
b00010111

@b00010111

DFIR BlueTeam Github: https://github.com/00010111 Not representing my employer (past & present).

51 Followers · 16 Following · 39 Posts · Joined 15.11.2024

Latest posts by b00010111 @b00010111


Linux Notes: ls and Timestamps – Righteous IT Confused about timestamp options and output with the Linux ls command? Here are some of my favorite tips!

"Linux Notes: ls and Timestamps"
Some nice hints in there to ease usage of ls.
#linux
righteousit.com/2026/03/06/l...

06.03.2026 18:57 👍 0 🔁 0 💬 0 📌 0

#stayinvictus #cloudincidentresponse #google #gws | Invictus Incident Response We have had some questions asked around our Google Cloud/Workspace IR training and excited to share with you that we're making good progress. Keep following this page for updates and the official release date! In the meantime a 'little' overview of Google Workspace Audit logging. Let us know in the comments which log is in your Top 3 for Incident Response #stayInvictus #CloudIncidentResponse #Google #GWS

Overview of Google Workspace audit logs by Invictus IR: www.linkedin.com/posts/invict...
#DFIR #Blueteam

19.02.2026 06:26 👍 0 🔁 0 💬 0 📌 0

Trust Me, I’m a Shortcut Windows’ primary mechanism for shortcuts, LNK files, is frequently abused by threat actors for payload delivery and persistence. This blog post introduces several new LNK file flaws that, amongst other things, allow attackers to fully spoof an LNK’s target. It also introduces lnk-it-up, a tool suite that can generate such deceptive LNK files, as well as detect anomalous ones.

"Trust Me, I’m a Shortcut", nice blog about Windows .LNK files. www.wietzebeukema.nl/blog/trust-m... #DFIR #Blueteam

17.02.2026 06:26 👍 0 🔁 0 💬 0 📌 0

OpenSourceMalware.com - Community Threat Intelligence Security professionals sharing intelligence on malicious packages, repositories, and CDNs to protect the open source ecosystem.

A community database, API and collaboration platform to help identify and protect against open-source malware -> opensourcemalware.com #DFIR #blueteam

10.02.2026 21:09 👍 0 🔁 0 💬 0 📌 0

Welcome to Samplepedia – samplepedia.cc

New, free resource for malware samples to experiment and train.
#dfir

06.01.2026 21:19 👍 0 🔁 0 💬 0 📌 0

Strange, I cannot create a post on Bluesky that contains a URL via @openvibe@mastodon.social. Not sure what is causing this.

18.12.2025 19:25 👍 0 🔁 0 💬 0 📌 0

Test to check if Bluesky is still working

18.12.2025 18:12 👍 1 🔁 0 💬 0 📌 0

Notion A tool that connects everyday work into one space. It gives you and your teams AI tools—search, writing, note-taking—inside an all-in-one, flexible workspace.

An ESXi IR guide, probably worth a read: mikecybersec.notion.site/ESXi-IR-Guid... #DFIR #Blueteam

23.11.2025 09:50 👍 0 🔁 0 💬 0 📌 0

Adaptive Collections in Velociraptor :: Velociraptor - Digging deeper! Velociraptor Adaptive Collections

Adaptive Collections in Velociraptor:

docs.velociraptor.app/blog/2025/20... #DFIR

07.10.2025 10:27 👍 0 🔁 0 💬 0 📌 0

Exploring Data Extraction from iOS Devices: What Data You Can Access and How DFIR research

blog.digital-forensics.it/2025/09/expl...

01.10.2025 15:22 👍 0 🔁 0 💬 0 📌 0

GitHub - olafhartong/BamboozlEDR: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. - olafhartong/BamboozlEDR

"A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes" #dfir #eventlogs
github.com/olafhartong/...

07.08.2025 08:34 👍 0 🔁 0 💬 0 📌 0

I wrote up a quick article on the Medusa stealth rootkit on Linux and how to work around and investigate this style of LD_PRELOAD rootkit. | Craig Rowland

Medusa stealth rootkit on Linux and how to work around and investigate this style of LD_PRELOAD rootkit: www.linkedin.com/posts/craigh... #dfir #linux

29.07.2025 09:29 👍 0 🔁 1 💬 0 📌 0

signature-base/yara/expl_sharepoint_jul25.yar at master · Neo23x0/signature-base · GitHub YARA signature and IOC database for my scanners and tools - Neo23x0/signature-base

github.com/Neo23x0/sign...
#CVE-2025-53770

21.07.2025 08:01 👍 0 🔁 0 💬 0 📌 0

Hiding Payloads in Linux Extended File Attributes
isc.sans.edu/diary/Hiding...
#DFIR #linux

18.07.2025 05:38 👍 0 🔁 1 💬 0 📌 0

shodan@mastodon.shodan.io: "Check out our new Data Status page for an overview of what Shodan crawlers have collected the past day: data-status.shodan.io "

I'm still in the process of deciding which of these stats frightens me the most...

11.07.2025 09:58 👍 0 🔁 0 💬 0 📌 0

Release v2025.05.30 · Beercow/OneDriveExplorer · GitHub Change Log Fixed ODL bug fix FileUsageSynce bug fix

Something you may not know. OneDriveExplorer also works for the OneDrive sync client for macOS.

github.com/Beercow/OneD...

25.06.2025 00:04 👍 2 🔁 1 💬 0 📌 0

GitHub - ekky19/Yara-Standalone-Webshell-Scanner: YARA Standalone WSS is an offline webshell scanning tool that uses YARA rules to detect malicious or suspicious files in webroot directories. No installation required — just drop your files, run the scanner, and review the generated HTML and TXT reports.

Offline webshell scanning tool, based on YARA rules github.com/ekky19/Yara-... #DFIR #yara #webshell

22.06.2025 18:16 👍 1 🔁 0 💬 0 📌 0

Windows Registry Forensics Cheat Sheet 2025 - Cyber Triage Save. This. Post. Our expert staff has compiled an up-to-date and comprehensive Windows Registry forensics cheat sheet, and it might be just what you need

Windows Registry Forensics Cheat Sheet 2025 by Cyber Triage. Potentially worth a look to check your docu against it. www.cybertriage.com/blog/windows... #DFIR #Registry

04.06.2025 06:38 👍 0 🔁 0 💬 0 📌 0

tools/qelp-ir-triage-esxi at master · cudeso/tools · GitHub Different tools, koen.vanimpe@cudeso.be . Contribute to cudeso/tools development by creating an account on GitHub.

Tool for triage & analysis of ESXi logs:
- Combined timeline of Bash activity, logons and user activity
- Timeline of logon events by type, along with a user/IP logon timeline
- Summary of Bash history, network-tool usage and newly created users

github.com/cudeso/tools... #DFIR #Logs #esxi

03.06.2025 07:02 👍 0 🔁 0 💬 0 📌 0

iOS Unified Logs: The Myth of 30 Days Retention In this article, I explain how to use the log stats command to quickly learn more about a .logarchive and the unified logs it contains. I show how to read the main statistics using the command log stats, what TTL (Time To Live) really means, and why it’s so important for digital forensics. I also highlight a few inconsistencies in how Apple presents these statistics, and how to work around them.

"iOS Unified Logs: The Myth of 30 Days Retention - Analysis of TTLs and log stats Command" ->
www.ios-unifiedlogs.com/post/ios-uni... #DFIR #iOS #logs

06.05.2025 19:15 👍 0 🔁 1 💬 0 📌 0

Scouting a Threat Actor

Censys on a C2 server called the “SCOUT PROJECT”: censys.com/blog/scoutin... #DFIR

02.05.2025 10:36 👍 0 🔁 0 💬 0 📌 0

The Impact of Microsoft’s ReFS on DFIR | by Mat Cyb3rF0x Fuchs | Apr, 2025 | Medium A New File System, New Forensic Challenges

"The Impact of Microsoft’s ReFS on DFIR" -> comparing NTFS evidence with ReFS. What stays, what changes and what will be gone. Recommended read! medium.com/@mathias.fuc... #DFIR #ReFS #NTFS #FileSystems

23.04.2025 20:44 👍 1 🔁 0 💬 0 📌 0

Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking - Check Point Research Research by: hasherezade Key Points Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purpose...

My new blog for CPR: introducing Waiting Thread Hijacking - a remote process injection technique targeting waiting threads: research.checkpoint.com/2025/waiting... #ProcessInjection

14.04.2025 18:17 👍 15 🔁 10 💬 3 📌 0

Daily Blog #805: Mount That Thing! | Hacking Exposed Computer Forensics Blog A hacking exposed blog about computer and digital forensics and techniques, exposed dfir incident response file systems journaling by David Cowen

Sounds very handy:
"Mounting disk images (E01 or raw)
Handling LVM volumes
Automatically identifying and mounting partitions
...
All mount operations are performed read-only, with noexec and other conservative options to preserve evidence integrity."

www.hecfblog.com/2025/04/dail... #DFIR #Linux

12.04.2025 12:14 👍 0 🔁 1 💬 0 📌 0

Next noteworthy #breach incoming? Reading some chatter that there are claims of #checkpoint being breached by #coreinjection.
#dfir #threatintel

31.03.2025 08:26 👍 0 🔁 0 💬 0 📌 0

The 2024 Volatility Plugin Contest results are in! Results from the 12th Annual Volatility Plugin Contest are in! We received 6 submissions, from 6 different countries, that included 7 plugins, a Linux profile generation tool, and 9 supporti…

We are excited to announce that the @volatilityfoundation.org #PluginContest First Place winner is:

Valentin Obst for btf2json

Read the full Contest Results:
volatilityfoundation.org/the-2024-vol...

Congrats to all winners & thank you to all participants!
#DFIR #memoryforensics

28.03.2025 13:54 👍 4 🔁 5 💬 1 📌 0

Hunting-Queries-Detection-Rules/Entra ID/DetectSuspiciousFociTokenLogins.md at main · HybridBrothers/Hunting-Queries-Detection-Rules · GitHub The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior - HybridBrothers/Hunting-Queries-Detecti...

Detect suspicious FOCI token logins:
The included description includes an explanation of what FOCI tokens are and why a hunt might be useful. Nice work!

https://github.com/HybridBrothers/Hunting-Queries-Detection-Rules/blob/main/Entra%20ID/DetectSuspiciousFociTokenLogins.md
#DFIR #BlueTeam #KQL

28.03.2025 05:16 👍 0 🔁 0 💬 0 📌 0

Detecting Bincrypter Linux Malware Obfuscation A new Linux script from THC will encrypt and obfuscate any executable or script to hide from on-disk detection. It then launches the code in a way to not leave traces on the disk as a fileless attack.

Detecting Bincrypter Linux Malware Obfuscation
https://www.linkedin.com/pulse/detecting-bincrypter-linux-malware-obfuscation-craig-rowland-dzewc #DFIR #Linux #BlueTeam

27.03.2025 06:57 👍 0 🔁 0 💬 0 📌 0

MALoney (It's in the name): OneDrive Microsoft.FileUsageSync.db I recently started to look into the Microsoft.FileUsageSync.db . The database can be found in %localappdat...

I started exploring OneDrive’s FileUsageSync.db. There is some useful information on files shared via email, Teams, etc… that may not be in the user’s OneDrive.

https://malwaremaloney.blogspot.com/2025/02/onedrive-microsoftfileusagesyncdb.html

21.02.2025 17:53 👍 0 🔁 2 💬 0 📌 0

I just came across email information in one of the OneDrive databases. Sender, recipients, subject, mailbox, attachments, etc…
Pretty much everything except the body. More to come. 🤔 #DFIR

19.02.2025 04:13 👍 3 🔁 1 💬 0 📌 0