
Module Summary

90-120 minutes · Module 1 · Free

In Module IR1 you deployed and validated every tool in the IR toolkit. Your forensic workstation is operational and ready for investigation.

The forensic workstation (Section 1.1). A dedicated, isolated analysis environment with standardized folder structure. Physical or virtual — both valid. Never the same machine as the compromised system.

KAPE (Section 1.2). Triage collection in 2-5 minutes instead of 45-90 for a full disk image. Two-phase architecture: targets copy the artifact files off the source volume, then modules run parsers (the EZTools binaries among them) over that copy and write the results as CSV. The !SANS_Triage compound target covers approximately 90% of the artifacts needed for a standard investigation.
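The two phases above, driven from the forensic workstation in one command, with a SHA-256 manifest of the collected files written for the chain-of-custody record. This is an added example, not code from the course; the kape.exe path, the case folder layout under D:\Cases, and the case id are assumptions, and treating a non-zero exit code from kape.exe as failure is an assumption as well.

```powershell
# Added example (not from the course page): run KAPE's target and module phases from
# PowerShell and hash everything it collected so later analysis can prove the copy is intact.
# Assumptions: kape.exe is at C:\Tools\KAPE\kape.exe, cases live under D:\Cases\<CaseId>,
# and the session is elevated (KAPE needs raw disk access to copy locked files such as $MFT).
function Invoke-KapeTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CaseId,
        [string] $Source   = 'C:',
        [string] $CaseRoot = 'D:\Cases',
        [string] $KapePath = 'C:\Tools\KAPE\kape.exe',
        [string] $Target   = '!SANS_Triage',   # compound target shipped with KAPE
        [string] $Module   = '!EZParser'       # compound module that runs the EZTools parsers
    )

    if (-not (Test-Path $KapePath)) { throw "kape.exe not found at $KapePath" }

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell session; KAPE needs raw access to locked files'
    }

    $collect = Join-Path $CaseRoot "$CaseId\Collected"
    $parsed  = Join-Path $CaseRoot "$CaseId\Parsed"
    New-Item -ItemType Directory -Force -Path $collect, $parsed | Out-Null

    # Phase 1 (--target) copies artifacts from $Source into $collect.
    # Phase 2 (--module) parses that copy into CSV under $parsed. When --target and --module
    # are given together, KAPE uses --tdest as the module source, so no --msource is needed.
    $kapeArgs = @(
        '--tsource', $Source,
        '--tdest',   $collect,
        '--target',  $Target,
        '--module',  $Module,
        '--mdest',   $parsed
    )
    $started = Get-Date
    & $KapePath @kapeArgs
    # Assumption: a non-zero exit code means the run did not complete.
    if ($LASTEXITCODE -ne 0) { throw "KAPE exited with code $LASTEXITCODE" }
    $elapsed = (Get-Date) - $started

    # Hash every collected file; the manifest goes into the case folder next to the evidence.
    $manifest = Join-Path $CaseRoot "$CaseId\collection-manifest.csv"
    Get-ChildItem -Path $collect -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -Path $manifest -NoTypeInformation

    [pscustomobject]@{
        CaseId    = $CaseId
        Collected = $collect
        Parsed    = $parsed
        Manifest  = $manifest
        FileCount = @(Import-Csv $manifest).Count
        Elapsed   = $elapsed
    }
}

# Usage (constructed case id):
# $run = Invoke-KapeTriage -CaseId 'NE-2024-001'
# $run | Format-List
```

Keep the returned object with the case notes: the elapsed time and file count are the numbers you will be asked for when someone questions whether the triage was complete, and the manifest is what you re-hash against before the collected files are opened on a second workstation.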

Eric Zimmerman Tools (Section 1.3). Twenty specialized parsers organized by investigation question. PECmd for execution evidence, EvtxECmd for event logs with 700+ maps, MFTECmd for filesystem timeline, Timeline Explorer for unified chronological analysis.

Velociraptor (Section 1.4). Remote evidence collection and fleet-wide hunting. Standalone collector, single server, or cloud deployment. VQL queries run across all connected endpoints simultaneously.

Volatility 3 (Section 1.5). Memory forensics — the evidence source for fileless attacks, process injection, and credential theft. PsList, NetScan, Malfind (windows.pslist, windows.netscan and windows.malfind in Volatility 3's plugin naming), and dozens of other plugins.

Cloud investigation tools (Section 1.6). KQL Advanced Hunting in Defender XDR. Purview Audit for deep M365 activity trails. Sentinel for cross-source correlation. M365 developer tenant configured.

PowerShell (Section 1.7). The universal tool — collection, containment, and automation. Microsoft Graph and Exchange Online modules for identity investigation and response.
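One concrete containment action of the kind this section refers to: cutting off a compromised M365 identity with the Microsoft Graph and Exchange Online modules, then hunting for the inbox forwarding rules and mailbox forwarding that a BEC attacker leaves behind. This is an added example, not code from the course. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the analyst account holds roles permitting user updates and mailbox administration, and that the user principal name passed in is the compromised account; the function and its parameter names are illustrative.

```powershell
# Added example (not from the course page): first-hour containment for a compromised
# M365 identity. Assumptions: Microsoft.Graph and ExchangeOnlineManagement are installed
# and the analyst can update users and administer mailboxes. Supports -WhatIf for a dry run.
function Invoke-IdentityContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [switch] $DisableAccount
    )

    Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
    Connect-ExchangeOnline -ShowBanner:$false

    # 1. Invalidate refresh tokens so a stolen session cannot mint new access tokens.
    $revoked = $false
    if ($PSCmdlet.ShouldProcess($Upn, 'Revoke sign-in sessions')) {
        Revoke-MgUserSignInSession -UserId $Upn | Out-Null
        $revoked = $true
    }

    # 2. Optionally block sign-in until the password is reset and MFA re-registered.
    $disabled = $false
    if ($DisableAccount -and $PSCmdlet.ShouldProcess($Upn, 'Disable account')) {
        Update-MgUser -UserId $Upn -AccountEnabled:$false
        $disabled = $true
    }

    # 3. Inbox rules that forward, redirect or delete mail are the attacker's persistence
    #    in the mailbox. -IncludeHidden also returns rules created through MAPI that the
    #    Outlook UI does not show.
    $rules = Get-InboxRule -Mailbox $Upn -IncludeHidden
    $suspicious = @($rules | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
    })
    foreach ($rule in $suspicious) {
        if ($PSCmdlet.ShouldProcess("$Upn / $($rule.Name)", 'Disable inbox rule')) {
            Disable-InboxRule -Identity $rule.Identity -Confirm:$false
        }
    }

    # 4. Mailbox-level forwarding is configured outside inbox rules and is easy to miss.
    $mbx = Get-Mailbox -Identity $Upn
    $forwarding = $null
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $forwarding = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
        if ($PSCmdlet.ShouldProcess($Upn, 'Clear mailbox forwarding')) {
            Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null `
                -ForwardingAddress $null -DeliverToMailboxAndForward $false
        }
    }

    # Return the findings as an object so they land in the case notes, not just the console.
    [pscustomobject]@{
        User              = $Upn
        SessionsRevoked   = $revoked
        AccountDisabled   = $disabled
        SuspiciousRules   = $suspicious | Select-Object Name, ForwardTo, RedirectTo, DeleteMessage
        MailboxForwarding = $forwarding
        TimestampUtc      = (Get-Date).ToUniversalTime()
    }
}

# Usage: preview first, then run for real and keep the returned object as evidence.
# Invoke-IdentityContainment -Upn 'user@example.com' -WhatIf
# $result = Invoke-IdentityContainment -Upn 'user@example.com' -DisableAccount
```

Two caveats a practitioner wants here. Revoking sign-in sessions invalidates refresh tokens, but access tokens already issued stay valid until they expire, so the account is not fully cut off the instant the cmdlet returns. And disabling, rather than deleting, the suspicious rules preserves them for the investigation; a deleted rule leaves only the audit-log trace.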

The jump bag (Section 1.8). Pre-staged USB with all tools, automated collection scripts, go/no-go checklist, contact sheet, and chain of custody forms.

Native Windows IR (Section 1.9). Built-in OS commands — the fallback when no tools can be deployed.

Scanning tools (Section 1.10). THOR Lite, Hayabusa, RegRipper, and Sysinternals. Detection and assessment layer over the KAPE/EZTools pipeline.

Commercial alternatives (Section 1.11). Magnet AXIOM Cyber, Binalyze AIR, and when the investment is justified. The free toolkit is fully sufficient.


What you built in the free modules

Across IR0 and IR1, you built the foundation the rest of the course stands on.

The mental model. You walked through a real incident that crosses four environments in ninety minutes. You learned the five-step reasoning chain that experienced investigators use. You know the NIST framework vocabulary. You investigated an AiTM session theft with a KQL query and watched 48,291 sign-in events narrow to 2 compromised sessions.

The toolkit. Every tool the course uses is installed, configured, and validated. KAPE collects. EZTools parse. Velociraptor reaches remote endpoints. Volatility 3 finds what disk forensics cannot see. KQL queries the cloud evidence. PowerShell automates the response.

The readiness. Your jump bag is staged. Your case folder structure is established. Your evidence handling discipline is documented.

What you have not done yet is investigate. The tools are ready. The mental model is in place. IR2 is where you use them.


What happens next

The investigation starts in IR2

Phase 2 — Windows Endpoint Forensics (IR2-IR7). Evidence acquisition with chain of custody. Prefetch, Amcache, and ShimCache for execution analysis. $MFT and $UsnJrnl for filesystem timeline. Registry for persistence. Event logs for the chronological record. Memory forensics for what disk cannot see. You investigate the Northgate Engineering incident from IR0.1 — the same attack, now with the tools to trace every step the attacker took.

Phase 3 — M365 Cloud Investigation (IR8-IR12). Sign-in log analysis for credential compromise. Unified Audit Log for mailbox access and inbox rule manipulation. Defender XDR for cross-environment correlation. The cloud side of the NE incident — the AiTM token replay, the BEC email, the inbox forwarding rule — investigated with the full KQL toolkit.

Phase 4 — Complete Investigation Scenarios (IR13-IR16). Four full-scale incidents from start to finish. Ransomware. Business email compromise. Insider threat. Advanced persistent threat. Each one crosses endpoints and cloud. Each one produces a complete investigation — findings, timeline, containment actions, IR report.

Phase 5 — Reporting, Readiness, Capstone (IR17-IR19). IR report writing for executives and technical audiences. Post-incident review and program improvement. The capstone investigation that brings everything together.

Premium subscription. Cancel anytime. Every tool in the course is free.
