Inside the Practical Incident Response Course: The Six-Step Method for Windows and M365 Investigation
The investigation method that makes this course different
Every investigation technique in this course follows the same six-step pattern: what to look for, where to find it, how to extract it, how to interpret it, what it proves, and what to do next.
This is not a marketing tagline. It is the structural pattern of every content subsection across all 20 modules. When the course teaches you to analyze a Prefetch file, it follows the six steps: what to look for (execution timestamp and run count for a suspicious binary), where to find it (C:\Windows\Prefetch\UPDATE.EXE-{hash}.pf), how to extract it (PECmd from EZTools with specific command-line parameters), how to interpret it (what the timestamps mean, what the run count indicates, what the referenced files reveal about the process’s behavior), what it proves (the binary executed at this time — but not who executed it or whether it was malicious), and what to do next (correlate with Event ID 4624 to identify the active user session and with Amcache to obtain the binary’s SHA-1 hash).
The method is tool-independent. A learner who internalizes this pattern can investigate any incident with any toolset. The tools change — KAPE may be replaced by a new collection tool, Volatility may release version 4, KQL may gain new operators. The method does not change.
The unified investigation: endpoint and cloud as one workflow
Most IR courses teach either Windows forensics or cloud investigation. This course teaches the investigation — singular — because modern attacks do not respect the boundary between endpoints and cloud services.
An AiTM phishing attack starts in Exchange Online (the phishing email), moves to the browser (the credential harvesting page), captures a session token that is replayed in Entra ID (cloud identity compromise), accesses the mailbox via OWA or Graph API (cloud data access), downloads a payload to the endpoint (endpoint compromise), establishes persistence on the endpoint (scheduled task, service, or registry Run key), and may move laterally to other endpoints or access SharePoint and OneDrive for data exfiltration. Following this attack requires evidence from: Defender for Office 365 (email delivery), Entra ID sign-in logs (authentication), Purview audit (mailbox access), Defender for Endpoint (process execution), Windows event logs (persistence), $MFT (filesystem changes), and potentially memory analysis (in-memory implant).
No single tool covers this entire chain. No single evidence source tells the complete story. The investigation requires the analyst to move between endpoint forensics and cloud investigation — and to know which evidence source answers which question at each stage. This course teaches that movement.
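As an added illustration of both points above (the Prefetch six-step example and the endpoint-plus-cloud timeline), the following Python script is not course material; it normalises constructed Entra ID sign-in, Purview MailItemsAccessed, Security.evtx 4624 and Prefetch records into one UTC timeline and applies the "what to do next" step: attributing a Prefetch LastRun to the most recent interactive 4624 session. All record shapes, account names and the SHA-1 placeholder are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass(order=True)
class Event:
    ts: datetime
    source: str          # evidence source that answers the question at this stage
    summary: str

def utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed sample records (not real logs), shaped loosely after each source.
ENTRA_SIGNINS = [("2024-05-02 08:55:10", "alice@contoso.example", "sign-in from new device")]
MAIL_ACCESS   = [("2024-05-02 08:58:40", "alice@contoso.example", "MailItemsAccessed via Graph")]
LOGONS_4624   = [("2024-05-02 09:01:22", "CONTOSO\\alice", 2),        # (time, account, LogonType)
                 ("2024-05-02 09:30:00", "CONTOSO\\svc_backup", 5)]
PREFETCH      = [("UPDATE.EXE", "2024-05-02 09:07:45", 3)]             # (exe, LastRun, RunCount)
AMCACHE_SHA1  = {"UPDATE.EXE": "<sha1 placeholder from Amcache>"}      # assumed lookup result

INTERACTIVE = {2, 10, 11}   # interactive, RemoteInteractive, CachedInteractive logon types

def attribute_execution(last_run: datetime, logons) -> Optional[str]:
    """Prefetch proves only that the binary ran at LastRun. The most recent
    interactive 4624 before that time names the candidate session: a lead
    for the analyst, not proof of who launched the binary."""
    candidates = [(utc(t), acct) for t, acct, ltype in logons
                  if ltype in INTERACTIVE and utc(t) <= last_run]
    return max(candidates)[1] if candidates else None

def build_timeline() -> List[Event]:
    """Merge cloud and endpoint records into a single UTC-ordered timeline."""
    ev = [Event(utc(t), "Entra ID sign-in", f"{u}: {d}") for t, u, d in ENTRA_SIGNINS]
    ev += [Event(utc(t), "Purview audit", f"{u}: {d}") for t, u, d in MAIL_ACCESS]
    ev += [Event(utc(t), "Security.evtx 4624", f"{a} LogonType={lt}") for t, a, lt in LOGONS_4624]
    for exe, t, runs in PREFETCH:
        who = attribute_execution(utc(t), LOGONS_4624)
        ev.append(Event(utc(t), "Prefetch",
                        f"{exe} ran (RunCount={runs}) session={who} sha1={AMCACHE_SHA1.get(exe)}"))
    return sorted(ev)

if __name__ == "__main__":
    for e in build_timeline():
        print(e.ts.isoformat(), e.source.ljust(20), e.summary)
```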
The 20-module structure
Phase 1 — Foundations (IR0-IR2, FREE). The IR lifecycle, the complete toolkit (KAPE, EZTools, Velociraptor, Volatility 3, THOR, Hayabusa, RegRipper, Sysinternals, PowerShell, KQL), and the evidence acquisition methodology (forensic soundness, chain of custody, legal considerations). These three modules total over 95,000 words — a complete free discovery funnel that demonstrates the course’s depth. IR1 alone (The IR Toolkit) is 48,000 words covering 11 tools at operational depth.
Phase 2 — Windows Endpoint Forensics (IR3-IR7). Execution and persistence artifacts (Prefetch, Amcache, ShimCache, scheduled tasks, services, registry). Filesystem and registry deep dive ($MFT, $UsnJrnl, NTFS timestamps, registry forensics). Event log analysis (critical event IDs, PowerShell logging, Sysmon, log gap detection). Memory forensics with Volatility 3. Lateral movement and credential theft analysis.
Phase 3 — M365 Cloud Investigation (IR8-IR12). Identity compromise (Entra ID sign-in logs, conditional access, AiTM detection). Exchange Online forensics (MailItemsAccessed, inbox rules, mail forwarding). SharePoint, OneDrive, and Teams investigation. Entra ID deep dive (service principal abuse, federation manipulation, token theft). Defender XDR as an IR platform (Advanced Hunting, Live Response, AIR, custom detection rules).
Phase 4 — Investigation Scenarios (IR13-IR16). Four complete worked investigations: ransomware (full kill chain from phishing to encryption), BEC (credential theft to financial fraud), insider threat (systematic data exfiltration over 30 days), and APT (nation-state style intrusion with living-off-the-land techniques). Each scenario uses the full toolkit and follows the complete attack chain from initial access to IR report.
Phase 5 — Reporting, Operations, and Capstone (IR17-IR19). IR reporting (technical reports, executive summaries, regulatory notifications). IR readiness (IR plan development, tabletop exercises, detection engineering from IR findings). The capstone (IR19) is a comprehensive investigation that exercises every skill from IR0-IR18 — the learner receives a realistic multi-vector incident briefing and must investigate, contain, and report without being told which attack elements are present.
The toolkit: free and open-source first
The course’s toolkit policy is deliberate: every technique is taught with at least one free, open-source tool. KAPE for collection (free). EZTools for parsing (free). Velociraptor for remote investigation (open-source). Volatility 3 for memory forensics (open-source). THOR Lite for compromise assessment (free for non-commercial). Hayabusa for event log threat hunting (open-source). KQL in Defender XDR (included with M365 licensing). PowerShell (built into Windows).
Commercial alternatives are noted where relevant — Magnet AXIOM Cyber, EnCase, FTK, Binalyze AIR — but no commercial tool is required. An analyst with the free toolkit and this course’s methodology can investigate any M365 environment incident with the same forensic rigor as an analyst with a $50,000 commercial suite.
Current build status
Phase 1 (IR0-IR2) is complete and free to read — 95,639 words across 3 modules. Phases 2-5 are in active development. The course is projected to reach 380,000-400,000 words across 20 modules when complete.