targeted triage collection from Windows endpoints in under five minutes. Two-phase architecture (Targets collect, Modules process), locked-file handling, the !SANS_Triage target, and validation against your own workstation.

Section 1.3 — Eric Zimmerman Tools. The parsing suite that turns raw binary artifacts into structured investigation data. PECmd, EvtxECmd, MFTECmd, Registry Explorer, RECmd, Timeline Explorer — installed, integrated with KAPE's Modules\bin\ directory, and validated with a test parse.

Section 1.4 — Velociraptor. Remote endpoint collection and fleet-wide hunting. Server deployment, client agent, standalone collector mode, and VQL query basics.

Section 1.5 — Volatility 3. Memory forensics framework. Python installation, symbol tables, plugin validation against a test memory image. The tool that finds what disk-based forensics cannot see.

Section 1.6 — Cloud investigation tools. M365 developer tenant setup, Azure free subscription, Sentinel workspace with data connectors, KQL access in Defender XDR Advanced Hunting. Everything Phase 3 needs.

Section 1.7 — PowerShell for IR. PowerShell 7 installation, Microsoft Graph PowerShell modules, ExchangeOnlineManagement module, and the native response scripts the course uses throughout.

Section 1.8 — The jump bag. Physical and digital readiness: USB with portable tools, documentation pack, contact list, chain of custody forms. What you grab when the phone rings at 02:00.

Section 1.9 — Native Windows tools. Built-in Windows capabilities the course uses alongside the specialized toolkit: Event Viewer, Task Scheduler inspection, network commands, and the Sysinternals suite.

Section 1.10 — Scanning and detection tools. YARA, Loki, ClamAV, and the indicators-of-compromise scanners that complement the forensic toolkit.

Section 1.11 — Commercial alternatives. Magnet AXIOM Cyber, Binalyze AIR, and Defender Live Response. What they add over the free toolkit (workflow convenience, not capability) and when the investment is justified.

0.3 How to get the best from this module

The sections are sequenced so each builds on the previous. You can skip sections for tools you already have installed, but run every validation step regardless. A tool you think is working and a tool you have proved is working are different things.

Each section follows the same shape: what the tool is and why it's in the toolkit, step-by-step installation with exact commands and expected output, and a validation procedure that confirms the tool is operational. If validation fails, the section names the three or four most common causes.

Estimated time: 90-120 minutes for all eleven sections. Individual sections range from 10 to 30 minutes.
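The point about proving rather than assuming that a tool works is easy to make concrete. The script below is an added example written for this page, not a script the course ships: a readiness check that confirms each toolkit component is present, records its file version and SHA-256 hash, and writes the result to a CSV you can keep with your validation notes and re-run before every engagement. Every path under $ToolRoot, the log location, and the list of expected commands and modules are assumptions about a workstation laid out along the lines of Section 1.1; adjust them to match your own install locations.

```powershell
# Added example, not course code: prove each tool is present, record its
# version and SHA-256 hash, and write a readiness log.
# All install paths below are ASSUMPTIONS; edit to match your workstation.

$ToolRoot = 'C:\Tools'                                   # assumed tool root
$LogPath  = Join-Path $ToolRoot 'readiness-check.csv'    # assumed log location

# Executables the course sections install (paths are assumptions).
$Executables = @(
    @{ Name = 'KAPE';         Path = Join-Path $ToolRoot 'KAPE\kape.exe' }
    @{ Name = 'PECmd';        Path = Join-Path $ToolRoot 'KAPE\Modules\bin\PECmd.exe' }
    @{ Name = 'EvtxECmd';     Path = Join-Path $ToolRoot 'KAPE\Modules\bin\EvtxECmd\EvtxECmd.exe' }
    @{ Name = 'MFTECmd';      Path = Join-Path $ToolRoot 'KAPE\Modules\bin\MFTECmd.exe' }
    @{ Name = 'Velociraptor'; Path = Join-Path $ToolRoot 'Velociraptor\velociraptor.exe' }
)

# Commands expected on PATH; a pip-installed Volatility 3 exposes 'vol'.
$PathCommands = @('python', 'vol', 'pwsh')

# PowerShell modules Section 1.7 installs.
$Modules = @('Microsoft.Graph.Authentication', 'ExchangeOnlineManagement')

function Test-IrExecutable {
    param([string]$Name, [string]$Path)
    $present = Test-Path -LiteralPath $Path -PathType Leaf
    [pscustomobject]@{
        Kind    = 'Executable'
        Name    = $Name
        Present = $present
        Detail  = if ($present) { (Get-Item -LiteralPath $Path).VersionInfo.FileVersion } else { 'missing' }
        Sha256  = if ($present) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash } else { '' }
    }
}

function Test-IrCommand {
    param([string]$Name)
    $cmd = Get-Command $Name -ErrorAction SilentlyContinue
    $src = if ($cmd) { $cmd.Source } else { $null }
    [pscustomobject]@{
        Kind    = 'Command'
        Name    = $Name
        Present = [bool]$cmd
        Detail  = if ($cmd) { $src } else { 'not on PATH' }
        Sha256  = if ($src -and (Test-Path -LiteralPath $src -PathType Leaf)) {
                      (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
                  } else { '' }
    }
}

function Test-IrModule {
    param([string]$Name)
    $mod = Get-Module -ListAvailable -Name $Name |
           Sort-Object Version -Descending | Select-Object -First 1
    [pscustomobject]@{
        Kind    = 'Module'
        Name    = $Name
        Present = [bool]$mod
        Detail  = if ($mod) { $mod.Version.ToString() } else { 'not installed' }
        Sha256  = ''
    }
}

$results = @()
$results += $Executables  | ForEach-Object { Test-IrExecutable -Name $_.Name -Path $_.Path }
$results += $PathCommands | ForEach-Object { Test-IrCommand -Name $_ }
$results += $Modules      | ForEach-Object { Test-IrModule -Name $_ }

# Show the table and keep a dated record alongside your validation notes.
$results | Format-Table Kind, Name, Present, Detail -AutoSize
$results | Export-Csv -LiteralPath $LogPath -NoTypeInformation

$missing = @($results | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} item(s) failed readiness: {1}" -f $missing.Count, ($missing.Name -join ', '))
} else {
    Write-Host "All tools present. Log written to $LogPath"
}
```

Run it from an elevated PowerShell 7 session after finishing the module, and again whenever you update a tool. The SHA-256 column is what makes the log worth keeping: when you later copy the toolkit to the jump bag USB from Section 1.8, hashing the copies against this baseline confirms they are the binaries you validated and not something that changed in between.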

0.4 Module structure

  • Section 1.1 — The forensic workstation
  • Section 1.2 — KAPE — collection at speed
  • Section 1.3 — Eric Zimmerman Tools — the parsing arsenal
  • Section 1.4 — Velociraptor — remote response
  • Section 1.5 — Volatility 3 — memory forensics
  • Section 1.6 — Cloud investigation tools
  • Section 1.7 — PowerShell for IR
  • Section 1.8 — The jump bag
  • Section 1.9 — Native Windows tools
  • Section 1.10 — Scanning and detection tools
  • Section 1.11 — Commercial alternatives
  • Summary — Workstation readiness check
  • Check My Knowledge — Scenario-based assessment

Prerequisites

A completed IR0. The forensic workstation section (1.1) assumes familiarity with Windows administration — creating user accounts, managing folders, running commands as Administrator. The cloud tools section (1.6) assumes you can navigate the Azure portal and the M365 admin centers. If either is unfamiliar, allow extra time.

Go to Section 1.1 — The Forensic Workstation to begin.