home.social

#windowsforensics — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #windowsforensics, aggregated by home.social.

  1. FortiGuard IR researchers have highlighted unexpected forensic value in the AutoLogger-Diagtrack-Listener.etl file on modern Windows systems.

    Despite low exploitation severity, the artefact has shown the ability to preserve historical process-execution data, including deleted binaries and command-line traces — helpful in ransomware investigations.

    What’s your view on ETW-based artefacts in DFIR workflows?

    Source: fortinet.com/blog/threat-resea

    Share your insights and follow us for more clear, unbiased analysis.

    #InfoSec #DFIR #ThreatIntel #WindowsForensics #ETW #Telemetry #CyberSecurity #IncidentResponse #SecurityResearch #ThreatAnalysis

  4. 🛠️ Tool
    ===================

    Opening: DFIR Galaxy Workstation is a preconfigured Windows virtual machine image aimed at streamlining digital forensics and incident response workflows. The release packages a curated toolset, a preconfigured DFIR_Toolbar (by Brian Maloney) for quick access, and Windows Explorer right-click integrations to trigger artifact parsing and disk-image analysis without memorizing tool parameters.

    Key Features:
    • Tool catalog and UI: A pinned DFIR_Toolbar provides categorized shortcuts and quick-launch access to forensic utilities.
    • Explorer context integration: Right-click menus map artifacts, folders, and disk images to specific parsing and analysis actions.
    • Preconfigured automation: Common parsing sequences and artifact collection tasks are automated to reduce manual steps during triage.
    • SIFT-inspired layout: Design choices and included toolset draw explicit inspiration from the SANS SIFT Workstation model for forensic investigations.

    Technical Implementation (conceptual):
    • The distribution is delivered as a Windows VM image containing a curated set of open-source and community tools, pre-wired into a centralized toolbar interface.
    • Context-menu hooks appear to invoke scripted workflows that call specific parsers on selected files or mounted images; these are presented as UI actions rather than raw command invocations.
    • The environment organizes tool binaries and parsers into categories for forensic phases (collection, parsing, timeline, extraction), while retaining native Windows artifacts and filesystem access.

    Use Cases:
    • Rapid triage of suspect Windows hosts where analysts need a ready toolchain and common artifact parsers available from the desktop.
    • Forensic examiners who prefer GUI-driven shortcuts for long-running parsing jobs and reproducible tool sequences.
    • Blue team exercises and training where a standardized, offline forensic workstation reduces setup variability.

    Limitations & Considerations:
    • The deliverable is a VM image; specifics about included tool versions, update processes, and licensing for bundled components depend on author documentation.
    • No single VM covers every forensic niche—investigators may still need specialized tools or custom scripts for specific evidence types.
    • Operational constraints such as maintaining the VM image currency, verifying integrity of bundled binaries, and adapting to environment-specific policies are relevant.

    References & Notes:
    • The author notes explicit inspiration from SANS SIFT Workstation and provides links to a full tool list and start guide in the original announcement. #DFIR #WindowsForensics #DFIR_Toolbar #SIFT #tool

    🔗 Source: linkedin.com/posts/mahmoud-soh

  5. Deleted a folder? Shellbags is the accessory you need...

    They’re one of the most valuable forensic artifacts for tracing user activity in Windows, even if the folders are gone.

    This blog post by our Joseph Williams walks through how Shellbags work, how to analyse them with tools like ShellBags Explorer, and what they reveal about user navigation through local, external, and network locations.

    If you're in DFIR, this is one artifact you don't want to miss.

    📌 Read the blog: pentestpartners.com/security-b

    #DFIR #DigitalForensics #WindowsForensics #IncidentResponse #Shellbags #CyberSecurity #ForensicAnalysis

  10. Handbook of Windows forensic artifacts across multiple Windows versions, with interpretation tips and some examples: github.com/Psmths/windows-fore

    #WindowsForensics

  14. RT @[email protected]

    If you've been looking to learn more about Windows Forensics, the new Practical Windows Forensics course on TCM Academy is a great introductory course to get you started.

    Learn more here: academy.tcm-sec.com/p/practica

    #forensics #windows #microsoft #windowsforensics #cybersecurity

    🐦🔗: twitter.com/TCMSecurity/status