Newer users are often confused about what artifacts to use in which scenarios.
Let's come up with a set of playbooks - what to do when - aimed at newer users or users who do not necessarily have a lot of DFIR experience.
Let me kick off a few:
I am an administrator suspecting a compromise. I am about to call on a professional DFIR expert but fear the suspicious machine will be destroyed or go offline. Steps: Preserve as much as possible with KapeFiles.Targets on the basic collection setting, SQLiteHunter, registry hunter, and Hayabusa rules with the all-rules filter. The DFIR people will obviously look at a lot more, but this is a good start just in case the machine goes offline.
I suspect a drive-by download. Steps: ADS hunter looking for Mark of the Web, SQLiteHunter looking for download histories.
I suspect a malicious process is running - possibly injected. Steps: Collect handles, VAD and pstree looking for injected threads.
Please add more examples here - let's build this into something to add to the website as an easy introduction for new users.
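For the drive-by download playbook above, the Mark of the Web that an ADS hunter looks for is the `Zone.Identifier` alternate data stream. The following is an added example, not code from the discussion or from any artifact: it parses that stream's text into a triage summary (zone name and recorded download origin). The sample stream content is constructed; on a live Windows host the same text is what opening `<file>:Zone.Identifier` returns.

```python
"""Parse Mark-of-the-Web (Zone.Identifier ADS) content into a triage summary.

Added example for the drive-by download playbook; not part of the original
discussion. SAMPLE below is a constructed stream, shaped like the one a
browser writes next to a downloaded file.
"""
import configparser
from typing import Dict

# ZoneId values correspond to the Windows URL security zones.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(stream_text: str) -> Dict[str, str]:
    """Return the [ZoneTransfer] keys (ZoneId, ReferrerUrl, HostUrl) as a dict.

    Returns an empty dict for text that is not an INI-style MOTW stream.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: ZoneId, not zoneid
    try:
        cp.read_string(stream_text)
    except configparser.Error:
        return {}
    if "ZoneTransfer" not in cp:
        return {}
    return dict(cp["ZoneTransfer"])


def triage(stream_text: str) -> Dict[str, object]:
    """Summarise a MOTW stream: zone name, whether it came from the Internet,
    and the host/referrer URLs when the downloading browser recorded them."""
    fields = parse_zone_identifier(stream_text)
    try:
        zone = int(fields.get("ZoneId", "-1"))
    except ValueError:
        zone = -1
    return {
        "zone": ZONE_NAMES.get(zone, "unknown"),
        "from_internet": zone == 3,
        "host": fields.get("HostUrl", ""),
        "referrer": fields.get("ReferrerUrl", ""),
    }


# Constructed sample; Windows writes the stream with CRLF line endings.
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "ReferrerUrl=https://example.invalid/landing\r\n"
          "HostUrl=https://cdn.example.invalid/setup.exe\r\n")

if __name__ == "__main__":
    print(triage(SAMPLE))
```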