The Newest Version of SANS Windows Forensic Analysis Poster is Online
SANS DFIR posted the newest version of Windows Forensic Analysis poster. Updated Windows Time Rules table, lots of arti…
Dear Blue Team: Forensic Advice to Non-Forensic Professionals to Supercharge Organization DFIR
In an age where data breaches and malware infections are quickly becoming the norm, we must prepare for Digital Forensics an…
Search for Malware on Webservers with Blazescan
Blazescan is a Linux webserver malware scanning and incident response tool, with built in support for cPanel servers, but wi…
Deobfuscate malicious VBA Macros with ViperMonkey
ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained …
Persistence Mechanisms
As a continuation of the “Introduction to Windows Forensics” series by Richard Davis, this episode looks at pers…
PhishPhinder: Locate and Purge Messages in O365
PhishPhinder is a tool for locating and purging messages in O365. You can learn more about how to use this PowerShell s…
Defcon DFIR CTF 2018 Open to the Public
David Cowen has posted Defcon DFIR CTF 2018 images and questions at his blog. It’s time to download them and have…
Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage
Sarah Edwards has posted her research of knowledgeC.db database. This database can be found on macOS and iOS devices. O…
Business Email Compromise; Office 365 Making Sense of All the Noise
Office 365, or O365, has made online applications easier for businesses of all sizes. Its also created a significant attack …
Deobfuscating Emotet’s PowerShell Payload
Lasq has posted a step-by-step guide on how to deobfuscate Emotet’s PowerShell payload. Also he shared a Python script…
