IR0.4 The Toolkit and What Comes Next

5 minutes · Module 0 · Free
What you already know

You have worked with some of the tools in this course already — maybe KAPE on a triage collection, maybe KQL in Advanced Hunting, maybe PowerShell for a remote query. You know the ones you know. This subsection is not a tutorial on any of them. It is an inventory — what each tool does, which phase of the course teaches it, and why the combination covers every kind of evidence a Microsoft-stack incident produces. Then, because IR is one skill inside a larger pipeline, a look at what to build next.

Operational Objective
The course teaches investigation against evidence. The evidence lives in specific places — endpoint disk artefacts, endpoint memory, cloud logs, network metadata — and each place requires specific tools to extract it. You will not retain every detail of every tool from this subsection, and that is fine; IR1 walks through detailed installation and configuration. What you need from IR0.4 is the inventory-level map — six tool categories, what each one is for, which course module teaches it in depth. You also need an honest view of where IR sits in the broader security pipeline, because investigation skill on its own has a shorter operational lifespan than you might expect if it is not paired with the adjacent disciplines that compound its value.
Deliverable: A clear mental inventory of the six course tool categories, where each one appears in the curriculum, and a prioritized view of the adjacent skills to build after this course.
Estimated completion: 15 minutes
THE IR TOOLKIT: SIX CATEGORIES, ALL FREE

Collection. KAPE, Velociraptor. Triage collection and remote live response. Taught in IR1, IR2.
Endpoint analysis. EZTools (full parser suite). Every Windows forensic artefact. Taught in IR3-IR5, IR7.
Memory forensics. Volatility 3, WinPMem. RAM capture and analysis. Taught in IR6, IR7.
Cloud investigation. KQL, Purview, Graph PowerShell. M365, Entra ID, Defender XDR. Taught in IR8-IR12.
Correlation. Sentinel, Defender XDR. Cross-environment timeline. Taught in IR12, IR13-IR16.
Native response. PowerShell 7 + Graph SDK. Live response, containment, automation. Taught throughout.

Enterprise alternatives exist (Magnet AXIOM, Binalyze AIR, Defender XDR Live Response, Splunk) and are noted alongside where relevant. Every investigation technique in this course works with the free tools. Enterprise alternatives add convenience, not capability. Detailed install and configuration for every tool lives in IR1.

Figure IR0.4 — The six tool categories. Each category covers evidence that the other five cannot reach. Free tools carry the course; enterprise alternatives are noted where they add workflow convenience but never gate capability.

The six categories, one sentence each

The map above in text form. You will install the specific tools in IR1; right now you need to recognize the shape of the toolkit.

Collection is the category that gets evidence off the target system while disturbing it as little as possible. No collector is invisible (the collector itself shows up in Prefetch, at the least), so record what you ran, where, and when. KAPE does targeted triage collection: it pulls Prefetch, event logs, registry hives, browser history, $MFT, and a few dozen other artefacts into a structured folder in two to five minutes rather than the forty-five to ninety of a full disk image. Velociraptor covers the remote case: deploying a client agent to an endpoint you cannot physically touch, or hunting a persistence mechanism across five hundred endpoints simultaneously with a custom VQL query.

Endpoint analysis is the category that turns the collected artefacts into findings. Eric Zimmerman Tools is a suite of parsers, one per artefact type — PECmd for Prefetch, AmcacheParser for the Amcache, MFTECmd for $MFT and $UsnJrnl, EvtxECmd for event logs, Registry Explorer and RECmd for registry hives, LECmd and JLECmd for LNK and Jump List files, Timeline Explorer to combine the outputs into a single chronological view. Every Windows forensic artefact the course covers is parsed by an EZTools component. Free.

Memory forensics is the category that handles evidence that never touches disk. Volatility 3 analyzes RAM dumps to identify running processes, network connections, injected code regions, loaded DLLs, and credential material held in memory. WinPMem is the Windows acquisition tool; it captures a memory image from a running system in a few minutes. Capture memory before you run the disk triage: collection starts processes and reads files, and each of those changes what is in RAM. Memory is where reflective loaders, in-memory beacons, and credential theft tooling live; none of that is visible in disk-based artefacts alone.
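As an added example, not course material, here is the order in which the first three categories are used on a single host, written as a PowerShell 7 script: memory capture first, KAPE triage second, then the EZTools parsers and Volatility 3 over what was collected, with a hash manifest at the end for evidence preservation. Everything about the environment in it is an assumption: the tool root, the case directory and case number, and that it runs from an elevated session on the affected host with the evidence drive attached. The KAPE target name and the parser switches are the tools' own, but verify them against the versions you install in IR1.

```powershell
#Requires -Version 7
# Added example, not course material: collection -> memory -> analysis on one host.
# Tool locations, case paths and the case number are assumptions; adjust them to
# your own kit. Run from an elevated PowerShell 7 session (KAPE and WinPMem need it).
[CmdletBinding()]
param(
    [string]$CaseRoot = 'E:\cases\INC-0001',   # assumed evidence drive and case folder
    [string]$Tools    = 'E:\IR',               # assumed root holding KAPE, EZTools, WinPMem, volatility3
    [string]$Hostname = $env:COMPUTERNAME
)
$ErrorActionPreference = 'Stop'

$triage = Join-Path $CaseRoot 'triage'
$parsed = Join-Path $CaseRoot 'parsed'
$memImg = Join-Path $CaseRoot "$Hostname.mem"
New-Item -ItemType Directory -Force -Path $triage, $parsed | Out-Null

# 1. Memory first. A triage run changes what is in RAM (a new process, file reads,
#    page cache churn), so the image is taken before KAPE touches the disk.
& (Join-Path $Tools 'WinPMem\winpmem_mini_x64_rc2.exe') $memImg

# 2. Targeted triage. !SANS_Triage is KAPE's compound target covering Prefetch,
#    event logs, registry hives, $MFT and $UsnJrnl, browser history and more.
#    KAPE keeps the source path structure, so artefacts land under $triage\C\.
& (Join-Path $Tools 'KAPE\kape.exe') --tsource C: --tdest $triage --target '!SANS_Triage'

# 3. Endpoint analysis. One EZTools parser per artefact type, each writing CSV
#    into the same folder so Timeline Explorer can merge them into one timeline.
$ez = Join-Path $Tools 'EZTools'
& (Join-Path $ez 'PECmd.exe')    -d (Join-Path $triage 'C\Windows\Prefetch')                --csv $parsed
& (Join-Path $ez 'EvtxECmd.exe') -d (Join-Path $triage 'C\Windows\System32\winevt\Logs')    --csv $parsed
& (Join-Path $ez 'MFTECmd.exe')  -f (Join-Path $triage 'C\$MFT')                            --csv $parsed

# 4. Memory analysis. Volatility 3 needs the symbol table for this kernel build;
#    with internet access it fetches it from Microsoft on first use.
& python (Join-Path $Tools 'volatility3\vol.py') -f $memImg windows.pslist |
    Set-Content (Join-Path $parsed 'pslist.txt')

# 5. Preservation. Hash every file in the case folder and record when and on
#    what host the collection ran, so the evidence can be verified later.
Get-ChildItem $CaseRoot -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $CaseRoot 'evidence-hashes.csv') -NoTypeInformation
"Collected from $Hostname at $(Get-Date -Format o) by $env:USERNAME" |
    Set-Content (Join-Path $CaseRoot 'collection-note.txt')
```

The step order is the point: memory before disk, parse into CSV rather than reading raw artefacts by eye, and hash before anyone opens the folder.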

Cloud investigation is the category that covers the evidence model for Microsoft 365 and Entra ID. KQL is the query language — it runs in the Defender XDR portal (Advanced Hunting) and in Microsoft Sentinel. Purview audit covers mailbox and data-plane audit events. Microsoft Graph PowerShell replaces the deprecated AzureAD and MSOnline modules for identity operations that need to run from a script rather than a portal.

Correlation is the category that links the cloud and endpoint sides of a cross-plane incident. Microsoft Sentinel runs as a SIEM built on KQL. Defender XDR is Microsoft's native correlation layer that ties Defender for Endpoint, Defender for Office 365, and Defender for Cloud Apps signals into a single incident view. For organizations with non-Microsoft SIEMs (Splunk, Elastic), the patterns taught here apply; the query syntax will be different.

Native response is the category that covers everything PowerShell can do that the other tools cannot — live-response actions, containment commands, evidence preservation scripts, bulk identity operations, and the glue that connects the other five categories. Microsoft Graph PowerShell is the modern module. This course uses PowerShell throughout, not as a separate tooling topic, but as the language in which responder automation is expressed.

The six categories are not arbitrary. They correspond to the four environments from IR0.1 plus the cross-cutting activities that link them — collection moves data out, analysis turns data into findings, correlation ties findings together, native response is what you do once you have the picture. If one category were missing from your toolkit you would be blind to whatever evidence type that category handles. Every category is covered by free tools that are used by professional DFIR consultancies and government CERT teams. Paid alternatives exist; none of them are required for the investigation work.

Why every tool is free

A note on the tooling economy, because this is the most common question from learners coming from a vendor-heavy SOC.

The free tool ecosystem for incident response is exceptional. KAPE, EZTools, Velociraptor, Volatility, WinPMem, and PowerShell are all production-grade. KAPE is free for internal corporate use on your own systems (a paid commercial license applies to third-party IR consultancies doing client work, but not to you investigating your own employer's systems). EZTools is free. Velociraptor is open source. Volatility 3 is open source. WinPMem is open source. Microsoft Graph PowerShell is free from the PowerShell Gallery. You will not spend anything on tooling to complete this course or to work production incidents.

Paid alternatives add workflow convenience. Magnet AXIOM Cyber has a polished GUI and case management features. Binalyze AIR has automated triage collection workflows. Defender XDR Live Response gives you a browser-based shell. Splunk has a more capable SIEM than Sentinel for some use cases. None of them add forensic capability that the free tools cannot match — they save the responder time in routine workflows. If your organization pays for one of them, use it. If your organization does not, the free toolkit does everything the course teaches.

The one exception where paid tooling matters is for third-party IR engagements, where the KAPE commercial license requirement applies and where client-facing work often needs case management features that the free tools lack. That is an enterprise-IR-consultancy concern, not a corporate-responder one.

Where IR sits in the broader pipeline

IR is the middle of a longer capability. Everything upstream feeds into what reaches you; everything downstream determines whether your findings matter beyond this incident.

Upstream of IR, someone had to write the detection rule that fired the alert, configure the audit logging that captured the evidence, and harden the environment so the attacker had to work harder. Downstream of IR, someone takes your findings and turns them into new detections, new controls, new policy language, and board-level reporting. A responder who operates only in the middle of that pipeline produces investigations that are technically sound but operationally short-lived. The same incident recurs six months later because nothing upstream changed.

You do not need to be capable in every adjacent discipline. You do need to know they exist and which one to invest in next depending on where your role is heading.

Detection engineering is the single highest-leverage adjacent skill for most IR practitioners. Every investigation produces findings — attacker techniques that your current detection stack did not catch. Without detection engineering, those findings sit in an IR report and get forgotten. With detection engineering, the finding becomes a new Sentinel analytics rule, a new Defender for Endpoint custom detection, or a new correlation in your SIEM. The next attacker using the same technique gets caught in hours rather than weeks. The skills are KQL query writing at production quality, MITRE ATT&CK mapping, false-positive tuning, threshold selection, and rule health monitoring. This is almost always the right next step for a mid-level SOC analyst with IR responsibilities, because it compounds — every rule you build reduces the rate of future incidents, and the rules keep working long after the investigation is filed.

Threat hunting is the second adjacent discipline. Where detection rules wait for conditions they are configured to match, hunting searches for attacker patterns that no rule is currently written to catch. Hunters produce the investigations no-one else would have started. The skills overlap with detection engineering — KQL again, hypothesis-driven structure, knowing the threat landscape well enough to pick productive hunt territories — but the output is different. Rules catch what you have anticipated; hunting catches what you have not. If your environment already has strong detection engineering in place, hunting is the next-best investment.

Deeper memory forensics is a specialism worth pursuing if your work regularly involves advanced adversaries. This course teaches enough memory forensics in IR6 to handle the majority of Windows memory investigations — Volatility 3, process analysis, credential extraction, injected code detection, a complete worked Cobalt Strike analysis. It does not cover nation-state rootkits, kernel-level persistence, firmware implants, or sophisticated anti-forensics. If your environment sees those threats regularly, the next layer of memory forensics training exists and is worth the investment. If it does not, the course's memory module is sufficient and your investment-per-hour is higher in detection engineering.

Network forensics is a full discipline this course does not teach. Packet captures, Zeek logs, Suricata alerts, NetFlow analysis, TLS metadata, DNS analytics — all of it sits outside the Microsoft-stack focus of this course, and all of it matters when endpoint evidence is gone, logs have been cleared, and cloud audit has expired. If your organization has usable network telemetry, network forensics is a high-value adjacent skill. If it does not, the investment returns less than detection engineering does.

IR program leadership is a different skill set entirely. Technical investigation skill is necessary to run an IR function. It is not sufficient. Leading the function means designing the playbooks, building the on-call rotation, selecting the retainer partner, negotiating with legal and communications, reporting to the CISO, running the tabletops, defending the budget, and explaining IR capability to the board. IR18 (Building IR Readiness) gives you the scaffolding. Real leadership capability develops through a combination of deliberate study — incident command structures, post-incident reports from peer organizations — and operational experience running real incidents. If you are on a senior-responder or IR-lead track, this is the direction.

Decision Point

The situation. You have six hours per week available for skill development alongside your day job. You finish this course in ten weeks. Your current role is a mid-level SOC analyst with IR responsibilities at an organization of eight hundred staff. You investigate two or three real incidents per month. Most of your investigations produce findings — attacker techniques your detection rules did not catch — that no-one on the team follows up on afterward. You have three offers for where to spend your next study cycle. (A) Deep memory forensics for APT-grade work. (B) Detection engineering to close your own findings. (C) Threat hunting to build a proactive capability.

The choice. Pick one and justify it against your current environment's characteristics — the number of investigations per month, their typical sophistication, and what currently happens to the findings.

The correct call. (B) — detection engineering. The specific symptom you described is that your findings go unused. Detection engineering is the discipline that closes that loop. Every finding you convert into a production rule reduces the rate of future incidents of the same type. The skill compounds over time — a rule you write today catches attackers next year — and it directly improves the work you are already doing. Option (A) is high-value but unlikely to be exercised often at two or three incidents per month, most of which will not be APT-grade. Option (C) is valuable but presupposes detection-engineering maturity that does not yet exist in your environment — hunting on top of weak detection engineering produces duplicated work the rules should have caught. For your current role, (B) produces the highest operational return per hour. Revisit the choice every six months.

The operational lesson. The right next skill depends on what your environment produces and what currently happens to the product. A skill that compounds against your own regular output is worth more than a skill that sits waiting for a rare scenario. Detection engineering compounds. Deep memory forensics waits. Hunting presupposes detection engineering. For most mid-level SOC analysts with IR duties, the answer is detection engineering — and it stays the answer for eighteen to thirty-six months, until the detection backlog is caught up and the other adjacent skills start paying off.

Compliance Myth: "You need expensive commercial forensic tools to do professional IR"

The myth. Serious IR work requires Magnet AXIOM, Binalyze AIR, or an equivalent commercial suite. The free tools are for amateurs, students, and people who cannot afford better.

The reality. KAPE, Eric Zimmerman Tools, Velociraptor, and Volatility 3 are the same tools used by professional DFIR consultancies, government CERT teams, and the investigators whose published work defines current tradecraft. Commercial suites add workflow convenience — GUI interfaces, automated timelines, case management, report templating — but the underlying forensic capability is identical to the free toolkit. A responder with free tools and strong investigation reasoning produces better investigations than a responder with a £50,000 suite and no reasoning framework. Tools extract data; investigators interpret it. Where the vendor story lands most often is in organizations with large teams and high case volumes where the case management workflow of a commercial product saves material time — and for those organizations the decision is about workflow economics, not capability. For a single responder, a small team, or a learner, the free toolkit is the answer.

Next

IR0.5 — Module Summary. You have the incident shape (IR0.1), the reasoning pattern (IR0.2), the framework vocabulary (IR0.3), and the toolkit plus the next-skill direction (this subsection). IR0.5 is a brief recap of the four, confirmed as the foundation the rest of the course builds on. IR0.6 is the check-my-knowledge subsection — eight scenario questions that test what IR0 was supposed to leave in your head.

Try it: check your readiness to start collecting evidence

Time yourself against the ten-minute readiness check and write down what is missing

Setup. This exercise assumes an active SOC or IR role where you could, in principle, be asked to start collecting evidence on a real endpoint within the next hour. If you are currently studying and do not have that role yet, imagine the scenario as a career prep exercise — the readiness gap you identify now is the work to close before your first real incident.

Task. Start a timer for ten minutes. In that time, verify each of the following without improvising, phoning a colleague, or downloading anything new.

1. KAPE is accessible: on a USB, on a network share, somewhere you can reach without admin approval.
2. EZTools is installed on a workstation you can actually use.
3. Volatility 3 is installed and works against a memory image from a recent Windows build.
4. A memory acquisition tool (WinPMem or equivalent) sits on the same storage as KAPE, so you do not need two trips.
5. You hold an account with a role that can run KQL queries against your Microsoft 365 tenant (Advanced Hunting in Defender XDR, or Sentinel). This is an investigation role, not necessarily an administrative one.
6. Microsoft Graph PowerShell is installed with the modules needed for identity operations.

All six must be reachable from wherever you would be when the alert fires, including when you are working remotely.

Expected result. A practitioner who is ready passes the six checks in under ten minutes. Most practitioners fail at least one check the first time they run it honestly. The failures fall into predictable categories — a tool installed somewhere the responder cannot reach when it matters, a module that needs updating, a permission that was never granted. Every failure is an IR1 task.

Debugging branch. If you cannot locate KAPE in two minutes, the problem is the access path: the tool exists somewhere, but not where you can reach it under incident conditions. Fix by placing a copy in one specific, predictable location known to the whole team. If you cannot run a memory capture, the problem is usually that WinPMem was installed on a previous laptop or a build you no longer have; download it again and store it beside KAPE. If Volatility 3 starts but cannot analyse the image, it is usually missing the symbol table for that Windows kernel build; Volatility downloads symbols from Microsoft on demand when it has internet access, so an offline analysis workstation needs them staged in advance. If you cannot execute KQL against your organization's Sentinel or Defender XDR, the problem is permissions: your account lacks the investigation role. Fix by raising the access request through your team's normal channel. This is something to discover now, not during a live incident.
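The same readiness check as a script, added here as an example rather than course material, so it can be re-run after each IR1 fix instead of being done by hand once. Every path, the parser list and the Graph module list are assumptions about where a team keeps its kit; change them to match yours. Only the tenant check needs the network, and it is opt-in because Connect-MgGraph is interactive.

```powershell
#Requires -Version 7
# Added example, not course material: the ten-minute readiness check as code.
# All paths and module names below are assumptions; set them to your own kit.
function Invoke-IrReadinessCheck {
    [CmdletBinding()]
    param(
        [string]$KapePath    = 'D:\IR\KAPE\kape.exe',                  # assumed
        [string]$EzToolsDir  = 'C:\Tools\EZTools',                     # assumed
        [string]$VolPath     = 'C:\Tools\volatility3\vol.py',          # assumed
        [string]$WinPmemPath = 'D:\IR\KAPE\winpmem_mini_x64_rc2.exe',  # assumed
        [switch]$TestTenant   # also prove KQL works against the live tenant
    )
    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Name, $Passed, $Detail)
        $results.Add([pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = "$Detail" }) }

    # 1. Collection: KAPE on a path reachable without admin approval.
    & $add 'KAPE reachable' (Test-Path $KapePath) $KapePath

    # 2. Endpoint analysis: the parsers the course leans on most must be present.
    $parsers = 'PECmd.exe', 'MFTECmd.exe', 'EvtxECmd.exe', 'AmcacheParser.exe'
    $missing = @($parsers | Where-Object { -not (Test-Path (Join-Path $EzToolsDir $_)) })
    & $add 'EZTools parsers present' ($missing.Count -eq 0) $(if ($missing) { "missing $($missing -join ', ')" } else { $EzToolsDir })

    # 3. Memory analysis: Volatility 3 needs a Python interpreter and must actually start.
    $py = Get-Command python -ErrorAction SilentlyContinue
    $banner = if ($py -and (Test-Path $VolPath)) { (& $py.Source $VolPath --help 2>&1 | Select-Object -First 1) }
              else { 'python or vol.py not found' }
    & $add 'Volatility 3 starts' ("$banner" -match 'Volatility 3') $banner

    # 4. Memory acquisition on the same media as KAPE: one trip to the host, not two.
    $sameMedia = (Split-Path $KapePath -Qualifier) -eq (Split-Path $WinPmemPath -Qualifier)
    & $add 'WinPMem beside KAPE' ((Test-Path $WinPmemPath) -and $sameMedia) $WinPmemPath

    # 5. Native response: the Graph SDK modules used for identity and hunting work.
    $mods = 'Microsoft.Graph.Authentication', 'Microsoft.Graph.Users',
            'Microsoft.Graph.Identity.SignIns', 'Microsoft.Graph.Security'
    $modMissing = @($mods | Where-Object { -not (Get-Module -ListAvailable -Name $_) })
    & $add 'Graph PowerShell modules' ($modMissing.Count -eq 0) $(if ($modMissing) { "missing $($modMissing -join ', ')" } else { 'installed' })

    # 6. Cloud investigation: an account that can run KQL in the tenant. Start-MgSecurityHuntingQuery
    #    (Microsoft.Graph.Security) runs an Advanced Hunting query and needs ThreatHunting.Read.All.
    if ($TestTenant) {
        try {
            Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome
            $r = Start-MgSecurityHuntingQuery -Query 'DeviceInfo | take 1'
            & $add 'KQL via Advanced Hunting' ($null -ne $r) "tenant $((Get-MgContext).TenantId)"
        } catch {
            & $add 'KQL via Advanced Hunting' $false $_.Exception.Message
        }
    } else {
        & $add 'KQL via Advanced Hunting' $false 'not tested (run with -TestTenant)'
    }
    return $results
}

# Usage: anything that is not Passed is an IR1 task.
$report = Invoke-IrReadinessCheck
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) {
    Write-Warning 'Readiness check failed; close the gaps above before the next alert fires.'
}
```

Run it from the laptop you would actually be holding when the alert fires, not from the forensic workstation in the office; check 1 and check 4 are the ones that most often pass at a desk and fail from home.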

Checkpoint — before moving on

You should be able to do the following without looking back at the text.

1. Name the six tool categories in the course toolkit and state one tool from each that you would use in a Microsoft-stack investigation. (see: The six categories)
2. Explain in one sentence why every technique in the course works with free tools, and what the paid alternatives actually add. (see: Why every tool is free)
3. For your current role, name the single adjacent discipline you would invest in first after this course, and state the specific symptom in your environment that points to that choice. (see: Where IR sits in the broader pipeline)