Our website may use cookies to improve and personalize your experience and to display advertisements (if any). Our website may also include cookies from third parties like Google Adsense or Google Analytics. By using the website, you consent to the use of cookies. We’ve updated our Privacy Policy. Please click on the button to check our Privacy Policy.

AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

AboutDFIR Blog Posts Archive

Site Update to DFIR Research page

Jessica Hyde (@B1N2H3X) and Jonathan Wiley with a fresh idea for creation of a forensic image for public consumption, testing, and educational purposes of device running iOS 10 with robust documentation! https://aboutdfir.com/dfir-research/ page updated!
Read More

Site Updates

Busy weekend with new Certification and Training courses added, new Incident Response/Breach report added, DFIR Research additions and updated links, and even new tool updates.
Read More

Magnet User Summit 2019 Impressions

I wanted to make a quick note to start the blogging back up again (yes, I know -- don't judge me!) by discussing a recent Digital Forensics Summit that took place during the first week of April here in the United States. While there is some bias to this since both Devon and myself did present at the Summit, there is in no way, shape or form any endorsement or payment from Magnet for what…
Read More

Catching Up 3/19/2019

I’m overdue for an update, so here we go!  I came across some pretty cool stuff recently.  I know I’ve said this before, but it really is a fantastic time to be involved in DFIR! Nick Caldwell won me over with the very first article of his I came across, and he hasn’t disappointed me since!  He’s such a solid force of wisdom: https://hackernoon.com/the-worst-career-advice-i-ever-received-54aaf2a50c93 https://medium.com/@nickcaldwell/latest @NickCald Unless you live in a cave, you probably already knew this, but Eric…
Read More

Catching Up

I took some time this weekend to catch-up a bit with AboutDFIR and add some of the content I've been too busy to share.  I've got tons more, so that will be coming as time allows.  I know Devon has stated it, but I'll reiterate, the links that we add often have context and so I've decided to take a few minutes to add some backstory around the new additions I've made this weekend. First,…
Read More

AboutDFIR.com updates across the board

Tons of updates across the website this weekend to include the new Tools section: Tools & Artifacts - Android Tools & Artifacts - File Systems Tools & Artifacts - Windows In addition, the existing Conferences page received a big update with the addition of CFP information.
Read More

Forensic Tools

Forensic tools, whether software or hardware, or just like traditional forensic science tools - they are designed by humans and typically meant to be used by trained users who understand both the artifacts they are processing as well as the results produced by the tool. Some tools are as simple as a USB write blocker - you plug one end into a computer, you plug a USB device into the other end, and it "just…
Read More

Episode 886: The Price Of A Hack

"The Price of a Hack" w/Chris DiIenno of Mullen Coughlin LLC law firm, experts in legal advice following or during a cyber security event, along w/Dina Temple-Raston of NPR. This piece was born out of a prior Kroll Cyber Risk digital forensics and incident response-related investigation, directed by legal counsel, to assist a client they was preyed upon via a Business Email Compromise-oriented targeting scheme. NPR Planet Money - Episode 886 "The Price Of A…
Read More

Android Nougat Image Available to the DFIR Community

Joshua Hickman has created, for the DFIR community, an image of Android 7.x (Nougat) populated with apps and test data for a wide range of usage - everything from testing tools to training to teaching. It was created using a stock Android image from Google.  Several popular applications (apps) were populated with user data utilizing the capabilities of each individual app.  The stock Android apps were also populated with user data. An LG Nexus 5x,…
Read More

Threat Hunting for Non-Threat Hunters

Posted by MIKE ART REBULTAN at https://www.peerlyst.com/posts/threat-hunting-for-non-hunters-mike-art-rebultan-mit-ceh-ecsa. Threat hunting is a proactive task with an assumption that your organization has already been breached and you wanted to beat the average “dwell time” of 256 days; at least for me as a DFIR practitioner. And this is usually done with the help of different tools that we call “arsenals”; SIEM (security information and event management) and EDR (endpoint detection and response) mostly. However, security is not…
Read More

SANS SEC401 – Comprehensive Review

To get started in InfoSec, One must drink from the fire hose eventually  First, I want to apologize for the very late and posts over the last month or so. My life has been a little chaotic bouncing between a few different things and I went on holiday for a few weeks and was told no laptop :). But alas. For this post, I wanted to jump into something that has been very near and…
Read More

Office 365 DFIR

A planned methodology for developing and implementing a forensically sound incident response plan in Microsoft’s Office 365 cloud environment must be thoroughly researched and re-evaluated over time as the system evolves, new features are introduced, and older capabilities are deprecated. This presentation will walk through the numerous forensic, incident response, and evidentiary aspects of Office 365. The presentation is based on two years’ worth of collection of forensics and incident response data in Microsoft’s Office…
Read More

Dissecting Official Reddit App, What Your Tools Don’t Tell You

Sometimes, Some Light Reversing is in Order! Reddit in general So this is probably not new to much of the readers of this blog, Reddit is kind of a big deal at this moment in its lifespan. For those who do not know though, Reddit is a social media platform that touts itself as the "Frontpage of the Internet"  What makes this social media platform so much different than say Facebook or Twitter -- is…
Read More

Reddit, Lets Talk About It

Sorry for the very long delay. Between heading out to DC to TA/Moderate the FOR585 class and work, it has been very chaotic! No excuse, but just very busy. One thing though that I have been working on has been reversing the Reddit App that came out about a year or so ago. Now, what really drew me to this is I'm not seeing a lot of support from the main forensic tools out there…
Read More

So You Want to Get into DFIR? Social Media Edition

Posting 365 days straight is definitely a lot harder of a challenge than you would think! Even with scheduling, time just gets away from you. With this blog, I wanted to at least give my own opinion on something that could have some grave consequences against you as a DFIR specialist: Social Media. This was inspired by a post I saw on LinkedIn from a colleague who is a Senior Forensic Examiner within the public…
Read More

So You Want to Get into DFIR? Private Sector Edition

So you've decided that public sector is just not for you. Nothing wrong with that! We just need to work on getting you ready for different suits. This is a different animal all together! If you have a love for white collar issues, you'll see there is no end to the work you can do. If you love threat hunting, this will be a joy! What am I going to work?  This is going to…
Read More

So You Want to Get into DFIR? Public Sector Edition

So you've decided to go into the Public Sector for your Digital Forensics job? That is you've passed the rigorous background checks and the long awaited clearance background if you're going to a Federal entity. Awesome! What you'll probably see is that you'll already have some sort of training program put into place to get you going. On top of that you'll be working closely with folks who have "seen it all, done it all"…
Read More

So you want to get into DFIR?

For this week, I felt the need to touch on things for those who are looking for their pathway towards InfoSec, particularly with Digital Forensics & Incident Response.  So this will be a multi-part posting through the week with each day a different aspect. My hope is those who are looking to get into it will get something out of it, and for those within it may consider some things they had not yet...especially if…
Read More

Preparing for a GIAC Test….This is not the CISSP

I'm late for the day! Largely because my cities "summer festival" was last night and was out with friends, so blame them...not me :) This is a topic that has been touched on by others such as my good friend Lesley in her article in respects to making a good index for a GIAC exam. Lesley's template is still something I use, only over the course of my cert attempts I've tweaked it ever so…
Read More

Command Line or: How I learned to stop relying on GUI interfaces and love the syntax

So this is a little later than I thought I would post this, but life gets in the way! This is something very near and dear to me for a specific reason, my mentor was extremely anti GUI software. Not because he didn't understand (although he was about as G-Man you could imagine), but because he felt that to really understand the data, you needed to get into the weeds. Most vendor software out there…
Read More

Playing Nice in the Sandbox Together

Tell me how many of these you've heard of: Blue Team, Red Team, Purple Team, Green Team, Sprinkles Team ...okay that last one I just made up. Also, why doesn't DFIR ever have its own "team?" I'm not going to explain them all to you, but yes, these are in-fact terms of explanation of the many facets of IT Security in some way. In the mil days, they were a way of distinguishing who would…
Read More

Travel: It Is Not Just For Airline Status Pt. 2

In my last post, we were merely discussing things very pre-planning stages. While much of that was most likely already information known by the masses, it is still very important information for anyone who has never traveled abroad before for business. It is a different animal than when you do it for personal leisure. For the continuance of this, we are going to look at what is in my carry on bag when I am…
Read More

Travel: It Is Not Just For Airline Status Pt. 1

I elected to make this my first "real" posting to not only elaborate on the amazing work of my friend Lesley's post back in November, but to also provide my insight as someone who does it quite a bit. First, I'm not going into the "do's and don'ts" of a particular region or how to have proper OPSEC. Your security folks should be properly preparing you if you're going to austere conditions...not a blog. I will…
Read More

So, who am I?

Many are probably wondering who I am and if this is worth their own time. My hope is that it will be! To start, I won't go into my background too much...if you want to know it you'll probably be able to ask around to put the pieces together. Also, I'm not of the kind of person who thinks degrees and certs make the person. Do I have those? Yes, I do. We will leave…
Read More

Removing the Cloak

So I was basically challenged into starting up a blog in relation to giving back to the community. This was largely pushed by many of the SANS instructors within the digital forensics curriculum as there is a large gap within the field as a whole. Coming from my previous employer, this was just something that couldn't be done. We are always pushed to err on the side of caution while conducting any activity online as…
Read More

Forensic 4:cast 2018

This year, I have been nominated by the #DFIR industry for two categories of the Forensic 4:Cast awards (https://forensic4cast.com/). Please vote for Devon Ackerman as "Digital Forensic Investigator of the Year" and vote for this website, AboutDFIR.com, for "Digital Forensic Resource of the Year" for 2018. Regardless of who you cast your Forensic 4:cast 2018 votes for, please consider joining Mary Ellen and I in Austin, Texas at the SANS conference to celebrate no matter…
Read More

AMD and Intel Chipset Vulnerabilities & Exploits: March 2018 Update

Author: ShadowSherlock Editor: Devon Ackerman UPDATE: March 2018 It seems we are nearing the end of the Spectre/Meltdown issues from a patch availability stand point. INTEL Patches for older versions of Intel Chipsets has been released - Haswell (4th-generation) and Broadwell (5th-generation). The performance hit will be about 10% to 20% for real world applications. Intel has also promised updates for the last generation of Core2 Duo chipsets. All microcode updates are now being deployed…
Read More

Rick Kiper’s Research Project

A personal friend and FBI colleague of mine, Rick Kiper, has a research project that he is currently working on for Forensics.  The next phase of his research study is to develop a digital forensics tool typology. Basically, the goal is to identify the most important characteristics of digital forensics tools, so that a forensic examiner may be able to quickly assess and select a digital forensics tool appropriate for a particular task.  The goal…
Read More

Digital Forensics & CPUs

Reprinted with permission as originally written by Mark Vogel of F.A.S.T Forensics.   Kind of a book here but there's a LOT going on in the processor market right now between Intel & AMD, so there's a ton of information and considerations between the two now.   I have done a couple Ryzen builds since the release of the Ryzen 7 CPUs earlier this year to test out.  The chipsets for this platform seem to…
Read More

Yandex.ru and Intrusion Investigations

Quite often I notice that unauthorized actors who compromise RDP access will execute a native web browsing application and navigate to a website such as whoer.net to enumerate browser header information, IP address, ISP, and a smattering of other host identification information.  In reviewing these cases with forensic tools, I would also quite often see a hit for https://mc.yandex.ru/metrika/watch.js.  Observing a .ru domain hit usually raises my suspicion level a bit, but I could not…
Read More

Petya Ransomware Recap

Twitter, news media, and malware researchers were busy the past 30 hours as news of a ransomware variant being identified as Petya (NotPetya) was leveraging ETERNALBLUE to spread similar to how WannaCry ransomware had spread back in May 2017.  While variants of Petya have been seen going back a few months to include code similarities shared with Petrwrap and GoldenEye/Mischa ransomware strains, this quickly spreading variant leveraged a different attack than WannaCry in that it…
Read More

SANS DFIR Summit 2017 Wrapup

Awesome presentations, great humor throughout and well deserved wins across all of the forensic4:cast awards.  It was tough to compete in the same category as Magnet Forensics and Cellebrite and having been nominated to the top 3 with these 2 alone was humbling.  It was my first SANS Summit, but it certainly won't be my last - already blocking off my calendar for next year.  It also got me thinking about a book that I had started about a…
Read More

Here in Austin Texas!

SANS DFIR Summit 2017 is beginning with pre-registration this evening and the first two days Thursday and Friday.  Can't wait to meet everyone.
Read More