Announcing the DFIR Labs Digital Forensics Challenge - Enterprise Edition! This isn't another textbook simulation. We're giving your team exclusive access to a brand-new, unreleased case from a real incident.
When: August 30, 2025 (14:00 – 18:00 UTC)
Choose your SIEM: Azure Log Analytics, Elastic, or Splunk.
Your Squad: Form a team of 2-3 analysts.
The Glory: Solve the case, claim bragging rights, and win prizes for the top team!
Spaces are limited. Assemble your elite team and register now to secure your spot!
Register Here: https://dfirlabs.thedfirreport.com/dfirchallenge-enterprise-edition
Understanding tool limitations is just as important as knowing tool capabilities, especially when what you need to find is not there and you expected it to be.
Sometimes you have to align it just right...
I am trying to learn Rust. Any good practical tutorial, book, anything, possibly with forensics- or malware-related stuff? I need some practicals along with the theory ...
There's some cool sounding training on its way from @circl
CIRCL - Virtual Summer School (VSS) 2025
And now a classic of the genre.
Yup. Go figure.
DEU:
Yesterday I had a conversation with a fellow student who completed the B.Eng. in IT Forensics together with me 1.5 years ago.
A trained application developer (FI AE), has been working for a huge bank forever. Then did the degree on his own initiative out of interest. Graduated with one of the best results of the year.
He turned to me because a neighbour's PC (Win 10, about 10 years old) no longer boots.
He was completely flabbergasted when I told him to pull the HDD, put it in a USB dock and copy the data off.
"Then the password-protected users don't matter at all!!!"
Then I was flabbergasted that he had zero clue about this. After 8 semesters of IT forensics studies plus FIAE.
That's why all the students always dropped out of our job postings. Usually an FISI (IT systems integration specialist) landed the position and was then trained in forensics internally.
If you can't even install/remove a graphics card or RAM, the whole degree often doesn't help. IT forensics degree programmes need more hands-on practice. Fundamentals!
ENG:
Yesterday I had a conversation with a fellow student who did the IT-Forensics B.Eng. together with me.
Trained application developer, working for a huge bank for years. Studied on his own initiative because he was interested. Got one of the best degrees of the year.
He contacted me because a neighbor's PC (Win 10, approx. 10 years old) no longer booted.
He was completely flabbergasted when I told him to remove the HDD, USB dock and then access the data.
“Then the password-protected users won't matter at all!!!”
This flabbergasted me. He had no idea. An IT Forensics B.Eng. knows nothing. After 8 semesters.
That's why all the students always dropped out at our recruitment tests, and usually an experienced IT technician got the job and was then trained internally in IT forensics.
If you can't even install/remove a graphics card or RAM your degree means nothing.
Many university programs (in IT forensics) lack the basics. This has to change.
Friday fun Linux DFIR challenge!
I'm processing a bunch of data with the following shell code:
for file in *.zip; do
    targetdir=$(echo $file | sed 's,-C.*,,')
    echo ===== $targetdir
    mkdir -p working
    cd working
    unzip -qq ../$file
    tar zxf uploads/file/*.tar.gz
    mv '[root]/var/lib/jenkins/logs/slaves' ../../dirs/$targetdir
    cd ..
    rm -rf working
done
What does this code do?
Can you identify the tool(s) that produced the input files I'm working with?
How would you improve this code?
Hope everybody has a great weekend!
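One way to answer the "how would you improve this code?" question, as an added example that is not the poster's own script: the same job (strip the "-C…" suffix to get a target name, unpack the zip, unpack the inner tarball, move the jenkins logs/slaves tree into dirs/<target>) rewritten so that every path is quoted, each archive gets its own scratch directory, the inner layout is checked before anything is moved, and an existing target directory is never silently nested into. The input layout is the one the post shows; the output root "dirs" is the post's default; target_dir_for, process_zip and process_all are names chosen here.

```shell
#!/bin/sh
# Added example: a hardened rewrite of the loop in the post above (not the poster's code).
# Assumed input layout, taken from the post: each .zip contains uploads/file/<x>.tar.gz,
# which in turn contains [root]/var/lib/jenkins/logs/slaves.
set -eu

work=
trap 'rm -rf "${work:-}"' EXIT       # scratch dir is removed even if a step fails

# Name of the output directory for one archive: the file name with everything from the
# first "-C" onward removed (same rule as the original sed 's,-C.*,,'), done with
# parameter expansion instead of an unquoted "echo | sed" pipeline.
target_dir_for() {
    name=${1##*/}                     # drop any leading path component
    printf '%s\n' "${name%%-C*}"
}

# Unpack one archive into a private scratch directory and move the collected
# "slaves" log tree to "$dest/<target>". No cd, so relative paths never shift.
process_zip() {
    zip=$1; dest=$2
    target=$(target_dir_for "$zip")
    if [ -e "$dest/$target" ]; then   # the original mv would nest into an existing dir
        echo "refusing to overwrite existing $dest/$target" >&2
        return 1
    fi
    work=$(mktemp -d)                 # unique per archive, never a shared "working"
    unzip -qq "$zip" -d "$work"
    set -- "$work"/uploads/file/*.tar.gz
    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        echo "expected exactly one inner tarball in $zip" >&2
        rm -rf "$work"; work=; return 1
    fi
    tar xzf "$1" -C "$work"
    slaves="$work/[root]/var/lib/jenkins/logs/slaves"   # quoted: "[root]" is a glob otherwise
    if [ ! -d "$slaves" ]; then
        echo "missing jenkins logs/slaves tree in $zip" >&2
        rm -rf "$work"; work=; return 1
    fi
    mkdir -p "$dest"
    mv "$slaves" "$dest/$target"
    rm -rf "$work"; work=
}

# Process every .zip in the current directory into "$1" (default: dirs).
process_all() {
    outroot=${1:-dirs}
    case $outroot in /*) ;; *) outroot=$PWD/$outroot ;; esac   # absolute, so it is stable
    for zip in ./*.zip; do
        [ -e "$zip" ] || { echo "no .zip files in $PWD" >&2; return 1; }
        echo "===== $(target_dir_for "$zip")"
        process_zip "$zip" "$outroot"
    done
}

# Usage: sh this_script.sh --run [output-root]
if [ "${1:-}" = --run ]; then process_all "${2:-dirs}"; fi
```

The refusal to overwrite an existing target is the behavioural change worth noting: in the original, a second archive for the same host moves its slaves tree inside the first one's directory instead of replacing it, which is easy to miss when the loop's only output is the "=====" banner.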
My previous intro post was a few years old, so behold, new intro post:
Mike. Live in the Seattle area having grown up in the UK as a full blown British. Have a wife (incredible), child (boy), and three dogs (golden retriever/cream retriever/fuck knows).
I work in information security, something I have done for about 20 years. By day I run corporate security, enterprise IT and various other bits and pieces for an EV charging startup. I am big into EV's and currently drive one that is not a Tesla. I want an electric motorbike, so if anyone has a spare one please send it.
I also have a company of my own, Secure Being (https://securebeing.com), which does pen testing and digital forensic work - it's my way of staying super hands on while still doing the management bits on the career path.
I have written books about information security things. Five of them. Two are non-fiction textbooks, and three are fiction based on real world #infosec things. Check out https://infosecdiaries.com and your local bookstore to find them, just search for my name. I have been trying to write more stuff, but always seem to find myself distracted by other things, such as work. linktr.ee/secureowl has some mini stories I've written.
I love radio and everything RF. I have lots of antennas and various scanners and radios on my desk. I love intercepting and decoding things, like digital radio protocols.
I am a big aviation nerd. I always wanted to be a commercial pilot. I gained my private pilot's licence in the UK at 17, all self funded by my employment at the local Safeway/Morrisons store. I did the sim test and commercial assessments, but for some reason, at 18, I was unable to find the £100k needed to complete the commercial training, so I did computers. But do not worry, because those computers and love of aviation and radio/RF combined, and I run a project called ACARS Drama. https://acarsdrama.com has all the details.
I play guitar and am a big guitar/audio nerd as well. I record music under the moniker Operation: Anxiety, https://operationanxiety.com - the music is on all the normal places.
Finally, I am a massive fan of motorsport. I believe I have watched every F1 race for the last 30 years, maybe 25. I also follow F2, FE, Indycar and MotoGP closely. I average around 18 hours of Le Mans 24 hour racing watching per year.
So there you have it. If you are looking for a thought leader on the topics mentioned above, you've come to the wrong place - because this is where I shitpost, and shitposting is cheap therapy.
New release: FlowIntel 1.6.0 — an open-source case management tool — now with extended support for importing MISP events as cases, a timeline view for attributes, a new templating system for notes, and many other new features!
https://github.com/flowintel/flowintel/releases/tag/1.6.0
https://github.com/flowintel/flowintel
#opensource #threatintel #threatintel #dfir #cti #misp #flowintel
Thanks to @davcru for the continuous work on the project and all the new contributors.
Linux systems unable to reach out to internet behind pfsense while Windows work fine.
I am trying to set up my #homelab for #forensics and I have encountered a very weird issue. I am running an internal pfsense #firewall for my environment. On this firewall there are 3 interfaces: WAN and two Isolated Labs.
On the "WAN" interface, both #linux and windows systems are able to access the internet without any problems.
But on the other two LANs - named Infrastructure and Lab - the Linux systems are not able to connect to the internet after booting, while the systems are able to communicate with each other. In order to get them working I need to go to the respective interface, make any change there and save the page, practically refreshing the settings on the interface. After this all currently online Linux systems on that interface are working as expected and connectivity is restored. As you can imagine this is a huge pain, especially when I am testing things and I need to turn on various systems at different times. If I put the systems on the WAN interface they face no issue at all, so what could be the solution here for fixing connectivity for Linux systems on the other interfaces?
edit: the issue is present on both pfsense 2.7.2 and 2.8.0
#ALEAPP update, new parsers for DuckDuckGo:
Bookmarks
Favorite Sites
Web Browser History
Open Tabs
Updates to Tab Thumbnails
Big thanks to Damien Attoe for the contributions! #DFIR
Download : https://github.com/abrignoni/ALEAPP
Another tool I use is #NetworkMiner
It is a powerful open-source tool for #NetworkForensics that lets me extract artifacts such as files, images, e-mails and passwords from PCAP files. NetworkMiner can also capture live network traffic and aggregate detailed information about each IP address, which is useful for passive asset discovery and overviews of communicating devices.
Since 2007, NetworkMiner has grown into a popular tool for incident response teams and law enforcement agencies and is used worldwide.
For me it is an indispensable tool for analysing network data efficiently and precisely.
Just noticed CVE-2025-1829, an RCE in the mtkhnatEnable parameter of /cgi-bin/cstecgi.cgi on TOTOLINK devices, being actively exploited.
Exploitation started on 23/03 though, which is ~3 weeks after the vuln became public?
Techno Security & Digital Forensics Conference 2025 is done!
What a great week of learning, networking, and fun. Till next year!
"The remote endpoints it attempted to contact included several TryCloudflare domains as well as direct IP addresses.
The logic would rotate through the various servers until an online host was found. The malware in this case took 15 minutes to establish a successful connection to an online endpoint at hxxp://bristol-weed-martin-know[.]trycloudflare[.]com/init1234."
The above is from a recent Private Threat Brief: "Interlock-Linked Threat Actor Gains Access via Fake Teams ClickFix Lure"
Interested in receiving reports like this one? Contact us for a demo or pricing - https://thedfirreport.com/contact/
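The two behaviours quoted from the brief above (contact with TryCloudflare hostnames, and a client cycling through several unreachable endpoints before one answers) are both visible in ordinary egress logs. As an added example that is not part of the report or the post, the filter below reads lines of the constructed form "<timestamp> <source-host> <destination> <OK|FAIL>" and reports source hosts that matched either pattern; the log format, the sample lines, the hostname in them and the flag_egress name are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the report or the post: a triage filter over constructed
# proxy/DNS egress log lines for the two behaviours described in the quoted brief.
set -eu

# Constructed sample lines (not real telemetry): "<timestamp> <source-host> <destination> <OK|FAIL>".
# ws17 fails against three distinct addresses, then reaches a trycloudflare.com hostname;
# ws02 has one ordinary failure and should not be flagged.
SAMPLE_LOG='2025-06-01T10:00:01 ws17 203.0.113.10 FAIL
2025-06-01T10:01:02 ws17 203.0.113.11 FAIL
2025-06-01T10:02:03 ws17 203.0.113.12 FAIL
2025-06-01T10:15:04 ws17 constructed-words-here.trycloudflare.com OK
2025-06-01T10:00:05 ws02 updates.example.net OK
2025-06-01T10:00:06 ws02 cdn.example.net FAIL'

# flag_egress [min_fails]
# Reads log lines on stdin and prints "<host> <reason>" for every source host that either
# contacted a trycloudflare.com subdomain or failed against min_fails (default 3) or more
# distinct destinations, which is the "rotate until one is online" pattern.
flag_egress() {
    awk -v min="${1:-3}" '
        NF < 4 { next }                                        # skip malformed lines
        tolower($3) ~ /\.trycloudflare\.com$/ { tcf[$2] = 1 }
        $4 == "FAIL" && !seen[$2 SUBSEP $3]++ { fails[$2]++ }  # distinct failing destinations per host
        END {
            for (h in tcf)   print h, "trycloudflare-contact"
            for (h in fails) if (fails[h] >= min) print h, "endpoint-rotation"
        }' | sort
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | flag_egress
```

The hostname rule is the precise one; the rotation rule is a heuristic and will also catch hosts behind a flapping proxy or a broken DNS resolver, so treat it as a prioritisation signal to be read together with the first rule and the time between attempts, not as a verdict on its own.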