AboutDFIR Site Content Update – 02/23/2024

Jobs - old entries cleaned up, new entries added - Arete, Contact Discovery Services LLC, Huntress, Mandiant (now part of Google Cloud), Palo Alto Networks Unit 42, Surefire Cyber, Thames Valley Police, UCLA Health Tools & Artifacts - AWS - new entry added - AWS Incident Response - How to be IR Prepared in AWS Tools & Artifacts - Google Cloud - new entry added - Google Cloud Incident Response - Google Cloud Incident Response…
Read More

AboutDFIR Site Content Update – 02/16/2024

Jobs - old entries cleaned up, new entries added - Deloitte, IBM, NYU Langone Health, Warner Bros. Discovery Tools & Artifacts - Android - new entry added - Android - SMS - Investigating Android SMS Tools & Artifacts - iOS - new entry added - iOS Acquisition - Bootloader-Level Extraction for Apple Hardware Tools & Artifacts - Microsoft 365 - new entry added - Unified Audit Log (UAL) - What DFIR experts need to know…
Read More

AboutDFIR Site Content Update – 02/09/2024

Jobs - old entries cleaned up, new entries added - Adobe, Alight, Boston Consulting Group (BCG) Tools & Artifacts - Android - new entry added -  Android Acquisition - How to Acquire Digital Evidence with Android Screen Capturer in Belkasoft X Tools & Artifacts - iOS - new entries added - iOS Forensic Toolkit - iOS Forensic Toolkit: Mounting HFS Images in Windows, Snapchat - Investigating iOS Snapchat Tools & Artifacts - Linux - new…
Read More

AboutDFIR Site Content Update – 02/02/2024

Jobs - old entries cleaned up, new entries added - Kroll, Mandiant (now part of Google Cloud), OpenAI, Palo Alto Networks Unit 42 Tools & Artifacts - Google Workspace - new entry added - Google Drive File Stream (DriveFS) - Hunting for File Deletion Artifacts in Google File Stream Data Tools & Artifacts - iOS - new entry added -  iOS Voice Triggers - Investigating iOS Voice Triggers Tools & Artifacts - Windows - new…
Read More

AboutDFIR Site Content Update – 01/26/2024

Jobs - old entries cleaned up, new entries added - Accenture, Arete, Center For Internet Security (CIS), IBM, Red Canary, Surefire Cyber Tools & Artifacts - Android - new entries added - Android Acquisition - The Investigator’s Guide to Android Acquisition Methods. Part I: Device, Life360 - Analyzing Life360 on Android Tools & Artifacts - File Systems - new entries added - Tools - Indx2Csv, Tools - INDXRipper Tools & Artifacts - iOS - new…
Read More

AboutDFIR Site Content Update – 01/19/2024

Jobs - old entries cleaned up, new entries added - Arete, CyberClan, Kivu Consulting, modePUSH, Paramount Tools & Artifacts - DVR/Multimedia - new entry added - Video Analysis - Video Forensic Analysis of Samsung DVRs – Insights from 2024 Tools & Artifacts - iOS - new entries added - iOS Acquisition - When Extraction Meets Analysis: Cellebrite Physical Analyzer, iOS Calls - Investigating iOS Calls Tools & Artifacts - Windows - new entry added -…
Read More

AboutDFIR Site Content Update – 01/12/2024

Jobs - old entries cleaned up, new entries added - Atlassian, Cadence, Calix, CrowdStrike, SAIC Tools & Artifacts - AWS - new entries added - AWS Cloud Forensics - The Importance of Depth: Cloud Forensics Beyond Log Analysis, EC2 (Elastic Compute Cloud) - The Cado Platform can now Capture AWS EC2 Systems into E01 Format Tools & Artifacts - DVR/Multimedia - new entry added - ExifTool - ExifTool Basics for DFIR Tools & Artifacts -…
Read More

AboutDFIR Site Content Update – 01/05/2024

Jobs - old entries cleaned up, new entries added - ADP, Comcast, OpenText, Palo Alto Networks Unit 42, Paylocity, Prudential, State of Minnesota, United Airlines Tools & Artifacts - Android - new entries added - Android Unlocking - Android: Unlock and Rooting, Application Execution - Has the user ever used the XYZ application? aka traces of application execution on mobile devices, Instagram - Investigating Android Instagram Tools & Artifacts - iOS - new entries added -…
Read More

AboutDFIR Site Content Update – 12/29/2023

Jobs - old entries cleaned up, new entries added - ADP, Clear, NCC Group, Palo Alto Networks Unit 42, Pouvoir Judiciaire - Etat de Genève, Warner Bros. Discovery Tools & Artifacts - DVR/Multimedia - new entry added - Video/Image Analysis - Correct the Aspect Ratio of CCTV Footage Tools & Artifacts - Google Workspace - new entries added - Tools - DriveFS Sleuth, Google Drive File Stream (DriveFS) - DriveFS Sleuth — Your Ultimate Google…
Read More

AboutDFIR Site Content Update – 12/22/2023

Jobs - old entries cleaned up, new entries added - Arete, At-Bay, Kivu Consulting, Kroll, Notion, Palo Alto Networks Unit 42, Salesforce, Surefire Cyber Tools & Artifacts - Android - new entry added - Snapchat - Investigating Android Snapchat App Tools & Artifacts - DVR/Multimedia - new entry added - Video/Image Analysis - Measure Speed from Surveillance Video Tools & Artifacts - Linux - new entries added - Linux Forensics - Using the Unix-like Artifacts…
Read More

AboutDFIR Site Content Update – 12/15/2023

Jobs - old entries cleaned up, new entries added - AWS, Booz Allen Hamilton, CDW, Cyderes, Palo Alto Networks Unit 42, State Street, Verizon Challenges & CTFs - new entry added - CTF Walkthrough - Cellebrite CTF 2023 - Sharon (Forensafe) Tools & Artifacts - AWS - new entry added - CloudTrail - AWS CloudTrail Forensics - HTB Nubilum-1 Tools & Artifacts - iOS - new entry added - iTunes Backups - The Pitfalls of…
Read More

AboutDFIR Site Content Update – 12/08/2023

Jobs - old entries cleaned up, new entries added - Accenture, Booz Allen Hamilton, CDW, Cloudflare, Moderna, NCC Group Tools & Artifacts - Android - new entry added - Viber - Investigating Android Viber Tools & Artifacts - DVR/Multimedia - new entry added - Video/Image Analysis - Increase Exposure of Dark Footage Tools & Artifacts - Google Workspace - new entry added - Gmail - Dots do matter: Why dots in Gmail addresses impact Google…
Read More

AboutDFIR Site Content Update – 12/01/2023

Jobs - old entries cleaned up, new entries added - Magnet Forensics, NCC Group, Palo Alto Networks Unit 42, SentinelOne Tools & Artifacts - Android - new entries added - Android - Gmail - Investigating Android Gmail, WhatsApp - Forensic Duel: Exploring Deleted WhatsApp Messages—iOS vs Android Tools & Artifacts - AWS - new entry added - Tools - Cado's Import UI Tools & Artifacts - Azure - new entry added - Tools - Cado's…
Read More

AboutDFIR Site Content Update – 11/24/2023

Certifications & Training - new entry added - SANS - GX-PT Jobs - old entries cleaned up, new entries added - Cellebrite, CrowdStrike, Department of Homeland Security (DHS), FTI Consulting, IBM, JP Morgan Chase & Co., LinkedIn, Mandiant (now part of Google Cloud), Red Canary, USAA Tools & Artifacts - DVR/Multimedia - new entry added - Video/Image Analysis - Correct Optical Distortion Tools & Artifacts - Android - new entry added - Android - IMO…
Read More

AboutDFIR Site Content Update – 11/17/2023

Challenges & CTFs - new entries added - CTF Walkthrough - Cellebrite CTF 2023 - Abe (Forensafe), LetsDefend - Ransomware Attack (N00b_H@ck3r) Jobs - old entries cleaned up, new entries added - Ankura, Arete, Cadence, Lockheed Martin, Peraton, Tesla, TransPerfect Legal Tools & Artifacts - AWS - new entry added - Tools - cloudgrep Tools & Artifacts - Azure - new entry added - Tools - cloudgrep Tools & Artifacts - Google Cloud - new…
Read More

AboutDFIR Site Content Update – 11/10/2023

Challenges & CTFs - new entry added - CTF Walkthrough - Huntress Capture The Flag - A CTF Marathon (Doug Metz) Jobs - old entries cleaned up, new entries added - Palo Alto Networks Unit 42, Paramount, Rapid7, SentinelOne Tools & Artifacts - Android - new entries added - Android Acquisition - Data Extraction Cheatsheet, Android - Playstore - Investigating Android Playstore Search History Tools & Artifacts - AWS - new entry added - AWS…
Read More

AboutDFIR Site Content Update – 11/03/2023

Challenges & CTFs - new entries added - CTF - Dragos Capture The Flag 2023, Huntress Capture The Flag 2023, Cellebrite CTF 2023, CTF Walkthrough - Cellebrite CTF 2023 - Abe (Kevin Pagano), Cellebrite CTF 2023 - Felix (Kevin Pagano), Cellebrite CTF 2023 - Felix (Forensafe), Challenge #1 - Web Server Case (Joseph Moronwi) Jobs - old entries cleaned up, new entries added - Forensic Discovery LLC, Illinois State Police, Palo Alto Networks Unit 42,…
Read More

AboutDFIR Site Content Update – 10/27/2023

Home - new page created - AWS Home - new page created - Google Cloud Home - new page created - Google Workspace Home - new page created - Microsoft Azure Home - new page created - Microsoft 365 Jobs - old entries cleaned up, new entries added - Arete, Eli Lilly and Company, Fortinet, modePUSH, State Street, Sygnia, Uber Tools & Artifacts - Android - new entries added - Google Maps - Finding Phones…
Read More

AboutDFIR Site Content Update – 10/20/2023

Tools & Artifacts - Windows - new entries added - Prefetch - Artifacts of Execution: Prefetch - Part One, JLECmd - [DFIR TOOLS] JLECmd, what is it & how to use! Tools & Artifacts - Linux - new entry added - Linux Forensics - Investigating a Compromised Web Server Tools & Artifacts - DVR/Multimedia - new entries added - Image Analysis - Enhance a Backlit Scene, How To Reveal AI-generated Images by Checking Shadows and…
Read More

AboutDFIR Site Content Update – 10/13/2023

Tools & Artifacts - Windows - new entries added - Intrusion Analysis - Windows Artifacts For Intrusion Analysis: A Treasure Trove of Evidence, TeraCopy - Introducing TeraLogger, Timeline Analysis - Timeline Creation for Forensic Analysis Tools & Artifacts - macOS - new entry added - macOS - Sonoma - Sonoma’s log gets briefer and more secretive Tools & Artifacts - Linux - new entry added - Linux Forensics - Linux Forensics In Depth Tools &…
Read More

AboutDFIR Site Content Update – 10/06/2023

Tools & Artifacts - Windows - new entries added - ScreenConnect - From ScreenConnect to Hive Ransomware in 61 hours, UserAssist - Decoding Windows Registry Artifacts with Belkasoft X: UserAssist, USB Devices - Automated USB artefact parsing from the Registry Tools & Artifacts - iOS - new entry added - iOS15 - iOS 15 Image Forensics Analysis and Tools Comparison - Processing details and general device information Tools & Artifacts - Android - new entry…
Read More

AboutDFIR Site Content Update – 09/29/2023

Tools & Artifacts - Windows - new entry added - OneDriveExplorer - OneDriveExplorer ODL Parsing Issues Tools & Artifacts - iOS - new entries added - iOS Acquisition - iCloud Advanced Data Protection: Implications for Forensic Extraction Tools & Artifacts - Android - new entry added - Last SIM - Investigating Android Last SIM Tools & Artifacts - DVR/Multimedia - new entry added - Video/Image Analysis - Super Resolution from Different Perspectives Jobs - old…
Read More

AboutDFIR Site Content Update – 09/22/2023

Tools & Artifacts - Windows - new entry added - EventTransciptParser Tools & Artifacts - iOS - new entries added - iOS 17 - iOS 17 Forensics: Another Year, Another Byte of the Apple, iOS - iOS System Artifacts: Revealing Hidden Clues, iOS Acquisition - iOS Forensic Toolkit: Troubleshooting Low-Level Extraction Agent Tools & Artifacts - Android - new entry added - Android - Accounts - Investigating Android Accounts Tools & Artifacts - DVR/Multimedia -…
Read More

AboutDFIR Site Content Update – 09/15/2023

Tools & Artifacts - Windows - new entries added - Level.io - RMM - Level.io: Forensic Artifacts and Evidence, OneDriveExplorer - What's New in OneDriveExplorer, Microsoft Edge - Microsoft Edge Forensics: Screenshot History  Tools & Artifacts - iOS - new entry added - WhatsApp - iOS WhatsApp Forensics with Belkasoft X Tools & Artifacts - Android - new entry added - Android - Contacts - Investigating Android Contacts Tools & Artifacts - DVR/Multimedia - new…
Read More

AboutDFIR Site Content Update – 09/08/2023

Tools & Artifacts - Windows - new entry added - Microsoft Remote Access VPN - Forensic Aspects of Microsoft Remote Access VPN Tools & Artifacts - Linux - new entry added - Walk-through of Dr. Ali Hadi's Web Server Case CTF Tools & Artifacts - iOS - new entry added - Telegram - Investigating iOS Telegram Tools & Artifacts - DVR/Multimedia - new entry added - Deblur a Moving Car Jobs - old entries cleaned…
Read More

AboutDFIR Site Content Update – 07/15/2023

Tools & Artifacts - Windows - new entries added - qBittorrent, Recycle Bin, and Steam Tools & Artifacts - Android - new entry added - Yandex Mail Tools & Artifacts - File Systems - new entry added - $MFT Annual Industry Reports - proofpoint, Verizon, & Orange Cyberdefense Forensicators of DFIR - Fabian Mendoza Jobs - old entries cleaned up, new entries added - Optiv, UST, BetterUp, Stripe, TJX Companies, Rapid7, T Rowe Price, Blackbaud,…
Read More

AboutDFIR Site Content Update – 06/03/2023

Tools & Artifacts - Windows - new entries added - Jumplist - Windows 10, RDP, Event Logs - Hidden Insights, VMware Workstation Memory Analysis, WMI Events, and another Windows Management Instrumentation (WMI) Tools & Artifacts - MacOS - new entry added - Tool List, mac_apt, APOLLO, and fseventd parser Tools & Artifacts - iOS - new entries added - iOS 15 Image (also added to Tool Testing) and Location & Device Data  Tools & Artifacts -…
Read More

AboutDFIR Site Content Update – 05/20/2023

Tools & Artifacts - Windows - new entry added - INetCache Tools & Artifacts - iOS - new entries added - IPA Files, Jailbreak (iOS 15), Anonymous Chat Rooms (Dating App), & iOS Shortcuts Tools & Artifacts - Android - new entries added - Jami and Gboard & Clipboard Training & Certifications - Cyber5W Courses & CCDFA Jobs - old entries cleaned up, new entries added - HM Revenue and Customs Stratford, Sirius XM, Arete,…
Read More

AboutDFIR Site Content Update 05/06/2023

Tools & Artifacts - Windows - new entries added - Adobe Acrobat Reader (link updated), Windows 11 GUID Partition Scheme (GPT), Windows Search Index, & Windows Artifacts General Reference Tools & Artifacts - iOS - new entry added - iPhone PINs & iOS Artifact Reference  Jobs - old entries cleaned up, new entries added - Flashpoint, Cellebrite, Raytheon, Nozomi Networks, Radware, Marriott, & Stripe Don't forget to submit any missing forensicators to our Forensicators of…
Read More

AboutDFIR Site Content Update 04/22/2023

Tools & Artifacts - Windows - new entries added - Memories & pCloud Tools & Artifacts - Android - new entry added - WiFi Annual Industry Reports - new entries added - PwC, Sophos Labs, & Unit 42 Jobs - old entries cleaned up, new entries added - SecureWorks, Varonis, Prudential Financial, Amazon, Kimberly Clark, Voya, Pacific Northwest National Lab, & Microsoft Forensicators of DFIR - cleaned up some dead links and added Derek Eiri…
Read More

AboutDFIR Site Content Update 04/08/2023

Tools & Artifacts - Windows - new entry added - Hayabusa (tool), BitTorrent, Avira Antivirus, GoToMeeting, AnyDesk Tools & Artifacts - Android - new entry added - SetupWizard Tools & Artifacts - iOS - new entry added - Locked Data Annual Industry Reports - new entries added - proofpoint, Arctic Wolf, Avast, BeyondTrust, Blackberry, Check Point, Cisco, Cisco, Veeam, IBM X-Force, Kaspersky, Mandiant, McAfee, Meta, ODNI Jobs - old entries cleaned up, new entries added…
Read More

AboutDFIR Site Content Update 03/25/2023

Tools & Artifacts - Windows - new entries added - BitComet & imo (Messenger) Tools & Artifacts - Linux - new entries added - Image Mounting & Memory Acquisition Tools & Artifacts - MacOS - new entry added - Safari Tools & Artifacts - iOS - new entry added - Deleted Messages Tool Testing - new entries added - Android 13 (x2) Annual Reports - new entries added - FBI Internet Crime Report & Red…
Read More

AboutDFIR Site Content Update 03/11/23

Tools & Artifacts - Windows - new entries added - Artifacts: AVG Antivirus, Windows Mail, USB Connection Times, Remote Access Software, 1Password, & Unigram | Tools: Dissect, Dumpit, & Timesketch Annual Reports - new entries added - RiskLens, Cyble, BD, TrendMicro, Recorded Future, Any.Run, SonicWall, IBM Security X-Force, CrowdStrike, & Datto Jobs - old entries cleaned up, new entries added - Progressive, Oracle, Warner Bros. Discovery, Antigen Security, Sirius XM, & Activision Forensic 4:cast awards…
Read More

AboutDFIR Site Content Update 01/28/2023

Tools & Artifacts - Windows - new entries added - LNK Files, Malwarebytes, PsExec, and Prefetch Tools & Artifacts - Android - new entries added - uTorrent and Garmin Connect Tools & Artifacts - File Systems - new entry added - $Security Jobs - old entries cleaned up, new entries added - Raytheon, Charles Schwab, Vanderbilt University, Cisco Talos, IHG Hotels & Resorts, Costco, Trustwave Government Solutions, Toyota Tsusho Systems US, Inc, and Columbia Sportswear…
Read More

AboutDFIR Site Content Update 12/31/22

Tools & Artifacts - Windows - new entry added - Event Logs (Cheat Sheet), Google Drive FS, File Explorer - Temporary Zip Folders, and Kaspersky Antivirus Tools & Artifacts - MacOS- new entry added - Logs - Unified Log Rolling Tools & Artifacts - Android - new entry added - Tusky Jobs - old entries cleaned up, new entries added - ADP, Pearson, Dell Secureworks, GEICO, United Airways, Xerox, Broadcom, and Malwarebytes AboutDFIR stickers are still…
Read More

AboutDFIR Site Content Update 12/17/22

Tools & Artifacts - Windows - new entry added - Defender Tools & Artifacts - iOS- new entries added - Dual SIM Phones, Photos.sqlite - ZINTERNALRESOURCE, Cache.db Tools & Artifacts - Android - new entries added - Sygic, Dual SIM Phones, Mastodon, Android 13 Image SANS Difference Makers Awards - Will update our page soon, but here's a recording of the Ceremony Jobs - old entries cleaned up, new entries added - Yahoo, Detego, and…
Read More

AboutDFIR Site Content Update 12/3/22

Tools & Artifacts - Windows - new entries added - MUICache and FeatureUsage/Taskbar Tools & Artifacts - iOS- new entry added - Facebook Messenger and AppIntent Jobs - old entries cleaned up, new entries added - CISA, Deloitte, Reddit, DigitalOcean, Durham Police Department, SEROCU, and Tracepoint Page of the Month - SANS Posters - new and updated posters have been added. (This has become more of a "Resource of the Month" so I'm going to…
Read More

AboutDFIR Site Content Update 11/22/22

Tools & Artifacts - Windows - new entries added - iTunes, Recent Items, and Email Forensics Tools & Artifacts - Linux - new entry added - Linux History File Timestamps Tools & Artifacts - Android - new entry added - Bumble Jobs - old entries cleaned up, new entries added - Peloton, Edgewater, and LiveNation Entertainment Leading right into U.S. Thanksgiving, I need to give a huge thank you to Alex (you may know him…
Read More

AboutDFIR Site Content Update 11/6/22

Tools & Artifacts - Windows - new entries added - LogMeIn, ExpressVPN, Time Rules (Win11), SRUM, Quick Access, FileZilla, WSH, OneDrive in $MFT, VirtualBox, Chrome Deleted History, File Extension Associations, Browser Artifacts, Registry, and OneDrive. Tools & Artifacts - Android - new entry added - Kik Messenger and Android Reset Data Tools & Artifacts - iOS - new entries added - Deleted SMS/iMessage, KnowledgeC.db Notifications, and Sysdiagnose Tools & Artifacts - File Systems - new…
Read More

AboutDFIR Site Content Update 10/9/22

Tools & Artifacts - Windows - new entries added - Slack, Event Log Access, ProtonVPN, Hintfo Tools & Artifacts - Android - new entry added - Device Health Services Tools & Artifacts - iOS - new entries added - AppInstalls, AppLaunch, & AppIntents, Carplay, Safari, Siri, Unsent Messages, KnowledgeC.db Jobs - old entries cleaned up, new entries added - ZenDesk, Binary Defense, Circle, Charles Schwab, and AllState AboutDFIR stickers are still a thing! If you're interested…
Read More

AboutDFIR Site Content Update 9/24/22

Tools & Artifacts - Windows - new entries added - Microsoft Management Console MRU, File Carving, WordPad Recent Files, SDeleted Files, MRU, File Signature and Hash Analysis, Desktop Wallpaper, Windows Startup Programs, Microsoft Teams, and Email Forensics Tools & Artifacts - Android - new entry added - Forensic References Tools & Artifacts - iOS - new entry added - DFU: iPhone 8, 8 Plus, and iPhone X and Shared with You Syndication Photo Library Jobs…
Read More

AboutDFIR Site Content Update 9/10/22

Updates! Tools & Artifacts - Windows - new entries added - ShimCache, YARA Rules, AnyDesk, Registry, WinZip, Swapfile URLs, viber.db Tools & Artifacts - MacOS - new entry added - Unified Logs Tools & Artifacts - iOS - new entry added - Apple Health Jobs - old entries cleaned up, new entries added - KPMG, Deloitte, Cisco, Microsoft, Charles River Associates, Coalfire, Amazon, EY, and Raytheon Technologies Forensicators of DFIR - new entry added -…
Read More

AboutDFIR Site Content Update 8/27/22

The Forensic 4:cast Awards were announced. While we wait for the official posting, feel free to check my SANS DFIR Summit link collection for the results towards the bottom. I will add the official link to the Awards page on here as soon as I can.  Tools & Artifacts - Windows - new entries added - SQLite Databases, Recents Folder, Last Shutdown Jobs - old entries cleaned up, new entries added - Trellix, Bank of…
Read More

AboutDFIR Site Content Update 8/14/22

Sunday fun day post! SANS DFIR Summit this week! I will be collecting links as usual and stashing them here.  Big community news for tomorrow! The DFIR Discord will be publishing their crowdsourced book - The Hitchhiker's Guide to DFIR: Experiences From Beginners and Experts! There are chapters on everything from the history of the server to malware analysis to CTFs. While this version will be released tomorrow, there are additional chapters in the works.…
Read More

AboutDFIR Site Content Update 7/30/22

The site update is busy this week!  SANS Security Awareness Summit is next week Aug 3 & 4 and is still doing hybrid/virtual. This means you can still sign up to attend virtually for free today! The suggested attendees include CISOs, Security Engineers/Architects, Education/Training professionals, and Compliance/Legal/Auditing professionals. Topics include Phishing, Office365, Equifax, Metaverse, Psychology, Human Risk, and staying safe online. Tools & Artifacts - Windows - new entries added - Browser Downloads, Machine SID,…
Read More

AboutDFIR Site Content Update 7/16/22

Forensic 4:cast Award voting is now open!  Tools & Artifacts - Windows - new entries added - Event Tracing (ETW), Event Logs, Registry Hive Bins, ADS Zone.Identifier, Profiles, 360 Secure Browser, and Windows Management Instrumentation (WMI) Tools & Artifacts - Android - new entry added - Session Tools & Artifacts - iOS - new entry added - Speed/ZRTCLLOCATIONMO Jobs - old entries cleaned up, new entries added - ZeroFox, PWC, Gartner, Zoom, Cisco, Sophos, and Arctic…
Read More

AboutDFIR Site Content Update 7/2/22

Summer is ramping up and July seems to be a somewhat light month for updates. I'm hoping this means everyone is getting to enjoy some time to themselves doing whatever it is that you enjoy!  Featured Page of the Month - A link to "The Effect of Ransomware After The Investigation" authored by Devon. Read up on how ransomware can impact people and businesses. Tools & Artifacts - Windows - new entries added - Memory…
Read More

AboutDFIR Site Content Update 6/18/22

SANS held their first Ransomware Summit this week. If you missed it, I grabbed all the links I could and the sessions will be shared by SANS on Youtube soon. I especially liked Kunal Shandil's talk, "Multifaceted Extortion: Analysis of Data Exfiltration TTPs Used by Ransomware Threat Actors" and Jeffry Lang's break down "Kaseya Ransomware Reaction - Lessons Learned".  Tools & Artifacts - Windows - new entries added - Logfile, Tasks, Powershell Logs, VSS Carver,…
Read More

AboutDFIR Site Content Update 6/4/22

Surprise, not surprise, I posted the research!  Informally, I'd like to break down a little more what it could be useful for. App Timeline Provider logs mouse, keyboard, and audio activity for apps that are in focus on Windows 8+ machines. If you have mouse and keyboard activity within an app, you're validating that the window was "in focus" and that it was interacted with. If you have audio input and audio output, you can…
Read More

AboutDFIR Site Content Update 5/21/22

This post is a bit lighter than recently but it's because I've been working on my own research! Hopefully I'll be posted it here in the next week or two in time for the next update. Convenient that today is World Whisky Day because, after all that, I could use a drink.  New Site Post - The Effect of Ransomware After The Investigation by Devon Ackerman Tools & Artifacts - Windows - new entries added…
Read More