Digital forensics and incident response (DFIR)¶
Picture this: Your organisation’s server starts moonlighting as a poltergeist—files vanish, logins appear from “DefinitelyNotHackersVPN.biz”, and your firewall’s last message was “lol. reboot me.” Enter DFIR (Digital Forensics & Incident Response), the art of playing cyber-Sherlock while pretending you’re not in a panic.
Hackers leave trails. Your job? Follow their digital banana peels (misconfigured logs, that one unpatched server, or Dave’s “password123” experiment). It is equal parts archaeology (“Why is there a backdoor from 2012?”) and damage control (“No, CEO, the ransomware probably won’t tweet from your account”).
Where to start? Dive into TryHackMe’s DFIR guided learning rooms (easy), Cyber Defenders Realistic investigations (intermediate) or Root-Me challenges (hard).
- Jottings on DFIR techniques
- Playbook development examples
- TryHackMe rooms
- TryHackMe DFIR rooms
- A Windows server
- Organisation X desktop
- Standard Collector Analysis (Redline)
- IOC Search Collector (Redline)
- IOC Search Collector Analysis (Redline)
- Endpoint investigation (Redline)
- Leaking private company data (again) (Autopsy)
- Windows 10 disk image (Autopsy)
- Acceptable Use Policy violation (KAPE)
- BOB! THIS ISN’T A HORSE! (Volatility)
- That Kind of Hurt my Feelings (Volatility)
- Hunt for a nightmare (Volatility)
- Android malware analysis (Pithus and jadx)
- iOS forensics (SQLiteDB)
- Puzzles @Cyberdefenders
- Root-me forensics challenges
(Footnote: 83% of "advanced persistent threats" are just bored teenagers. The rest are Dave.)
Pro tip: Memorise the phrase “It’s always DNS” for instant credibility.
