The IR Toolkit — Setting Up Your Arsenal

90-120 minutes · Module 1 · Free

IR0 gave you the mental model. IR1 makes it operational. By the end of this module your forensic workstation will be built, every tool in the course toolkit will be installed and validated, your M365 developer tenant will be ready for Phase 3 cloud work, and you will have a jump bag that can go with you to the next incident.

Why this module exists

At 02:00 on a Tuesday the investigation cannot wait for you to download tools. The responder who spends the first forty-five minutes of an active incident installing KAPE, troubleshooting Python on a laptop that has never run Volatility, or searching for where they put the Velociraptor binary is the responder who loses the volatile evidence window — memory that gets overwritten, network connections that close, attackers who notice detection and start clearing logs. Tools have to be ready before the alert fires, not after.

IR1 solves that problem for the rest of the course. Every tool the course references is installed here, configured against a known-good standard, and validated with a test run so you know it works before you need it. The work takes ninety minutes to two hours depending on how much of it is new to you. Once done, the setup remains operational for the rest of the course and for every investigation afterward.

What you will install

Six tool categories from IR0.4, now made real.

Collection — KAPE for targeted triage acquisition, Velociraptor for remote and fleet-wide collection.

Endpoint analysis — the full Eric Zimmerman Tools suite: PECmd, EvtxECmd, MFTECmd, Registry Explorer, RECmd, AppCompatCacheParser, AmcacheParser, LECmd, JLECmd, Timeline Explorer, and the parsers for the rest of the artifact types Phase 2 will cover.

Memory forensics — Volatility 3 for analysis, WinPMem for acquisition.

Cloud investigation — the Microsoft 365 developer tenant that gives you a working Entra ID, Exchange Online, Defender XDR, and Purview to query against; Microsoft Graph PowerShell modules for scripted identity operations; and KQL access in Advanced Hunting for the cloud queries every Phase 3 module uses.

Correlation — Sentinel deployed to a Log Analytics workspace with the free data connectors the course needs.

Native response — PowerShell 7, the Microsoft.Graph module, and the supporting Windows-native tooling (Sysinternals suite, PsExec, Process Explorer) that the live-response subs in Phase 2 and Phase 4 rely on.

How to work through the module

The subsections are sequenced so each one builds on the previous. You can skip around if you have a tool already installed, but every sub ends with a validation step — run it regardless. A tool you think is working and a tool you have proved is working are different things, and you do not want to discover the difference during an incident.

Each sub follows the same three-part shape. A short explanation of what the tool is and why it is in the toolkit. A step-by-step installation with the exact commands and the expected output at each step. A validation procedure — usually a test run against sample data — that confirms the tool is operational. If the validation fails, the sub names the three or four most common causes and how to fix each one.
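One way to turn "proved working" into something repeatable is a jump-bag manifest: record a SHA-256 for every tool on the validated build, then re-check it before each deployment so a missing or silently replaced binary is caught before the incident, not during it. This is an added example, not part of the course materials; the tool root and the relative paths under it are assumptions and must be adjusted to your own workstation layout.

```powershell
# Added example (not course code): baseline and integrity check for the jump bag.
#Requires -Version 7
Set-StrictMode -Version Latest

# Assumed tool folder and layout; edit to match your IR1.1 build.
$ToolRoot = 'C:\Tools'
$Tools = @(
    'KAPE\kape.exe',
    'EZTools\PECmd.exe',
    'EZTools\EvtxECmd\EvtxECmd.exe',
    'EZTools\MFTECmd.exe',
    'Velociraptor\velociraptor.exe',
    'WinPmem\winpmem.exe'
)

function New-JumpBagManifest {
    param([string]$Root = $ToolRoot, [string[]]$RelativePaths = $Tools)
    # Record the SHA-256 of every tool on a build you have already validated.
    foreach ($rel in $RelativePaths) {
        $full = Join-Path $Root $rel
        if (-not (Test-Path -LiteralPath $full)) { throw "Missing tool: $full" }
        [pscustomobject]@{
            Path   = $rel
            Sha256 = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        }
    }
}

function Test-JumpBagManifest {
    param([Parameter(Mandatory)][string]$ManifestPath, [string]$Root = $ToolRoot)
    # Compare the current tool set against the recorded baseline; return $true only if nothing drifted.
    $manifest = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
    $failures = [System.Collections.Generic.List[string]]::new()
    foreach ($entry in $manifest) {
        $full = Join-Path $Root $entry.Path
        if (-not (Test-Path -LiteralPath $full)) { $failures.Add("MISSING  $($entry.Path)"); continue }
        $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($actual -ne $entry.Sha256) {
            $failures.Add("CHANGED  $($entry.Path) (expected $($entry.Sha256), got $actual)")
        }
    }
    foreach ($f in $failures) { Write-Warning $f }
    return ($failures.Count -eq 0)
}

# Usage: create the baseline once on the validated build, then check before every deployment.
# New-JumpBagManifest | ConvertTo-Json | Set-Content -LiteralPath "$ToolRoot\manifest.json"
# if (-not (Test-JumpBagManifest -ManifestPath "$ToolRoot\manifest.json")) { exit 1 }
```

Keep the manifest somewhere the jump bag itself cannot modify (a separate read-only copy is enough), otherwise a tampered toolset could carry its own updated hashes.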

At the end of the module, the summary consolidates the workstation's final state and the check-my-knowledge sub tests that the setup is actually usable. If any sub's validation failed, fix it before moving to IR2 — the Phase 2 modules assume every tool in IR1 is working.

What you will not install

A few things are deliberately out of scope.

Enterprise commercial tooling. Magnet AXIOM Cyber, Binalyze AIR, and similar commercial platforms are introduced in their own subsection so you can recognize them in the field, but installation is not covered. The free toolkit does everything the course teaches. If your organization pays for a commercial platform, use it alongside the free tools; if it does not, the free toolkit is sufficient.

Production SIEM. Sentinel is set up against a developer tenant for learning only. Production SIEM deployment is an engineering discipline in its own right and is covered in the Detection Engineering course, not here.

Endpoint detection and response platform. Defender for Endpoint is a managed service you either have or you do not; there is no setup for a student to do. The course teaches you to query its data through Defender XDR's Advanced Hunting, which the developer tenant provides.

Start here

Go to IR1.1 — The Forensic Workstation next. It covers the workstation build: hardware, operating system, isolation model, folder structure, and the base configuration everything else in IR1 depends on. Work through the subs in order. Every tool you install gets validated in the sub where you install it, and the module summary confirms the final state before you move to Phase 2.