AboutDFIR Site Content Update – 04/26/2024

Challenges & CTFs - old entries cleaned up, new entries added: CTFs: BelkaCTF #6: Bogus Bill CTF Walkthroughs: Belkasoft CTF 6: Write-up Jobs - old entries cleaned up, new entries added: CyberClan IronGate Cybersecurity Mandiant (now part of Google Cloud) modePUSH NCC Group RSM SentinelOne Tools & Artifacts - Android - new entries added: Tools: ALEAPP Artifacts: Android - Digital Wellbeing - Investigating Android Digital Wellbeing Samsung Bluetooth Call Routes - Road Trippin’ – Exploring…
Read More

AboutDFIR Site Content Update – 04/12/2024

Challenges & CTFs - new entries added: Challenges: The DFIR Report - DFIR Labs XINTRA - Advanced APT Emulation Labs Jobs - old entries cleaned up, new entries added: AT&T Mandiant (now part of Google Cloud) Microsoft modePUSH Palo Alto Networks Unit 42 ZeroFox Tools & Artifacts - AWS - new entry added: Artifacts: AWS Amplify Logs - Do NOT forget the AWS Amplify Logs Tools & Artifacts - iOS - new entries added: Tools:…
Read More

AboutDFIR Site Content Update – 03/29/2024

Challenges & CTFs - new entries added - CTF - Magnet Virtual Summit 2024 Capture The Flag, CTF Walkthrough - Magnet Virtual Summit 2024 Capture The Flag - Cipher, iOS (Doug Metz), Magnet Virtual Summit 2024 Capture The Flag - Android, Cipher (DFIR101), Magnet Virtual Summit 2024 Capture The Flag - Android, Cipher, iOS (Forensafe, Kairos (Hestia) Tay, Kevin Pagano, Madi Brumbelow at The Hive) Jobs - old entries cleaned up, new entries added -…
Read More

AboutDFIR Site Content Update – 03/22/2024

Jobs - old entries cleaned up, new entries added - Arete, CrowdStrike, Kivu Consulting, Kroll, Mandiant (now part of Google Cloud), Palo Alto Networks Unit 42, Salesforce, Surefire Cyber, Trustwave Tools & Artifacts - Android - new entry added - WhatsApp - Android WhatsApp Forensics. Part II: Analysis Tools & Artifacts - File Systems - new entry added - NTFS - NTFS Artifacts Tools & Artifacts - iOS - new entries added - Apple Accounts…
Read More

AboutDFIR Site Content Update – 03/15/2024

Jobs - old entries cleaned up, new entries added - Aperture, JPMorgan Chase & Co., Kraft Heinz, Mandiant (now part of Google Cloud), modePUSH, RSM, TrustedSec Tools & Artifacts - Windows - new entries added - AmCache - Evidence of Program Existence - Amcache, Event Tracing (ETW) - ETL File analysis in live, Triage Analysis - Chaos to Clarity: Why Triage is Not Optional, Tools - Invoke-LiveResponse SANS has released an overview for the new…
Read More

AboutDFIR Site Content Update – 03/08/2024

Jobs - old entries cleaned up, new entries added - CrowdStrike, JPMorgan Chase & Co., Keith Borer Consultants, Mitiga, NCC Group, Palo Alto Networks Unit 42, Zurich Tools & Artifacts - Android - new entries added - Android Acquisition - Mobile Forensic Images and Acquisition Priorities, WhatsApp - Android WhatsApp Forensics. Part I: Acquisition Tools & Artifacts - Google Workspace - new entry added - Google Chrome - Google Chrome Platform Notification Analysis Tools &…
Read More

AboutDFIR Site Content Update – 03/01/2024

Jobs - old entries cleaned up, new entries added - JetBlue, Kaseya, Palo Alto Networks Unit 42, Rapid7, Secureworks, Soteria, Sygnia Tools & Artifacts - Android - new entry added - WhatsApp - Investigating Android WhatsApp Tools & Artifacts - AWS - new entry added - AWS Incident Response - AWS Ransomware Tools & Artifacts - Microsoft 365 - new entry added - MailItemsAccessed - MailItemsAccessed Woes: M365 Investigation Challenges Tools & Artifacts - iOS…
Read More

AboutDFIR Site Content Update – 02/23/2024

Jobs - old entries cleaned up, new entries added - Arete, Contact Discovery Services LLC, Huntress, Mandiant (now part of Google Cloud), Palo Alto Networks Unit 42, Surefire Cyber, Thames Valley Police, UCLA Health Tools & Artifacts - AWS - new entry added - AWS Incident Response - How to be IR Prepared in AWS Tools & Artifacts - Google Cloud - new entry added - Google Cloud Incident Response - Google Cloud Incident Response…
Read More

AboutDFIR Site Content Update – 02/16/2024

Jobs - old entries cleaned up, new entries added - Deloitte, IBM, NYU Langone Health, Warner Bros. Discovery Tools & Artifacts - Android - new entry added - Android - SMS - Investigating Android SMS Tools & Artifacts - iOS - new entry added - iOS Acquisition - Bootloader-Level Extraction for Apple Hardware Tools & Artifacts - Microsoft 365 - new entry added - Unified Audit Log (UAL) - What DFIR experts need to know…
Read More

AboutDFIR Site Content Update – 02/09/2024

Jobs - old entries cleaned up, new entries added - Adobe, Alight, Boston Consulting Group (BCG) Tools & Artifacts - Android - new entry added -  Android Acquisition - How to Acquire Digital Evidence with Android Screen Capturer in Belkasoft X Tools & Artifacts - iOS - new entries added - iOS Forensic Toolkit - iOS Forensic Toolkit: Mounting HFS Images in Windows, Snapchat - Investigating iOS Snapchat Tools & Artifacts - Linux - new…
Read More

AboutDFIR Site Content Update – 02/02/2024

Jobs - old entries cleaned up, new entries added - Kroll, Mandiant (now part of Google Cloud), OpenAI, Palo Alto Networks Unit 42 Tools & Artifacts - Google Workspace - new entry added - Google Drive File Stream (DriveFS) - Hunting for File Deletion Artifacts in Google File Stream Data Tools & Artifacts - iOS - new entry added -  iOS Voice Triggers - Investigating iOS Voice Triggers Tools & Artifacts - Windows - new…
Read More

AboutDFIR Site Content Update – 01/26/2024

Jobs - old entries cleaned up, new entries added - Accenture, Arete, Center For Internet Security (CIS), IBM, Red Canary, Surefire Cyber Tools & Artifacts - Android - new entries added - Android Acquisition - The Investigator’s Guide to Android Acquisition Methods. Part I: Device, Life360 - Analyzing Life360 on Android Tools & Artifacts - File Systems - new entries added - Tools - Indx2Csv, Tools - INDXRipper Tools & Artifacts - iOS - new…
Read More

AboutDFIR Site Content Update – 01/19/2024

Jobs - old entries cleaned up, new entries added - Arete, CyberClan, Kivu Consulting, modePUSH, Paramount Tools & Artifacts - DVR/Multimedia - new entry added - Video Analysis - Video Forensic Analysis of Samsung DVRs – Insights from 2024 Tools & Artifacts - iOS - new entries added - iOS Acquisition - When Extraction Meets Analysis: Cellebrite Physical Analyzer, iOS Calls - Investigating iOS Calls Tools & Artifacts - Windows - new entry added -…
Read More

AboutDFIR Site Content Update – 01/12/2024

Jobs - old entries cleaned up, new entries added - Atlassian, Cadence, Calix, CrowdStrike, SAIC Tools & Artifacts - AWS - new entries added - AWS Cloud Forensics - The Importance of Depth: Cloud Forensics Beyond Log Analysis, EC2 (Elastic Compute Cloud) - The Cado Platform can now Capture AWS EC2 Systems into E01 Format Tools & Artifacts - DVR/Multimedia - new entry added - ExifTool - ExifTool Basics for DFIR Tools & Artifacts -…
Read More

AboutDFIR Site Content Update – 01/05/2024

Jobs - old entries cleaned up, new entries added - ADP, Comcast, OpenText, Palo Alto Networks Unit 42, Paylocity, Prudential, State of Minnesota, United Airlines Tools & Artifacts - Android - new entries added - Android Unlocking - Android: Unlock and Rooting, Application Execution - Has the user ever used the XYZ application? aka traces of application execution on mobile devices, Instagram - Investigating Android Instagram Tools & Artifacts - iOS - new entries added -…
Read More

AboutDFIR Site Content Update – 12/29/2023

Jobs - old entries cleaned up, new entries added - ADP, Clear, NCC Group, Palo Alto Networks Unit 42, Pouvoir Judiciaire - Etat de Genève, Warner Bros. Discovery Tools & Artifacts - DVR/Multimedia - new entry added - Video/Image Analysis - Correct the Aspect Ratio of CCTV Footage Tools & Artifacts - Google Workspace - new entries added - Tools - DriveFS Sleuth, Google Drive File Stream (DriveFS) - DriveFS Sleuth — Your Ultimate Google…
Read More

AboutDFIR Site Content Update – 12/22/2023

Jobs - old entries cleaned up, new entries added - Arete, At-Bay, Kivu Consulting, Kroll, Notion, Palo Alto Networks Unit 42, Salesforce, Surefire Cyber Tools & Artifacts - Android - new entry added - Snapchat - Investigating Android Snapchat App Tools & Artifacts - DVR/Multimedia - new entry added - Video/Image Analysis - Measure Speed from Surveillance Video Tools & Artifacts - Linux - new entries added - Linux Forensics - Using the Unix-like Artifacts…
Read More

AboutDFIR Site Content Update – 12/15/2023

Jobs - old entries cleaned up, new entries added - AWS, Booz Allen Hamilton, CDW, Cyderes, Palo Alto Networks Unit 42, State Street, Verizon Challenges & CTFs - new entry added - CTF Walkthrough - Cellebrite CTF 2023 - Sharon (Forensafe) Tools & Artifacts - AWS - new entry added - CloudTrail - AWS CloudTrail Forensics - HTB Nubilum-1 Tools & Artifacts - iOS - new entry added - iTunes Backups - The Pitfalls of…
Read More

AboutDFIR Site Content Update – 12/08/2023

Jobs - old entries cleaned up, new entries added - Accenture, Booz Allen Hamilton, CDW, Cloudflare, Moderna, NCC Group Tools & Artifacts - Android - new entry added - Viber - Investigating Android Viber Tools & Artifacts - DVR/Multimedia - new entry added - Video/Image Analysis - Increase Exposure of Dark Footage Tools & Artifacts - Google Workspace - new entry added - Gmail - Dots do matter: Why dots in Gmail addresses impact Google…
Read More

AboutDFIR Site Content Update – 12/01/2023

Jobs - old entries cleaned up, new entries added - Magnet Forensics, NCC Group, Palo Alto Networks Unit 42, SentinelOne Tools & Artifacts - Android - new entries added - Android - Gmail - Investigating Android Gmail, WhatsApp - Forensic Duel: Exploring Deleted WhatsApp Messages—iOS vs Android Tools & Artifacts - AWS - new entry added - Tools - Cado's Import UI Tools & Artifacts - Azure - new entry added - Tools - Cado's…
Read More

AboutDFIR Site Content Update – 11/24/2023

Certifications & Training - new entry added - SANS - GX-PT Jobs - old entries cleaned up, new entries added - Cellebrite, CrowdStrike, Department of Homeland Security (DHS), FTI Consulting, IBM, JP Morgan Chase & Co., LinkedIn, Mandiant (now part of Google Cloud), Red Canary, USAA Tools & Artifacts - DVR/Multimedia - new entry added - Video/Image Analysis - Correct Optical Distortion Tools & Artifacts - Android - new entry added - Android - IMO…
Read More

AboutDFIR Site Content Update – 11/17/2023

Challenges & CTFs - new entries added - CTF Walkthrough - Cellebrite CTF 2023 - Abe (Forensafe), LetsDefend - Ransomware Attack (N00b_H@ck3r) Jobs - old entries cleaned up, new entries added - Ankura, Arete, Cadence, Lockheed Martin, Peraton, Tesla, TransPerfect Legal Tools & Artifacts - AWS - new entry added - Tools - cloudgrep Tools & Artifacts - Azure - new entry added - Tools - cloudgrep Tools & Artifacts - Google Cloud - new…
Read More

AboutDFIR Site Content Update – 11/10/2023

Challenges & CTFs - new entry added - CTF Walkthrough - Huntress Capture The Flag - A CTF Marathon (Doug Metz) Jobs - old entries cleaned up, new entries added - Palo Alto Networks Unit 42, Paramount, Rapid7, SentinelOne Tools & Artifacts - Android - new entries added - Android Acquisition - Data Extraction Cheatsheet, Android - Playstore - Investigating Android Playstore Search History Tools & Artifacts - AWS - new entry added - AWS…
Read More

AboutDFIR Site Content Update – 11/03/2023

Challenges & CTFs - new entries added - CTF - Dragos Capture The Flag 2023, Huntress Capture The Flag 2023, Cellebrite CTF 2023, CTF Walkthrough - Cellebrite CTF 2023 - Abe (Kevin Pagano), Cellebrite CTF 2023 - Felix (Kevin Pagano), Cellebrite CTF 2023 - Felix (Forensafe), Challenge #1 - Web Server Case (Joseph Moronwi) Jobs - old entries cleaned up, new entries added - Forensic Discovery LLC, Illinois State Police, Palo Alto Networks Unit 42,…
Read More

AboutDFIR Site Content Update – 10/27/2023

Home - new page created - AWS Home - new page created - Google Cloud Home - new page created - Google Workspace Home - new page created - Microsoft Azure Home - new page created - Microsoft 365 Jobs - old entries cleaned up, new entries added - Arete, Eli Lilly and Company, Fortinet, modePUSH, State Street, Sygnia, Uber Tools & Artifacts - Android - new entries added - Google Maps - Finding Phones…
Read More

AboutDFIR Site Content Update – 10/20/2023

Tools & Artifacts - Windows - new entries added - Prefetch - Artifacts of Execution: Prefetch - Part One, JLECmd - [DFIR TOOLS] JLECmd, what is it & how to use! Tools & Artifacts - Linux - new entry added - Linux Forensics - Investigating a Compromised Web Server Tools & Artifacts - DVR/Multimedia - new entries added - Image Analysis - Enhance a Backlit Scene, How To Reveal AI-generated Images by Checking Shadows and…
Read More

AboutDFIR Site Content Update – 10/13/2023

Tools & Artifacts - Windows - new entries added - Intrusion Analysis - Windows Artifacts For Intrusion Analysis: A Treasure Trove of Evidence, TeraCopy - Introducing TeraLogger, Timeline Analysis - Timeline Creation for Forensic Analysis Tools & Artifacts - macOS - new entry added - macOS - Sonoma - Sonoma’s log gets briefer and more secretive Tools & Artifacts - Linux - new entry added - Linux Forensics - Linux Forensics In Depth Tools &…
Read More

AboutDFIR Site Content Update – 10/06/2023

Tools & Artifacts - Windows - new entries added - ScreenConnect - From ScreenConnect to Hive Ransomware in 61 hours, UserAssist - Decoding Windows Registry Artifacts with Belkasoft X: UserAssist, USB Devices - Automated USB artefact parsing from the Registry Tools & Artifacts - iOS - new entry added - iOS15 - iOS 15 Image Forensics Analysis and Tools Comparison - Processing details and general device information Tools & Artifacts - Android - new entry…
Read More

AboutDFIR Site Content Update – 09/29/2023

Tools & Artifacts - Windows - new entry added - OneDriveExplorer - OneDriveExplorer ODL Parsing Issues Tools & Artifacts - iOS - new entries added - iOS Acquisition - iCloud Advanced Data Protection: Implications for Forensic Extraction Tools & Artifacts - Android - new entry added - Last SIM - Investigating Android Last SIM Tools & Artifacts - DVR/Multimedia - new entry added - Video/Image Analysis - Super Resolution from Different Perspectives Jobs - old…
Read More

AboutDFIR Site Content Update – 09/22/2023

Tools & Artifacts - Windows - new entry added - EventTransciptParser Tools & Artifacts - iOS - new entries added - iOS 17 - iOS 17 Forensics: Another Year, Another Byte of the Apple, iOS - iOS System Artifacts: Revealing Hidden Clues, iOS Acquisition - iOS Forensic Toolkit: Troubleshooting Low-Level Extraction Agent Tools & Artifacts - Android - new entry added - Android - Accounts - Investigating Android Accounts Tools & Artifacts - DVR/Multimedia -…
Read More

GX-FA Exam: My Experience

Introduction I recently attended the 2023 SANS DFIR Summit in Austin, TX when I saw an advertisement for the brand new GIAC Experienced Forensic Analyst (GX-FA) certification. SANS offered a discount for attendees that were interested in taking this exam and so I decided why not? The last GIAC exam I had taken was the GIAC Certified Forensic Analyst (GCFA) exam in December 2022 and so I found it to be very appropriate to follow…
Read More

AboutDFIR Site Content Update – 09/15/2023

Tools & Artifacts - Windows - new entries added - Level.io - RMM - Level.io: Forensic Artifacts and Evidence, OneDriveExplorer - What's New in OneDriveExplorer, Microsoft Edge - Microsoft Edge Forensics: Screenshot History  Tools & Artifacts - iOS - new entry added - WhatsApp - iOS WhatsApp Forensics with Belkasoft X Tools & Artifacts - Android - new entry added - Android - Contacts - Investigating Android Contacts Tools & Artifacts - DVR/Multimedia - new…
Read More

AboutDFIR Site Content Update – 09/08/2023

Tools & Artifacts - Windows - new entry added - Microsoft Remote Access VPN - Forensic Aspects of Microsoft Remote Access VPN Tools & Artifacts - Linux - new entry added - Walk-through of Dr. Ali Hadi's Web Server Case CTF Tools & Artifacts - iOS - new entry added - Telegram - Investigating iOS Telegram Tools & Artifacts - DVR/Multimedia - new entry added - Deblur a Moving Car Jobs - old entries cleaned…
Read More

The Key to Identify PsExec

Summary: In one way or another, PsExec - a wildly popular remote administration tool in the Microsoft SysInternals Suite - peeks its head in the wild. Threat actors tend to leverage PsExec for various reasons, such as executing commands or programs on a remote host in a victim’s environment, or for more nefarious reasons, such as deploying ransomware. The focus of this blog is to bring attention to a relatively new method of identifying the…
Read More