IR1.1 The Forensic Workstation

90-120 minutes · Module 1 · Free
Operational Objective
The Contamination Problem: if you run forensic analysis on the same machine the attacker compromised, your analysis artifacts contaminate the evidence. Every file you open modifies the $MFT. Every tool you install changes the registry. Every query you run creates Prefetch entries. The forensic workstation must be a separate, clean environment dedicated to analysis — never used for daily work, never exposed to compromised evidence without isolation controls.
Deliverable: A fully configured forensic workstation — physical or virtual — with a standardized folder structure, verified tool installations, and isolation controls that prevent evidence contamination.
⏱ Estimated completion: 20 minutes

The Forensic Workstation

Your investigation starts here — before any tool touches evidence

The first mistake most new responders make is running forensic tools on their daily-use workstation. The defense attorney asks: "How do you know the malware you found came from the suspect's computer and not from your own machine?" If you cannot answer that question with certainty, the evidence is compromised. A dedicated forensic workstation — isolated from production, configured specifically for analysis — eliminates that risk before it arises.

Evidence integrity is the foundation of every investigation. A finding that cannot withstand scrutiny — because the analyst's own activity contaminated the timeline, because tools were installed on the evidence drive, because the chain of custody was broken by copying files to a shared workstation — is a finding that fails in court, fails in the IR report, and fails to support the containment decision it was meant to justify.

# Multi-case workspace: each case gets its own root directory
# The folder structure from the course standard:

# Case 1: AiTM phishing investigation
# C:\IR\Cases\INC-NE-2026-0315-001\
#   Evidence\    ← raw KAPE output, memory dumps, Velociraptor downloads
#   Output\      ← parsed EZTools results, Volatility 3 analysis
#   Timeline\    ← unified investigation timeline
#   IOCs\        ← indicators extracted during investigation
#   Report\      ← IR report drafts and final deliverable
#   Notes\       ← investigator notes, hypothesis log

# Case 2: Insider threat investigation (concurrent)
# C:\IR\Cases\INC-NE-2026-0312-003\
#   Evidence\
#   Output\
#   Timeline\
#   IOCs\
#   Report\
#   Notes\

# NEVER share files between case directories
# NEVER open evidence from one case while another case's
# Timeline Explorer session is active (cross-contamination risk)
# If using a VM: consider separate VM snapshots per case

# Create the standard forensic workstation folder structure
# Run in PowerShell as Administrator

# Root forensic directory
New-Item -ItemType Directory -Path "C:\IR" -Force

# Tools directory — all forensic tools installed here
New-Item -ItemType Directory -Path "C:\IR\Tools" -Force
New-Item -ItemType Directory -Path "C:\IR\Tools\KAPE" -Force
New-Item -ItemType Directory -Path "C:\IR\Tools\EZTools" -Force
New-Item -ItemType Directory -Path "C:\IR\Tools\Velociraptor" -Force
New-Item -ItemType Directory -Path "C:\IR\Tools\Volatility3" -Force
New-Item -ItemType Directory -Path "C:\IR\Tools\Scripts" -Force

# Cases directory — one folder per investigation
New-Item -ItemType Directory -Path "C:\IR\Cases" -Force

# Evidence directory — collected evidence stored here
New-Item -ItemType Directory -Path "C:\IR\Evidence" -Force

# Output directory — parsed results and reports
New-Item -ItemType Directory -Path "C:\IR\Output" -Force

# Templates directory — IR report templates, checklists
New-Item -ItemType Directory -Path "C:\IR\Templates" -Force

Write-Host "Forensic workstation folder structure created." -ForegroundColor Green
Write-Host "Tools:     C:\IR\Tools\" -ForegroundColor Cyan
Write-Host "Cases:     C:\IR\Cases\" -ForegroundColor Cyan
Write-Host "Evidence:  C:\IR\Evidence\" -ForegroundColor Cyan
Write-Host "Output:    C:\IR\Output\" -ForegroundColor Cyan
Write-Host "Templates: C:\IR\Templates\" -ForegroundColor Cyan

# Validate the forensic workstation environment
# Run in PowerShell as Administrator

Write-Host "=== Forensic Workstation Validation ===" -ForegroundColor Cyan

# Check OS version
$os = Get-CimInstance Win32_OperatingSystem
Write-Host "OS: $($os.Caption) $($os.Version)" -ForegroundColor White

# Check RAM
$ram = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)
if ($ram -ge 32) {
    Write-Host "RAM: ${ram} GB — Recommended" -ForegroundColor Green
} elseif ($ram -ge 16) {
    Write-Host "RAM: ${ram} GB — Minimum (Volatility 3 may be slow on large dumps)" -ForegroundColor Yellow
} else {
    Write-Host "RAM: ${ram} GB — BELOW MINIMUM. Upgrade to 16+ GB." -ForegroundColor Red
}

# Check free disk space
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
if ($freeGB -ge 200) {
    Write-Host "Free disk: ${freeGB} GB — Recommended" -ForegroundColor Green
} elseif ($freeGB -ge 100) {
    Write-Host "Free disk: ${freeGB} GB — Minimum" -ForegroundColor Yellow
} else {
    Write-Host "Free disk: ${freeGB} GB — LOW. Free space before proceeding." -ForegroundColor Red
}

# Check PowerShell version
Write-Host "PowerShell: $($PSVersionTable.PSVersion)" -ForegroundColor White

# Check .NET version (required for EZTools)
# Get-Item reads the Full key itself; Get-ChildItem would only list its subkeys
# (normally none), so $dotnet would be empty even when .NET 4.x is installed
$dotnet = Get-Item "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -ErrorAction SilentlyContinue
if ($dotnet) {
    $release = $dotnet.GetValue("Release")
    Write-Host ".NET Framework: Release $release — OK" -ForegroundColor Green
} else {
    Write-Host ".NET Framework 4.x: NOT FOUND — required for EZTools" -ForegroundColor Red
}

# Check Python (required for Volatility 3)
try {
    $pyVer = python --version 2>&1
    Write-Host "Python: $pyVer" -ForegroundColor Green
} catch {
    Write-Host "Python: NOT FOUND — install Python 3.10+ for Volatility 3" -ForegroundColor Yellow
}

# Check folder structure
$paths = @("C:\IR\Tools", "C:\IR\Cases", "C:\IR\Evidence", "C:\IR\Output", "C:\IR\Templates")
foreach ($p in $paths) {
    if (Test-Path $p) {
        Write-Host "Directory: $p — EXISTS" -ForegroundColor Green
    } else {
        Write-Host "Directory: $p — MISSING (run folder creation script)" -ForegroundColor Red
    }
}

Write-Host "`n=== Validation Complete ===" -ForegroundColor Cyan

# Create a case folder for a new investigation
# Use this template at the start of every case

function New-IRCase {
    param(
        [Parameter(Mandatory)][string]$CaseID,
        [string]$Description = "New investigation"
    )
    $casePath = "C:\IR\Cases\$CaseID"
    $dirs = @("Evidence", "Output", "Notes", "Report", "Timeline", "IOCs")
    foreach ($dir in $dirs) {
        New-Item -ItemType Directory -Path "$casePath\$dir" -Force | Out-Null
    }
    # Create case log. The timestamp is converted with ToUniversalTime() so the
    # function works in Windows PowerShell 5.1 as well as PowerShell 7
    # (Get-Date -AsUTC only exists in PowerShell 7.1 and later)
    $log = @"
Case ID: $CaseID
Created: $((Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')) UTC
Analyst: $env:USERNAME
Description: $Description
Status: Open

--- EVIDENCE LOG ---
[Record every evidence item received, its source, hash, and custody transfer]

--- INVESTIGATION NOTES ---
[Chronological notes as the investigation progresses]
"@
    $log | Out-File "$casePath\case_log.txt"
    Write-Host "Case created: $casePath" -ForegroundColor Green
}

# Usage: New-IRCase -CaseID "INC-NE-2026-0315-001" -Description "AiTM phishing - jmorrison"

# Exclude the forensic tools directory from Windows Defender scanning
# Run as Administrator
Add-MpPreference -ExclusionPath "C:\IR\Tools"
Add-MpPreference -ExclusionPath "C:\IR\Evidence"
Add-MpPreference -ExclusionPath "C:\IR\Output"

# Verify exclusions
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath

# Add forensic tools to the system PATH
# Run as Administrator
$currentPath = [Environment]::GetEnvironmentVariable("Path", "Machine")
$newPaths = @(
    "C:\IR\Tools\KAPE",
    "C:\IR\Tools\EZTools",
    "C:\IR\Tools\Volatility3\venv\Scripts",
    "C:\IR\Tools\Velociraptor",
    "C:\IR\Tools\Scripts"
)
foreach ($p in $newPaths) {
    if ($currentPath -notlike "*$p*") {
        $currentPath = "$currentPath;$p"
    }
}
[Environment]::SetEnvironmentVariable("Path", $currentPath, "Machine")

# Restart PowerShell for the PATH change to take effect
# After restart, verify:
# kape.exe --help
# PECmd.exe --help
# vol --help

# Set the forensic workstation to UTC
# Run as Administrator
Set-TimeZone -Id "UTC"

# Verify
Get-TimeZone
# Expected: (UTC) Coordinated Universal Time

# Complete prerequisite verification script
# Run after OS installation, before tool installation

Write-Host "=== Forensic Workstation Prerequisites ===" -ForegroundColor Cyan

# 1. .NET Framework 4.6.2+ (required for EZTools legacy builds)
$dotnet = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -ErrorAction SilentlyContinue
$release = if ($dotnet) { $dotnet.Release } else { 0 }
$dotnetOk = $release -ge 394802  # 4.6.2
Write-Host ".NET Framework 4.6.2+: $(if ($dotnetOk) { 'OK (Release ' + $release + ')' } else { 'MISSING — install from Microsoft' })" -ForegroundColor $(if ($dotnetOk) { 'Green' } else { 'Red' })

# 2. .NET 6+ Runtime (required for newer EZTools builds)
# Guard with Get-Command: calling a missing "dotnet" is a terminating error
# in Windows PowerShell 5.1 and would abort the rest of the script
$has6 = $false
if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    $runtimes = dotnet --list-runtimes 2>&1
    # Any Microsoft.NETCore.App 6.x or newer satisfies the requirement
    $has6 = [bool]($runtimes -match "Microsoft\.NETCore\.App ([6-9]|[1-9][0-9])\.")
}
Write-Host ".NET 6+ Runtime: $(if ($has6) { 'OK' } else { 'MISSING — install .NET Desktop Runtime from dotnet.microsoft.com' })" -ForegroundColor $(if ($has6) { 'Green' } else { 'Red' })

# 3. Python 3.10+ (required for Volatility 3)
try {
    $pyVer = python --version 2>&1
    $pyOk = $pyVer -match "3\.(1[0-9]|[2-9][0-9])"
    Write-Host "Python: $pyVer $(if ($pyOk) { '— OK' } else { '— upgrade to 3.10+' })" -ForegroundColor $(if ($pyOk) { 'Green' } else { 'Yellow' })
} catch {
    Write-Host "Python: NOT FOUND — install from python.org (check Add to PATH)" -ForegroundColor Red
}

# 4. Git (for KAPE sync and Volatility source install)
try {
    $gitVer = git --version 2>&1
    Write-Host "Git: $gitVer — OK" -ForegroundColor Green
} catch {
    Write-Host "Git: NOT FOUND — install from git-scm.com (optional but recommended)" -ForegroundColor Yellow
}

# 5. PowerShell 5.1+ (included with Windows 10/11)
Write-Host "PowerShell: $($PSVersionTable.PSVersion) — OK" -ForegroundColor Green

# 6. Disk space
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
$diskOk = $freeGB -ge 100
Write-Host "Free disk: ${freeGB} GB $(if ($diskOk) { '— OK' } else { '— LOW, need 100+ GB' })" -ForegroundColor $(if ($diskOk) { 'Green' } else { 'Red' })

# 7. RAM
$ram = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
$ramOk = $ram -ge 16
Write-Host "RAM: ${ram} GB $(if ($ramOk) { '— OK' } else { '— need 16+ GB for Volatility 3' })" -ForegroundColor $(if ($ramOk) { 'Green' } else { 'Red' })

Write-Host "`n=== Resolve any RED items before proceeding to IR1.2 ===" -ForegroundColor Cyan

The forensic workstation solves this by separating the analysis environment from the evidence. Evidence is collected from the compromised system (using KAPE, Velociraptor, or disk imaging). The collected evidence is transferred to the forensic workstation. Analysis happens on the workstation. The compromised system is never used for analysis. The workstation is never used for daily work. The two environments are isolated.

This is not optional. Every investigation in this course follows this discipline. The Phase 4 scenarios assume a clean forensic workstation is available. The tool commands assume the standard folder structure described below. The evidence integrity expectations in IR2 (Chain of Custody) require a documented analysis environment.

[Figure IR1.1 diagram: COMPROMISED SYSTEM (evidence source; never run analysis here; collect → transfer → isolate via KAPE / Velociraptor) → evidence transfer → FORENSIC WORKSTATION (analysis environment; all tools installed here; clean, dedicated, isolated) → findings → IR REPORT (evidence-backed findings, defensible timeline, executive summary). The compromised system and the forensic workstation are NEVER the same machine. Evidence flows one direction: compromised → workstation → report.]
Figure IR1.1: The forensic workstation isolation model. Evidence flows from the compromised system to the workstation for analysis. The two environments are never the same machine.

---

Hardware and software requirements

Minimum requirements: Windows 11 Pro (64-bit), 16 GB RAM, 256 GB SSD with 100 GB free storage, administrator access. This handles KAPE collections, EZTools parsing, event log analysis, and KQL queries. It will struggle with large memory dumps (Volatility 3 on a 16 GB RAM dump needs significant free memory) and super timelines from enterprise-scale collections. Windows 10 reached end-of-support in October 2025 — if your only option is a Windows 10 workstation, understand you will not receive security updates to the analysis machine itself, which matters when the machine handles evidence from compromised systems.

Recommended requirements: Windows 11 Pro or Windows Server 2022/2025, 32 GB RAM, 1 TB SSD (NVMe preferred for speed during large file parsing), dedicated GPU not required. This handles everything in the course including Volatility 3 memory analysis, large KAPE collections from multiple endpoints, and Timeline Explorer with millions of rows. If your organization handles more than one concurrent investigation, 64 GB RAM and 2 TB SSD provides headroom for multiple case datasets open simultaneously.

Why NVMe matters for forensics. EZTools parsers read through large binary files sequentially — EvtxECmd parsing 200 event log files, MFTECmd processing a 2 million row $MFT, Timeline Explorer loading a 500,000 row CSV. NVMe SSDs provide 3-5x the sequential read speed of SATA SSDs and 20x the speed of spinning disks. The difference between a 3-minute parse and a 15-minute parse is meaningful when you are conducting a time-sensitive investigation. Never use a spinning disk for forensic analysis.

Virtual machine option: If you cannot dedicate a physical machine, a VM works. Use VMware Workstation Pro (free for all users — commercial, educational, and personal — since Broadcom's November 2024 change), Hyper-V (included with Windows Pro), or VirtualBox. Allocate at least 16 GB RAM and 200 GB disk to the VM. Snapshot the VM after tool installation — this gives you a clean restore point if the analysis environment becomes contaminated during a particularly messy investigation. The snapshot-restore capability is actually an advantage over physical machines: between investigations, restore to the clean snapshot to ensure no artifacts from the previous case contaminate the next one.

Operating system: Windows is required because EZTools and KAPE are Windows-native. SANS published a guide in 2025 for running EZTools natively on Linux using .NET 6+ builds, but the primary tooling and the majority of community support targets Windows. If your daily driver is macOS or Linux, run the forensic workstation as a Windows VM. The cloud investigation tools (KQL, Purview) are browser-based and work from any OS, but the endpoint forensic tools require Windows.

---

What happens when you skip isolation

The consequences of running analysis on the compromised system are not theoretical — they actively damage the investigation. Every action the investigator takes on the compromised system creates new artifacts that intermingle with the attacker's artifacts, making it difficult or impossible to distinguish investigator activity from attacker activity in the forensic timeline.

Specifically: installing KAPE on the compromised system creates new Prefetch entries (KAPE.EXE-*.pf), new $MFT entries (the KAPE files themselves), new AmCache entries (KAPE execution record), and potentially new registry entries. Running EZTools parsers creates additional Prefetch entries for each parser (PECMD.EXE-*.pf, EVTXECMD.EXE-*.pf), additional $MFT entries, and additional process creation event log entries (Event ID 4688). Opening Timeline Explorer on the compromised system creates even more artifacts. By the time the investigator finishes "analyzing" the compromised system, they have created dozens of new forensic artifacts that a defense attorney could use to challenge the integrity of the evidence: "How do you know this execution was the attacker and not your own analysis tools?"

The forensic workstation eliminates this contamination entirely. Evidence is collected from the compromised system (using KAPE, Velociraptor, or imaging). The collected evidence is transferred to the forensic workstation. All analysis happens on the workstation. The compromised system's original artifacts remain uncontaminated by investigation activity.

---

Multi-case workspace management

When conducting multiple investigations simultaneously (which is common in organizations experiencing sustained attack campaigns or handling both internal investigations and external incidents), the forensic workstation must maintain strict separation between cases. Evidence from Case A must never contaminate Case B.

---

Folder structure

Every tool command in this course assumes the following folder structure. Creating it now prevents path confusion for the rest of the course.

C:\IR\Tools holds every tool installation. Subdirectories keep tools separated and updatable independently.

C:\IR\Cases holds investigation case folders. Each investigation gets a folder named by case ID: C:\IR\Cases\INC-NE-2026-0315-001\. Within each case folder: Evidence\, Output\, Notes\, Report\. This structure is established in IR2 (Evidence Acquisition) and used throughout Phase 4 scenarios.

C:\IR\Evidence is the staging area for evidence received from compromised systems before it is moved into a case folder. Evidence arrives here via KAPE output, Velociraptor collection download, or manual transfer from a USB drive.

C:\IR\Output holds parsed results from EZTools, Volatility 3, and KQL export. Timestamped subfolders prevent output from different analysis passes from overwriting each other.

C:\IR\Templates holds the IR report templates, evidence custody forms, containment checklists, and executive summary formats produced in IR17. Pre-populate this with the templates from the course as you progress through the modules.

---

Environment validation

Before installing any tools, validate the workstation environment.

Run this script and resolve any red items before proceeding to tool installation. The most common issues are: insufficient RAM (upgrade to 16+ GB or accept slower Volatility 3 performance), missing Python (install from python.org — required for Volatility 3), and insufficient disk space (KAPE collections and memory dumps can be 10-50 GB each).

---

Case folder structure

Each investigation gets a dedicated folder within C:\IR\Cases. Creating a consistent structure from the first investigation prevents evidence mixing and supports chain of custody documentation.

The case folder structure aligns with IR2 (Evidence Acquisition and Chain of Custody). The Evidence subfolder holds raw collected artifacts (KAPE output, Velociraptor downloads, memory dumps). The Output subfolder holds parsed results from EZTools and Volatility 3. The Timeline subfolder holds the unified investigation timeline. The IOCs subfolder holds indicators extracted during the investigation. The Report subfolder holds the IR report drafts and final deliverable.

---

Windows Defender exclusions

Windows Defender (Microsoft Defender Antivirus) may flag forensic tools as potentially unwanted applications (PUA) or trigger behavioral detection on tool activities. KAPE accessing raw disk artifacts, Volatility 3 analyzing memory, and EZTools parsing security-sensitive files can all generate false positive detections. Exclude the tools directory from real-time scanning.

This exclusion applies only to the forensic workstation — never to production systems. The exclusion prevents Defender from quarantining forensic tools or deleting evidence files during analysis. If your organization's security policy requires all exclusions to be documented and approved, document these exclusions as part of the IR workstation configuration and obtain approval from your security team.

---

PATH configuration

Add the tools directories to the system PATH so you can run EZTools and KAPE from any directory without specifying the full path. This saves time during investigations when you are switching between directories frequently.

With the PATH configured, you can run PECmd.exe -d ... --csv ... from any directory instead of navigating to C:\IR\Tools\EZTools\ first. During a timed investigation where every minute matters, this eliminates friction.

---

Time zone configuration

Forensic timestamps are most reliable when the analysis workstation operates in UTC. Evidence from KAPE, EZTools, and Volatility 3 uses UTC timestamps. Entra ID sign-in logs use UTC. Event logs store timestamps in UTC (though Windows Event Viewer displays them in local time). If your forensic workstation uses a local time zone, you must mentally convert every timestamp — a process that introduces errors, especially during extended investigations across multiple time zones.

Set the forensic workstation to UTC. This eliminates conversion errors and ensures that timestamps in your analysis output match the timestamps in your evidence sources.

If you cannot set the entire workstation to UTC (because it is also used for other purposes), at minimum configure Timeline Explorer and your analysis tools to display timestamps in UTC. Timeline Explorer's date column formatting can be set to UTC display. KQL queries in Defender XDR and Sentinel return UTC by default.

---

Enterprise workstation image

For IR teams with multiple analysts, create a standard forensic workstation image that can be deployed to any machine. The image includes the OS, all forensic tools, PATH configuration, Defender exclusions, folder structure, and case template. New analysts receive a clone of the standard image — they are investigation-ready from day one without individual tool installation.

If using VMs, the standard image is a VM template. Clone it for each new investigation to ensure a clean environment. If using physical machines, use Windows Deployment Services (WDS) or a custom installation USB to replicate the standard configuration. The investment in creating the standard image pays off within the first two investigations — the setup time saved across the team compounds with every incident.

---

Network isolation considerations

The forensic workstation needs network access for cloud investigation (KQL, Purview, Sentinel) but should be isolated from the compromised network segment during active investigations. If the attacker has compromised the network infrastructure (DNS poisoning, ARP spoofing, lateral movement via SMB), connecting the forensic workstation to the same network creates risk.

For production IR environments, the workstation should be on a separate network segment (VLAN) with access to the internet (for cloud investigation portals) but not to the internal production network where the compromise occurred. Evidence is transferred to the workstation via USB, out-of-band file transfer, or through Velociraptor (which communicates over TLS to the Velociraptor server, not directly to the compromised endpoint).

---

Software prerequisites checklist

Before installing the forensic tools in IR1.2-IR1.7, verify that all prerequisite software is installed on the workstation.

---

Evidence handling discipline

The forensic workstation is not just a machine with tools installed — it is a controlled environment where evidence integrity is maintained through discipline. These practices apply to every investigation from the first module exercise to the last Phase 4 scenario.

Never modify evidence files. When you receive a KAPE collection or memory dump, copy it to the case Evidence folder and work exclusively from parsed output in the Output folder. If you need to examine a specific file from the evidence, open it in read-only mode. If a tool requires write access (some registry viewers modify the hive on load), work from a copy, never the original.

Hash everything. When evidence arrives on the workstation, hash it immediately (SHA256) and record the hash in the case log. After analysis is complete, re-hash and confirm the values match. If they do not match, the evidence may have been modified during analysis — document what happened and whether it affects the investigation conclusions. IR2 covers hashing in detail as part of chain of custody.

Document your analysis steps. Every significant action on the workstation — which tool you ran, which evidence file you analyzed, what parameters you used, what output you produced — should be recorded in the case notes. This documentation supports the defensibility of the investigation: if challenged ("How do you know the attacker created that file at 14:36?"), you can point to the specific tool command, the specific evidence file, and the specific output row that supports the finding.

One case at a time. If possible, avoid analyzing multiple unrelated cases on the same workstation simultaneously. Cross-case contamination — a file from Case A accidentally included in Case B's evidence folder — undermines both investigations. If you must work multiple cases, the per-case folder structure (C:\IR\Cases\INC-xxx\) provides logical separation, but physical separation (separate VMs, separate workstations) is stronger.
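The "Hash everything" and "Document your analysis steps" practices above can be made mechanical rather than left to memory. The script below is an added example written for this page; it is not one of the course scripts. It assumes the C:\IR\Cases\<CaseID>\ layout and the case_log.txt file created by New-IRCase earlier in this module, and it introduces three hypothetical helpers: New-EvidenceManifest (SHA256 every file under Evidence\ on arrival), Test-EvidenceManifest (re-hash after analysis and flag anything modified, missing, or untracked) and Invoke-LoggedTool (record the exact tool command line and exit code in the case log).

```powershell
# Added example (not part of the course scripts). Assumes C:\IR\Cases\<CaseID>\
# with Evidence\ and case_log.txt as created by New-IRCase in this module.

function Add-CaseLogEntry {
    param(
        [Parameter(Mandatory)][string]$CaseID,
        [Parameter(Mandatory)][string]$Message
    )
    # UTC-stamped, appended: the case log stays a chronological record
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
    "[$stamp UTC] [$env:USERNAME] $Message" | Add-Content -Path "C:\IR\Cases\$CaseID\case_log.txt"
}

function New-EvidenceManifest {
    param(
        [Parameter(Mandatory)][string]$CaseID,
        [string]$Algorithm = 'SHA256'
    )
    $casePath = "C:\IR\Cases\$CaseID"
    $manifest = Join-Path $casePath 'evidence_manifest.csv'
    # Hash every file under Evidence\ and store the path relative to the case folder
    $entries = Get-ChildItem -Path (Join-Path $casePath 'Evidence') -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($casePath.Length + 1)
            SizeBytes    = $_.Length
            Algorithm    = $Algorithm
            Hash         = (Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm).Hash
            HashedUTC    = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
        }
    }
    $entries | Export-Csv -Path $manifest -NoTypeInformation
    Add-CaseLogEntry -CaseID $CaseID -Message "Evidence manifest created: $($entries.Count) files hashed ($Algorithm)"
    return $entries
}

function Test-EvidenceManifest {
    param([Parameter(Mandatory)][string]$CaseID)
    $casePath = "C:\IR\Cases\$CaseID"
    $rows     = Import-Csv -Path (Join-Path $casePath 'evidence_manifest.csv')
    $problems = @()
    foreach ($row in $rows) {
        $full = Join-Path $casePath $row.RelativePath
        if (-not (Test-Path -LiteralPath $full)) { $problems += "MISSING   $($row.RelativePath)"; continue }
        $now = (Get-FileHash -LiteralPath $full -Algorithm $row.Algorithm).Hash
        if ($now -ne $row.Hash) { $problems += "MODIFIED  $($row.RelativePath) (manifest $($row.Hash), now $now)" }
    }
    # Files that appeared in Evidence\ after the manifest was taken also break custody accounting
    Get-ChildItem -Path (Join-Path $casePath 'Evidence') -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($casePath.Length + 1)
        if ($rows.RelativePath -notcontains $rel) { $problems += "UNTRACKED $rel" }
    }
    if ($problems.Count -eq 0) {
        Add-CaseLogEntry -CaseID $CaseID -Message "Evidence manifest verified: all hashes match"
        Write-Host "Evidence integrity verified for $CaseID" -ForegroundColor Green
    } else {
        Add-CaseLogEntry -CaseID $CaseID -Message "Evidence manifest verification FAILED: $($problems -join '; ')"
        $problems | ForEach-Object { Write-Host $_ -ForegroundColor Red }
    }
    return $problems
}

function Invoke-LoggedTool {
    param(
        [Parameter(Mandatory)][string]$CaseID,
        [Parameter(Mandatory)][string]$Tool,      # e.g. PECmd.exe (on PATH per this module)
        [string[]]$ToolArgs = @()
    )
    # Record the exact command line before running, and the exit code after
    Add-CaseLogEntry -CaseID $CaseID -Message "RUN  $Tool $($ToolArgs -join ' ')"
    & $Tool @ToolArgs
    Add-CaseLogEntry -CaseID $CaseID -Message "EXIT $Tool rc=$LASTEXITCODE"
}

# Usage for one investigation (case ID from this module):
# New-EvidenceManifest -CaseID "INC-NE-2026-0315-001"      # right after evidence is copied in
# Invoke-LoggedTool -CaseID "INC-NE-2026-0315-001" -Tool "PECmd.exe" `
#     -ToolArgs @("-d", "C:\IR\Cases\INC-NE-2026-0315-001\Evidence\C\Windows\prefetch",
#                 "--csv", "C:\IR\Cases\INC-NE-2026-0315-001\Output")
# Test-EvidenceManifest -CaseID "INC-NE-2026-0315-001"     # after analysis, before the report ships
```

Test-EvidenceManifest returns the list of problems rather than only printing them, so it can gate a release step: an empty list means the Evidence\ tree is byte-for-byte what was logged on arrival. A non-empty list is exactly the "document what happened" trigger described above, and the failing entries are already in case_log.txt.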

---

VM snapshot strategy for investigation lifecycle

For teams using virtual machine forensic workstations, the snapshot capability provides a powerful investigation lifecycle management tool.

Baseline snapshot ("IR Baseline"). Taken after completing all tool installations (IR1.2-IR1.7) and configuration (PATH, UTC, Defender exclusions). This snapshot represents a clean, fully operational forensic workstation with no case data. Restore to this snapshot to prepare for a new investigation with zero contamination from previous cases.

Pre-analysis snapshot ("Case-xxx Pre-Analysis"). Taken after evidence has been copied to the case folder but before any analysis tools have been run. If the analysis introduces unexpected changes (a tool modifies evidence, a script produces unintended side effects), restore to this snapshot and restart the analysis.

Post-analysis snapshot ("Case-xxx Complete"). Taken after the investigation is complete and the IR report has been delivered. This preserves the complete analysis environment — tools, evidence, parsed output, case notes — in case the investigation is reopened or the findings are challenged. Retain this snapshot according to your organization's evidence retention policy.
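The three-snapshot lifecycle above, scripted for the Hyper-V option mentioned earlier in this module. This is an added example, not course code, and it runs on the Hyper-V host rather than inside the workstation VM. It assumes the Hyper-V PowerShell module is present and that the workstation VM is named "IR-Workstation" (a placeholder; the functions New-IRCheckpoint, Get-IRCheckpoint, Restore-IRBaseline and Export-IRCase are also this example's own names).

```powershell
# Added example (not part of the course scripts). Run on the Hyper-V HOST.
# Assumes the Hyper-V module and a VM named "IR-Workstation" (placeholder name).
$VMName = "IR-Workstation"

function New-IRCheckpoint {
    param([Parameter(Mandatory)][string]$Label)   # "IR Baseline", "Case-xxx Pre-Analysis", "Case-xxx Complete"
    # Append a UTC stamp so a repeated label (re-baselined image, re-run case) stays distinct
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')
    $name  = "$Label [$stamp UTC]"
    Checkpoint-VM -Name $VMName -SnapshotName $name
    Write-Host "Checkpoint taken: $name" -ForegroundColor Green
    return $name
}

function Get-IRCheckpoint {
    # Newest-first inventory of checkpoints on the workstation VM
    Get-VMSnapshot -VMName $VMName |
        Sort-Object CreationTime -Descending |
        Select-Object Name, CreationTime
}

function Restore-IRBaseline {
    # Roll back to the most recent "IR Baseline" checkpoint before starting a new case.
    # The VM's current state (evidence, output, notes) is discarded; other checkpoints
    # remain, so take the "Case-xxx Complete" checkpoint BEFORE calling this.
    $baseline = Get-VMSnapshot -VMName $VMName |
        Where-Object { $_.Name -like 'IR Baseline*' } |
        Sort-Object CreationTime -Descending |
        Select-Object -First 1
    if (-not $baseline) { throw "No 'IR Baseline' checkpoint found on $VMName" }
    Restore-VMSnapshot -VMSnapshot $baseline -Confirm:$false
    Write-Host "Restored $VMName to '$($baseline.Name)'" -ForegroundColor Green
}

function Export-IRCase {
    param([Parameter(Mandatory)][string]$Destination)   # retention location (placeholder)
    # Export-VM copies configuration, disks and all checkpoints, so the "Complete"
    # state survives a host rebuild; keep it for your evidence retention period
    Export-VM -Name $VMName -Path $Destination
}

# Usage sequence for one investigation:
# Restore-IRBaseline                                                    # clean start
# New-IRCheckpoint -Label "Case-INC-NE-2026-0315-001 Pre-Analysis"      # after evidence copied in
# ... analysis ...
# New-IRCheckpoint -Label "Case-INC-NE-2026-0315-001 Complete"          # after report delivered
# Export-IRCase -Destination "\\retention-share\IR-VMs"                 # placeholder path
```

Restoring a checkpoint is the cross-case contamination control: nothing from the previous case survives it, which is why the "Complete" checkpoint and any export must come first. Get-IRCheckpoint is the quick way to confirm, before restoring, which baseline you are about to land on.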

Compliance Myth
"A virtual machine is not suitable for forensic analysis."
Production reality: The concern about VMs in forensics relates to evidence acquisition — running a forensic tool inside a VM on the compromised host could allow a hypervisor-aware rootkit to hide evidence. That concern does not apply to the analysis workstation. The forensic workstation is where you analyze evidence that was already collected from the compromised system. Whether your analysis environment is physical or virtual does not affect the integrity of the evidence — the evidence was collected before it reached the workstation. A VM with a clean snapshot is actually an advantage: you can restore to a known-good state between investigations, preventing cross-case contamination.

Build it: Set up your forensic workstation

Dedicate a machine (physical or VM) for forensic analysis. Run the folder creation script. Run the validation script. Resolve any red items. If using a VM, take a snapshot after completing the full tool installation in subsections IR1.2-IR1.5 — label it "IR Baseline" so you can restore to a clean, tool-ready state at any time. This workstation is your investigation platform for the rest of the course and every future investigation.

Beyond this investigation

The techniques taught in this subsection apply beyond the specific scenario presented here. The same evidence sources, tools, and analytical methods are used across ransomware, BEC, insider threat, and APT investigations — the context changes but the methodology is consistent.

Decision point

You discover evidence that the attacker has been in the environment for 90 days. The CISO asks: 'Why did our SOC not detect this sooner?' How do you answer constructively?

Answer with facts, not defensiveness. 'The attacker used [specific techniques] that our current detection rules do not cover. The investigation identified [N] detection gaps — [list the specific ATT&CK techniques that were not detected]. The IR-to-DE handoff includes these gaps as detection engineering sprint items. Estimated time to close: [N weeks].' This answer is honest (we missed it), specific (here is what we missed and why), and forward-looking (here is how we fix it). The PIR action items transform the detection failure into a measurable improvement program.