Forensics Hub

A focused space for digital forensics and incident response (DFIR): workflows, notes, and tooling used for real investigations — from disk imaging and live response to log analysis and timeline reconstruction.


DFIR Basics

  • Core methodology
    Identification, preservation, collection, analysis and reporting — staying repeatable and defensible.

  • Chain of custody
    Documenting evidence handling, who did what and when.

  • Triage vs. deep-dive
    Knowing when you just need fast answers and when a full lab workflow is required.


Disk & Imaging

  • Live vs. dead acquisition
    When to image powered-off media and when live acquisition is justified.

  • Write-blocking & hashing
    Protecting the integrity of evidence with proper write-blocking tooling and cryptographic hashes.

  • Filesystem artefacts
    Deleted files, timestamps, MFT, journal and volume shadow copies.


Memory & Live Response

  • RAM acquisition
    Capturing volatile memory on endpoints involved in an incident.

  • Process & handle analysis
    Finding suspicious processes, injected code, open sockets and loaded modules.

  • Credential & key material
    Understanding where secrets might exist in memory and how to handle them safely.


Logs & Network

  • Host logs
    Windows Event Logs, Sysmon, Linux audit logs, application logs.

  • Network traces
    PCAPs, flow data, proxy logs and DNS logs.

  • Timeline building
    Correlating host + network + application artefacts into a single incident timeline.


Tools


Forensics Articles

Below is a complete list of forensics-related posts in chronological order.


Forensics Articles & Workflows