Tag: DFIR
All posts tagged with "DFIR"
PCAP Command Hunter
🔍 PCAP Command Hunter Generate context-aware command-line snippets for hunting malicious activity in network captures. Describe what you’re …
4N6Post Artifacts
Registry - SAM
SAM Database - Windows Security Account Manager The Security Account Manager (SAM) database, in short, is a critical component of Windows security …
MACB Timestamp Reference
MACB Forensic Timestamp Reference I put together a nice little post here detailing the behavior of MACB timestamps (Modified, Accessed, Changed, …
MRU (Most Recently Used)
MRU (Most Recently Used) registry keys are lists in the Windows registry that record recently opened files, URLs, and other items. …
Velociraptor - Endpoint Visibility & Digital Forensics
Velociraptor is a web-based tool designed for endpoint visibility and management. It provides a user-friendly interface for monitoring and managing …
Registry- Start, Shutdown, and Reboot
Windows Registry: System Start, Shutdown, and Reboot Tracking The Windows registry is a hierarchical database that stores configuration settings for …
ShimCache
ShimCache - Windows Application Compatibility Cache for Digital Forensics Shimcache is a Windows artifact that stores information about programs that …
Dream Server - DFIR
Example Direction: Lock Picking Lawyer
Server
Category: Blue
Item 1: Gmail in session of browser
Item 2: Email in URL of the payload download
Item 3: …
Key Replicator
Example Direction: Lock Picking Lawyer
Neck Tie Connection
Serial Connection
Connection Type: Serial
Baud Rate/Speed: 115200
Port: COM3
Client: PuTTY
Reference: Reverse Engineering of ESP32 Flash Dumps with …
Neck Tie QR Code
The Clock
Other Write-Up See SD Card Data for more information. Challenge Walkthrough 1. Splash Screen Flag When the device boots, a flag flashes very quickly …
The Rules
Warmups
Download mypcap.pcap Spoiler Command: tshark -r mypcap.pcap -Tfields -e data | cut -c -2 | sed ':a;N;$!ba;s/\n/ /g' | sed …
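As an added example, not code from the original write-up, the following POSIX shell renders what the visible stages of that pipeline do: `tshark -Tfields -e data` prints one hex string per packet's data field, `cut -c -2` keeps the first byte of each, and the `sed` loop joins the lines. The trailing stage of the original command is cut off on this page, so the decode step here (hex to ASCII) is an assumption about its intent. The "tshark output" is a constructed stand-in, so the block runs offline without a capture file.

```shell
#!/bin/sh
# Added example (not the original post's code). Collects the first byte of
# each packet's data field, as `tshark -Tfields -e data | cut -c -2` does,
# then decodes the assembled hex as ASCII. The sample lines below are
# constructed to look like tshark output; they are not from mypcap.pcap.
sample_tshark_output() {
  printf '%s\n' \
    '666c61672e' \
    '6c417b' \
    '61424344' \
    '677878'
}

# First two hex chars (one byte) per line, joined into a single hex string.
# Works whether tshark prints "666c61" or the older "66:6c:61" form, since
# the first byte is always the first two characters.
first_bytes_hex() {
  cut -c -2 | tr -d '\n'
}

# Decode a hex string to ASCII using only POSIX shell and printf (no xxd).
# Returns 1 on an odd-length string rather than emitting half a byte.
hex_to_ascii() {
  hex="$1"
  case ${#hex} in *[13579]) return 1 ;; esac
  out=""
  while [ -n "$hex" ]; do
    byte=${hex%"${hex#??}"}   # first two characters
    hex=${hex#??}             # drop them
    # printf '%03o' accepts the 0x prefix; the outer printf expands \NNN
    out="$out$(printf "\\$(printf '%03o' "0x$byte")")"
  done
  printf '%s' "$out"
}

# Run the whole pipeline over the constructed sample.
extract_flag() {
  hex_to_ascii "$(sample_tshark_output | first_bytes_hex)"
}
```

Against a real capture, replace `sample_tshark_output` with `tshark -r mypcap.pcap -Tfields -e data`; packets without a data field print an empty line and contribute nothing, which is the same behaviour as the original `cut` stage.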
Windows Install Date & Time
The Windows registry is a central repository of configuration data for the Windows operating system and its applications. One important aspect of the …
File and Folder Opening - Link Files (LNK)
Windows users are likely familiar with .lnk files, also known as LNK Link files. These files are shortcuts that point to another file or folder on …
JumpList Forensics
JumpList Forensics JumpList is a feature of Microsoft Windows operating systems that allows users to quickly access frequently used files, folders, …
MFT
MFT Analysis - Master File Table Forensics Guide The $MFT, or Master File Table, plays a crucial role in the NTFS (New Technology File System) …
Prefetch
Windows Prefetch Analysis - Digital Forensics Execution Tracking Windows Prefetch is a feature in the Windows operating system that was first …
Recycling.Bin / Recycler
The Recycling Bin is a well-known feature in Windows operating systems that acts as a temporary storage location for deleted files. However, what …
SysInternals Tools Registry Forensics
SysInternals Tools - Registry Forensics and Analysis What is SysInternals? SysInternals is a suite of advanced system utilities for Microsoft Windows …
TimeZone Information
The Windows registry is a critical component of the Windows operating system. It stores important configuration data and settings that help the …
TypedPath Registry
Registry Section of TypedPath: Understanding Its Importance in Digital Forensics The registry is an important aspect of a computer’s operating …
Windows Border Size Modification
Exploring Windows Border Size Modification Welcome to our exploration of a subtle yet impactful customization in the Windows operating system. Today, …
Windows Generic Installation Keys
SOURCE: https://www.windowsafg.com/keys.html This is just a copy of the data from the source windowsafg. I make a copy so that others can find it. …
Windows USB Connection Analysis
USB connections are a commonly used method for transferring data between computers and other electronic devices. In Windows, the use of USB …
WMI Filter Query Consumer
Windows Management Instrumentation (WMI) is a Microsoft technology that provides a unified way of managing Windows operating systems and …
WordWheelQuery
The Registry Section of WordWheelQuery: An Overview for Digital Forensic Investigators The WordWheelQuery registry section is a critical component …
Hackademy – Authorization 1
Check the HTML, or in the PCAP:
