POSH-Triage
Mike Cary has written a PowerShell script that automates the use of Eric Zimmerman’s cmd line tools (https://ericzimme…
Magnet User Summit CTF: Intrusion
So, we decided to finish our write-up today. The forth part – the most interesting part. Intrusion! Again, no more AXI…
Magnet User Summit CTF: Exfiltration
Hope you are having a great Sunday, and we are continuing our write-up. No more AXIOM, by the way! You wanted open source to…
Magnet User Summit CTF: Misc
We are continuing our write-up. The second part will walk you through the solution of the second set of CTF problems –…
RDP Event Log Forensics
As a continuation of the “Introduction to Windows Forensics” series, this episode takes a comprehensive look at …
DFIR Summit & Training 2018
SANS Institute has published the presentations from DFIR Summit & Training 2018. You can find all of them here. …
Windows Phone Physical Imaging Without JTAG and Chip-off
Windows Phones are not frequent guests of our digital forensic lab, especially now, as Microsoft stopped developing the plat…
WxTCmd – Windows 10 Timeline parser
Eric Zimmerman presented a tool for parsing ActivitiesCache.db, which contains Windows 10 Timeline data. You can learn how t…
Windows 10 Timeline Forensic Artefacts
Alex Caithness has published a post in CCL Group blog overviewing the newest Windows 10 feature – the Timeline. All Ti…
Cloud Forensics: pCloud Drive
We continue our unforgetable journey to the world of cloud forensics. This time we are going to forensicate pCloud desktop a…
