DFIR Questions, How-Tos

Not long ago, I finished up the content of my latest book, Investigating Windows Systems, and got it all shipped off to the publisher.  The purpose of this book is to go beyond my previous books; rather than listing artifacts and mentioning ways they can be used, I wanted to walk through examinations, using CTF and forensic challenge images that are available online.

A shortcoming of this approach is that it leaves a lot of topics not addressed, or perhaps not as fully addressed as they could be.  For example, of the images I used in writing my book, there were no business email compromises, and little in the way of lateral movement, etc.  There was some analysis of user activity, but for the most part, it was limited.

Back in July 2013, I had some time available, and I wrote up about a dozen “How To” blog posts covering various Windows DFIR topics.  What I’ve thought might be of value to the community is to go back to those “How To” posts, expand and extend them a bit, add coverage for Windows 10, and include them in a book.

My question to the community at large is this…what are some of the topics that should be addressed, beyond those I blogged about almost 5 years ago? 

Now, when considering these questions, or opportunities for “How To” chapters, please understand that I may not be able to address all of them.  For example, I’ve never conducted a business email compromise (BEC) investigation…as I’ve pointed out before, even in just over two decades of DFIR consulting, I haven’t seen everything, and I don’t know everything.  I also do not have access to an AD environment. 

Even so, I’d still appreciate your input, because some of the answers and thoughts I can provide may serve as building blocks for larger solutions. 

So, again…what are some DFIR analysis topics, specific to Windows systems, that provide good opportunities for “just in time” training via “How To” articles or documents?

Thanks!


Article Link: http://windowsir.blogspot.com/2018/03/dfir-questions-how-tos.html