This website is the companion to the Incident Response Workbook, which contains 12 hands-on scenarios that use PowerShell to perform incident response. From this site, readers of the book can download the data sets and receive updates to the book.

The Incident Response Workbook was written for those seeking hands-on practice performing incident response. The activities use Windows PowerShell, which ships with Windows by default, so no additional tooling is required. In each hands-on exercise, the reader is:

  • Presented with a realistic scenario,

  • Given a PowerShell setup script that will place artifacts on a Windows computer to simulate realistic artifacts from the scenario,

  • Provided an opportunity to perform hands-on incident response activities (triage, investigation, and mitigation),

  • Walked through a solution to the scenario, and

  • Given a clean-up script that removes the artifacts placed during setup, so the computer is returned to its prior state.
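To make the setup / triage / clean-up cycle above concrete, here is an added illustration of that pattern. It is not one of the workbook's 12 scenarios and not a script from the book; the directory name, the placeholder file, and the Run-key value name are assumptions chosen for this example. It simulates two common persistence artifacts (a dropped file in the user's temp directory and an HKCU Run-key autostart pointing at it), lets the reader triage them, and then removes exactly what it created. It runs as a normal user in Windows PowerShell 5.1 or PowerShell 7 and writes only under HKCU and $env:TEMP.

```powershell
# Added illustration of the workbook's setup / triage / clean-up pattern.
# Not one of the book's scenarios or scripts; all names and paths below are assumptions.

$ArtifactDir  = Join-Path $env:TEMP 'IRWorkbookDemo'          # assumed artifact directory
$DropperPath  = Join-Path $ArtifactDir 'updater.exe.txt'      # assumed "dropped" file (harmless text)
$RunKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValueName = 'IRWorkbookDemoUpdater'                        # assumed Run-key value name

function Invoke-ScenarioSetup {
    # Place the simulated artifacts: a file in %TEMP% and a Run-key entry that references it.
    New-Item -ItemType Directory -Path $ArtifactDir -Force | Out-Null
    Set-Content -Path $DropperPath -Value 'constructed placeholder, not an executable'
    New-ItemProperty -Path $RunKey -Name $RunValueName -Value "`"$DropperPath`"" `
        -PropertyType String -Force | Out-Null
    Write-Host "Setup complete: artifacts placed under $ArtifactDir and $RunKey\$RunValueName"
}

function Invoke-ScenarioTriage {
    # Triage step: enumerate every HKCU Run entry, check whether its target exists on disk,
    # and flag entries whose target lives under the user-writable temp directory.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    $findings = @()
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            # Skip the provider metadata properties Get-ItemProperty adds to every object.
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $target = [string]$p.Value
            $findings += [pscustomobject]@{
                Name       = $p.Name
                Command    = $target
                Exists     = Test-Path -LiteralPath ($target.Trim('"'))
                Suspicious = ($target -like ('*' + $env:TEMP + '*'))
            }
        }
    }
    return $findings
}

function Invoke-ScenarioCleanup {
    # Remove only what setup created; errors are suppressed so the script is safe to rerun.
    Remove-ItemProperty -Path $RunKey -Name $RunValueName -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $ArtifactDir -Recurse -Force -ErrorAction SilentlyContinue
    Write-Host 'Cleanup complete'
}

# One full cycle: place the artifacts, triage the Run key, then clean up.
Invoke-ScenarioSetup
Invoke-ScenarioTriage | Where-Object Suspicious | Format-Table -AutoSize
Invoke-ScenarioCleanup
```

The triage function deliberately reports every Run entry, not just the planted one, so on a real workstation the reader also sees legitimate autostarts and has to reason about which ones matter; that is the same judgment the workbook's scenarios ask for.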

Rather than just reading about incident response, the reader performs the hands-on tasks of a response effort. The solution for each scenario explains both the incident response concepts involved and the PowerShell commands used. Because PowerShell is taught through the lens of incident response, the book is suitable for novices in both incident response and PowerShell. It is also suited to experienced responders who want practical problems to solve.

The workbook is designed to be used as a companion for students in computer security, digital forensics, or incident response courses, as training material for companies, or as a stand-alone resource. The book and its scripts can be incorporated into formal academic courses, industry training classes, on-the-job learning, or independent study. Instructor material for each chapter is also available upon request. Each chapter contains step-by-step activities with screenshots of the results from the provided data sets, so the reader can reproduce the same results published in the book. The activities are followed by additional PowerShell content and discussion questions.