IR1.12 Module Summary

90-120 minutes · Module 1 · Free

Module Summary

Module IR1 deployed and validated every tool in the IR toolkit. Your forensic workstation is operational and ready for investigation.

The forensic workstation (IR1.1). A dedicated, isolated analysis environment with standardized folder structure: C:\IR\Tools, C:\IR\Cases, C:\IR\Evidence, C:\IR\Output, C:\IR\Templates. Physical or virtual — both valid. Never the same machine as the compromised system. Environment validated with the workstation check script.

KAPE (IR1.2). Triage collection in 2-5 minutes instead of the 45-90 minutes a full disk image takes. Two-phase architecture: targets collect artifacts (a two-pass copy that falls back to raw disk access for files the OS holds locked, such as $MFT and the registry hives), and modules process the collection through the EZ Tools parsers. The !SANS_Triage compound target covers approximately 90% of the artifacts needed for a standard investigation. Remote deployment via PowerShell remoting or PsExec. Custom targets for environment-specific artifacts.
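The two-phase run described above, as an added example rather than the course's own collection script: targets are collected either locally or on a remote host over PowerShell remoting (the PsExec path is not shown), the zipped output is pulled back and hashed, and only then are the !EZParser modules run on the workstation. It assumes KAPE at C:\IR\Tools\KAPE\kape.exe, the C:\IR folder layout from IR1.1, and a WinRM-reachable target with a local-admin account; the `Invoke-KapeTriage` function name and the staging path under C:\Windows\Temp are this example's choices.

```powershell
# Added example (not the course's script). Runs a KAPE !SANS_Triage collection locally
# or remotely, preserves hashes of the evidence, then parses it with !EZParser.
# Assumptions: KAPE at C:\IR\Tools\KAPE, C:\IR\Evidence and C:\IR\Output exist (IR1.1),
# and for remote use the target accepts PowerShell remoting from this workstation.

function Invoke-KapeTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CaseId,
        [string]$ComputerName,                   # omit to collect from the local machine
        [string]$KapeRoot = 'C:\IR\Tools\KAPE',
        [string]$Target   = '!SANS_Triage',
        [string]$Module   = '!EZParser'
    )
    if ($ComputerName -and $ComputerName -ieq $env:COMPUTERNAME) {
        throw 'Refusing to collect from the forensic workstation itself (see IR1.1).'
    }
    $targetName = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
    $stamp    = Get-Date -Format 'yyyyMMdd_HHmmss'
    $evidence = Join-Path 'C:\IR\Evidence' "$CaseId\$targetName`_$stamp"
    $output   = Join-Path 'C:\IR\Output'   "$CaseId\$targetName`_$stamp"
    New-Item -ItemType Directory -Force -Path $evidence, $output | Out-Null
    $kapeExe = Join-Path $KapeRoot 'kape.exe'

    if (-not $ComputerName) {
        # Phase 1, local: copy the target artifacts (KAPE uses raw access for locked files).
        & $kapeExe --tsource C: --tdest $evidence --target $Target
    }
    else {
        # Phase 1, remote: stage KAPE in a temp folder, collect into a zip, pull it back.
        # Staging writes to the suspect disk (new files, prefetch entries); note it in the case log.
        $s     = New-PSSession -ComputerName $ComputerName
        $stage = "C:\Windows\Temp\IR_$stamp"
        Invoke-Command -Session $s -ArgumentList $stage -ScriptBlock {
            param($p) New-Item -ItemType Directory -Force -Path $p | Out-Null
        }
        Copy-Item -Path $KapeRoot -Destination $stage -Recurse -Force -ToSession $s   # -> $stage\KAPE
        Invoke-Command -Session $s -ArgumentList $stage, $Target -ScriptBlock {
            param($stage, $target)
            & "$stage\KAPE\kape.exe" --tsource C: --tdest "$stage\out" --target $target --zip triage
        }
        Copy-Item -Path "$stage\out\*.zip" -Destination $evidence -FromSession $s
        # Leave no tools or output behind on the endpoint.
        Invoke-Command -Session $s -ArgumentList $stage -ScriptBlock { param($p) Remove-Item $p -Recurse -Force }
        Remove-PSSession $s
        Get-ChildItem $evidence -Filter *.zip | ForEach-Object {
            Expand-Archive -Path $_.FullName -DestinationPath $evidence
        }
    }

    # Custody: record SHA-256 of everything collected before any parser touches it.
    Get-ChildItem $evidence -Recurse -File | Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv (Join-Path $output 'evidence_hashes.csv') -NoTypeInformation

    # Phase 2, always on the workstation: run the EZ Tools modules over the collected tree.
    & $kapeExe --msource $evidence --mdest $output --module $Module --mflush
    return $output
}

# Usage: Invoke-KapeTriage -CaseId CASE-001 -ComputerName WS-FINANCE-07
```

Hashing goes into the output folder, not the evidence folder, so the evidence tree is never modified after collection; the modules phase reads it and writes only to C:\IR\Output.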

Eric Zimmerman Tools (IR1.3). Twenty specialized parsers organized by investigation question. PECmd for execution evidence, EvtxECmd for event logs (with 700+ maps for enrichment), MFTECmd for filesystem timeline, RECmd for registry batch processing, Timeline Explorer for unified chronological analysis. All produce CSV output. Parse-All.ps1 automates the full processing pipeline.
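An added example of the processing pipeline this paragraph summarizes (it is not the course's Parse-All.ps1): the four parsers are run over a KAPE target collection with `--csv`/`--csvf`, then two of the CSV outputs are merged into one chronological table of the kind Timeline Explorer would show. It assumes the EZ Tools are unpacked as C:\IR\Tools\EZTools\<Tool>\<Tool>.exe, that the collection mirrors the source drive under a C\ folder (KAPE's --tdest layout), that RECmd's Kroll_Batch.reb batch file is present, and that PECmd and EvtxECmd emit the LastRun/ExecutableName/RunCount and TimeCreated/Channel/EventId/MapDescription columns; the function names are this example's own.

```powershell
# Added example, not the course's Parse-All.ps1. Assumes the EZ Tools layout
# C:\IR\Tools\EZTools\<Tool>\<Tool>.exe, a KAPE --tdest tree as $TriageRoot, and the
# RECmd Kroll_Batch.reb batch file. Column names in Merge-EZTimeline are the ones
# PECmd and EvtxECmd write; timestamps in EZ Tools CSVs are UTC.

function Invoke-EZParse {
    param(
        [Parameter(Mandatory)][string]$TriageRoot,   # e.g. C:\IR\Evidence\CASE-001\HOST_stamp
        [Parameter(Mandatory)][string]$OutDir,
        [string]$ToolRoot = 'C:\IR\Tools\EZTools'
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $c     = Join-Path $TriageRoot 'C'
    $batch = Join-Path $ToolRoot 'RECmd\BatchExamples\Kroll_Batch.reb'
    $jobs = @(
        @{ Tool = 'PECmd';    Args = @('-d', "$c\Windows\prefetch",            '--csv', $OutDir, '--csvf', 'prefetch.csv') }
        @{ Tool = 'EvtxECmd'; Args = @('-d', "$c\Windows\System32\winevt\logs", '--csv', $OutDir, '--csvf', 'evtx.csv') }
        @{ Tool = 'MFTECmd';  Args = @('-f', "$c\`$MFT",                        '--csv', $OutDir, '--csvf', 'mft.csv') }
        @{ Tool = 'RECmd';    Args = @('-d', $c, '--bn', $batch,                '--csv', $OutDir, '--csvf', 'registry.csv') }
    )
    foreach ($j in $jobs) {
        $exe = Join-Path $ToolRoot "$($j.Tool)\$($j.Tool).exe"
        if (-not (Test-Path $exe)) { Write-Warning "skipping $($j.Tool): $exe not found"; continue }
        # Keep each parser's console output as a log beside the CSVs for the case file.
        & $exe $j.Args *> (Join-Path $OutDir "$($j.Tool).log")
    }
}

function Merge-EZTimeline {
    param(
        [Parameter(Mandatory)][string]$OutDir,
        [datetime]$From = [datetime]::MinValue,     # narrow to the incident window
        [datetime]$To   = [datetime]::MaxValue
    )
    $rows  = [System.Collections.Generic.List[object]]::new()
    $style = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $add = {
        param($time, $source, $detail)
        $t = [datetime]::MinValue
        # Rows with an unparseable or empty timestamp are dropped rather than mis-sorted.
        if ([datetime]::TryParse($time, [cultureinfo]::InvariantCulture, $style, [ref]$t) -and
            $t -ge $From -and $t -le $To) {
            $rows.Add([pscustomobject]@{ Time = $t; Source = $source; Detail = $detail })
        }
    }
    $pf = Join-Path $OutDir 'prefetch.csv'
    if (Test-Path $pf) {
        Import-Csv $pf | ForEach-Object {
            & $add $_.LastRun 'Prefetch' "$($_.ExecutableName) (run count $($_.RunCount))"
        }
    }
    $ev = Join-Path $OutDir 'evtx.csv'
    if (Test-Path $ev) {
        Import-Csv $ev | ForEach-Object {
            & $add $_.TimeCreated "EVTX $($_.Channel)" "EID $($_.EventId): $($_.MapDescription)"
        }
    }
    $timeline = $rows | Sort-Object Time
    $timeline | Export-Csv (Join-Path $OutDir 'timeline.csv') -NoTypeInformation
    return $timeline
}

# Usage:
#   Invoke-EZParse -TriageRoot C:\IR\Evidence\CASE-001\HOST_20240101_120000 -OutDir C:\IR\Output\CASE-001
#   Merge-EZTimeline -OutDir C:\IR\Output\CASE-001 -From '2024-01-01 08:00' -To '2024-01-02'
```

The merge only covers prefetch and event-log rows; the same `$add` pattern extends to mft.csv and registry.csv once you decide which of their timestamp columns belongs on the timeline.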

Velociraptor (IR1.4). Remote evidence collection and enterprise-wide hunting. Four capabilities: remote forensic collection, enterprise hunting across the fleet, live response (remote shell), and endpoint quarantine. VQL is the query language; one query runs across every connected endpoint at once, which is what makes it the scope-determination tool. Three deployment modes: standalone collector (no server, USB-portable), single server (the course lab), and cloud/production for an enterprise fleet; a single server handles 10,000-15,000 endpoints. Community artifact exchange provides pre-built collection and detection artifacts. Deployed at C:\IR\Tools\Velociraptor\ and validated with a test collection.

Volatility 3 (IR1.5). Memory forensics — the evidence source for fileless attacks, process injection, and credential theft, none of which leave a reliable trace on disk. Requires Python 3.10+ in a virtual environment; installed at C:\IR\Tools\Volatility3\. WinPMem for memory acquisition. Five-step investigation workflow: image info → process analysis (PsList/PsTree/PsScan/CmdLine) → network analysis (NetScan) → malware detection (Malfind) → credential extraction (Hashdump). Alternative memory sources when a live capture is not possible: hiberfil.sys, crash dumps, pagefile. Validated with process listing and network scanning on a test dump.
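The five-step workflow driven from PowerShell, as an added example (not from the course): each plugin is run with the JSON renderer into its own file, and a second function then performs the classic cross-check between PsList (walks the active process list) and PsScan (carves process structures from memory) to surface processes that were unlinked from the list. It assumes the venv interpreter at C:\IR\Tools\Volatility3\venv\Scripts\python.exe and vol.py under C:\IR\Tools\Volatility3\volatility3\; the function names are this example's own, the plugin names are Volatility 3's.

```powershell
# Added example, not from the course. Assumes the IR1.5 install: a venv python at
# C:\IR\Tools\Volatility3\venv\Scripts\python.exe and vol.py in volatility3\.
# Global options (-f, -r) must precede the plugin name on the Volatility 3 command line.

function Invoke-VolWorkflow {
    param(
        [Parameter(Mandatory)][string]$Image,      # raw memory image from WinPMem
        [Parameter(Mandatory)][string]$OutDir,
        [string]$VolRoot = 'C:\IR\Tools\Volatility3'
    )
    $py  = Join-Path $VolRoot 'venv\Scripts\python.exe'
    $vol = Join-Path $VolRoot 'volatility3\vol.py'
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    # Step order from IR1.5: image info, processes, network, injected code, credentials.
    $plugins = 'windows.info', 'windows.pslist', 'windows.pstree', 'windows.psscan', 'windows.cmdline',
               'windows.netscan', 'windows.malfind', 'windows.hashdump'
    foreach ($p in $plugins) {
        $outFile = Join-Path $OutDir "$p.json"
        $errFile = Join-Path $OutDir "$p.err"
        # Each plugin's stdout is one JSON array; stderr (symbol download, failures) is kept separately.
        & $py $vol -f $Image -r json $p 2> $errFile | Set-Content $outFile
    }
    return $OutDir
}

function Find-HiddenProcesses {
    # A PID that psscan finds but pslist does not was either unlinked from the active
    # process list (DKOM-style hiding) or has simply exited; ExitTime tells the two apart.
    param([Parameter(Mandatory)][string]$OutDir)
    $list = Get-Content (Join-Path $OutDir 'windows.pslist.json') -Raw | ConvertFrom-Json
    $scan = Get-Content (Join-Path $OutDir 'windows.psscan.json') -Raw | ConvertFrom-Json
    $listed = @{}
    foreach ($p in $list) { $listed[[int]$p.PID] = $true }
    $scan | Where-Object { -not $listed.ContainsKey([int]$_.PID) } |
        Select-Object PID, PPID, ImageFileName, CreateTime, ExitTime
}

# Usage:
#   Invoke-VolWorkflow -Image C:\IR\Evidence\CASE-001\mem.raw -OutDir C:\IR\Output\CASE-001\vol
#   Find-HiddenProcesses -OutDir C:\IR\Output\CASE-001\vol | Where-Object ExitTime -eq 'N/A'
```

Treat a non-empty result as a lead, not a verdict: confirm with PsTree parentage, CmdLine, and Malfind before calling a process hidden.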

Cloud investigation tools (IR1.6). Three interfaces: Defender XDR Advanced Hunting (30+ KQL tables spanning email, device, identity, and cloud app events; fastest for active incidents), Microsoft Purview Audit (the deep M365 activity trail, including MailItemsAccessed for email forensics, which requires E5), and Microsoft Sentinel (long-term retention and cross-source correlation). Know each source's retention window before an incident: evidence that ages out of a log cannot be recovered. Investigation-ready KQL queries saved to the library. M365 Developer Tenant set up for the course lab.

PowerShell (IR1.7). The universal tool — collection, containment, and automation. PowerShell remoting for remote evidence gathering; the Exchange Online and Microsoft Graph modules for M365 investigation. Core IR cmdlets tested: process collection, network connections, session revocation, account disable, inbox rule removal, audit log search. Contain-Identity.ps1 chains these into the complete BEC containment sequence in about 30 seconds. Entra ID investigation cmdlets for service principal and MFA analysis. Batch automation for multi-target scope determination. The IR script library lives in C:\IR\Tools\Scripts\.
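The BEC containment sequence as an added example; this is not the course's Contain-Identity.ps1, but it chains the same cmdlet families in the order a practitioner wants them: preserve evidence first, then lock the account, then clean up, then scope. It assumes `Connect-MgGraph` (scopes User.ReadWrite.All and UserAuthenticationMethod.Read.All) and `Connect-ExchangeOnline` have already been run and that the C:\IR\Cases folder from IR1.1 exists; the function name, the case-folder file names, and the operation list are this example's choices.

```powershell
# Added example, not the course's Contain-Identity.ps1. Requires an existing
# Connect-MgGraph and Connect-ExchangeOnline session. Supports -WhatIf for the
# destructive steps so the sequence can be rehearsed against a test tenant.

function Invoke-BecContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$CaseId,
        [int]$LookbackDays = 7
    )
    $caseDir = Join-Path 'C:\IR\Cases' $CaseId
    New-Item -ItemType Directory -Force -Path $caseDir | Out-Null
    $log = Join-Path $caseDir 'containment.log'
    function Step([string]$msg) {
        $line = "$(Get-Date -Format o) $msg"
        Add-Content -Path $log -Value $line; Write-Host $line
    }

    # 1. Evidence before action: export inbox rules and registered MFA methods as found.
    $rules = @(Get-InboxRule -Mailbox $UserPrincipalName)
    $rules | Select-Object Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, Description |
        Export-Csv (Join-Path $caseDir 'inbox_rules_before.csv') -NoTypeInformation
    Get-MgUserAuthenticationMethod -UserId $UserPrincipalName |
        Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
        Export-Csv (Join-Path $caseDir 'mfa_methods.csv') -NoTypeInformation
    Step "Preserved $($rules.Count) inbox rule(s) and the MFA method list for $UserPrincipalName"

    # 2. Block sign-in, then revoke refresh tokens. Revoking alone only forces a
    #    re-authentication that the attacker can still pass with the stolen credential.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Disable account and revoke sessions')) {
        Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
        Step 'Account disabled; sign-in sessions revoked'
    }

    # 3. Remove the rules, then mailbox-level forwarding, which lives outside the rules.
    foreach ($r in $rules) {
        if ($PSCmdlet.ShouldProcess($r.Name, 'Remove inbox rule')) {
            Remove-InboxRule -Mailbox $UserPrincipalName -Identity $r.Identity -Confirm:$false
            Step "Removed inbox rule '$($r.Name)'"
        }
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear mailbox forwarding')) {
        Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
        Step 'Mailbox forwarding cleared'
    }

    # 4. Scope: page through the unified audit log with a large-result-set session so
    #    nothing beyond the 5,000-row page is silently dropped. MailItemsAccessed needs E5.
    $ops   = 'MailItemsAccessed', 'New-InboxRule', 'Set-InboxRule', 'UserLoggedIn', 'Add-MailboxPermission', 'Set-Mailbox'
    $end   = Get-Date
    $start = $end.AddDays(-$LookbackDays)
    $sid   = "bec-$CaseId-$([guid]::NewGuid())"
    $audit = @()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $UserPrincipalName `
                    -Operations $ops -SessionId $sid -SessionCommand ReturnLargeSet -ResultSize 5000)
        $audit += $page
    } while ($page.Count -gt 0)
    # ClientIP and the rule/forwarding details are inside the AuditData JSON column.
    $audit | Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
        Export-Csv (Join-Path $caseDir 'unified_audit.csv') -NoTypeInformation
    Step "Exported $($audit.Count) audit record(s) from the last $LookbackDays day(s)"
    return $caseDir
}

# Usage: Invoke-BecContainment -UserPrincipalName finance@contoso.com -CaseId CASE-001 -WhatIf
```

The audit export is the scoping input for the next step: pivot on the client IPs and session IDs in AuditData across other users to find accounts the same actor touched.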

The jump bag (IR1.8). Pre-staged USB drive and virtual network share with all tools, automated collection scripts (COLLECT.bat for the KAPE triage, MEMORY.bat), go/no-go decision checklist, contact sheet, and chain of custody forms. Three deployment scenarios: remote worker, onsite server, multi-endpoint ransomware. Monthly testing ensures the kit remains functional; the target is tools in hand within 60 seconds of the decision to investigate.

Native Windows IR (IR1.9). Evidence collection using only built-in OS commands — the fallback when no tools can be deployed. Process investigation, network analysis, persistence detection, and event log export using PowerShell and CMD. Collect-Native.ps1 for one-pass native collection. Every command run on the suspect host changes it (prefetch, PowerShell logs, registry), so write output to removable media or a share, not the system drive, and record exactly what was run and when.
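An added example of the one-pass native collection (not the course's Collect-Native.ps1): volatile data first, then persistence locations, then live event-log export with `wevtutil epl`, finishing with hashes and a collection manifest for the custody record. It uses only cmdlets and tools that ship with Windows and assumes an elevated PowerShell 5.1 session on the host and a writable destination such as a USB drive or share; the function name and output file names are this example's own.

```powershell
# Added example, not the course's Collect-Native.ps1. Built-ins only (PowerShell 5.1,
# wevtutil, query.exe). Run elevated; point -Destination at removable media or a share
# so nothing is written to the suspect's system drive.

function Invoke-NativeCollection {
    param([Parameter(Mandatory)][string]$Destination)   # e.g. E:\collect or \\ir-share\cases
    $out = Join-Path $Destination "$env:COMPUTERNAME`_$(Get-Date -Format yyyyMMdd_HHmmss)"
    New-Item -ItemType Directory -Force -Path $out | Out-Null
    $started = Get-Date

    # Volatile data first (order of volatility): processes, sockets, DNS cache, sessions.
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
        Export-Csv "$out\processes.csv" -NoTypeInformation
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime |
        Export-Csv "$out\tcp.csv" -NoTypeInformation
    Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess |
        Export-Csv "$out\udp.csv" -NoTypeInformation
    Get-DnsClientCache | Export-Csv "$out\dnscache.csv" -NoTypeInformation
    query user 2>$null | Out-File "$out\sessions.txt"          # console and RDP sessions

    # Persistence: Run keys, services, scheduled tasks, WMI event subscriptions.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
        $k = $_
        (Get-ItemProperty $k).PSObject.Properties | Where-Object Name -notlike 'PS*' |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Value = $_.Value } }
    } | Export-Csv "$out\runkeys.csv" -NoTypeInformation
    Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName, StartName |
        Export-Csv "$out\services.csv" -NoTypeInformation
    Get-ScheduledTask | ForEach-Object {
        [pscustomobject]@{
            Path = $_.TaskPath; Name = $_.TaskName; State = $_.State; Author = $_.Author
            Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | '
        }
    } | Export-Csv "$out\tasks.csv" -NoTypeInformation
    Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer |
        Export-Csv "$out\wmi_consumers.csv" -NoTypeInformation
    Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
        Export-Csv "$out\wmi_bindings.csv" -NoTypeInformation

    # Event logs: export the live .evtx files for parsing on the workstation, not here.
    $logs = 'Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational',
            'Microsoft-Windows-Sysmon/Operational', 'Microsoft-Windows-TaskScheduler/Operational'
    foreach ($log in $logs) {
        $file = Join-Path $out (($log -replace '[/\\]', '_') + '.evtx')
        wevtutil epl $log $file 2>$null                          # missing channels are skipped
    }

    # Custody: hash every output, then write a manifest of who collected what and when.
    $hashes = Get-ChildItem $out -File | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path
    $hashes | Export-Csv "$out\hashes.csv" -NoTypeInformation
    @{ Host = $env:COMPUTERNAME; Collector = "$env:USERDOMAIN\$env:USERNAME"
       Started = $started.ToString('o'); Finished = (Get-Date).ToString('o')
       Method = 'native PowerShell 5.1 / wevtutil'; Files = $hashes.Count } |
        ConvertTo-Json | Set-Content "$out\manifest.json"
    return $out
}

# Usage: Invoke-NativeCollection -Destination E:\collect
```

The hashes are computed into a variable before hashes.csv is written, so the hash list never includes itself; the manifest is the only file created afterwards.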

Scanning and detection tools (IR1.10). THOR Lite for YARA + Sigma-based compromise assessment. Hayabusa for fast event log forensics with 4,000+ Sigma rules. RegRipper for deep registry analysis. Sysinternals (Autoruns, Process Explorer, ProcMon, TCPView, Strings, PsExec) for live system investigation. These tools add a detection layer to the KAPE/EZTools pipeline.

Magnet AXIOM Cyber (IR1.11). The commercial alternative that unifies acquisition, parsing, analysis, and reporting. Cloud acquisition, remote endpoint collection, unified timeline, IOC dashboard, case management, and report generation. When to use it versus the free toolkit. How to evaluate commercial alternatives (EnCase, FTK, Binalyze AIR).

Next module: IR2 — Evidence Acquisition and Chain of Custody. With the tools deployed, IR2 teaches the methodology for using them — how to collect evidence that is forensically sound, properly documented, and defensible in both the IR report and (if necessary) legal proceedings.

