Flagship Course

Forensic Methodology for Security Engineers, IR Practitioners, and Incident Responders in Windows and M365 Environments

Aligned to NIST SP 800-61 Rev 3 · CSF 2.0 · MITRE ATT&CK

Practical Incident Response: Windows & Microsoft 365

Investigate incidents across Windows and Microsoft 365 — from alert to containment report.

Trace an attacker through sign-in logs, endpoint telemetry, email evidence, and cloud audit trails using a consistent five-step methodology. Investigate AiTM phishing, BEC, ransomware, insider threat, and multi-vector attacks end-to-end. Write the KQL queries that find the evidence, make the containment decisions that stop the damage, and produce the investigation report that your CISO and legal counsel can act on.

Content last updated: May 2026

Text-based · Persistent labs on your own hardware · 2 free modules available now · 40 CPE credits

What you'll deploy
4 complete investigation scenarios (BEC, ransomware, insider, APT)
Five-step reasoning chain: Hypothesis → Evidence → Extract → Interpret → Next Step
Court-ready IR documentation templates and evidence handling procedures
KAPE + Velociraptor + Timeline Explorer forensic collection pipeline
Cross-domain investigation methodology spanning M365, Windows, and network
Post-incident review framework with detection improvement recommendations
Incident response — investigation timeline

T+0:00  Alert: AiTM phishing — credential harvested via proxy page
        Source: Defender for Office 365 → EmailEvents table → KQL
T+0:04  Session token replayed — attacker authenticates as victim
        Source: Entra ID SigninLogs → Conditional Access evaluation → KQL
T+0:12  Inbox rule created — forwarding financial emails externally
        Source: Purview Audit → Exchange PowerShell → Mailbox audit log
T+0:38  Malicious attachment downloaded — payload executes on endpoint
        Source: Prefetch + AmCache (EZTools) → DeviceProcessEvents (KQL)
T+2:15  Lateral movement — PsExec to domain controller via stolen creds
        Source: Event Log 7045 (EvtxECmd) → Volatility 3 → NTFS $MFT timeline

20 modules · 12 tools · 4 scenarios · 36–40 hours
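The T+0:12 step in the timeline (an inbox rule that forwards financial mail outside the tenant) is the point where a mailbox compromise becomes a BEC. The following is an added example written for this page, not course material: a small triage pass over Exchange audit records that flags inbox rules and mailbox settings forwarding to external addresses, and rates them higher when the rule also hides the mail from the victim. The records are constructed by hand to resemble the AuditData JSON that Search-UnifiedAuditLog returns for Exchange cmdlet operations (the Parameters list of Name/Value pairs is the real shape; the tenant domain, users, IPs and addresses are invented).

```python
"""Flag inbox-rule and mailbox-forwarding changes that send mail outside the tenant.

Added example for this page, not course material. Input records are constructed
to resemble Search-UnifiedAuditLog AuditData for Exchange cmdlets; values are invented.
"""
import json

# Assumption: the fictional tenant's accepted domains. Anything else is external.
INTERNAL_DOMAINS = {"northgate-engineering.example"}

# Parameters that push mail somewhere (rule cmdlets and mailbox-level forwarding).
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
# Parameters attackers pair with forwarding so the victim never sees the mail.
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample: three audit records as compact JSON strings (one per line in practice).
SAMPLE_AUDIT = [
    json.dumps({"CreationTime": "2026-03-15T09:12:41", "Operation": "New-InboxRule",
                "UserId": "j.carter@northgate-engineering.example", "ClientIP": "203.0.113.77",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                               {"Name": "ForwardTo", "Value": "finance.archive@example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2026-03-15T09:30:05", "Operation": "Set-Mailbox",
                "UserId": "j.carter@northgate-engineering.example", "ClientIP": "203.0.113.77",
                "Parameters": [{"Name": "Identity", "Value": "j.carter"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:jc.backup@example.org"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2026-03-15T10:02:19", "Operation": "New-InboxRule",
                "UserId": "m.osei@northgate-engineering.example", "ClientIP": "198.51.100.10",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                               {"Name": "MoveToFolder", "Value": "Reading"}]}),
]


def _params(record):
    """Collapse the Name/Value list into a dict for easy lookup."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_recipients(value):
    """Split a forwarding value (comma or semicolon separated, optional smtp: prefix)
    and keep only addresses whose domain is not one of ours."""
    out = []
    for raw in value.replace(";", ",").split(","):
        addr = raw.strip().strip('"').lower()
        if addr.startswith("smtp:"):
            addr = addr[5:]
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            out.append(addr)
    return out


def assess(record):
    """Return a finding for a forwarding change that targets an external address, else None."""
    if record.get("Operation") not in WATCHED_OPS:
        return None
    p = _params(record)
    targets = [a for name in FORWARD_PARAMS if name in p for a in external_recipients(p[name])]
    if not targets:
        return None
    hiding = [n for n in HIDE_PARAMS if n in p]
    # Forwarding combined with delete/mark-as-read/move is the classic BEC rule: rate it high.
    severity = "high" if hiding else "medium"
    return {"time": record["CreationTime"], "user": record["UserId"], "ip": record.get("ClientIP"),
            "operation": record["Operation"], "rule_name": p.get("Name"),
            "external_targets": targets, "hiding": hiding, "severity": severity}


def triage(audit_json_lines):
    """Assess each JSON record and return findings, high severity first, then by time."""
    findings = [f for f in (assess(json.loads(line)) for line in audit_json_lines) if f]
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["time"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print(f["severity"].upper(), f["time"], f["user"], f["operation"],
              f["external_targets"], f["hiding"])
```

The benign "Newsletters" rule produces no finding because it forwards nothing; the Set-Mailbox forwarding is rated medium rather than high only because nothing hides the copies, and on a real investigation the same actor and ClientIP across both records is what turns two findings into one scope. The check is deliberately string-based so it also works on the mailbox audit log and on Get-InboxRule output exported by Exchange PowerShell, not only on Purview.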

What you'll be able to do

Investigate AiTM phishing, BEC, ransomware, and insider threat incidents end-to-end
Write KQL queries that extract forensic evidence from Sentinel and Defender XDR
Make containment decisions that stop active attacks without destroying evidence
Reconstruct attacker timelines across cloud and endpoint telemetry
Produce investigation reports for CISO, legal counsel, and regulatory bodies

The Investigation Methodology

Every technique in this course follows the same five-step reasoning chain: what to look for, where to find it, how to extract it, how to interpret it, and what to do next. The methodology is grounded in NIST SP 800-61 Revision 3 and CSF 2.0 — from Windows registry forensics to M365 cloud investigation to memory analysis, one framework, applied everywhere.

Who this course is for

SOC analysts investigating incidents in Windows and M365. You handle alerts and need structured investigation methodology — not just individual techniques, but a complete framework for tracing attackers from initial access through lateral movement to data exfiltration.

IR practitioners building DFIR capability. You respond to incidents and need production-grade forensic skills — evidence acquisition, artifact analysis, memory forensics, and investigation reporting that withstands legal scrutiny.

Detection engineers converting findings to rules. Every investigation scenario ends with detection rule deployment — turning investigation findings into KQL analytics rules that prevent recurrence.

Anyone with a genuine interest in incident response. Whether you're transitioning from IT administration, networking, development, or another security discipline — if the subject matter interests you and you're willing to put in the work, this course is for you. Backgrounds vary. Motivation is what matters.

The toolkit — free tools at professional depth

The core toolkit: KAPE for triage collection, EZTools (20 parsers) for artifact analysis, Volatility 3 for memory forensics, Velociraptor for remote collection, KQL for cloud investigation, and PowerShell for containment and automation. Enterprise alternatives noted where relevant. Every technique is taught with free tools first.

What this produces

Investigation playbooks, evidence collection procedures, timeline templates, and a complete response framework — built across four realistic scenarios (AiTM, BEC, ransomware, insider threat). The operational IR capability that produces court-defensible investigation reports — the gap between "I can read a Defender alert" and "I can lead the investigation, write the report, and defend the findings to leadership or regulators."

What you will be able to do

1. Investigate AiTM credential phishing campaigns end-to-end — from initial sign-in anomaly through token replay, mailbox compromise, and lateral phishing.

2. Perform Windows endpoint forensics — registry analysis, filesystem artifacts, event log analysis, memory forensics with Volatility 3, and lateral movement detection.

3. Investigate M365 cloud incidents — identity compromise, Exchange Online forensics, SharePoint/OneDrive exfiltration, and Entra ID persistence.

4. Investigate ransomware, BEC, insider threat, and APT scenarios using structured methodology with evidence-based findings and MITRE ATT&CK mapping.

5. Deploy detection rules as KQL analytics rules in Sentinel — tested, entity-mapped, and compliance-linked.

6. Write IR reports for executive, technical, legal, and regulatory audiences.

7. Build IR readiness with toolkits, playbooks, hardening checklists, and tabletop exercises.

Course at a glance

Modules: 20 (IR0–IR19) across 5 phases

Estimated duration: 36–40 hours (self-paced)

Format: Written content — annotated KQL queries, SVG diagrams, worked artifacts, knowledge checks

Free content: IR0–IR1 (2 modules) — no account required

Paid content: IR2–IR19 (18 modules) — Premium or Team subscription

Deployable artifacts: Detection rules, investigation playbooks, IR report templates, hardening checklists

Typical pace: ~5-10 weeks at 5 hrs/week

Hands-on labs: 9 interactive + 40 structured (browse all →)

MITRE ATT&CK coverage: 122 techniques mapped

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across on-prem, Splunk, and Microsoft 365 security stacks, Cisco and Palo Alto networks, and managed SOC partnerships.

Experience spans detection engineering, incident response, and DFIR investigation across on-prem, M365, and Linux environments — including leading cyber incident response engagements, deploying security controls and managing Governance, Risk and Compliance operations.

The investigation scenarios in this course are grounded in that operational work. The techniques, decision points, and mistakes are drawn from real investigations, sanitized and adapted for training.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Technical requirements

M365 Developer Tenant (free): From developer.microsoft.com — 25 user licenses, E5 environment, sample data packs. Setup instructions in IR0.

Windows forensic workstation: Windows 10/11 VM with KAPE, EZTools, Volatility 3. Setup instructions in IR1.

No commercial tools required. Free tools throughout. Enterprise alternatives (AXIOM Cyber, X-Ways) noted where relevant.

How to get the most from this course

Recommended pace: 1–2 modules per week, 50–70 hours total over 10–14 weeks alongside a full-time role.

Phase 1–2 are sequential. They build the forensic foundation. Phase 3 (cloud) and Phase 4 (scenarios) can be prioritized based on your immediate needs.

Build your toolkit in IR1. The toolkit setup module is the investment that makes every subsequent module hands-on rather than theoretical.

Support and community

Questions about course content: training@ridgelinecyber.com

Billing and account management: Self-service via your account page or training@ridgelinecyber.com

LinkedIn: Follow Ridgeline Cyber for operational security content and course updates

X: @RidgelineCyber

Course Syllabus

Five phases. IR0–IR1 are free — no account required.

Phase 2 — Windows Endpoint Forensics

IR2
Evidence Acquisition and Chain of Custody — Forensic soundness principles (four pillars). Triage collection with KAPE (target selection, validation, remote methods). Full disk imaging (FTK Imager, write blocking, verification). Remote collection with Velociraptor. Memory acquisition (WinPMem, VM memory, order of operations). M365 evidence preservation (litigation hold, Purview audit, eDiscovery). Chain of custody documentation. Evidence storage and integrity. Legal considerations (UK GDPR, CMA, RIPA).
IR3
Windows Artifact Analysis — Execution and Persistence — Evidence of execution: Prefetch, AmCache, ShimCache, BAM/DAM, UserAssist, Jump Lists. Persistence mechanisms: Run/RunOnce, scheduled tasks, services, WMI subscriptions, COM hijacks. Analysis with EZTools. KAPE automated parsing. Timeline creation with MFTECmd and Timeline Explorer.
IR4
Windows Artifact Analysis — Filesystem and Registry — NTFS artifacts: $MFT, $UsnJrnl, $LogFile, $I30, Zone.Identifier ADS. Registry forensics: SAM, SYSTEM, SOFTWARE, NTUSER.DAT, UsrClass.dat. Analysis with MFTECmd, Registry Explorer, RECmd, ShellBags Explorer. Deleted file recovery and timestomping detection.
IR5
Windows Event Log Analysis — Critical event IDs: 4624/4625 logon, 4688 process creation, 4720 account creation, 7045 service install, 1102 log cleared, Sysmon. PowerShell logging: ScriptBlock, Module, Transcription. RDP, Task Scheduler, WMI logs. EvtxECmd analysis. Log gap detection and anti-forensics.
IR6
Memory Forensics with Volatility 3 — Memory acquisition: WinPMem, hibernation file, crash dump. Volatility 3 analysis: PsList, PsTree, NetScan, DllList, Handles, CmdLine, Malfind. Process injection, hollowing, and rootkit detection. Worked investigation: identifying a Cobalt Strike beacon in memory.
IR7
Lateral Movement and Credential Theft Analysis — Pass-the-hash, pass-the-ticket, overpass-the-hash. RDP forensics (bitmap cache, event logs). PsExec and SMB artifacts. WMI lateral movement. LSASS access detection, DCSync, Kerberoasting, AS-REP roasting. Combined Windows artifact and KQL analysis.
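IR5 lists Event ID 7045 among the critical events and IR7 covers PsExec artifacts; the timeline at the top of the page uses the same pairing for its T+2:15 lateral-movement step. The following is an added example written for this page, not course material: it classifies 7045 (service installed) records by ImagePath pattern and pairs each suspicious one with the most recent network logon (4624, logon type 3) on the same host, which is where the source IP and account come from, since 7045 itself carries neither. The event dicts are constructed by hand to mirror the EventData field names of the real events (EvtxECmd exposes the same names inside its Payload JSON); hostnames, accounts and IPs are invented.

```python
"""Correlate Event ID 7045 (service installed, System log) with preceding type-3 logons
(4624, Security log) to surface PsExec-style remote execution and attribute its source.

Added example for this page, not course material. SAMPLE_EVENTS is constructed to mirror
the EventData field names of the real events; every value is invented.
"""
import re
from datetime import datetime

# Constructed sample: System and Security events from two hosts, already merged.
SAMPLE_EVENTS = [
    {"EventID": 7045, "TimeCreated": "2026-03-16T09:00:00", "Computer": "DC01",
     "EventData": {"ServiceName": "Sense", "AccountName": "LocalSystem", "StartType": "auto start",
                   "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""}},
    {"EventID": 4624, "TimeCreated": "2026-03-16T14:15:02", "Computer": "DC01",
     "EventData": {"LogonType": "3", "TargetUserName": "svc_backup", "TargetDomainName": "NORTHGATE",
                   "IpAddress": "10.10.20.55", "WorkstationName": "WS-FIN-07",
                   "AuthenticationPackageName": "NTLM"}},
    {"EventID": 7045, "TimeCreated": "2026-03-16T14:15:04", "Computer": "DC01",
     "EventData": {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
                   "AccountName": "LocalSystem", "StartType": "demand start"}},
    {"EventID": 4624, "TimeCreated": "2026-03-16T16:40:10", "Computer": "FS01",
     "EventData": {"LogonType": "3", "TargetUserName": "svc_backup", "TargetDomainName": "NORTHGATE",
                   "IpAddress": "10.10.20.55", "WorkstationName": "",
                   "AuthenticationPackageName": "NTLM"}},
    {"EventID": 7045, "TimeCreated": "2026-03-16T16:40:12", "Computer": "FS01",
     "EventData": {"ServiceName": "BTOBTO", "AccountName": "LocalSystem", "StartType": "demand start",
                   "ImagePath": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 "
                                "> %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat "
                                "& del %TEMP%\\execute.bat"}},
]

# ImagePath patterns, checked in order; first match wins.
PATTERNS = [
    ("psexec_sysinternals", re.compile(r"PSEXESVC", re.I)),            # default Sysinternals service
    ("smbexec_like", re.compile(r"%COMSPEC%.*(127\.0\.0\.1|ADMIN\$|\bC\$)", re.I)),  # cmd via admin share
    ("unc_image_path", re.compile(r'^"?\\\\')),                       # service binary on a network share
]


def classify_service(image_path):
    """Label a 7045 ImagePath as a remote-execution pattern, or None if nothing matches."""
    for label, rx in PATTERNS:
        if rx.search(image_path):
            return label
    return None


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(events, window_seconds=120):
    """Pair each suspicious 7045 with the latest type-3 logon on that host within the window.

    The logon supplies what 7045 lacks: source IP, account and authentication package."""
    logons = [e for e in events
              if e["EventID"] == 4624 and e["EventData"].get("LogonType") == "3"]
    findings = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        if e["EventID"] != 7045:
            continue
        label = classify_service(e["EventData"].get("ImagePath", ""))
        if label is None:
            continue
        t = _ts(e["TimeCreated"])
        prior = [l for l in logons if l["Computer"] == e["Computer"]
                 and 0 <= (t - _ts(l["TimeCreated"])).total_seconds() <= window_seconds]
        src = max(prior, key=lambda l: l["TimeCreated"], default=None)
        d = src["EventData"] if src else {}
        findings.append({
            "time": e["TimeCreated"], "host": e["Computer"],
            "service": e["EventData"].get("ServiceName"), "pattern": label,
            "source_ip": d.get("IpAddress"),
            "account": (d["TargetDomainName"] + "\\" + d["TargetUserName"]) if src else None,
            "auth": d.get("AuthenticationPackageName"),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["time"], f["host"], f["service"], f["pattern"], f["source_ip"], f["account"], f["auth"])
```

Two caveats worth keeping in mind when running this against real exports. A PsExec run with a renamed service (the -r option) defeats the PSEXESVC string, so the logon correlation and the System/Security cross-reference carry the finding, not the service name. And the 7045 and 4624 events live in different logs, so the merge step (here, one list) has to happen before correlation; with EvtxECmd that means parsing both System.evtx and Security.evtx into the same timeline.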

Phase 3 — M365 Cloud Investigation

IR8
M365 Identity Compromise Investigation — Entra ID sign-in log analysis: risky sign-ins, impossible travel, token replay, MFA bypass. Conditional access evaluation. Audit logs: app consent, role assignment, CA policy changes. AiTM and OAuth consent phishing investigation. Worked scenario: BEC from initial phish to financial fraud.
IR9
Exchange Online and Email Forensics — Mailbox audit logging: MailItemsAccessed, Send, MoveToDeletedItems. Purview audit for identifying exactly which emails were read. Inbox rule and mail forwarding forensics. Transport rule manipulation. eDiscovery content search. Worked scenario: invoice interception and payment redirection.
IR10
SharePoint, OneDrive, and Teams Investigation — File access and exfiltration detection across all M365 file repositories. Four audit data sources mapped. Insider threat investigation (INC-NE-2026-0315): baseline comparison, scope anomaly detection, three exfiltration methods. Anonymous sharing link investigation and revocation. Teams message recovery via Purview Content Search. Sensitivity label and DLP gap analysis. OneDrive endpoint correlation. Data exposure assessment with regulatory notification decision tree.
IR11
Entra ID and Azure AD Investigation — Identity persistence investigation: the mechanisms that survive password resets, session revocation, and endpoint reimaging. Entra ID audit log deep dive. Directory enumeration detection. Privilege escalation chain analysis. Service principal credential abuse (the most commonly missed persistence). Malicious app registration investigation. Conditional access policy weakening. Federation trust attacks (Golden SAML). Token theft: PRT, refresh token, FOCI exploitation.
IR12
Defender XDR as an IR Platform — Using the unified portal for complete investigations. Incident queue triage with entity graph and priority classification. Cross-table Advanced Hunting queries tracing attacks across email, identity, endpoint, and cloud apps. Live Response for remote evidence collection and memory capture. AIR analysis and attack disruption verification. Custom detection rules from investigation queries. Sentinel integration for long-term retention and compliance. Nine-step IR workflow.

Phase 4 — Investigation Scenarios

IR13
Ransomware Investigation — Complete ransomware incident investigation from discovery to IR report. Initial access reconstruction. Pre-encryption timeline (5-day dwell time). Encryption timeline from MFT, USN, event logs. Variant identification and threat intelligence. Double extortion data exfiltration assessment. Blast radius determination. Recovery assessment with backup verification. Identity persistence check (IR11 applied to ransomware recovery).
IR14
Business Email Compromise Investigation — Complete BEC lifecycle investigation from account compromise to financial fraud recovery. Account compromise detection (password spray, push fatigue, AiTM, token theft). Mailbox reconnaissance reconstruction. Inbox rule and forwarding forensics. Invoice manipulation detection. Internal phishing from compromised accounts. Financial transaction tracing and bank recall. BEC scope and data exposure assessment. Evidence preservation for law enforcement. Seven-step BEC containment. Legal, insurance, and communication coordination.
IR15
Insider Threat Investigation — Complete person-centric investigation across all evidence sources. HR/Legal authorization and investigation governance. User behavior timeline construction. USB and removable media forensics. Email exfiltration to personal addresses. Cloud exfiltration: SharePoint, OneDrive sync, anonymous sharing links, and personal cloud sync client detection (Dropbox, Google Drive, iCloud, MEGA). Print and screenshot detection. Cross-source correlation proving systematic intent. Evidence preservation for employment tribunal. Coordinated access revocation. Post-investigation: HR decision, legal action, ongoing monitoring.
IR16
Advanced Persistent Threat Investigation — Supply chain compromise detection and IOC hunting. LOLBin reconnaissance and lateral movement. Multi-stage memory-only implant analysis (Volatility 3). Advanced persistence: WMI subscriptions, DLL side-loading, COM hijacking. BRICKSTORM-class edge-appliance backdoors — the persistence pattern traditional endpoint forensics cannot see. C2 communication: DNS beaconing, tunneling, jitter analysis. Long-dwell timeline reconstruction including 400-day dwell patterns exceeding Sentinel retention. Data staging and low-volume exfiltration. ATT&CK-driven investigation with gap analysis. Simultaneous APT containment.

Phase 5 — Reporting, Operations, and Capstone

IR17
IR Reporting — From Evidence to Executive Summary — Evidence-to-finding methodology. Technical IR report template (10 sections). Executive summary for leadership (four-question framework). Attacker activity timeline construction, including AI-assisted drafting with verification discipline. Regulatory notification support across GDPR, DFARS, SEC 8-K, CISA, and the EU NIS2 Directive. Lessons learned and post-incident review. Report sanitization for external sharing. Report quality and peer review.
IR18
Building IR Readiness — IR plan development with authority matrix. Evidence collection playbook: pre-built KAPE, Live Response scripts, KQL query packs. Tabletop exercise design and execution, aligned to CISA CTEP. IR retainer evaluation and cyber insurance coordination. Detection engineering from IR findings (closed loop). Purple team integration. Six-metric IR program framework: MTTD, MTTR, containment time, recurrence rate, eradication verification rate, detection engineering velocity.
IR19
Capstone — The Complete Investigation — Full end-to-end investigation exercising every skill from IR0-IR18. Multi-vector attack: AiTM credential phishing + attacker-registered device CA bypass + malicious document + Cobalt Strike + lateral movement + BEC positioning + SharePoint data theft + Entra ID service principal persistence. Five phases: triage, endpoint, cloud, containment, reporting. All deliverables produced. The investigation that proves you can work independently.

What you get that you will not find elsewhere

This is not a tool walkthrough. Tool walkthroughs show you which buttons to click. This course teaches investigative reasoning — what to look for, where to find it, how to extract it, how to interpret it, and what to do next. The five-step methodology applies whether you use KAPE, Velociraptor, or a manual collection.

This is not certification preparation. Certification courses teach you to pass an exam. This course teaches you to investigate incidents across a hybrid Windows and M365 environment — from the phishing email through lateral movement to the investigation report your CISO acts on.

Four complete investigation scenarios. Not simplified labs. Ransomware (72-hour dwell time, 12 hosts), BEC (account compromise to payment fraud), insider threat (6-week data exfiltration with legal hold), and APT (400-day dwell with edge-appliance persistence). Each scenario exercises the full methodology from alert to report.

Every investigation technique is taught with free tools. KAPE, EZ Tools, Volatility 3, Velociraptor, KQL, PowerShell. Enterprise alternatives noted where relevant, but no commercial license required to complete the course.

Where this course fits

Incident Triage teaches the first 60 minutes — alert to handoff. Practical IR takes over from the handoff and teaches the complete investigation methodology from evidence acquisition through reporting.

Detection Engineering builds the rules that generate the alerts. This course investigates what those alerts mean and produces the findings that drive detection improvements.

Endpoint Security builds the forensic readiness that this course depends on — Sysmon, audit policies, PowerShell logging. Without forensic readiness, there is nothing to investigate.

Recommended learning path: Triage → IR → DE → TH. A learner can start at any course.

The outcome

You start responding to alerts. You finish investigating incidents.

End-to-end investigation capability — trace an attacker from initial phishing email through lateral movement to data exfiltration across Windows and M365.

Forensic evidence extraction — KAPE triage, EZ Tools parsing, Volatility 3 memory analysis, KQL cloud investigation. Free tools at professional depth.

Investigation reporting — technical findings, executive summary, regulatory notification support, lessons learned. The reports that get acted on.

A complete IR toolkit — playbooks, detection rules, report templates, hardening checklists. Production-ready and adaptable to your environment.

Required: 1+ years in a SOC, IT security, or systems administration role. You should be comfortable navigating Windows event logs, running PowerShell commands, and understanding what an incident investigation involves. If you've triaged alerts in Defender XDR or Sentinel, you're ready.

Recommended: Access to an M365 developer tenant for cloud investigation modules (IR8–IR12). KQL fundamentals — the Mastering KQL course covers this, or K0–K3 minimum. A forensic workstation with KAPE, EZ Tools, and Volatility 3 installed — the Lab Setup Guide covers the build, or use FLARE-VM.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.

No legal advice: Compliance and regulatory content in this course is educational, not legal advice. Consult qualified legal counsel for obligations in your jurisdiction.

Lab Pack — Hands-On Investigation Practice

This course includes a production-grade lab pack that generates 41 realistic attack artifacts on your own VM — compiled PE binaries, macro-enabled Office documents, obfuscated PowerShell stagers, persistence mechanisms, credential access artifacts, staged exfiltration data, and suspicious processes for memory capture. You investigate them using the same tools and methodology taught in the course. Your lab, your tools, your investigation.

What's included: Attack artifact generator (41 files, 10 persistence mechanisms, 4 suspicious processes), 6 HTML walkthrough guides covering the full DFIR workflow, 40 structured labs with graduated difficulty (37 core + 3 bonus for FLARE-VM/REMnux), self-grading verification scripts, and a cleanup script for resetting.

Lab environment (free): VMware Workstation Pro + Windows 11 Eval VM (or FLARE-VM for 140+ pre-installed forensic tools). Optional: Windows Server 2022 (AD), M365 developer tenant, REMnux for Office document analysis with oletools. See the Lab Setup Guide for the complete build.

DFIR workflow covered: Memory capture (WinPMem), volatile evidence collection, event log export (wevtutil), registry hive export, KAPE triage collection, phishing document preservation, chain of custody documentation, Prefetch/Amcache/ShimCache analysis (PECmd, AmcacheParser, RECmd), event log parsing (EvtxECmd), PowerShell ScriptBlock decoding, memory forensics (Volatility 3), and investigation report writing.

Attack scenario: CHAIN-HARVEST — phishing email → macro-enabled Excel → VBScript dropper → compiled C# implant → 10 persistence mechanisms (scheduled tasks, services, registry run keys, WMI subscription, startup shortcut, IFEO debugger) → credential harvesting → data staging (employee PII, network config, AD enumeration, SSH keys, browser passwords) → encrypted exfiltration archive.

Practical IR Lab Pack v5
40 labs · 41 artifacts · 10 persistence mechanisms · 6 HTML walkthroughs

Version and changelog

Current version: 6.0  |  Last updated: April 2026

April 2026 — v6.0: Complete methodology and threat-landscape rebuild. Course realigned to NIST SP 800-61 Revision 3 and CSF 2.0 (Revision 2 withdrawn April 2025). Threat-landscape framing updated against M-Trends 2026: IR16 adds BRICKSTORM-class edge-appliance persistence and 400-day dwell timeline reconstruction; IR15 adds personal cloud sync client detection (Dropbox, Google Drive, iCloud, MEGA); IR17 adds AI-assisted drafting with verification discipline and NIS2 Directive regulatory coverage; IR18 upgraded to the six-metric IR program framework with CISA CTEP-aligned tabletop exercises and cyber insurance coordination; IR19 Capstone extends the attack chain with attacker-registered device CA bypass. The Six-Step Investigation Method retired across all 18 modules in favor of a consistent five-step reasoning chain. Content-discipline sweep: 154 content subs received you-already-know and next-sub navigation blocks; 135 sub descriptions regenerated from objective-deliverables.

April 2026 — v5.0: Lab pack rebuilt from scratch. 41 production-grade artifacts (compiled PE, macro-enabled Office docs, obfuscated PowerShell, 10 persistence mechanisms). 40 labs with HTML walkthroughs. FLARE-VM and REMnux as first-class lab options. Generator prompts for output directory, creates files only (no machine scanning).

2026 — v1.0: Complete course. All 20 modules (IR0–IR19) active across 5 phases. Investigation scenarios: AiTM phishing, ransomware, BEC, insider threat, APT, multi-vector capstone.

This course is actively maintained. Content is updated as the security landscape evolves.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70 (out of 100 points). Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 3 scenarios

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.