Fabian Mendoza, Author at AboutDFIR - The Definitive Compendium Project

22 Sep 2023

AboutDFIR Site Content Update – 09/22/2023

Tools & Artifacts - Windows - new entry added - EventTransciptParser Tools & Artifacts - iOS - new entries added - iOS 17 - iOS 17 Forensics: Another Year, Another Byte of the Apple, iOS - iOS System Artifacts: Revealing Hidden Clues, iOS Acquisition - iOS Forensic Toolkit: Troubleshooting Low-Level Extraction Agent Tools & Artifacts - Android - new entry added - Android - Accounts - Investigating Android Accounts Tools & Artifacts - DVR/Multimedia -…

18 Sep 2023

By Fabian Mendoza

GX-FA Exam: My Experience

Introduction I recently attended the 2023 SANS DFIR Summit in Austin, TX when I saw an advertisement for the brand new GIAC Experienced Forensic Analyst (GX-FA) certification. SANS offered a discount for attendees that were interested in taking this exam and so I decided why not? The last GIAC exam I had taken was the GIAC Certified Forensic Analyst (GCFA) exam in December 2022 and so I found it to be very appropriate to follow…

15 Sep 2023

By Fabian Mendoza

AboutDFIR Site Content Update – 09/15/2023

Tools & Artifacts - Windows - new entries added - Level.io - RMM - Level.io: Forensic Artifacts and Evidence, Microsoft 365 (M365) - Wrangling the M365 UAL with SOF-ELK and CSV Data (Parts 1-3), OneDriveExplorer - What's New in OneDriveExplorer, Microsoft Edge - Microsoft Edge Forensics: Screenshot History Tools & Artifacts - iOS - new entry added - WhatsApp - iOS WhatsApp Forensics with Belkasoft X Tools & Artifacts - Android - new entry added…

08 Sep 2023

By Fabian Mendoza

AboutDFIR Site Content Update – 09/08/2023

Tools & Artifacts - Windows - new entry added - Microsoft Remote Access VPN - Forensic Aspects of Microsoft Remote Access VPN Tools & Artifacts - Linux - new entry added - Walk-through of Dr. Ali Hadi's Web Server Case CTF Tools & Artifacts - iOS - new entry added - Telegram - Investigating iOS Telegram Tools & Artifacts - DVR/Multimedia - new entry added - Deblur a Moving Car Jobs - old entries cleaned…

18 Jan 2023

By Fabian Mendoza

The Key to Identify PsExec

Summary: In one way or another, PsExec - a wildly popular remote administration tool in the Microsoft SysInternals Suite - peeks its head in the wild. Threat actors tend to leverage PsExec for various reasons, such as executing commands or programs on a remote host in a victim’s environment, or for more nefarious reasons, such as deploying ransomware. The focus of this blog is to bring attention to a relatively new method of identifying the…