Investigation goals in DFIR reports
When a DFIR investigation starts you never know how big it will be. Some cases might give you a hint (if law enforcement have let you know about a compromise, or if EDR alerts tell you about a compromise on…
Today is the day! I’m announcing the release of my guide: “Mastering Sysmon: Deploying, Configuring, and Fine-Tuning”, a free mini eBook designed specifically for digital forensics and incident response professionals. This guide provides a practical, step-by-step approach to: Deploying and…
If you’ve ever attempted to run log2timeline on your local machine, you might be familiar with the error messages which happen at the worst time (when you need to use the tool for an investigation!). Issues such as file permission…
After recently earning the SANS 608 GIAC Enterprise Incident Response (GEIR) certification, I didn’t want to get complacent. The real world and real incidents won’t stop. Although the SANS FOR608 course provided a structured lab, I wanted to get better…
Title: Post-SANS 608: Troubleshooting Log2timeline on Ubuntu After recently earning the SANS 608 GIAC Enterprise Incident Response (GEIR) certification, I didn’t want to get complacent. The real world and real incidents won’t stop. Although the SANS FOR608 course provided a…
After breaking my SANS Linux SIFT environment today while doing a forensic CTF from picoCTF (not their fault, it was mine, by trying to upgrade The Sleuth Kit), I decided to rebuild. I use the SIFT VM for a lot…
APT40 has been on the radar for many years, causing significant disturbances within the cybersecurity community. Believed to be a Chinese state-sponsored group, they’ve been active since at least 2009, likely operating under the Ministry of State Security (MSS). Their…
Phishing attacks are a classic in the cybersecurity world, but they are far from outdated. Despite advancements in technology and user awareness, phishing remains one of the most prevalent and successful attack vectors. In this post, we’ll explore why phishing…
Host-based digital forensics is just one aspect of investigating cyber security incidents, with a lens on the investigation and analysis of individual computers and devices. This is in contrast to network forensics, which is focused on network logs and packet…
Without being a pessimist, as I am at my core an optimist, it is not a matter of if you will be breached, but when. It is a reality that vendors face when they are deploying the latest security tool…