AboutDFIR Site Content Update 8/14/22

Sunday fun day post! SANS DFIR Summit this week! I will be collecting links as usual and stashing them here.  Big community news for tomorrow! The DFIR Discord will be publishing their crowdsourced book - The Hitchhiker's Guide to DFIR: Experiences From Beginners and Experts! There are chapters on everything from the history of the server to malware analysis to CTFs. While this version will be released tomorrow, there are additional chapters in the works.…

AboutDFIR Site Content Update 7/30/22

The site update is busy this week!  SANS Security Awareness Summit is next week Aug 3 & 4 and is still doing hybrid/virtual. This means you can still sign up to attend virtually for free today! The suggested attendees include CISOs, Security Engineers/Architects, Education/Training professionals, and Compliance/Legal/Auditing professionals. Topics include Phishing, Office365, Equifax, Metaverse, Psychology, Human Risk, and staying safe online. Tools & Artifacts - Windows - new entries added - Browser Downloads, Machine SID,…

AboutDFIR Site Content Update 7/16/22

Forensic 4:cast Award voting is now open!  Tools & Artifacts - Windows - new entries added - Event Tracing (ETW), Event Logs, Registry Hive Bins, ADS Zone.Identifier, Profiles, 360 Secure Browser, and Windows Management Instrumentation (WMI) Tools & Artifacts - Android - new entry added - Session Tools & Artifacts - iOS - new entry added - Speed/ZRTCLLOCATIONMO Jobs - old entries cleaned up, new entries added - ZeroFox, PWC, Gartner, Zoom, Cisco, Sophos, and Arctic…

AboutDFIR Site Content Update 7/2/22

Summer is ramping up and July seems to be a somewhat light month for updates. I'm hoping this means everyone is getting to enjoy some time to themselves doing whatever it is that you enjoy!  Featured Page of the Month - A link to "The Effect of Ransomware After The Investigation" authored by Devon. Read up on how ransomware can impact people and businesses. Tools & Artifacts - Windows - new entries added - Memory…

AboutDFIR Site Content Update 6/18/22

SANS held their first Ransomware Summit this week. If you missed it, I grabbed all the links I could and the sessions will be shared by SANS on YouTube soon. I especially liked Kunal Shandil's talk, "Multifaceted Extortion: Analysis of Data Exfiltration TTPs Used by Ransomware Threat Actors" and Jeffry Lang's breakdown "Kaseya Ransomware Reaction - Lessons Learned".  Tools & Artifacts - Windows - new entries added - Logfile, Tasks, Powershell Logs, VSS Carver,…

AboutDFIR Site Content Update 6/4/22

Surprise, not surprise, I posted the research!  Informally, I'd like to break down a little more what it could be useful for. App Timeline Provider logs mouse, keyboard, and audio activity for apps that are in focus on Windows 8+ machines. If you have mouse and keyboard activity within an app, you're validating that the window was "in focus" and that it was interacted with. If you have audio input and audio output, you can…

AboutDFIR Site Content Update 5/21/22

This post is a bit lighter than recently but it's because I've been working on my own research! Hopefully I'll be posting it here in the next week or two in time for the next update. Convenient that today is World Whisky Day because, after all that, I could use a drink.  New Site Post - The Effect of Ransomware After The Investigation by Devon Ackerman Tools & Artifacts - Windows - new entries added…

AboutDFIR Site Content Update 5/7/22

Thursday was World Password Day! While I'm sure anyone who finds this page has an excellent professional and personal password policy and/or password manager, don't also forget to convince your friends and family to review their passwords. World Password Day was covered differently by different organizations but the sentiment from me remains - if you're set, make sure those you care about are as well.  Annual Industry Reports - new entries added - PwC Threat Report,…

AboutDFIR Site Content Update 4/23/22

Big thing right up front - this is the last site update before the Forensic 4:Cast nominations close -  click here to nominate your favorite or most useful resources!  Annual Industry Reports - new entries added - RIA, Arctic Wolf, and Meta Jobs - new entries added - Raytheon Intelligence & Space, Zachary Piper Solutions, Cognizant, Kyndryl, and Center for Internet Security Tools & Artifacts - Windows - new entries added - Windows Registry, a graphing…

AboutDFIR Site Content Update 4/9/22

Keeping it short and sweet today. Hope you're all doing well! Annual Industry Reports - new entry added - 2022 Cyberthreat Defense Report & Cyber Security Breaches Survey 2022 Jobs - new entries added and old cleaned up - New positions include: Kroll, Peraton, Crowdstrike, Secureworks, and the Federal Public Defender's Office in Los Angeles Tools & Artifacts - Windows - new entries added - Pagefile URLs, Battery Levels, & PowerShell Scripts Tools & Artifacts -…

AboutDFIR Site Content Update 3/26/22

Happy start of Spring to those in the Northern Hemisphere! Are you in our Forensicators of #DFIR list? If not, maybe you'd like to check out those who are listed there or submit yourself as a resource. Just one of the areas I've been looking at for potential site updates. Speaking of... Annual Industry Reports - new entries added  Jobs - new entries added Scholarships - new entries added/updated - Thanks again to Dave G for…

AboutDFIR Site Content Update 3/12/22

Don't forget to Spring Forward tomorrow for those of us that observe daylight savings time! Losing that hour of sleep isn't my favorite but it sounds like it's bringing a bit of warm weather and I'm ready for it. Jobs - new entries added  Annual Industry Reports - new entries added Tools & Artifacts - Windows - new entries added Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS -…

AboutDFIR Site Update 2/26/22

It's been a busy two weeks on AboutDFIR so I'll get right to the updates! Jobs - new entries added  Annual Industry Reports - new entries added Tools & Artifacts - Windows - new entries added Tools & Artifacts - Android - new entries added OSINT Opt-Out Guide - entries added/updated, name changed Early update to the Featured Page of the Month for March On the topic of the Featured Page of the Month, Mark…

AboutDFIR Site Update 2/12/22

While science may not entirely support it, Punxsutawney Phil announced 6 more weeks of winter. Hopefully the prediction also includes no extra static in the DFIR world! On to the site updates: Jobs - new entries added  Tools & Artifacts - Windows - new entries added Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS - new entries added Training & Certifications - new entries added focused on macOS forensics…

AboutDFIR Site Content Update 1/29/22

It's National Puzzle Day today! DFIR can be a little like a puzzle -- looking for the pieces to put together to see the bigger picture. Since I don't have a quick DFIR puzzle, here's a small distraction in the form of the Daily Mini Crossword Puzzle from the New York Times. If you don't like Crosswords, you could try the daily word puzzle that's taken over Twitter as of late - Wordle. On to…

AboutDFIR Site Content Update 1/15/22

It's hard to believe we're already halfway through January! As for the site updates: Jobs - new entries added  Tools & Artifacts - Windows - new entries added Tools & Artifacts - Android - new entries added DFIR Research - updated links AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: In case you missed it, Abhiram Kumar wrote a post about his experience with…

AboutDFIR Site Content Update 1/1/22

Happy New Year!! Here's hoping 2022 brings good things to you and yours!  As for the site updates: Jobs - new entries added  Tools & Artifacts - Windows - new entries added Tools & Artifacts - Android - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: In case you missed it, Andrew Rathbun appeared on Chewing the FAT with Phil & Adam…

AboutDFIR Site Content Update 12/18/21

Happy Holidays, Round 2! Merry early Christmas! Happy late Hanukkah! Happy early Winter Solstice! Happy early Kwanzaa! If I missed something you celebrate, I apologize but I hope it's amazing. I also hope the DFIR world this time of year is far less exciting through the upcoming holidays than it has been with the log4j/log4shell surprises on the IR side. As for the site updates: Jobs - new entries added (updated weekly) Tools & Artifacts…

AboutDFIR Site Content Update 12/4/21

Happy Holidays! It's the first post in December so you're probably going to see that greeting at least once more. Speaking of holidays, it's almost Holiday Hack time! Sign up to be notified for the SANS Holiday Hack and KringleCon 2021 talks at this link or try your hand at the 2020 Holiday Hack while you wait. Don't know what the Holiday Hack is? "The SANS Holiday Hack Challenge is a FREE series of super…

AboutDFIR Site Content Update 11/20/21

Hope everyone has a fantastic weekend and if you celebrate, hope you have a Happy Thanksgiving! Jobs - new entries added  Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: In case you missed it, SANS Pen Test HackFest Summit & Training 2021 link board is complete.…

AboutDFIR Site Content Update 11/6/21

First update of November!  Jobs - new entries added - added expiration column Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: Looking forward to attending SANS Pen Test HackFest Summit & Training 2021 - Live Online. The free virtual summit portion is November 15 & 16…

AboutDFIR Content Update 10/23/21

End of October update! Jobs - new entries added - added expiration column Annual Industry Reports - new entries added Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: Looking forward to attending SANS Pen Test HackFest Summit…

AboutDFIR Content Update 10/09/2021

Over the last year with the new virtual options for SANS Summits, I've started attending a few and each time I've saved the links I could from the Slack before it goes down at night. Yesterday was the last day of the SANS Threat Hunting Summit so I have a new start.me board full of links for you to view if you're interested! SANS Threat Hunting Link List. Just a few site updates this round!…

AboutDFIR Content Update 9/25/2021

I've been crawling through some of the older content on AboutDFIR and making some updates. If there's something you think needs more immediate attention, don't hesitate to throw a note in the site feedback form and I can start there. Annual Industry Reports - new entries added Law Enforcement Opt-Out Guide - new entries and updates Tools & Artifacts - Windows - new entries added, old entries updated AboutDFIR stickers are a thing! If you're…

AboutDFIR Content Update 9/11/2021

Cassie bringing the update this week! I'm immersing myself in the DFIR world so it made sense to couple that up with some research and doing the Site Update was a perfect excuse to make it happen. On September 21st, Josh Mitchell and Andrew will be putting on a Webinar regarding the new DFIR artifact they've been researching called EventTranscript.db. Register for the webinar here! As always, you can find Andrew and his work on…

AboutDFIR Content Update 8/26/2021

The Forensic 4:cast Awards update is here: Jobs - new entries added Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like:   My colleague Josh Mitchell and I will be putting on a Webinar regarding the new DFIR…

AboutDFIR Content Update 8/8/2021

A huge backend update to AboutDFIR has arrived: Migration of all data tables on the site from WPDataTables to TablePress Main benefit: data within the tables are now searchable sitewide! As a result, most tables were refined in some form or another Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If…

AboutDFIR Content Update 7/26/2021

The Forensic 4:cast Awards update is here: Awards - updated for 2020 Awards that just occurred as well as adjusted years to be more accurate Certifications & Training - new entries added Tools & Artifacts - Windows - new entries added Tool Testing - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: The 2021 Forensic 4:cast Awards were last week. AboutDFIR…

AboutDFIR Content Update 7/15/2021

AboutDFIR's mid-July update arrives: Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: The 2021 Forensic 4:cast Awards voting period is open! Please be sure to vote for AboutDFIR if you feel we've served you well in 2020!…

AboutDFIR Content Update 7/2/2021

The first update of July arrives: Tools & Artifacts - Android - new entries added Tools & Artifacts - DVR/Multimedia - new entries added Tools & Artifacts - File Systems - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: The 2021 Forensic 4:cast Awards…

AboutDFIR Content Update 6/19/2021

Lots of Windows artifact updates this week: Tools & Artifacts - DVR/Multimedia - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: The 2021 Forensic 4:cast Awards voting period is open! Please be sure to vote for AboutDFIR if you feel we've served you well in 2020! Vote here! I've been continuing lots of…

AboutDFIR Content Update 6/5/2021

The first update of June awaits: Tools & Artifacts - Android - new entries added Tools & Artifacts - DVR/Multimedia - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - macOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: Sorry for the delay in posting.…

AboutDFIR Content Update 5/8/2021

The first update of May awaits: Tools & Artifacts - Android - new entries added Tools & Artifacts - Linux - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: The 2021 Forensic 4:cast Awards are open for the year 2020. If you feel that AboutDFIR served you well in 2020, we would…

AboutDFIR Content Update 4/19/2021

Yet another AboutDFIR update: KAPE Guide - new links added Timeline Explorer Guide - new links added Tools & Artifacts - Android - new entries added Tools & Artifacts - DVR/Multimedia - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: The 2021 Forensic 4:cast Awards are open for the year 2020. If…

AboutDFIR Content Update 4/10/2021

The first update of April is below: Awards - updated with info about the Forensic 4:cast Awards for 2021 Certifications & Training - new entries added Tools & Artifacts - Android - new entries added Tools & Artifacts - DVR/Multimedia - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us…

AboutDFIR Content Update 3/27/2021

The "I can't believe March is almost over already" update: Awards - updated with info about the Forensic 4:cast Awards for 2021 Certifications & Training - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: The 2021 Forensic 4:cast Awards are open for the year 2020. If you feel that AboutDFIR served you…

AboutDFIR Content Update 3/12/2021

The "I can't believe March is halfway over already" update: Annual Industry Reports - lots of new entries added Tool Testing - new images for macOS and iOS 14 from Josh Hickman Tools & Artifacts - Android - new entries added Tools & Artifacts - File Systems - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If…

AboutDFIR Content Update 2/21/2021

The second AboutDFIR update of February 2021 is here: Tool Testing - new images for macOS and iOS 14 from Josh Hickman Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: Not a lot of sections of the site updated this week, but lots of new, useful content added within those two sections. Check them out!…

AboutDFIR Content Update 1/29/2021

Yet Another AboutDFIR Update: Tools & Artifacts - Android - new entries added Tools & Artifacts - DVR/Multimedia - new entries added Tools & Artifacts - macOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: I've been continuing lots of work on GitHub to help improve the KAPE, RECmd, and EVTXECmd…

AboutDFIR Content Update 1/12/2021

The first update of 2021 is here: KAPE Guide - added links to KAPE Target Guide and Template Tools & Artifacts - Android - new entries added Tools & Artifacts - File Systems - new entries added Tools & Artifacts - iOS - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: For those who use Eric Zimmerman's Tools, make sure you're…

AboutDFIR Content Update 12/31/2020

Happy (almost) New Year and with that, the last update of 2020: Annual Industry Reports - new entries added Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: 2020 was an awesome year for AboutDFIR. We saw the…

AboutDFIR Content Update 12/18/2020

Likely the last site update post of the year: Tools & Artifacts - iOS - new entries added Tools & Artifacts - macOS - new entries added Tools & Artifacts - Windows - new entries added Tools & Artifacts - Linux - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: This week saw the release of the MFT Explorer/MFTECmd Guide. Check…

Introducing AboutDFIR’s MFT Explorer/MFTECmd Guide

Greetings everyone! I’ve been working on a detailed guide geared towards LE/Private Sector examiners who’ve never used MFT Explorer/MFTECmd before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. The MFT Explorer/MFTECmd Guide comes on the heels of the previous guides I put together recently: KAPE, Timeline Explorer, and Registry Explorer/RECmd. All guides,…

AboutDFIR Content Update 12/5/2020

After a short break, we're back: Tools & Artifacts - DVR/Multimedia - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - macOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: I finally put the GCFA behind me and thankfully I passed! I will be…

AboutDFIR Content Update 11/21/2020

After a short break, we're back: Tools & Artifacts - DVR/Multimedia - new entries added Tools & Artifacts - File Systems - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: I finally put the GCFA behind me and thankfully I passed! I will be…

AboutDFIR Content Update 11/7/2020

Happy November! A short update this week: Tools & Artifacts - File Systems - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: I am going to be taking my GCFA in a couple weeks so updates may be sparse between now and then. Once I (hopefully) pass the GCFA, look for an update…

AboutDFIR Content Update 10/31/2020

Happy Halloween! A summary of recent updates: KAPE - various updates/fixes Timeline Explorer - various updates/fixes Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS - new entries added Tools & Artifacts - macOS - new entries added Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: My guide for Registry…

AboutDFIR Content Update 10/23/2020

Greetings! A relatively small update this week: Tools & Artifacts - Windows - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: Check out Devon Ackerman's recent appearance on the Forensic Happy Hour with Lee Reiber here! My guide for Registry Explorer/RECmd went up earlier this month! Check it out here as well as my KAPE and Timeline Explorer guides. Look for…

AboutDFIR Content Update 10/16/2020

Greetings! Another week, another content update: Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS - new entries added Tool Testing - added Josh Hickman's new Android 11 image AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: Check out Devon Ackerman's appearance on the Forensic Happy Hour with Lee Reiber here! My guide for Registry Explorer/RECmd has been posted!…