28 Jan 2022
By Cassie Doemel

A Conversation about Transitioning to Incident Response

In working on AboutDFIR the last couple months, I’ve come to learn that while digital forensics and incident response share some basic foundational knowledge, they are widely different in practice. I’ve taken SANS FOR500: Windows Forensic Analysis and have been reading the recent articles about vulnerabilities, and have to say it’s been a series of eye-openers, especially coming from a law enforcement digital forensic background, as to how evidence and analysis can differ depending on…
Read More
22 Aug 2021
By Tony Knutson

SOF-ELK and Integration with KAPE

Archer: FX  Amazing how fast time flies when you're juggling so much during the trying times we all have since 2020! At at the time of publishing this article, we are all still facing a lot of uncertainties. I hope time has been gracious to you all...and continues to be!  Why this post?  As we push through some very trying times in the Digital Forensic and Incident Response world, there are two things I've experienced…
Read More
17 Dec 2020
By Andrew Rathbun

Introducing AboutDFIR’s MFT Explorer/MFTECmd Guide

Greetings everyone! I’ve been working on a detailed guide geared towards LE/Private Sector examiners who’ve never used MFT Explorer/MFTECmd before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. The MFT Explorer/MFTECmd Guide comes on the heels of the previous guides I put together recently: KAPE, Timeline Explorer, and Registry Explorer/RECmd. All guides,…
Read More
06 Oct 2020
By Andrew Rathbun

Introducing AboutDFIR’s Registry Explorer/RECmd Guide

Greetings everyone! I’ve been working on a detailed guide geared towards LE/Private Sector examiners who’ve never used Registry Explorer/RECmd before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. The Registry Explorer/RECmd Guide comes on the heels of the previous guides I put together recently: KAPE and Timeline Explorer . All guides, current…
Read More
05 Sep 2020
By Andrew Rathbun

Join Devon Ackerman on Cache Up

Cache Up is a series ran by Jessica Hyde of Magnet Forensics. Our very own Devon Ackerman will be featured on the Tuesday, September 8th episode at 1100 hours EST. If you can't make it live, then watch the recording on the Magnet Forensics YouTube channel in the Cache Up playlist. See you there! EDIT: Link is now posted here.
Read More
19 Aug 2020
By Andrew Rathbun

Introducing AboutDFIR’s Timeline Explorer Guide

Greetings everyone! I’ve been working on a detailed guide geared towards LE/Private Sector examiners who’ve never used Timeline Explorer before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. This guide for Timeline Explorer comes on the heels of last month's release of the KAPE Guide. It can also be currently located in…
Read More
04 Aug 2020
By Andrew Rathbun

SANS FOR508: A Review

Introduction I recently attended the SANS DFIR Summit 2020 and took FOR508 with Chad Tilbury. I elected to take the GCFA certification which I am currently preparing for and creating my index similar to how I laid out in a previous blog post. At Kroll, FOR500 and FOR508 are our daily bread and butter so I was very excited to finally take FOR508. LiveOnline Review First things first, let's cover the new format SANS is…
Read More
18 Jul 2020
By Andrew Rathbun

Introducing AboutDFIR’s KAPE Guide

Greetings everyone! I've been working on a detailed guide geared towards LE/Private Sector examiners who've never used KAPE before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. The guide can be found here. It can also be currently located in the site's recently redesigned menu via Tools & Artifacts -> Tools ->…
Read More
10 Jul 2020
By Tony Knutson

DFIR Without Certs – What Books Can Help You

This has been an absolute long time coming from me, I think! The reason for this is during the crazy times we currently live in here in 2020, this is probably something I should have worked on much earlier to give folks a bit of a leg up on some reading material. Coming full circle, I feel this is something that really needs to be updated within our field. One of the few places where…
Read More
18 Apr 2020
By Andrew Rathbun

A General Overview of DFIR Resources

Introduction The world of Digital Forensics and Incident Response (DFIR) is so expansive that it's impossible for one person to know it all, let alone a fraction of it. To combat this, one must first be aware of and second utilize the resource that's best catered to the issue at hand. There are multiple resources out there that digital forensic examiners and incident responders should be aware of.  Not all resources are created equal nor…
Read More
17 Dec 2019
By Tony Knutson

Jailbreaking – Checkra1n Configuration

In this installment, I felt that I should discuss how to use Checkra1n, and how to actually get into the device via 2 methods: localhost (tethered) and WiFi (untethered). This is not a blog to discuss how Checkra1n is doing, what it is doing, or what Checkm8 is doing prior to the device booting. Additionally, you do this at your own risk. Just because it works on one device does not mean it'll work on…
Read More
19 Aug 2019
By Andrew Rathbun

InfoSec News Nuggets 08/19/2019

1 Apple's warning: Break Safari's web-tracking rules and we'll hit back ITP broadly aims to limit marketers from tracking iOS and macOS Safari users across different websites, but without impeding a marketer's ability to measure the performance of their online ads. The document outlines what Apple considers to be tracking, different types of tracking, the types it will prevent, and how it treats any attempt to bypass its anti-tracking measures. The company warns it will…
Read More
17 Aug 2019
By Devon

Holiday Hack Sneak Peek 2019

It seems the SANS Annual Holiday Hack Challenge buzz begins earlier and earlier every year.  This year is no exception.  My first HolidayHack CheatSheet of the season is here! HUGE shout-out to our Red Team mole, Stephen Sampana for infiltrating Ed Skoudis' party in Vegas during BlackHat/DEFCON/BSides week and reporting back clues. Download v1.0 of my Kringle Con CheatSheet NOW! Enjoy! In other news, I've added some new items to our site that may interest…
Read More
04 Apr 2019
By Tony Knutson

Magnet User Summit 2019 Impressions

I wanted to make a quick note to start the blogging back up again (yes, I know -- don't judge me!) by discussing a recent Digital Forensics Summit that took place during the first week of April here in the United States. While there is some bias to this since both Devon and myself did present at the Summit, there is in no way, shape or form any endorsement or payment from Magnet for what…
Read More
13 Jan 2019
By Devon

Forensic Tools

Forensic tools, whether software or hardware, or just like traditional forensic science tools - they are designed by humans and typically meant to be used by trained users who understand both the artifacts they are processing as well as the results produced by the tool. Some tools are as simple as a USB write blocker - you plug one end into a computer, you plug a USB device into the other end, and it "just…
Read More
06 Jan 2019
By Devon

Episode 886: The Price Of A Hack

"The Price of a Hack" w/Chris DiIenno of Mullen Coughlin LLC law firm, experts in legal advice following or during a cyber security event, along w/Dina Temple-Raston of NPR. This piece was born out of a prior Kroll Cyber Risk digital forensics and incident response-related investigation, directed by legal counsel, to assist a client they was preyed upon via a Business Email Compromise-oriented targeting scheme. NPR Planet Money - Episode 886 "The Price Of A…
Read More
03 Jan 2019
By Devon

Android Nougat Image Available to the DFIR Community

Joshua Hickman has created, for the DFIR community, an image of Android 7.x (Nougat) populated with apps and test data for a wide range of usage - everything from testing tools to training to teaching. It was created using a stock Android image from Google.  Several popular applications (apps) were populated with user data utilizing the capabilities of each individual app.  The stock Android apps were also populated with user data. An LG Nexus 5x,…
Read More
18 Nov 2018
By Devon

Office 365 DFIR

A planned methodology for developing and implementing a forensically sound incident response plan in Microsoft’s Office 365 cloud environment must be thoroughly researched and re-evaluated over time as the system evolves, new features are introduced, and older capabilities are deprecated. This presentation will walk through the numerous forensic, incident response, and evidentiary aspects of Office 365. The presentation is based on two years’ worth of collection of forensics and incident response data in Microsoft’s Office…
Read More
12 Dec 2017
By Devon

Rick Kiper’s Research Project

A personal friend and FBI colleague of mine, Rick Kiper, has a research project that he is currently working on for Forensics.  The next phase of his research study is to develop a digital forensics tool typology. Basically, the goal is to identify the most important characteristics of digital forensics tools, so that a forensic examiner may be able to quickly assess and select a digital forensics tool appropriate for a particular task.  The goal…
Read More
22 Jul 2017
By Devon

Yandex.ru and Intrusion Investigations

Quite often I notice that unauthorized actors who compromise RDP access will execute a native web browsing application and navigate to a website such as whoer.net to enumerate browser header information, IP address, ISP, and a smattering of other host identification information.  In reviewing these cases with forensic tools, I would also quite often see a hit for https://mc.yandex.ru/metrika/watch.js.  Observing a .ru domain hit usually raises my suspicion level a bit, but I could not…
Read More