Accessing Windows 10 Volume Shadows
In this post Harlan Carvey shows that most known methods used for forensicating Volume Shadow copies no longer work with Win…
The Newest Version of SANS Windows Forensic Analysis Poster is Online
SANS DFIR posted the newest version of Windows Forensic Analysis poster. Updated Windows Time Rules table, lots of artifacts…
Imaginary C2: Malware Network Behavior Analysis Tool
Imaginary C2 is a python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts a HTTP …
Persistence Mechanisms
As a continuation of the “Introduction to Windows Forensics” series by Richard Davis, this episode looks at pers…
Defcon DFIR CTF 2018 Open to the Public
David Cowen has posted Defcon DFIR CTF 2018 images and questions at his blog. It’s time to download them and have a go…
POSH-Triage
Mike Cary has written a PowerShell script that automates the use of Eric Zimmerman’s cmd line tools (https://ericzimme…
Magnet User Summit CTF: Intrusion
So, we decided to finish our write-up today. The forth part – the most interesting part. Intrusion! Again, no more AXI…
Magnet User Summit CTF: Exfiltration
Hope you are having a great Sunday, and we are continuing our write-up. No more AXIOM, by the way! You wanted open source to…
Magnet User Summit CTF: Misc
We are continuing our write-up. The second part will walk you through the solution of the second set of CTF problems –…
RDP Event Log Forensics
As a continuation of the “Introduction to Windows Forensics” series, this episode takes a comprehensive look at …
