
b00010111

@b00010111.bsky.social

DFIR BlueTeam Github: https://github.com/00010111 Not representing my employer (past & present).

48 Followers  |  16 Following  |  31 Posts  |  Joined: 15.11.2024  |  1.4899

Latest posts by b00010111.bsky.social on Bluesky

Adaptive Collections in Velociraptor :: Velociraptor - Digging deeper! Velociraptor Adaptive Collections

Adaptive Collections in Velociraptor:

docs.velociraptor.app/blog/2025/20... #DFIR

07.10.2025 10:27 — 👍 0    🔁 0    💬 0    📌 0

Exploring Data Extraction from iOS Devices: What Data You Can Access and How DFIR research

blog.digital-forensics.it/2025/09/expl...

01.10.2025 15:22 — 👍 0    🔁 0    💬 0    📌 0

GitHub - olafhartong/BamboozlEDR: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. - olafhartong/BamboozlEDR

"A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes" #dfir # eventlogs
github.com/olafhartong/...

07.08.2025 08:34 — 👍 0    🔁 0    💬 0    📌 0

I wrote up a quick article on the Medusa stealth rootkit on Linux and how to work around and investigate this style of LD_PRELOAD rootkit. | Craig Rowland

Medusa stealth rootkit on Linux and how to work around and investigate this style of LD_PRELOAD rootkit: www.linkedin.com/posts/craigh... #dfir #linux

29.07.2025 09:29 — 👍 0    🔁 1    💬 0    📌 0

signature-base/yara/expl_sharepoint_jul25.yar at master · Neo23x0/signature-base · GitHub YARA signature and IOC database for my scanners and tools - Neo23x0/signature-base

github.com/Neo23x0/sign...
#CVE-2025-53770

21.07.2025 08:01 — 👍 0    🔁 0    💬 0    📌 0

Hiding Payloads in Linux Extended File Attributes
isc.sans.edu/diary/Hiding...
#DFIR #linux

18.07.2025 05:38 — 👍 0    🔁 1    💬 0    📌 0

shodan@mastodon.shodan.io: "Check out our new Data Status page for an overview of what Shodan crawlers have collected the past day: data-status.shodan.io "

I'm still in the process of deciding which stats frighten me the most.....

11.07.2025 09:58 — 👍 0    🔁 0    💬 0    📌 0

Release v2025.05.30 · Beercow/OneDriveExplorer · GitHub Change Log Fixed ODL bug fix FileUsageSynce bug fix

Something you may not know. OneDriveExplorer also works for the OneDrive sync client for macOS.

github.com/Beercow/OneD...

25.06.2025 00:04 — 👍 2    🔁 1    💬 0    📌 0

GitHub - ekky19/Yara-Standalone-Webshell-Scanner: YARA Standalone WSS is an offline webshell scanning tool that uses YARA rules to detect malicious or suspicious files in webroot directories. No installation required — just drop your files, run the scanner, and review the generated HTML and TXT reports.

Offline webshell scanning tool, based on YARA rules github.com/ekky19/Yara-... #DFIR #yara #webshell

22.06.2025 18:16 — 👍 1    🔁 0    💬 0    📌 0

Windows Registry Forensics Cheat Sheet 2025 - Cyber Triage Save. This. Post. Our expert staff has compiled an up-to-date and comprehensive Windows Registry forensics cheat sheet, and it might be just what you need

Windows Registry Forensics Cheat Sheet 2025 by Cyber Triage. Potentially worth a look to check your docu against it. www.cybertriage.com/blog/windows... #DFIR #Registry

04.06.2025 06:38 — 👍 0    🔁 0    💬 0    📌 0

tools/qelp-ir-triage-esxi at master · cudeso/tools · GitHub Different tools, koen.vanimpe@cudeso.be . Contribute to cudeso/tools development by creating an account on GitHub.

Tool for triage & analysis of ESXi logs:
- Combined timeline of Bash activity, logons and user activity
- Timeline of logon events by type, along with a user/IP logon timeline
- Summary of Bash history, network-tool usage and newly created users

github.com/cudeso/tools... #DFIR #Logs #esxi

03.06.2025 07:02 — 👍 0    🔁 0    💬 0    📌 0

iOS Unified Logs: The Myth of 30 Days Retention In this article, I explain how to use the log stats command to quickly learn more about a .logarchive and the unified logs it contains. I show how to read the main statistics using the command log stats, what TTL (Time To Live) really means, and why it’s so important for digital forensics. I also highlight a few inconsistencies in how Apple presents these statistics, and how to work around them.

"iOS Unified Logs: The Myth of 30 Days Retention - Analysis of TTLs and log stats Command" ->
www.ios-unifiedlogs.com/post/ios-uni... #DFIR #iOS #logs

06.05.2025 19:15 — 👍 0    🔁 1    💬 0    📌 0

Scouting a Threat Actor

Censys on a C2 server called the “SCOUT PROJECT,” censys.com/blog/scoutin... #DFIR

02.05.2025 10:36 — 👍 0    🔁 0    💬 0    📌 0

The Impact of Microsoft’s ReFS on DFIR | by Mat Cyb3rF0x Fuchs | Apr, 2025 | Medium A New File System, New Forensic Challenges

"The Impact of Microsoft’s ReFS on DFIR" -> comparing NTFS evidence with ReFS. What stays, what changes and what will be gone. Recommended read! medium.com/@mathias.fuc... #DFIR #ReFS #NTFS #FileSystems

23.04.2025 20:44 — 👍 1    🔁 0    💬 0    📌 0

Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking - Check Point Research Research by: hasherezade Key Points Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purpose...

My new blog for CPR: introducing Waiting Thread Hijacking - a remote process injection technique targeting waiting threads: research.checkpoint.com/2025/waiting... #ProcessInjection

14.04.2025 18:17 — 👍 15    🔁 10    💬 3    📌 0

Daily Blog #805: Mount That Thing! | Hacking Exposed Computer Forensics Blog A hacking exposed blog about computer and digital forensics and techniques, exposed dfir incident response file systems journaling by David Cowen

Sounds very handy:
"Mounting disk images (E01 or raw)
Handling LVM volumes
Automatically identifying and mounting partitions
...
All mount operations are performed read-only, with noexec and other conservative options to preserve evidence integrity."

www.hecfblog.com/2025/04/dail... #DFIR #Linux

12.04.2025 12:14 — 👍 0    🔁 1    💬 0    📌 0

Next noteworthy #breach incoming? Reading some chatter that there are claims of #checkpoint being breached by #coreinjection .
#dfir #threatintel

31.03.2025 08:26 — 👍 0    🔁 0    💬 0    📌 0

The 2024 Volatility Plugin Contest results are in! Results from the 12th Annual Volatility Plugin Contest are in! We received 6 submissions, from 6 different countries, that included 7 plugins, a Linux profile generation tool, and 9 supporti…

We are excited to announce that the @volatilityfoundation.org #PluginContest First Place winner is:

Valentin Obst for btf2json

Read the full Contest Results:
volatilityfoundation.org/the-2024-vol...

Congrats to all winners & thank you to all participants!
#DFIR #memoryforensics

28.03.2025 13:54 — 👍 4    🔁 5    💬 1    📌 0

Hunting-Queries-Detection-Rules/Entra ID/DetectSuspiciousFociTokenLogins.md at main · HybridBrothers/Hunting-Queries-Detection-Rules · GitHub The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior - HybridBrothers/Hunting-Queries-Detecti...

Detect suspicious foci token logins:
The included description has an explanation of what foci tokens are and why a hunt might be useful. Nice work!

https://github.com/HybridBrothers/Hunting-Queries-Detection-Rules/blob/main/Entra%20ID/DetectSuspiciousFociTokenLogins.md
#DFIR #BlueTeam #KQL

28.03.2025 05:16 — 👍 0    🔁 0    💬 0    📌 0

Detecting Bincrypter Linux Malware Obfuscation A new Linux script from THC will encrypt and obfuscate any executable or script to hide from on-disk detection. It then launches the code in a way to not leave traces on the disk as a fileless attack.

Detecting Bincrypter Linux Malware Obfuscation
https://www.linkedin.com/pulse/detecting-bincrypter-linux-malware-obfuscation-craig-rowland-dzewc #DFIR #Linux #BlueTeam

27.03.2025 06:57 — 👍 0    🔁 0    💬 0    📌 0

MALoney (It's in the name): OneDrive Microsoft.FileUsageSync.db I recently started to look into the Microsoft.FileUsageSync.db . The database can be found in %localappdat...

I started exploring OneDrive’s FileUsageSync.db. There is some useful information on files shared via email, Teams, etc… that may not be in the user’s OneDrive.

https://malwaremaloney.blogspot.com/2025/02/onedrive-microsoftfileusagesyncdb.html

21.02.2025 17:53 — 👍 0    🔁 2    💬 0    📌 0

I just came across email information in one of the OneDrive databases. Sender, recipients, subject, mailbox, attachments, etc…
Pretty much everything except the body. More to come. 🤔 #DFIR

19.02.2025 04:13 — 👍 3    🔁 1    💬 0    📌 0

GitHub - odedshimon/BruteShark: Network Analysis Tool Network Analysis Tool. Contribute to odedshimon/BruteShark development by creating an account on GitHub.

I'll definitely have a look at BruteShark.
Seems to be a nice addition to the toolset for network analysis/forensics.
Would be great if the network graphics feature works with filters (it might, I have not checked yet). graphics for report = win
https://github.com/odedshimon/BruteShark #DFIR

03.02.2025 10:26 — 👍 1    🔁 0    💬 0    📌 0

Ryan O'Donnell on LinkedIn: The January 2025 Cumulative Update introduced some very interesting… The January 2025 Cumulative Update introduced some very interesting changes to Event IDs 4768 and 4769. Several new fields were added that provide visibility…

More on the update of Event IDs 4768 and 4769 in this post on LinkedIn. Includes examples of how these fields are filled by Windows, getTGT.py & Rubeus https://www.linkedin.com/posts/odonnell-ryan_the-january-2025-cumulative-update-introduced-activity-7290153947669880832-6ReK

#DFIR #blueteam #threathunting

29.01.2025 10:58 — 👍 1    🔁 0    💬 0    📌 0

Active Directory Hardening Series - Part 4 – Enforcing AES for Kerberos | Microsoft Community Hub Disabling Kerberos RC4 is a top priority for many organizations today but identifying devices that don't support AES has been very challenging.  In this...

Updates for event IDs 4768 and 4769 in the January cumulative update. See the * Update * section: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-4-%E2%80%93-enforcing-aes-for-kerberos/4114965
#DFIR #blueteam #threathunting

28.01.2025 11:00 — 👍 0    🔁 0    💬 0    📌 0

MALoney (It's in the name): OneDrive Offline Mode (Recallish vibes) Back in April 2024, Microsoft announced a new feature coming to OneDrive for Business called Offline Mode. The feature al...

There seemed to be enough interest so I decided to do a write up on what I have found about OneDrive Offline Mode. Hate to burn a forensic artifact but I’m concerned about what Microsoft feels is secure. #DFIR

https://malwaremaloney.blogspot.com/2025/01/onedrive-offline-mode-recallish-vibes.html

28.01.2025 02:41 — 👍 10    🔁 5    💬 1    📌 0

Stratoshark

"Stratoshark lets you explore and analyze applications at the system call level using a mature, proven interface based on Wireshark."

https://stratoshark.org/

https://medium.com/@nigel.douglas/how-to-capture-an-scap-for-stratoshark-826d194ef52a

this sounds very nice...
#DFIR #BlueTeam

22.01.2025 19:12 — 👍 1    🔁 0    💬 0    📌 0

TAOMM Books about Mac malware (by Patrick Wardle)

Nice.... free book The Art of Mac Malware Volume I and Volume II https://taomm.org/ #DFIR #BlueTeam

21.01.2025 17:15 — 👍 0    🔁 1    💬 0    📌 0

NTFS Usnjrnl Rewind | CyberCX We discuss using the NTFS filesystem journal for recreating deleted file/folder full paths, issues with current methods and tools, and introduce an alternate method (and a new tool) to guarantee correct and complete path information.

Just recently came across this article about getting full paths from the USN journal, even for deleted/moved files. https://cybercx.com.au/blog/ntfs-usnjrnl-rewind/
Nice work, need to test the PoC tool.
#DFIR

08.01.2025 06:34 — 👍 0    🔁 0    💬 0    📌 0

CVE-2024-49113 event log · GitHub CVE-2024-49113 event log. GitHub Gist: instantly share code, notes, and snippets.

CVE-2024-49113 event log export: https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7
#DFIR #blueteam #threathunting

07.01.2025 19:59 — 👍 0    🔁 0    💬 0    📌 0
