Free, no account

Free DFIR Tools and References

Interactive tools and working references for the people doing SOC triage and incident response. Built by practitioners who still do the job. Nothing gated, nothing uploaded, use them in the browser.

Start here

The two tools worth bookmarking. Paste your own data or load a built-in sample.

Interactive tools

Searchable command and artifact references. Filter, copy, adapt.

Cheatsheets and guides

Command references and walkthroughs to keep open while you work.

Cheatsheet
KAPE & EZ Tools Cheatsheet
The full collect-parse-analyze Windows DFIR workflow: KAPE targets and modules, custom .tkape/.mkape, every EZ Tools parser with the output columns that matter and worked examples.
Read the cheatsheet →
Reference
Linux Forensic Artifacts Reference
Where the evidence lives on a compromised Linux host: filesystem timestamps, auth logs, persistence, process evidence, and anti-forensics tells, for RHEL and Ubuntu.
Read the reference →
Cheatsheet
M365 SOC Alert Triage
Triage a Microsoft 365 alert: classify it, pull the right table, decide containment, and know what survives a token revoke.
Read the cheatsheet →
Cheatsheet
M365 Threat Hunting
Hypothesis-driven hunting: the method, the advanced KQL detections don't use, and real hunts by objective for Sentinel and Defender XDR.
Read the cheatsheet →
Cheatsheet
Entra ID Security
Identity-plane attack detection and hardening: sign-in forensics, token theft, PIM, app and workload identity, with real KQL.
Read the cheatsheet →
Cheatsheet
Identity & Access Management
Access governance and design for Entra: groups and roles, conditional access, consent, service principals, privileged access, and reviews.
Read the cheatsheet →
Cheatsheet
M365 Security Architecture
The whole-tenant hardening baseline: the secure-by-design decisions across identity, CA, data, endpoint, email, Sentinel, and posture.
Read the cheatsheet →
Cheatsheet
Detection Engineering
Engineering detections as a discipline: rule anatomy, coverage, real detections by tactic, testing and tuning, and detection-as-code.
Read the cheatsheet →
Cheatsheet
Network Forensics
PCAP and traffic investigation: capture, Wireshark/tshark filters, protocol indicators, Suricata rules, and C2 beacon detection.
Read the cheatsheet →
Cheatsheet
Memory Forensics
Volatility 3 by investigation type: process injection, credential theft, fileless malware, persistence, kernel rootkits, and Linux memory.
Read the cheatsheet →
Cheatsheet
Incident Response
The IR lifecycle end to end: preparation, analysis, evidence handling, containment, eradication, playbooks, and post-incident metrics.
Read the cheatsheet →
Cheatsheet
Purple Teaming
Emulate the attack, validate the detection: the purple loop and attack-to-detection pairings across the ATT&CK kill chain.
Read the cheatsheet →
Cheatsheet
Offensive Security for Defenders
Think like the attacker, defend better: the offensive lifecycle seen from the blue side, each phase paired with what you detect.
Read the cheatsheet →
Guide
Build Your Security Operations Home Lab
Step-by-step build for a working SOC home lab: virtualization, Windows and Linux targets, logging, and a SIEM to practice against.
Read the guide →

From the tools to the method

These run the commands and flag the evidence. Windows Endpoint Investigation teaches the method behind them: correlating what they return into a defensible account of what happened, and proving it.

Explore the course