1. Why must the forensic workstation be a separate machine from the compromised system?
The compromised system may be too slow to run analysis tools
Running analysis on the compromised system contaminates the evidence — every tool installation, file access, and query modifies the artifacts you are trying to analyze
Forensic tools only run on Windows Server, not Windows 10
The compromised system's antivirus will block forensic tools
Correct. Evidence integrity requires isolation. Every file you open on the compromised system can update its $MFT timestamps, every tool you install changes the registry, and every program you run creates a Prefetch entry. Analysis must happen on a separate, clean workstation. The only thing that runs on the compromised host is collection, and you record exactly what you ran and when so those traces can be separated from the attacker's.
2. What is the primary advantage of KAPE triage collection over full disk imaging?
KAPE collects forensically relevant artifacts in 2-5 minutes instead of 45-90 minutes for a full image, allowing the investigation to start sooner
KAPE is free while disk imaging tools cost money
KAPE output is more accurate than a full disk image
KAPE does not require administrator privileges
Correct. Speed is the primary advantage. KAPE collects only the forensically relevant artifacts (Prefetch, event logs, registry, $MFT) in minutes. A full disk image captures everything — including hundreds of GB of forensically irrelevant data — and takes significantly longer. For most IR investigations, KAPE triage provides the evidence needed to begin.
3. Which EZTools parser would you use to determine when a specific program was executed and how many times?
EvtxECmd
PECmd (Prefetch parser)
MFTECmd
Registry Explorer
Correct. PECmd parses Windows Prefetch files (C:\Windows\Prefetch\*.pf), which record the executable name, a run count, and the last eight execution times on Windows 8 and later (earlier versions keep only the most recent one), along with the files and volumes the program touched during startup. This is the primary evidence-of-execution artifact on Windows workstations. Two caveats: Prefetch is disabled by default on Windows Server, and a program run more than eight times keeps only its eight most recent timestamps. When Prefetch is absent, fall back to Amcache, BAM and UserAssist for execution evidence.
4. What does Velociraptor provide that KAPE does not?
Better parsing of Windows artifacts
Memory forensics capabilities
Remote evidence collection across the network without physically accessing the endpoint, and enterprise-wide hunting across all connected clients
Integration with Microsoft Defender
Correct. KAPE requires local execution on or from the target system. Velociraptor deploys an agent and collects artifacts remotely — critical for endpoints in home offices, remote locations, or cloud-hosted VMs. Enterprise-wide hunting (running a query across all connected endpoints simultaneously) enables rapid scope determination during an incident.
5. Why is memory forensics essential for investigating modern attacker tooling like Cobalt Strike?
Memory forensics is faster than disk forensics
Cobalt Strike cannot run on Windows systems with disk encryption
Cobalt Strike beacons are loaded reflectively into memory — no file is written to disk, no Prefetch entry is created, and no registry key is modified, making the implant invisible to disk-based forensic analysis
Memory forensics can recover encrypted files
Correct. Modern attacker tooling operates primarily in memory. Reflective loading maps the implant into a legitimate process without writing the DLL to disk or registering it with the Windows loader, so it never appears in the process's module lists. The evidence exists in RAM: Volatility 3's windows.malfind flags private, executable memory regions with no backing file, and comparing that output against windows.dlllist (or windows.ldrmodules) isolates the code that no legitimate module accounts for. One caveat: the beacon itself may be fileless, but the stager or loader that placed it (a macro, a script, a dropped executable) usually does leave disk artifacts, so memory and disk findings should be correlated rather than treated as alternatives. Without memory forensics, the most common commercial attack tools are invisible.
6. What is the correct order of evidence collection priority according to the jump bag checklist?
Memory → network connections → KAPE triage → M365 audit → full disk image
Full disk image → KAPE triage → memory → M365 audit → network connections
M365 audit → KAPE triage → memory → full disk image → network connections
Network connections → full disk image → memory → KAPE triage → M365 audit
Correct. Evidence is collected in order of volatility — the most volatile evidence first because it disappears soonest. Memory is lost on reboot. Network connections change constantly. KAPE triage collects persistent but time-sensitive artifacts. M365 audit logs are persistent but retention-limited. Full disk images are persistent and collected last (if needed at all).
7. You need to revoke a compromised user's active sessions immediately. Which PowerShell command accomplishes this?
Update-MgUser -AccountEnabled:$false
Remove-InboxRule -Identity "malicious rule"
Revoke-MgUserSignInSession — this forces re-authentication and breaks stolen session tokens
Disconnect-ExchangeOnline
Correct. Revoke-MgUserSignInSession (Microsoft Graph PowerShell) resets the user's signInSessionsValidFromDateTime, which invalidates every refresh token and browser session cookie issued before that moment and forces re-authentication. This breaks stolen session tokens, including those captured by an AiTM phishing proxy. Two caveats: access tokens that were already issued keep working until they expire (typically up to an hour) unless the resource supports Continuous Access Evaluation, and revocation does nothing about the attacker re-authenticating with the stolen password or a registered MFA method. Disabling the account (Update-MgUser -UserId <user> -AccountEnabled:$false; the Graph SDK cmdlet is Update-MgUser, not Set-MgUser) blocks new sign-ins but does not terminate existing sessions. Disable, revoke, reset the password, and review MFA registrations and inbox rules together during containment.
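The containment sequence above as an added PowerShell example. It is not part of the course material; it assumes the Microsoft.Graph.Users and ExchangeOnlineManagement modules are installed, that the operator's role covers the Graph scopes named in Connect-MgGraph and Exchange inbox-rule management, and that $Upn and $CaseDir are placeholders supplied at run time.

```powershell
# Added example, not part of the course material. Assumes Microsoft.Graph.Users and
# ExchangeOnlineManagement are installed; $Upn and $CaseDir are placeholders.
param(
    [Parameter(Mandatory)][string]$Upn,
    [string]$CaseDir = 'C:\IR\case'
)

New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null
$log = Join-Path $CaseDir ('containment-' + ($Upn -replace '[^\w]', '_') + '.log')
function Write-Step([string]$Message) {
    "$(Get-Date -Format o) $Message" | Tee-Object -FilePath $log -Append
}

# Scopes are an assumption about what the tenant has consented to; adjust to your admin role.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All' -NoWelcome

# 1. Block new sign-ins. On its own this leaves existing sessions and tokens alive.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Write-Step 'account disabled'

# 2. Invalidate refresh tokens and browser session cookies. Access tokens that were already
#    issued keep working until expiry unless the resource honours Continuous Access Evaluation.
$null = Revoke-MgUserSignInSession -UserId $Upn
Write-Step 'sign-in sessions revoked'

# 3. Verify the state instead of trusting the cmdlets' silence: signInSessionsValidFromDateTime
#    must now be within the last few minutes and accountEnabled must be false.
$u = Get-MgUser -UserId $Upn -Property accountEnabled, signInSessionsValidFromDateTime
$validFrom  = $u.SignInSessionsValidFromDateTime.ToUniversalTime()
$ageMinutes = ((Get-Date).ToUniversalTime() - $validFrom).TotalMinutes
Write-Step "accountEnabled=$($u.AccountEnabled) sessionsValidFrom=$($validFrom.ToString('o'))"
if ($u.AccountEnabled -or $ageMinutes -gt 5) {
    Write-Step 'WARNING: containment state is not what was expected; re-run and check manually'
}

# 4. Mailbox persistence. Export every inbox rule (hidden ones included) before touching it;
#    the rule definitions are evidence of what the attacker was filtering or forwarding.
Connect-ExchangeOnline -ShowBanner:$false
$rules = @(Get-InboxRule -Mailbox $Upn -IncludeHidden)
$rules |
    Select-Object Name, Enabled, Priority, From, SubjectContainsWords, BodyContainsWords,
                  ForwardTo, RedirectTo, MoveToFolder, DeleteMessage, MarkAsRead |
    Export-Csv -Path (Join-Path $CaseDir 'inboxrules-before.csv') -NoTypeInformation
foreach ($r in $rules) {
    Remove-InboxRule -Mailbox $Upn -Identity $r.Identity -Confirm:$false
    Write-Step "removed inbox rule '$($r.Name)'"
}

# 5. Mailbox-level forwarding is configured separately from inbox rules, so check it separately.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Tee-Object -FilePath (Join-Path $CaseDir 'forwarding-before.txt')
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Write-Step 'mailbox forwarding cleared'

# Still to do outside this script: reset the password, review registered MFA methods and
# OAuth app consents, and only then re-enable the account.
```

The verification step matters more than it looks: a Graph call that silently fails because of a missing scope leaves the account exactly as the attacker found it, and the log written by Write-Step is the record you will be asked for when the timeline is reconstructed.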
8. What is the purpose of hashing all tool binaries in the jump bag?
To speed up tool execution on the target system
To verify tool integrity — if hashes change, the USB may have been tampered with or corrupted, and the tools cannot be trusted
To comply with software licensing requirements
To allow antivirus to whitelist the tools
Correct. Hash verification ensures the tools have not been modified since they were placed in the jump bag. If an attacker or malware modified a tool binary on the USB (replacing KAPE with a trojanized version, for example), the hash comparison would detect the change. Tool integrity is part of evidence integrity: the tools used to collect evidence must themselves be trustworthy. The check only works if the reference hashes are stored somewhere the drive cannot rewrite (the case-management system, a printed sheet, a signed file on a separate medium); a hash list kept next to the tools on the same USB is defeated by the same tampering it is meant to detect. Write-protected media or a read-only image reduces the window in which tampering can happen at all.
9. A developer tenant for M365 is being used as the course lab. Which critical audit capability requires E5 licensing to function?
Basic sign-in log access
Defender XDR Advanced Hunting
MailItemsAccessed — the Purview audit event that records exactly which email messages were read by a user or application
PowerShell remoting to Exchange Online
Correct. MailItemsAccessed is the Purview audit event that logs each individual mailbox item accessed, with the access type (Bind for individual messages opened, Sync for a whole folder downloaded), the client, the IP address and the session. It has historically been an Audit (Premium) event, which is what E5 provides. Without it you can determine that a user signed in and which mailbox was opened, but not which specific emails were read. This is the difference between "the attacker had mailbox access" and "the attacker read 47 emails containing invoice data." The developer tenant includes E5 licensing. In any other tenant, check the audit configuration rather than assuming: Microsoft announced in 2023 that MailItemsAccessed would be extended to Audit (Standard) customers, and log retention differs between the tiers.
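Pulling and flattening MailItemsAccessed for one mailbox, as an added PowerShell example that is not part of the course material. It assumes ExchangeOnlineManagement is installed, that the operator holds an audit-log role, that the tenant actually records MailItemsAccessed, and that $Upn, $Start, $End, $OutCsv and the IP address 203.0.113.10 are placeholders.

```powershell
# Added example, not part of the course material. Assumes ExchangeOnlineManagement is installed,
# the operator holds the View-Only Audit Logs (or Audit Logs) role, and the tenant records
# MailItemsAccessed. $Upn, $Start, $End and $OutCsv are placeholders.
param(
    [Parameter(Mandatory)][string]$Upn,
    [Parameter(Mandatory)][datetime]$Start,
    [Parameter(Mandatory)][datetime]$End,
    [string]$OutCsv = 'C:\IR\case\mailitemsaccessed.csv'
)

function Get-MailItemsAccessedRecords {
    param([string]$User, [datetime]$From, [datetime]$To)
    # Search-UnifiedAuditLog returns at most 5000 records per call; a shared SessionId with
    # ReturnLargeSet pages through the rest until a call returns nothing.
    $sessionId = "MIA-$User-$(Get-Date -Format yyyyMMddHHmmss)"
    $all = New-Object System.Collections.Generic.List[object]
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $From -EndDate $To -UserIds $User `
                    -Operations MailItemsAccessed -ResultSize 5000 `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet)
        foreach ($r in $page) { $all.Add($r) }
    } while ($page.Count -gt 0)
    return $all
}

function ConvertTo-MailAccessRows {
    param([object[]]$Records)
    foreach ($rec in $Records) {
        $d = $rec.AuditData | ConvertFrom-Json
        # Bind  = individual messages opened; each is listed under Folders[].FolderItems.
        # Sync  = a whole folder was downloaded, so only the folder is listed.
        # IsThrottled = more than 1000 binds in 24 h were collapsed into aggregate events.
        $throttled = ($d.OperationProperties | Where-Object { $_.Name -eq 'IsThrottled' }).Value
        $folders = if ($d.Folders) { @($d.Folders) } else { @($null) }
        foreach ($f in $folders) {
            $items = if ($f -and $f.FolderItems) { @($f.FolderItems) } else { @($null) }
            foreach ($i in $items) {
                [pscustomobject]@{
                    Time              = $rec.CreationDate
                    User              = $d.UserId
                    ClientIP          = $d.ClientIPAddress
                    ClientInfoString  = $d.ClientInfoString
                    AccessType        = $d.MailAccessType
                    SessionId         = $d.SessionId
                    OperationCount    = $d.OperationCount
                    IsThrottled       = $throttled
                    FolderPath        = if ($f) { $f.Path } else { $null }
                    InternetMessageId = if ($i) { $i.InternetMessageId } else { $null }
                }
            }
        }
    }
}

Connect-ExchangeOnline -ShowBanner:$false
$rows = @(ConvertTo-MailAccessRows -Records (Get-MailItemsAccessedRecords -User $Upn -From $Start -To $End))
$rows | Export-Csv -Path $OutCsv -NoTypeInformation

# Scoping questions the flat CSV answers directly.
# Which sessions and IPs touched the mailbox, and how heavily? Correlate SessionId and IP with sign-in logs.
$rows | Group-Object SessionId, ClientIP, ClientInfoString |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
# How many distinct messages were individually opened from the attacker's IP (placeholder address)?
$suspect = $rows | Where-Object { $_.AccessType -eq 'Bind' -and $_.ClientIP -eq '203.0.113.10' }
($suspect | Select-Object -ExpandProperty InternetMessageId -Unique).Count
# Throttled or Sync events mean the message list is incomplete and the scope is "the whole folder".
$rows | Where-Object { $_.IsThrottled -eq 'True' -or $_.AccessType -eq 'Sync' } |
    Select-Object Time, AccessType, FolderPath -Unique
```

The last query is the one that changes a report's conclusion: a single Sync event against the Inbox means every message in that folder must be treated as read, however short the Bind list is.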
10. How often should the jump bag be tested?
Only after a tool update
Monthly — verify tool hashes, run each tool to confirm it executes, check for updates, and verify credential access
Annually during the IR plan review
Only before a known incident
Correct. Monthly testing takes 15 minutes and catches tool corruption, outdated versions, expired credentials, and USB drive failures before they matter. An untested jump bag discovered to be non-functional during a 02:00 incident costs the investigation its first hour of evidence collection.
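A manifest for the hash check in question 8 and the monthly verification in question 10, as one added PowerShell example that is not part of the course material. The drive letter, manifest path and tool layout are assumptions; the manifest is written to the analyst's workstation, not the USB, for the reason given above.

```powershell
# Added example, not part of the course material. Paths are placeholders. The manifest is
# written somewhere the jump-bag drive cannot rewrite; a manifest stored beside the tools is
# only as trustworthy as the drive it sits on.
function New-JumpBagManifest {
    param(
        [Parameter(Mandatory)][string]$Root,          # e.g. 'E:\tools' on the jump-bag USB
        [Parameter(Mandatory)][string]$ManifestPath   # e.g. 'C:\IR\jumpbag-manifest.csv' on the workstation
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File -Force |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($rootFull.Length + 1)
                Length       = $_.Length
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Sort-Object RelativePath |
        Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-JumpBagManifest {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }

    $seen     = @{}
    $problems = New-Object System.Collections.Generic.List[object]
    Get-ChildItem -LiteralPath $rootFull -Recurse -File -Force | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length + 1)
        $seen[$rel] = $true
        if (-not $expected.ContainsKey($rel)) {
            # A file that was not in the manifest is as suspicious as a changed one.
            $problems.Add([pscustomobject]@{ Path = $rel; Status = 'UNEXPECTED' })
            return   # inside ForEach-Object this acts as "continue"
        }
        $actual = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        if ($actual -ne $expected[$rel]) {
            $problems.Add([pscustomobject]@{ Path = $rel; Status = 'MODIFIED' })
        }
    }
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            $problems.Add([pscustomobject]@{ Path = $rel; Status = 'MISSING' })
        }
    }
    # Returns every discrepancy; an empty list means the drive matches the manifest exactly.
    return $problems
}

# When the bag is assembled or a tool is deliberately updated:
#   New-JumpBagManifest -Root 'E:\tools' -ManifestPath 'C:\IR\jumpbag-manifest.csv'
# Monthly drill: verify first, then launch each tool once to prove it still starts.
#   $issues = Test-JumpBagManifest -Root 'E:\tools' -ManifestPath 'C:\IR\jumpbag-manifest.csv'
#   if ($issues.Count -gt 0) { $issues | Format-Table -AutoSize; throw 'Jump bag failed integrity check' }
```

Three outcomes are reported rather than one: a modified binary is the tampering case, a missing file is the corruption or failed-copy case, and an unexpected file is what a trojanized drop-in usually looks like when the attacker adds a DLL beside the real executable.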
11. A compromised server has application whitelisting that blocks KAPE and Velociraptor from executing. What is your best approach for evidence collection?
Use native Windows commands (Get-CimInstance, Get-NetTCPConnection, Get-ScheduledTask, Get-WinEvent, wevtutil) to collect processes, network connections, persistence mechanisms, and event logs — then export the .evtx files for EvtxECmd analysis on the forensic workstation
Wait until the whitelisting policy can be modified to allow KAPE
Take a full disk image instead
Ask the user to describe what they observed
Correct. Built-in cmdlets and utilities are already on the host, signed by Microsoft, and almost always permitted by the application control policy. They collect an estimated 60-70% of the evidence needed for initial triage and containment decisions. The critical bridge technique is using wevtutil epl to export .evtx files that can be parsed with EvtxECmd on the forensic workstation, combining native collection with dedicated tool analysis. Two caveats: under WDAC or AppLocker, PowerShell usually runs in Constrained Language Mode, so stick to cmdlets and avoid .NET method calls, and unsigned .ps1 files may themselves be blocked, so be prepared to paste commands interactively. Running commands on the host is still contamination (question 1): note the start time and the account used so that the PowerShell operational log entries and Prefetch files you create can be excluded from the timeline.
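The native-only collection described above, as an added PowerShell example that is not part of the course material. It assumes an elevated PowerShell session, that $OutRoot is a placeholder pointing at removable or network storage, and that the channel list is a starting point to be trimmed to what the host actually has; it is written with cmdlets and built-in executables only so that it also runs under Constrained Language Mode.

```powershell
# Added example, not part of the course material. Native-only triage for a host where application
# control blocks third-party tools. Run from an elevated PowerShell; $OutRoot is a placeholder and
# should point at removable or network storage, not the system volume. Cmdlets and built-in
# executables only, so it also works under Constrained Language Mode.
param([string]$OutRoot = 'D:\triage')

$dir = Join-Path $OutRoot "$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$logFile = Join-Path $dir 'collection.log'
function Write-Note([string]$Message) { "$(Get-Date -Format o) $Message" | Tee-Object -FilePath $logFile -Append }
function Export-Triage($Data, [string]$Name) {
    $Data | Export-Csv -Path (Join-Path $dir $Name) -NoTypeInformation
    Write-Note "wrote $Name"
}
Write-Note "collection started on $env:COMPUTERNAME by $env:USERDOMAIN\$env:USERNAME (exclude our own artifacts after this time)"

# Volatile data first (order of volatility): running processes, then open network connections.
$procs = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate,
        @{ n = 'SHA256'; e = { if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
                                  (Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm SHA256).Hash } } }
Export-Triage $procs 'processes.csv'
Export-Triage (Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime) 'tcp.csv'
Export-Triage (Get-NetUDPEndpoint  | Select-Object LocalAddress, LocalPort, OwningProcess, CreationTime) 'udp.csv'

# Persistence: services, scheduled tasks (one row per action), Run/RunOnce keys, WMI subscriptions.
Export-Triage (Get-CimInstance Win32_Service | Select-Object Name, DisplayName, State, StartMode, StartName, PathName) 'services.csv'
$tasks = Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        [pscustomobject]@{ TaskPath = $t.TaskPath; TaskName = $t.TaskName; State = $t.State
                           RunAs = $t.Principal.UserId; Execute = $a.Execute; Arguments = $a.Arguments }
    }
}
Export-Triage $tasks 'scheduledtasks.csv'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$runEntries = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        foreach ($name in (Get-Item $k).Property) {
            [pscustomobject]@{ Key = $k; Name = $name; Value = Get-ItemPropertyValue -Path $k -Name $name }
        }
    }
}
Export-Triage $runEntries 'runkeys.csv'
$wmi = foreach ($cls in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
    Get-CimInstance -Namespace root\subscription -ClassName $cls | ForEach-Object {
        [pscustomobject]@{ Class = $_.CimClass.CimClassName; Name = $_.Name; Query = $_.Query
                           CommandLine = $_.CommandLineTemplate; Script = $_.ScriptText
                           Filter = $_.Filter; Consumer = $_.Consumer }
    }
}
Export-Triage $wmi 'wmi-subscriptions.csv'

# Event logs: export the raw .evtx with wevtutil so EvtxECmd on the workstation sees the original
# records rather than a lossy Get-WinEvent projection. A '/' in a channel name becomes '%4' on disk.
$channels = 'Security', 'System', 'Application',
            'Microsoft-Windows-PowerShell/Operational',
            'Microsoft-Windows-TaskScheduler/Operational',
            'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
            'Microsoft-Windows-WMI-Activity/Operational',
            'Microsoft-Windows-Sysmon/Operational'
foreach ($ch in $channels) {
    $target = Join-Path $dir (($ch -replace '/', '%4') + '.evtx')
    & wevtutil.exe epl $ch $target
    if ($LASTEXITCODE -eq 0) { Write-Note "exported $ch" }
    else { Write-Note "FAILED to export $ch (exit $LASTEXITCODE; channel may not exist on this host)" }
}

# Hash everything collected so the workstation can prove the copy it analyses is the one taken here.
Get-ChildItem -Path $dir -File | Where-Object Name -ne 'hashes.csv' |
    ForEach-Object { Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 } |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -Path (Join-Path $dir 'hashes.csv') -NoTypeInformation
Write-Note 'collection finished'
# On the forensic workstation:  EvtxECmd.exe -d <copied directory> --csv <output directory>
```

The process list is hashed at collection time deliberately: if the host is later wiped or the binary deleted, the SHA-256 in processes.csv is what lets you match the image against threat intelligence or a known-good catalogue.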
12. What does Hayabusa provide that EvtxECmd does not?
Hayabusa parses more event log formats than EvtxECmd
Hayabusa is faster at parsing event logs
Hayabusa applies 4,000+ Sigma detection rules to event logs and outputs only the events matching known attack patterns — providing threat detection rather than comprehensive parsing
Hayabusa produces better CSV output for Timeline Explorer
Correct. EvtxECmd parses ALL events into a comprehensive CSV — every logon, every process creation, every service installation. The investigator must manually filter to find relevant entries. Hayabusa filters first by applying Sigma rules and outputs only events matching known attack techniques, with severity levels and MITRE ATT&CK mapping. Use EvtxECmd for comprehensive analysis; use Hayabusa for threat hunting in large log collections.
13. What is the primary advantage of Magnet AXIOM Cyber over the free toolkit (KAPE + EZTools + Velociraptor + Volatility)?
AXIOM Cyber produces more accurate forensic findings
AXIOM Cyber unifies acquisition, parsing, analysis, and reporting from computer, cloud, and mobile sources in a single platform — eliminating the tool-orchestration overhead the free toolkit requires
AXIOM Cyber is required for court-admissible evidence
AXIOM Cyber detects threats that free tools cannot
Correct. The forensic analysis is identical whether performed by AXIOM Cyber or the free toolkit — both parse the same artifacts and produce the same findings. AXIOM's advantage is workflow efficiency: unified interface, integrated cloud acquisition, automated artifact correlation, and built-in case management and reporting. The free toolkit requires the investigator to orchestrate 6-8 separate tools and manually correlate findings. The investigation outcomes are the same; the effort differs.