Investigation Scenario
While attending a conference, a user reports they were connected to a rogue access point for a couple of hours rather than the official conference wifi.
What do you look for to investigate the impact of the incident?
#InvestigationPath #DFIR #SOC
22.10.2025 14:00
When an admin creates a new user account on a domain, what do you suspect is the average time between account creation and its first authentication? I don't know the answer, generally curious on others input.
20.10.2025 18:05
Come with Me to Teach Kids about Meteorites!
A peek behind the scenes on some of the @RuralTechFund space and tech outreach we do -- this time from my local library!
youtube.com/shorts/yaZW...
17.10.2025 19:29
A week from now, I'll be speaking at @securityonion con alongside my good friend @DefensiveDepth. We'll talk about human-centric investigation playbooks and how those manifest in Security Onion now. Hope to see you there in Augusta!
securityonionsolutions.com/conference/
17.10.2025 14:14
Investigation Scenario
Someone inside your network opened a file containing a honeytoken. The file is a spreadsheet on a web server that isn't linked anywhere publicly facing.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
14.10.2025 14:00
The reddish NWA 17405 end cut (center) is quite unique. Scientists believe it gets its color from aqueous alteration... ancient water on the moon! The stone is also a fragmental breccia, which constitutes the main mass of the recovery.
10.10.2025 13:22
The dark NWA 14577 end cut (right) is a fragmental breccia; a mixture of broken lunar rock and glass fused together by impacts. They likely come from highland regolith where light clasts are mixed into a darker matrix.
10.10.2025 13:22
The grey-white slice (left) is Adrar 17, a troctolitic anorthosite. It's an ancient piece of the Moon's highlands crust rich in pale plagioclase with some olivine.
10.10.2025 13:22
My photo submission for the 2026 Meteorite Calendar... three lunar stones from my collection, titled "Colors of the Moon". While we primarily think of the moon as a uniform shade, there's a lot more there than what initially meets the eye!
#space #astronomy #science #geology #STEM
10.10.2025 13:22
We've got students in our @RuralTechFund Infinite Sky cohort building high-altitude balloon experiments that will...
...create atmospheric and solar irradiance profiles
...collect temperature and pressure readings
...detect levels of UV and IR radiation in the upper atmosphere
08.10.2025 14:07
Logically, it's okay to start with the broad question, but you can't end there. If you want to level up your investigative skills, focus on unpacking your broad questions.
08.10.2025 13:37
Maybe a dropped file deleted it... "Were any new files created right after the download?"
Maybe AV caught it... "Did AV detect or block the file?"
Maybe its name has changed... "Does the file hash exist anywhere on the system?"
08.10.2025 13:37
That's a start, but it doesn't exactly point you straight towards an evidence source to examine. So, you ask yourself, if the file isn't on the file system, what could have happened to it? That's forecasting... simulating and considering possibilities.
08.10.2025 13:37
You might ask, "Why isn't the downloaded file on the file system?"
08.10.2025 13:37
Good analysts take broad investigative questions and unpack them into specific questions that are directly answerable from evidence.
Let's say that you observed the download of a suspicious file, but it's no longer located on the file system.
08.10.2025 13:37
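The question-unpacking thread above turns "why isn't the downloaded file on the file system?" into three checks that each map to one evidence source. The script below is an added illustration, not code from the original posts: it runs those three checks against a constructed file-system snapshot and AV log (all paths, times, hashes and log lines are hypothetical).

```python
import hashlib
from datetime import datetime, timedelta

# Constructed evidence, not from any real system: the observed download event,
# a snapshot of the file system (path, creation time, content bytes) and a few
# AV log lines. Every name, time and hash here is hypothetical.
DOWNLOAD = {"name": "invoice.exe", "time": datetime(2025, 10, 8, 13, 0, 0),
            "sha256": hashlib.sha256(b"MZ-stub-payload").hexdigest()}
FILES = [
    ("C:/Users/jdoe/Downloads/readme.txt", datetime(2025, 10, 8, 12, 50), b"hello"),
    ("C:/Users/Public/svc.tmp", datetime(2025, 10, 8, 13, 0, 40), b"MZ-stub-payload"),
    ("C:/Users/jdoe/AppData/Local/Temp/run.bat", datetime(2025, 10, 8, 13, 1, 5), b"del invoice.exe"),
    ("C:/Users/jdoe/Documents/notes.txt", datetime(2025, 10, 8, 15, 0), b"later"),
]
AV_LOG = [
    "2025-10-08 12:59:00 SCAN clean C:/Users/jdoe/Downloads/readme.txt",
    "2025-10-08 13:00:10 QUARANTINE Trojan.Generic C:/Users/jdoe/Downloads/invoice.exe",
]

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def files_created_after(files, t0, window=timedelta(minutes=5)):
    """Q: were any new files created right after the download? (creation times)"""
    return sorted(p for p, created, _ in files if t0 <= created <= t0 + window)

def av_detections(av_log, name):
    """Q: did AV detect or block the file? (AV log lines naming the file, minus clean scans)"""
    return [line for line in av_log if name in line and "clean" not in line]

def find_hash_anywhere(files, target):
    """Q: does the file hash exist anywhere on the system, under any name? (content hashes)"""
    return [p for p, _, data in files if sha256(data) == target]

def unpack(download, files=FILES, av_log=AV_LOG):
    """Answer the three specific questions; each result points at one evidence source."""
    return {
        "new_files_after": files_created_after(files, download["time"]),
        "av_hits": av_detections(av_log, download["name"]),
        "hash_matches": find_hash_anywhere(files, download["sha256"]),
    }

if __name__ == "__main__":
    for question, answer in unpack(DOWNLOAD).items():
        print(question, "->", answer)
```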
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
07.10.2025 14:04
Investigation Scenario
A Windows prefetch file named RUNDLL32.EXE-3A2B9C71[.]pf shows a referenced file at C:\Users\Public\update.dll, but the DLL is missing.
You're unable to collect a memory dump and no EDR is available.
07.10.2025 14:04
I don't think we ought to deny kids access to technology education opportunities because they're struggling in geometry or English. There's too much at stake, and many of these kids are fighting other battles that aren't always so clear.
03.10.2025 14:18
I believe that equitable access to technology education means giving kids who don't meet traditional measures of academic achievement a shot at opportunities that might change their lives.
03.10.2025 14:18
That's just my story, but I know *many* people for whom tech education and access was an outlet or the thing that unlocked their potential. It was the thing that helped them learn how to learn or shut out all the distracting noise in their brain.
03.10.2025 14:18
However, when I found an interest and opportunity with computers, it changed everything for me. It helped me reframe how I viewed myself, the world, and how those things related. It reframed my outlook on the future. Slowly, I got somewhere.
03.10.2025 14:18
I didn't have great grades in school. I'm not naturally academically gifted; I could get good grades, but I really had to work for them. I also had a lot going on that made things more complex. My mom died when I was 15, and my dad wasn't around. That made everything harder.
03.10.2025 14:18
I understand why districts would implement these policies and why parents often support them. However, those decisions should be made on a case-by-case basis, rather than adhering to a hard-line policy (at least not at such a high watermark). Some personal context...
03.10.2025 14:18
The politics of a school can also pose challenges... I recall one instance a few months ago where a school tech club was placed under the district's athletics travel policy, which prevented any student with a grade below a C average from fully participating in those programs.
03.10.2025 14:18
That approach leads to some tough decisions. We've had to deny great project ideas because the school wanted them limited to gifted programs.
03.10.2025 14:18
At @RuralTechFund, we require that schools/clubs/programs we financially support aren't academically exclusionary. That means they can't limit access to tech education to only students with high grades.
03.10.2025 14:18
If you're a student who shows up at my office hours today, I expect you to come with your favorite song from the new Taylor album.
03.10.2025 13:05
They're all bangers
03.10.2025 04:21
Investigation Scenario
AV on a point of sale system flags a new startup entry named "PSLService.exe" in C:\Users\Public\Kiosk\.
Festive fall plugin or cred stealer? Something else?
What are your first few moves to investigate this finding?
#InvestigationPath #DFIR #SOC
01.10.2025 14:00