AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

AboutDFIR Blog Posts Archive

03 Jun 2023
By Cassie Doemel

AboutDFIR Site Content Update – 06/03/2023

Tools & Artifacts - Windows - new entries added - Jumplist - Windows 10, RDP, Event Logs - Hidden Insights, VMware Workstation Memory Analysis, WMI Events, and another Windows Management Instrumentation (WMI) Tools & Artifacts - MacOS - new entry added - Tool List, mac_apt, APOLLO, and fseventd parser Tools & Artifacts - iOS - new entries added - iOS 15 Image (also added to Tool Testing) and Location & Device Data  Tools & Artifacts -…
Read More
30 May 2023
By Mary

InfoSec News Nuggets 05/30/2023

Emby shuts down user media servers hacked in recent attack  Emby says it remotely shut down an undisclosed number of user-hosted media server instances that were recently hacked by exploiting a previously known vulnerability and an insecure admin account configuration. "We have detected a malicious plugin on your system which has probably been installed without your knowledge. [..] For your safety we have shutdown your Emby Server as a precautionary measure," the company informed users of affected servers in…
Read More
20 May 2023
By Cassie Doemel

AboutDFIR Site Content Update – 05/20/2023

Tools & Artifacts - Windows - new entry added - INetCache Tools & Artifacts - iOS - new entries added - IPA Files, Jailbreak (iOS 15), Anonymous Chat Rooms (Dating App), & iOS Shortcuts Tools & Artifacts - Android - new entries added - Jami and Gboard & Clipboard Training & Certifications - Cyber5W Courses & CCDFA Jobs - old entries cleaned up, new entries added - HM Revenue and Customs Stratford, Sirius XM, Arete,…
Read More
12 May 2023
By Mary

InfoSec News Nuggets 05/12/2023

Australian software giant won’t say if customers affected by hack  Australian enterprise software company TechnologyOne has halted trading after confirming it was hit by a cyberattack. In a stock exchange filing on Wednesday, the Brisbane-based software maker said it had detected that “an unauthorized third-party acted illegally to access its internal Microsoft 365 back-office system.” TechnologyOne said the company’s customer-facing platform is not connected to the affected Microsoft 365 system and “therefore has not been impacted,” but when reached, the company would…
Read More
11 May 2023
By Mary

InfoSec News Nuggets 05/11/2023

Hackers attempt to extort Dragos and its executives in suspected ransomware attempt  Unknown hackers attempted to infiltrate Dragos, one of the leading industrial cybersecurity firms that works with government agencies and utilities globally, in a unsuccessful campaign that targeted the company’s executives and their family members, the firm said on Wednesday. “We are confident that our layered security controls prevented the threat actor from accomplishing what we believe to be their primary objective of launching ransomware,”…
Read More
06 May 2023
By Cassie Doemel

AboutDFIR Site Content Update 05/06/2023

Tools & Artifacts - Windows - new entries added - Adobe Acrobat Reader (link updated), Windows 11 GUID Partition Scheme (GPT), Windows Search Index, & Windows Artifacts General Reference Tools & Artifacts - iOS - new entry added - iPhone PINs & iOS Artifact Reference  Jobs - old entries cleaned up, new entries added - Flashpoint, Cellebrite, Raytheon, Nozomi Networks, Radware, Marriott, & Stripe Don't forget to submit any missing forensicators to our Forensicators of…
Read More
22 Apr 2023
By Cassie Doemel

AboutDFIR Site Content Update 04/22/2023

Tools & Artifacts - Windows - new entries added - Memories & pCloud Tools & Artifacts - Android - new entry added - WiFi Annual Industry Reports - new entries added - PwC, Sophos Labs, & Unit 42 Jobs - old entries cleaned up, new entries added - SecureWorks, Varonis, Prudential Financial, Amazon, Kimberly Clark, Voya, Pacific Northwest National Lab, & Microsoft Forensicators of DFIR - cleaned up some dead links and added Derek Eiri…
Read More
08 Apr 2023
By Cassie Doemel

AboutDFIR Site Content Update 04/08/2023

Tools & Artifacts - Windows - new entry added - Hayabusa (tool), BitTorrent, Avira Antivirus, GoToMeeting, AnyDesk Tools & Artifacts - Android - new entry added - SetupWizard Tools & Artifacts - iOS - new entry added - Locked Data Annual Industry Reports - new entries added - proofpoint, Arctic Wolf, Avast, BeyondTrust, Blackberry, Check Point, Cisco, Cisco, Veeam, IBM X-Force, Kaspersky, Mandiant, McAfee, Meta, ODNI Jobs - old entries cleaned up, new entries added…
Read More
25 Mar 2023
By Cassie Doemel

AboutDFIR Site Content Update 03/25/2023

Tools & Artifacts - Windows - new entries added - BitComet & imo (Messenger) Tools & Artifacts - Linux - new entries added - Image Mounting & Memory Acquisition Tools & Artifacts - MacOS - new entry added - Safari Tools & Artifacts - iOS - new entry added - Deleted Messages Tool Testing - new entries added - Android 13 (x2) Annual Reports - new entries added - FBI Internet Crime Report & Red…
Read More
11 Mar 2023
By Cassie Doemel

AboutDFIR Site Content Update 03/11/23

Tools & Artifacts - Windows - new entries added - Artifacts: AVG Antivirus, Windows Mail, USB Connection Times, Remote Access Software, 1Password, & Unigram | Tools: Dissect, Dumpit, & Timesketch Annual Reports - new entries added - RiskLens, Cyble, BD, TrendMicro, Recorded Future, Any.Run, SonicWall, IBM Security X-Force, CrowdStrike, & Datto Jobs - old entries cleaned up, new entries added - Progressive, Oracle, Warner Bros. Discovery, Antigen Security, Sirius XM, & Activision Forensic 4:cast awards…
Read More
25 Feb 2023
By Cassie Doemel

AboutDFIR Site Content Update 02/25/23

Tools & Artifacts - Windows - new entries added - Bitdefender, BoxDrive, F-Secure, and OpenVPN Tools & Artifacts - Android - new entry added - GroupMe Jobs - old entries cleaned up, new entries added - Cisco, North American Electric Reliability Corporation (NERC), Deepwatch, Nature's Way, Affinity Federal Credit Union, Sophos, Warner Bros, United Airlines, JP Morgan Chase & Co, American Electric Power, Jackson, and Newell AboutDFIR stickers are still a thing! If you're interested in…
Read More
28 Jan 2023
By Cassie Doemel

AboutDFIR Site Content Update 01/28/2023

Tools & Artifacts - Windows - new entries added - LNK Files, Malwarebytes, PsExec, and Prefetch Tools & Artifacts - Android - new entries added - uTorrent and Garmin Connect Tools & Artifacts - File Systems - new entry added - $Security Jobs - old entries cleaned up, new entries added - Raytheon, Charles Schwab, Vanderbilt University, Cisco Talos, IHG Hotels & Resorts, Costco, Trustwave Government Solutions, Toyota Tsusho Systems US, Inc, and Columbia Sportswear…
Read More
18 Jan 2023
By Fabian Mendoza

The Key to Identify PsExec

Summary: In one way or another, PsExec - a wildly popular remote administration tool in the Microsoft SysInternals Suite - peeks its head in the wild. Threat actors tend to leverage PsExec for various reasons, such as executing programs on a remote host in a victim’s environment, or for more nefarious reasons, such as deploying ransomware. The focus of this blog is to bring attention to a relatively new method of identifying the source host…
Read More
15 Jan 2023
By Cassie Doemel

AboutDFIR Site Content Update 01/15/23

Tools & Artifacts - Windows - new entries added - Program Compatibility Assistant, Security:4624 (Win11), and Notepad++ Tools & Artifacts - iOS- new entries added - Apple Watch Data and Continuity/Cellular Relay Tools & Artifacts - Android - new entry added - TikTok Annual Industry Reports - new entry added - Google Threat Report Jobs - old entries cleaned up, new entries added -Fortinet, Nissan, American Express, Verizon, Marriott, Synchrony, Tyson Foods, and FanDuel AboutDFIR…
Read More
03 Jan 2023
By Andrew Rathbun

New Windows 11 Pro (22H2) Evidence of Execution Artifact!

By: Andrew Rathbun and Lucas Gonzalez Background In the last week of December 2022, on the Digital Forensics Discord Server, some discussion was brought up by a member in the #computer-forensics channel asking if anyone knew a Windows 11 folder path of interest, linked here. The location in question is C:\Windows\appcompat\pca. This may look like a familiar folder path, as the Amcache resides in C:\Windows\appcompat\Programs\Amcache.hve. What is PCA? PCA stands for Program Compatibility Assistant, which…
Read More
03 Jan 2023
By Andrew Rathbun

DFIR FYI: Security:4624 has been updated in Windows 11 Pro (22H2)

FYSA, the 4624 event that we all know and love in DFIR has been updated to Version 3 as of Windows 11 (22H2).  Using the beloved EVTX-ETW Resources GitHub repository that Nasredinne Bencherchali and I have curated, looking at the Microsoft-Windows-Security-Auditing Provider CSV will provide us with a history of all events associated with that Provider (Microsoft-Windows-Security-Auditing). If we filter on the 4624 Event ID and sort on Event Version, we'll see that Version 3 shows…
Read More
31 Dec 2022
By Cassie Doemel

AboutDFIR Site Content Update 12/31/22

Tools & Artifacts - Windows - new entry added - Event Logs (Cheat Sheet), Google Drive FS, File Explorer - Temporary Zip Folders, and Kaspersky Antivirus Tools & Artifacts - MacOS- new entry added - Logs - Unified Log Rolling Tools & Artifacts - Android - new entry added - Tusky Jobs - old entries cleaned up, new entries added - ADP, Pearson, Dell Secureworks, GEICO, United Airways, Xerox, Broadcom, and Malwarebytes AboutDFIR stickers are still…
Read More
17 Dec 2022
By Cassie Doemel

AboutDFIR Site Content Update 12/17/22

Tools & Artifacts - Windows - new entry added - Defender Tools & Artifacts - iOS- new entries added - Dual SIM Phones, Photos.sqlite - ZINTERNALRESOURCE, Cache.db Tools & Artifacts - Android - new entries added - Sygic, Dual SIM Phones, Mastodon, Android 13 Image SANS Difference Makers Awards - Will update our page soon, but here's a recording of the Ceremony Jobs - old entries cleaned up, new entries added - Yahoo, Detego, and…
Read More
03 Dec 2022
By Cassie Doemel

AboutDFIR Site Content Update 12/3/22

Tools & Artifacts - Windows - new entries added - MUICache and FeatureUsage/Taskbar Tools & Artifacts - iOS- new entry added - Facebook Messenger and AppIntent Jobs - old entries cleaned up, new entries added - CISA, Deloitte, Reddit, DigitalOcean, Durham Police Department, SEROCU, and Tracepoint Page of the Month - SANS Posters - new and updated posters have been added. (This has become more of a "Resource of the Month" so I'm going to…
Read More
22 Nov 2022
By Cassie Doemel

AboutDFIR Site Content Update 11/22/22

Tools & Artifacts - Windows - new entries added - iTunes, Recent Items, and Email Forensics Tools & Artifacts - Linux - new entry added - Linux History File Timestamps Tools & Artifacts - Android - new entry added - Bumble Jobs - old entries cleaned up, new entries added - Peloton, Edgewater, and LiveNation Entertainment Leading right into U.S. Thanksgiving, I need to give a huge thank you to Alex (you may know him…
Read More
06 Nov 2022
By Cassie Doemel

AboutDFIR Site Content Update 11/6/22

Tools & Artifacts - Windows - new entries added - LogMeIn, ExpressVPN, Time Rules (Win11), SRUM, Quick Access, FileZilla, WSH, OneDrive in $MFT, VirtualBox, Chrome Deleted History, File Extension Associations, Browser Artifacts, Registry, and OneDrive. Tools & Artifacts - Android - new entry added - Kik Messenger and Android Reset Data Tools & Artifacts - iOS - new entries added - Deleted SMS/iMessage, KnowledgeC.db Notifications, and Sysdiagnose Tools & Artifacts - File Systems - new…
Read More
09 Oct 2022
By Cassie Doemel

AboutDFIR Site Content Update 10/9/22

Tools & Artifacts - Windows - new entries added - Slack, Event Log Access, ProtonVPN, Hintfo Tools & Artifacts - Android - new entry added - Device Health Services Tools & Artifacts - iOS - new entries added - AppInstalls, AppLaunch, & AppIntents, Carplay, Safari, Siri, Unsent Messages, KnowledgeC.db Jobs - old entries cleaned up, new entries added - ZenDesk, Binary Defense, Circle, Charles Schwab, and AllState AboutDFIR stickers are still a thing! If you're interested…
Read More
07 Oct 2022
By Mary

InfoSec News Nuggets 10/07/2022

TikTok's "secret operation" tracks you even if you don't use it  Consumer Reports (CR), a US-based nonprofit consumer organization, has revealed that TikTok gathers data on people who don't even use the app itself. If this sounds familiar, it's because it's happened before. Meta's near-omnipresence wherever you are online enabled it to gather data on users, even those who don't have Facebook accounts—thanks, in part, to the Facebook "Like" button, a piece of code embedded on most websites. According…
Read More
24 Sep 2022
By Cassie Doemel

AboutDFIR Site Content Update 9/24/22

Tools & Artifacts - Windows - new entries added - Microsoft Management Console MRU, File Carving, WordPad Recent Files, SDeleted Files, MRU, File Signature and Hash Analysis, Desktop Wallpaper, Windows Startup Programs, Microsoft Teams, and Email Forensics Tools & Artifacts - Android - new entry added - Forensic References Tools & Artifacts - iOS - new entry added - DFU: iPhone 8, 8 Plus, and iPhone X and Shared with You Syndication Photo Library Jobs…
Read More
10 Sep 2022
By Cassie Doemel

AboutDFIR Site Content Update 9/10/22

Updates! Tools & Artifacts - Windows - new entries added - ShimCache, YARA Rules, AnyDesk, Registry, WinZip, Swapfile URLs, viber.db Tools & Artifacts - MacOS - new entry added - Unified Logs Tools & Artifacts - iOS - new entry added - Apple Health Jobs - old entries cleaned up, new entries added - KPMG, Deloitte, Cisco, Microsoft, Charles River Associates, Coalfire, Amazon, EY, and Raytheon Technologies Forensicators of DFIR - new entry added -…
Read More
27 Aug 2022
By Cassie Doemel

AboutDFIR Site Content Update 8/27/22

The Forensic 4:cast Awards were announced. While we wait for the official posting, feel free to check my SANS DFIR Summit link collection for the results towards the bottom. I will add the official link to the Awards page on here as soon as I can.  Tools & Artifacts - Windows - new entries added - SQLite Databases, Recents Folder, Last Shutdown Jobs - old entries cleaned up, new entries added - Trellix, Bank of…
Read More
14 Aug 2022
By Cassie Doemel

AboutDFIR Site Content Update 8/14/22

Sunday fun day post! SANS DFIR Summit this week! I will be collecting links as usual and stashing them here.  Big community news for tomorrow! The DFIR Discord will be publishing their crowdsourced book - The Hitchhiker's Guide to DFIR: Experiences From Beginners and Experts! There are chapters on everything from the history of the server to malware analysis to CTFs. While this version will be released tomorrow, there are additional chapters in the works.…
Read More
30 Jul 2022
By Cassie Doemel

AboutDFIR Site Content Update 7/30/22

The site update is busy this week!  SANS Security Awareness Summit is next week Aug 3 & 4 and is still doing hybrid/virtual. This means you can still sign up to attend virtually for free today! The suggested attendees include CISOs, Security Engineers/Architects, Education/Training professionals, and Compliance/Legal/Auditing professionals. Topics include Phishing, Office365, Equifax, Metaverse, Psychology, Human Risk, and staying safe online. Tools & Artifacts - Windows - new entries added - Browser Downloads, Machine SID,…
Read More
16 Jul 2022
By Cassie Doemel

AboutDFIR Site Content Update 7/16/22

Forensic 4:cast Award voting is now open!  Tools & Artifacts - Windows - new entries added - Event Tracing (ETW), Event Logs, Registry Hive Bins, ADS Zone.Identifier, Profiles, 360 Secure Browser, and Windows Management Instrumentation (WMI) Tools & Artifacts - Android - new entry added - Session Tools & Artifacts - iOS - new entry added - Speed/ZRTCLLOCATIONMO Jobs - old entries cleaned up, new entries added - ZeroFox, PWC, Gartner, Zoom, Cisco, Sophos, and Arctic…
Read More
02 Jul 2022
By Cassie Doemel

AboutDFIR Site Content Update 7/2/22

Summer is ramping up and July seems to be a somewhat light month for updates. I'm hoping this means everyone is getting to enjoy some time to themselves doing whatever it is that you enjoy!  Featured Page of the Month - A link to "The Effect of Ransomware After The Investigation" authored by Devon. Read up on how ransomware can impact people and businesses. Tools & Artifacts - Windows - new entries added - Memory…
Read More
22 Jun 2022
By Mary

InfoSec News Nuggets 06/22/2022

DDoS-for-hire service provider jailed Matthew Gatrel, a 33-year-old man from St. Charles, Illinois, has been sentenced to two years in prison for running websites that provide powerful distributed denial-of-service (DDoS) attacks against internet users and websites. This sentencing resulted in the seizure of his websites, making the internet a little safer from DDoS attacks. Gatrel was the administrator and owner of DownThem.org and AmpNode.com, two DDoS-for-hire websites with thousands of clients which launched attacks against more than 200,000 targets. He was convicted of three…
Read More
18 Jun 2022
By Cassie Doemel

AboutDFIR Site Content Update 6/18/22

SANS held their first Ransomware Summit this week. If you missed it, I grabbed all the links I could and the sessions will be shared by SANS on Youtube soon. I especially liked Kunal Shandil's talk, "Multifaceted Extortion: Analysis of Data Exfiltration TTPs Used by Ransomware Threat Actors" and Jeffry Lang's break down "Kaseya Ransomware Reaction - Lessons Learned".  Tools & Artifacts - Windows - new entries added - Logfile, Tasks, Powershell Logs, VSS Carver,…
Read More
04 Jun 2022
By Cassie Doemel

AboutDFIR Site Content Update 6/4/22

Surprise, not surprise, I posted the research!  Informally, I'd like to break down a little more what it could be useful for. App Timeline Provider logs mouse, keyboard, and audio activity for apps that are in focus on Windows 8+ machines. If you have mouse and keyboard activity within an app, you're validating that the window was "in focus" and that it was interacted with. If you have audio input and audio output, you can…
Read More
23 May 2022
By Cassie Doemel

App Timeline Provider – SRUM Database

The System Resource Usage Monitor (SRUM) is a currently parsed artifact available on Windows 8+ systems. On a basic level, SRUM appears to be the backend database supporting the Task Manager. These tables are stored in an Extensible Storage Engine (ESE) database saved as SRUDB.dat. Generally, there are 30 to 60 days of data saved in this database. The data is written to the database approximately every hour and around shutdowns. Some the tables within…
Read More
21 May 2022
By Cassie Doemel

AboutDFIR Site Content Update 5/21/22

This post is a bit lighter than recently but it's because I've been working on my own research! Hopefully I'll be posted it here in the next week or two in time for the next update. Convenient that today is World Whisky Day because, after all that, I could use a drink.  New Site Post - The Effect of Ransomware After The Investigation by Devon Ackerman Tools & Artifacts - Windows - new entries added…
Read More
18 May 2022
By Devon

The Effect of Ransomware After The Investigation

Ransomware. It’s a word that has become interwoven into the fabric of global corporate, business and legal vernacular. The threat is briefed to executive leadership teams during security update calls and to boards of directors during quarterly earnings calls. Its risks are part of mergers and acquisitions (M&A) strategy planning and are specifically identified in cyber insurance coverage policies with exclusions and sub-limits. And an entire industry exists around threat intelligence, in which the proverbial…
Read More
07 May 2022
By Cassie Doemel

AboutDFIR Site Content Update 5/7/22

Thursday was World Password Day! While I'm sure anyone who finds this page has an excellent professional and personal password policy and/or password manager, don't also forget to convince your friends and family to review their passwords. World Password Day was covered differently by different organizations but the sentiment from me remains - if you're set, make sure those you care about are as well.  Annual Industry Reports- new entries added - PwC Threat Report,…
Read More
23 Apr 2022
By Cassie Doemel

AboutDFIR Site Content Update 4/23/22

Big thing right up front - this is the last site update before the Forensic 4:Cast nominations close -  click here to nominate your favorite or most useful resources!  Annual Industry Reports- new entries added - RIA, Arctic Wolf, and Meta Jobs - new entries added - Raytheon Intelligence & Space, Zachary Piper Solutions, Cognizant, Kyndryl, and Center for Internet Security Tools & Artifacts - Windows - new entries added - Windows Registry, a graphing…
Read More
09 Apr 2022
By Cassie Doemel

AboutDFIR Site Content Update 4/9/22

Keeping it short and sweet today. Hope you're all doing well! Annual Industry Reports- new entry added - 2022 Cyberthreat Defense Report & Cyber Security Breaches Survey 2022 Jobs - new entries added and old cleaned up - New positions include: Kroll, Peraton, Crowdstrike, Secureworks, and the Federal Public Defender's Office in Los Angeles Tools & Artifacts - Windows - new entries added - Pagefile URLs, Battery Levels, & PowerShell Scripts Tools & Artifacts -…
Read More
26 Mar 2022
By Cassie Doemel

AboutDFIR Site Content Update 3/26/22

Happy start of Spring to those in the Northern Hemisphere! Are you in our Forensicators of #DFIR list? If not, maybe you'd like to check out those who are listed there or submit yourself as a resource. Just one of the areas I've been looking at for potential site updates. Speaking of... Annual Industry Reports - new entries added  Jobs - new entries added Scholarships - new entries added/updated - Thanks again to Dave G for…
Read More
12 Mar 2022
By Cassie Doemel

AboutDFIR Site Content Update 3/12/22

Don't forget to Spring Forward tomorrow for those of us that observe daylight savings time! Losing that hour of sleep isn't my favorite but it sounds like it's bringing a bit of warm weather and I'm ready for it. Jobs - new entries added  Annual Industry Reports - new entries added Tools & Artifacts - Windows - new entries added Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS -…
Read More
26 Feb 2022
By Cassie Doemel

AboutDFIR Site Update 2/26/22

It's been a busy two weeks on AboutDFIR so I'll get right to the updates! Jobs - new entries added  Annual Industry Reports - new entries added Tools & Artifacts - Windows - new entries added Tools & Artifacts - Android - new entries added OSINT Opt-Out Guide - entries added/updated, name changed Early update to the Featured Page of the Month for March On the topic of the Featured Page of the Month, Mark…
Read More
12 Feb 2022
By Cassie Doemel

AboutDFIR Site Update 2/12/22

While science may not entirely support it, Punxsutawney Phil announced 6 more weeks of winter. Hopefully the prediction also includes no extra static in the DFIR world! On to the site updates: Jobs - new entries added  Tools & Artifacts - Windows - new entries added Tools & Artifacts - Android - new entries added Tools & Artifacts - iOS - new entries added Training & Certifications - new entries added focused on MacOS forensics…
Read More
29 Jan 2022
By Cassie Doemel

AboutDFIR Site Content Update 1/29/22

It's National Puzzle Day today! DFIR can be a little like a puzzle -- looking for the pieces to put together to see the bigger picture. Since I don't have a quick DFIR puzzle, here's a small distraction in the form of the Daily Mini Crossword Puzzle from the New York Times. If you don't like Crosswords, you could try the daily word puzzle that's taken over Twitter as of late - Wordle. On to…
Read More
28 Jan 2022
By Cassie Doemel

A Conversation about Transitioning to Incident Response

In working on AboutDFIR the last couple months, I’ve come to learn that while digital forensics and incident response share some basic foundational knowledge, they are widely different in practice. I’ve taken SANS FOR500: Windows Forensic Analysis and have been reading the recent articles about vulnerabilities, and have to say it’s been a series of eye-openers, especially coming from a law enforcement digital forensic background, as to how evidence and analysis can differ depending on…
Read More
15 Jan 2022
By Cassie Doemel

AboutDFIR Site Content Update 1/15/22

It's hard to believe we're already halfway through January! As for the site updates: Jobs - new entries added  Tools & Artifacts - Windows - new entries added Tools & Artifacts - Android - new entries added DFIR Research - updated links AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: In case you missed it, Abhiram Kumar wrote a post about his experience with…
Read More
11 Jan 2022
By Abhiram Kumar

My Experience: FOR508 & GCFA

A small blogpost on my first ever experience taking a SANS course and my attempt at GCFA.   Intro This was my first time taking a SANS course. I did hear about SANS courses and also many people in the DFIR industry attempt exams for GIAC certifications.   I was a little overwhelmed. I did have a lot of dilemmas in deciding which certification to pursue. The main ones were GCFE (FOR500) and GCFA (FOR508).…
Read More
31 Dec 2021
By Cassie Doemel

AboutDFIR Site Content Update 1/1/22

Happy New Year!! Here's hoping 2022 brings good things to you and yours!  As for the site updates: Jobs - new entries added  Tools & Artifacts - Windows - new entries added Tools & Artifacts - Android - new entries added AboutDFIR stickers are a thing! If you're interested in one, please let us know! Here's what they look like: In case you missed it, Andrew Rathbun appeared on Chewing the FAT with Phil & Adam…
Read More
18 Dec 2021
By Cassie Doemel

AboutDFIR Site Content Update 12/18/21

Happy Holidays, Round 2! Merry early Christmas! Happy late Hanukkah! Happy early Winter Solstice! Happy early Kwanzaa! If I missed something you celebrate, I apologize but I hope it's amazing. I also hope the DFIR world this time of year is far less exciting through the upcoming holidays than it has been with the log4j/log4shell surprises on the IR side. As for the site updates: Jobs - new entries added (updated weekly) Tools & Artifacts…
Read More
04 Dec 2021
By Cassie Doemel

AboutDFIR Site Content Update 12/4/21

Happy Holidays! It's the first post in December so you're probably going to see that greeting at least once more. Speaking of holidays, it's almost Holiday Hack time! Sign up to be notified for the SANS Holiday Hack and KringleCon 2021 talks at this link or try your hand at the 2020 Holiday Hack while you wait. Don't know what the Holiday Hack is? "The SANS Holiday Hack Challenge is a FREE series of super…
Read More