How to analyze different types of devices and find connections between them
Modern digital forensics and incident response cases may involve quite different types of devices. The variety of electronic…
Looking at Microsoft Teams from a DFIR Perspective
David Cowen’s Sunday Funday is back, so why not to take part in this fun? Last Sunday’s challenge was to look at…
SQM: New Evidence of Execution Source?
Forensicating one of compromised hosts during our recent incident response activities we have found some interesting artifac…
Tools up: the best software and hardware tools for computer forensics
Igor Mikhailov is a digital forensic analyst of the digital forensic laboratory at Group-IB and the picture below shows how …
Following the RTM
Researchers became aware of the activities of the RTM group in December 2015. Since then, phishing emails distributing the t…
Using MITRE ATT&CK for Forensics: Image File Execution Options Injection (T1183)
As was promised, we continue our Using MITRE ATT&CK for Forensics series. This time we are going to discuss another pers…
Using MITRE ATT&CK for Forensics: WMI Event Subscription (T1084)
First of all, I would like to thank all of those who liked and retweeted the previous article from this series, BITS Jobs (T…
Using MITRE ATT&CK for Forensics: BITS Jobs (T1197)
If you are doing incident response, you must know what MITRE ATT&CK is. As it’s a great guide to threat actors tac…
Parsing Carved EVTX Records Using EvtxECmd
Teru Yamazaki has posted about how to extract Windows Event Log files from allocated space, Volume Shadow Copies, carve them…
PowerShell and Python Together: Targeting Digital Investigations
A new book by Chet Hosmer has been released. The book will teach you how to use PowerShell and Python for conducting digital…
