55 entries
Forensics & IR
- $UsnJrnl ($J): The NTFS Update Sequence Number change journal that records every file-system operation, giving forensic investigators a high-resolution timeline of file creation, modification, and deletion.
- Amcache.hve: A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows.
- Anti-Forensics: Techniques used by attackers or privacy-conscious actors to obstruct, delay, or defeat digital forensic investigations.
- Artifact Analysis: The examination of digital traces left by operating systems and applications to reconstruct user actions, program execution, and attacker behavior.
- Autopsy: Open-source digital-forensics platform developed by Brian Carrier and Basis Technology that provides a graphical front end to The Sleuth Kit and a rich set of analysis modules.
- Bulk Extractor: An open-source, parallelized forensic tool by Simson Garfinkel that streams through disk images, memory dumps, and arbitrary binary blobs to extract structured artifacts — emails, URLs, credit-card numbers, network packets — without first parsing a filesystem.
- Cellebrite UFED: A family of mobile-forensics products from Israeli vendor Cellebrite that extract, decode and analyze data from smartphones, drones, SIMs and other devices.
- Chain of Custody: The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
- Cloud Forensics: Forensic investigation of cloud-hosted infrastructure, applications, and SaaS services, working with provider APIs, audit logs, and ephemeral resources.
- dd (Raw Disk Image): A flat, bit-for-bit copy of a storage device produced by the Unix dd utility (or compatible tools), without compression, metadata or per-block hashing.
- DFIR (Digital Forensics and Incident Response): A combined discipline that fuses digital forensic investigation with incident response to detect, contain, eradicate, and learn from cyber incidents.
- Digital Forensics: The scientific discipline of identifying, preserving, analysing, and reporting on digital evidence from computers, networks, and devices in a legally defensible way.
- Disk Forensics: The analysis of non-volatile storage media — HDDs, SSDs, USB drives — to recover, examine, and interpret file-system, application, and operating-system artefacts.
- E01 (EnCase Evidence) Image Format: A forensic disk image format originally introduced by Guidance Software for EnCase, storing acquired data in compressed, segmented files with embedded metadata and checksums.
- EnCase: A commercial digital-forensics product family from OpenText (originally Guidance Software) widely used by law-enforcement and corporate investigators since the late 1990s.
- Eric Zimmerman's EZ Tools: A free suite of Windows DFIR command-line and GUI tools by Eric Zimmerman for parsing common forensic artifacts and building timelines.
- Evidence Acquisition: The defensible collection of digital evidence from systems, networks, and cloud services, using forensically sound tools and procedures.
- File Carving: A forensic technique that recovers files from unallocated space or raw data by recognizing file signatures, headers, and footers without relying on filesystem metadata.
- Forensic Hash Verification: The practice of computing and comparing cryptographic hashes (typically MD5 and SHA-256) of forensic images and source media to prove evidence integrity.
- Forensic Imaging: Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.
- Forensic Readiness: An organization's prepared capability to collect, preserve, and analyze digital evidence with minimal disruption when an incident or legal matter arises.
- Forensic Toolkit: Generic term for a collection of validated hardware, software and procedures that a digital-forensics examiner uses to acquire, preserve and analyse evidence.
- FTK: Forensic Toolkit (FTK) is a commercial digital-forensics suite developed by AccessData and now owned by Exterro, used to acquire, index and analyse computer evidence.
- GrayKey: A dedicated hardware-and-software appliance from Grayshift (now Magnet Forensics) used by law enforcement to unlock and extract data from locked iOS and Android devices.
- hiberfil.sys: The compressed Windows hibernation file that stores a near-complete snapshot of physical memory at hibernation time, providing forensic access to RAM contents from a powered-off system.
- Incident Response: The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
- Incident Response Plan: A documented, approved playbook that defines how an organisation prepares for, detects, contains, eradicates, recovers from, and learns from cyber incidents.
- Jump Lists: Per-application history files keyed by Windows AppID that record the recent files and tasks a user opened, providing strong evidence of file access tied to a specific program.
- KAPE (Kroll Artifact Parser and Extractor): A Windows triage tool from Kroll that collects forensic artifacts from live systems or images and then runs parser modules to produce ready-to-review output.
- Log Analysis: The systematic review of system, application, and security logs to detect, investigate, and reconstruct security-relevant events.
- Magnet AXIOM: A commercial DFIR platform from Magnet Forensics that ingests disk, mobile and cloud sources, parses artifacts and presents them in a unified review interface.
- Malware Analysis: The structured study of a malicious sample to understand its functionality, origin, indicators of compromise, and impact on affected systems.
- Memory Forensics: The discipline of acquiring and analysing a system's volatile RAM to reveal running processes, network connections, injected code, and in-memory artefacts.
- MFT (Master File Table): The core NTFS metadata structure that stores one 1024-byte record per file or directory on a volume, anchoring nearly all Windows file-system forensics.
- Mobile Forensics: The forensic acquisition and analysis of smartphones, tablets, and wearables to extract communications, app data, location, and other artefacts.
- Network Forensics: The capture, recording, and analysis of network traffic and metadata to investigate security events and reconstruct adversary activity.
- Order of Volatility: The acquisition priority defined by RFC 3227 that requires forensic responders to collect the most ephemeral evidence first, before it is overwritten or lost.
- pagefile.sys: The Windows virtual-memory swap file on the system volume that can contain fragments of process memory, including credentials, keys, command lines, and decrypted payloads.
- Plaso: Open-source Python tool created by Kristinn Gudjonsson that automatically extracts timestamps from many sources to build a 'super timeline' for forensic analysis.
- Prefetch Files: Windows .pf files in C:\Windows\Prefetch that record process startup data and provide strong forensic evidence that an executable ran on a system.
- Preservation of Evidence: The forensic discipline of protecting digital evidence from alteration, loss, or contamination so it remains admissible and reliable throughout an investigation.
- RegRipper: An open-source Windows registry forensics tool by Harlan Carvey that runs plug-in 'extractors' over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest.
- Reverse Engineering: The process of disassembling and analyzing compiled software, firmware, or hardware to recover its design, behavior, and inner workings.
- Shellbags: Registry keys that store per-user Windows Explorer folder-view settings and serve as forensic evidence that a specific user viewed a specific folder, including removable and network paths.
- Shimcache (AppCompatCache): A Windows registry value that tracks executable metadata for application-compatibility checks; historically used as execution evidence, with important interpretation caveats.
- Steganalysis: The forensic discipline of detecting, and where possible extracting, hidden information embedded within seemingly innocuous files using steganography.
- Tabletop Exercise: A discussion-based simulation in which stakeholders walk through a hypothetical cyber incident to test plans, roles, decisions, and communication.
- The Sleuth Kit: An open-source library and collection of command-line tools for low-level analysis of disk images and file systems, maintained by Brian Carrier.
- Timeline Analysis: A forensic technique that reconstructs the chronological sequence of events on a system by correlating timestamps from files, logs, and other artifacts.
- Velociraptor: An open-source endpoint-visibility and DFIR platform — originally by Mike Cohen, now Rapid7-stewarded — that uses the VQL query language to hunt, collect artifacts, and respond live across fleets of Windows, Linux, and macOS hosts.
- Volatility Framework: Open-source memory forensics framework originally created by Aaron Walters and the Volatility Foundation for extracting digital artefacts from volatile memory (RAM) images.
- Windows Event Log Analysis: The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.
- Windows Registry Analysis: The forensic examination of Windows Registry hives to recover configuration data, user activity, and evidence of program execution or persistence.
- Write Blocker: A hardware or software tool that permits read access to a storage device while preventing any write operations that could alter evidence.
- X-Ways Forensics: A commercial Windows-based digital forensics suite by X-Ways AG, known for its speed, low system footprint, hex-level visibility, and broad filesystem support — a long-running mainstay of European law-enforcement and corporate DFIR labs.