Looking at Microsoft Teams from a DFIR Perspective
David Cowen’s Sunday Funday is back, so why not to take part in this fun? Last Sunday’s challenge was to look at…
Forensic Walkthrough: QBot Infection
For some reason, there are not so many posts on forensic examination of hosts infected with different malware families. We d…
SQM: New Evidence of Execution Source?
Forensicating one of compromised hosts during our recent incident response activities we have found some interesting artifac…
Windows Forensics: Event Trace Logs
Looking for a “new” Windows artifact that is currently being underutilized and contains a wealth of information? Event Traci…
RBCmd: Recycle Bin artifact parser
Eric Zimmerman has released a new tool. This time it’s Recycle Bin artifact parser called RBCmd. It supports both…
The Little Handbook of Windows Forensics
Andrea Fortunan has released his “The Little Handbook of Windows Forensics”. Here is the description from the au…
Cloud Forensics: Google Drive
We decided to continue our cloud forensics series, but focus on more popular desktop applications, this time it’s goin…
Amcache_Scan Autopsy Plugin
This Autopsy plugin by Rebecca Anderson won Autopsy Plugin Contest this year at Open Source Digital Forensics Conf…
Join our Telegram DFIR group!
Guys, we have created a Telegram group, where we will do our best to answer all your questions. We will be very happy if you…
Eric Zimmerman Updated Most of His Tools
Eric Zimmerman has updated most of his tools: WxTCmd, Hasher, Timeline Explorer, ShellBags Explorer, AppCompa…
