DailyDFIR

408 bookmarks
#DailyDFIR 134: Want to try to write an Unfurl parser but need an idea? How about Zoom? I hear it's popular these days. If you want to try this I'd be happy to help & answer any questions. I made a GitHub issue (https://t.co/A3GwmdFDMa) with some references. #DFIR #Python
https://twitter.com/_RyanBenson/status/1260759258758406144
·github.com·
#DailyDFIR 137: Another great post from @josh_hickman1 on detailed timeline artifacts (including from deleted apps) on @Android: https://t.co/sMLKZfixMr I love how detailed Josh's research and write-ups are; great Saturday reading material. #DFIR #Android
https://twitter.com/_RyanBenson/status/1261851654896271361
·thebinaryhick.blog·
#DailyDFIR 138: I've said it before but I'll say it again: check out @phillmoore's "This Week in 4n6" weekly round-up. Lots of great blog posts, presentations, and videos on #DFIR, #RE, threat hunting, and more! Every week. https://t.co/mOmTBCzY9B
https://twitter.com/_RyanBenson/status/1262226924174102530
·twitter.com·
#DailyDFIR 139: "Introduction to DFIR" by @sroberts is older (2016) but holds up well, especially a section at the end: T Shaped People. https://t.co/Fl1D7m1YyG #DFIR has many subdisciplines; we can't be equally great in all areas. That's ok. Find others that complement you. https://t.co/iNwq3tvhPv
https://twitter.com/_RyanBenson/status/1262399170494689280
·medium.com·
#DailyDFIR 143: @errno_fail's blog has a lot of great technical deep dives into different artifacts with an emphasis on NTFS & Windows artifacts: https://t.co/jIK1J8hGJD He is constantly looking at new releases of Windows for changed or new artifacts! Very helpful. #DFIR
https://twitter.com/_RyanBenson/status/1263988673726435328
·dfir.ru·
#DailyDFIR 145: "Recovering & Replaying Garmin Voice Instructions" by @Cheeky4n6Monkey is a fun bit of analysis. It has data recovery, log parsing, & a script to "speak" the phonetic logs into audio files. https://t.co/gbm3HvvFOX You never know what a #DFIR case will entail!
https://twitter.com/_RyanBenson/status/1264754800190619648
·cheeky4n6monkey.blogspot.com·
#DailyDFIR 146: The papers from the 12th Conference on Cyber Conflict are up! 19 papers on how cyberspace & cyber conflict will evolve in the 2020s, covering technical, strategic, & legal topics. https://t.co/DLcJTMLq61 Not exactly light holiday reading but good stuff! #DFIR
https://twitter.com/_RyanBenson/status/1265044640396267520
·ccdcoe.org·
#DailyDFIR 147: If you write technical content about #DFIR this is a great resource. Going through the whole peer-review process for a traditional journal can be a bit daunting; @DFIRReview is a nice way to ease into that world. https://t.co/BorclJlLeN
https://twitter.com/_RyanBenson/status/1265433216258682880
·twitter.com·
#DailyDFIR 148: We've seen a big increase in virtual #DFIR events (which has been awesome!) including CTFs. If you want to build your own CTF @Russ_Taylor_ has a helpful guide documenting his experiences & advice on creating them: https://t.co/JJzl3Jm68k #CTF #Infosec
https://twitter.com/_RyanBenson/status/1265837485893931008
·hatsoffsecurity.com·
#DailyDFIR 150: Interested in doing #DFIR in multiple clouds with open source tools? Check out libcloudforensics! Features: copy disks, query cloud logs, auto-create analysis VMs. Works on #AWS & #GCP; #Azure coming soon! https://t.co/0aptakqjiA #DFIR #Python #Infosec
https://twitter.com/_RyanBenson/status/1266458431650594816
·osdfir.blogspot.com·
#DailyDFIR 151: If you work with Macs check out mac_apt by @SwiftForensics. It parses artifacts from disk images or live machines and just got some cool new features in this update. #DFIR #Python #infosec https://t.co/GmW3oHmuGU
https://twitter.com/_RyanBenson/status/1266917723868549120
·twitter.com·
#DailyDFIR 152: Programming is an essential part of my #DFIR workflow. I know some in the field don't code (and that's fine); I just can't imagine myself doing this job without it. If you want to learn #Python this new free course by @dabeaz looks good: https://t.co/XKV3Efmuk4
https://twitter.com/_RyanBenson/status/1267298834108932096
·dabeaz-course.github.io·
#DailyDFIR 153: Do you need a way to manage threat intel? Check out yeti by @tomchop_ & @Sebdraven! https://t.co/rvCes8YHHE Yeti features: - Organize observables, IOCs, TTPs & more - Auto-enrichment - Visualize relationships in graphs - Open source #Python - Web UI & API
https://twitter.com/_RyanBenson/status/1267656426802917376
·github.com·
#DailyDFIR 155: Do you like jigsaw puzzles, #DFIR, and want to reconstruct RDP screenshots? Then you need to check out @brianjmoran's talk from the #MVS2020! Slides: https://t.co/fLOreJ0FHC Code: https://t.co/17L77zUKMd #DFIR
https://twitter.com/_RyanBenson/status/1268309292660060160
·slideshare.net·
#DailyDFIR 156: @Hexacorn has a long-running (124 parts & counting!), truly impressive blog series on Windows persistence mechanisms called "Beyond good ol' Run key": https://t.co/i23tMv2hkd Check it out; I've learned a ton from following his research. #DFIR #Malware #Infosec
https://twitter.com/_RyanBenson/status/1268741245553135617
·hexacorn.com·
#DailyDFIR 157: The @EFF has many good guides and how-tos. Check them out. You might learn something or find something relevant to send on to a less tech-savvy friend/family member/etc.: https://t.co/yWYpFMzsVF #DFIR #opsec
https://twitter.com/_RyanBenson/status/1269073792279535618
·ssd.eff.org·
#DailyDFIR 159: DFRWS EU was last week. One interesting paper was "On Challenges in Verifying Trusted Executable Files in Memory Forensics" by Uroz & Rodríguez: Paper: https://t.co/zGeO3kmK3Z Slides: https://t.co/hpyckn6kme #DFIR #Volatility
https://twitter.com/_RyanBenson/status/1269786719533977600
·dfrws.org·
#DailyDFIR 160: @BlakDouble has a post explaining Favicon artifacts on mobile Safari and how it can sometimes provide insight into when pages were visited: https://t.co/AFQ2mkYbZ2 I've found the Chrome Favicons to be of similar use. #DFIR
https://twitter.com/_RyanBenson/status/1270208880493187074
·doubleblak.com·
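The Chrome side of that remark, as an added example that is not from the tweet, from the linked post, or from Hindsight: Chrome keeps a `Favicons` SQLite database in the profile directory that maps page URLs to icons and records when each icon bitmap was last fetched and last served. The table and column names below are the Chrome schema as I know it (trimmed to the columns used) and should be checked against the profile version in hand; the timestamps are assumed to be WebKit format, microseconds since 1601-01-01 UTC; the sample rows are constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores these as "WebKit time": microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed schema (trimmed to the columns used here). It matches the Chrome
# Favicons database as I know it; verify against the profile you are examining.
SCHEMA = """
CREATE TABLE favicons (
    id INTEGER PRIMARY KEY, url LONGVARCHAR NOT NULL, icon_type INTEGER DEFAULT 1);
CREATE TABLE favicon_bitmaps (
    id INTEGER PRIMARY KEY, icon_id INTEGER NOT NULL, last_updated INTEGER DEFAULT 0,
    image_data BLOB, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0,
    last_requested INTEGER DEFAULT 0);
CREATE TABLE icon_mapping (
    id INTEGER PRIMARY KEY, page_url LONGVARCHAR NOT NULL, icon_id INTEGER);
"""

# One row per page URL; LEFT JOIN keeps pages whose icon has no bitmap yet.
QUERY = """
SELECT m.page_url, f.url, b.last_updated, b.last_requested
FROM icon_mapping m
JOIN favicons f ON f.id = m.icon_id
LEFT JOIN favicon_bitmaps b ON b.icon_id = f.id
ORDER BY m.page_url
"""


def webkit_to_datetime(ts):
    """WebKit microseconds -> aware UTC datetime. 0 or NULL means 'never set'."""
    if not ts:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(ts))


def favicon_timeline(conn):
    """For each page URL: the icon it maps to, when that icon's bitmap was
    last fetched from the site (last_updated) and last served (last_requested)."""
    return [
        {
            "page_url": page_url,
            "icon_url": icon_url,
            "icon_last_updated": webkit_to_datetime(updated),
            "icon_last_requested": webkit_to_datetime(requested),
        }
        for page_url, icon_url, updated, requested in conn.execute(QUERY)
    ]


def build_sample_db():
    """Constructed sample data, not from a real profile: two pages sharing
    one icon that was fetched on 2021-01-01, and one icon never fetched."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO favicons VALUES (?, ?, ?)", [
        (1, "https://example.com/favicon.ico", 1),
        (2, "https://example.org/favicon.ico", 1),
    ])
    conn.executemany("INSERT INTO favicon_bitmaps VALUES (?, ?, ?, ?, ?, ?, ?)", [
        # 13253932800000000 us = 2021-01-01 00:00:00 UTC; requested 36 h later
        (1, 1, 13253932800000000, b"\x89PNG", 16, 16, 13254062400000000),
        (2, 2, 0, b"", 0, 0, 0),
    ])
    conn.executemany("INSERT INTO icon_mapping VALUES (?, ?, ?)", [
        (1, "https://example.com/", 1),
        (2, "https://example.com/about", 1),
        (3, "https://example.org/", 2),
    ])
    conn.commit()
    return conn


def open_profile_db(path):
    """Open a copied Favicons file read-only; never work on the live profile."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for row in favicon_timeline(build_sample_db()):
        print(row["page_url"], row["icon_last_updated"], row["icon_last_requested"])
```

Read the output with the same caveat the Safari post implies: `last_updated` is when Chrome refreshed the icon, which happens on a first visit and then only periodically, so it brackets activity rather than timestamping every visit, and several pages can share one icon row. The mapping itself still shows that a page URL was loaded at some point, which is useful when the History database has been cleared but the Favicons file has not.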
#DailyDFIR 161: @iamevltwin has a post on analyzing Apple TV using free tools she's built for iOS & Mac analysis - and it just works! It's sweet when tools do more than expected. https://t.co/6k4FjzLpjz It's a good reminder that #DFIR is more than phones laptops & desktops
https://twitter.com/_RyanBenson/status/1270538383194943489
·mac4n6.com·
#DailyDFIR 162: Hindsight is 2020! Okay, it's actually v20200607, but I've been waiting years to make a bad "Hindsight 2020" joke. There's a new version of Hindsight! Features: #Python 3, supports #Chrome 1-83, more Storage artifacts. https://t.co/6eorratUJO #DFIR
https://twitter.com/_RyanBenson/status/1270711815974969344
·dfir.blog·
#DailyDFIR 165: Check out this nice resource by @technisette for finding the right OSINT tool: https://t.co/Yo9tHBXj5a It has an easy to browse collection of tools and tutorials grouped by category or you can just search the whole thing! #DFIR #OSINT
https://twitter.com/_RyanBenson/status/1271992826323034113
·technisette.com·
#DailyDFIR 166: I use #Python to build #DFIR things. The @pythonbytes podcast is great for learning: https://t.co/3229V14De2 Confession: I haven't ever actually listened to an episode; I just skim the summaries to learn about new scripts & modules. Still really helpful!
https://twitter.com/_RyanBenson/status/1272388037490556928
·pythonbytes.fm·
#DailyDFIR 168: The @SANSInstitute @DFIRSummit is now FREE! It's a great event & it being online and free this year makes me happy b/c it's accessible to more people! July 16-17, 2020. Register: https://t.co/G0DG16TnuW Agenda: https://t.co/wLC6EYJYgM #DFIR #Infosec
https://twitter.com/_RyanBenson/status/1273030741161504768
·sans.org·
#DailyDFIR 170: Come learn about #DFIR Incident Management at @Google on the Forensic Lunch tomorrow! (8am PDT) https://t.co/UbL4xQxJlP @HECFBlog will have @0xMatt @joachimmetz @JamesNettesheim and @alexanderjaeger - should be a great show!
https://twitter.com/_RyanBenson/status/1273835754041405440
·youtube.com·