# DFIR-Notes

## Windows Forensics

- [Windows Memory Forensics](https://mahmoud-shaker.gitbook.io/dfir-notes/windows-memory-forensics.md): Windows memory forensics plays a vital role in incident response and digital forensics. Here are the primary purposes and benefits
- [Windows Registry Forensics](https://mahmoud-shaker.gitbook.io/dfir-notes/windows-registry-forensics.md): In this section I am going to talk about the important aspects of the Windows Registry
- [Windows Registry Forensics with RegRipper](https://mahmoud-shaker.gitbook.io/dfir-notes/windows-registry-forensics-with-regripper.md)
- [Windows PowerShell Forensics](https://mahmoud-shaker.gitbook.io/dfir-notes/windows-powershell-forensics.md)
- [Incident Response Eventhoods](https://mahmoud-shaker.gitbook.io/dfir-notes/incident-response-eventhoods.md)
- [Incident Response Splunk Filters](https://mahmoud-shaker.gitbook.io/dfir-notes/incident-response-splunk-filters.md)
- [LNK Files (Shortcut Files) Forensics](https://mahmoud-shaker.gitbook.io/dfir-notes/lnk-files-shortcut-files-forensics.md)
- [Jump List Forensics](https://mahmoud-shaker.gitbook.io/dfir-notes/jump-list-forensics.md): Jump Lists are Windows artifacts that track recently or frequently accessed files and applications
- [Prefetch Files Forensics](https://mahmoud-shaker.gitbook.io/dfir-notes/prefetch-files-forensics.md)
- [Living off the Land Binaries (LOLBins)](https://mahmoud-shaker.gitbook.io/dfir-notes/living-off-the-land-binaries-lolbins.md)
- [COM (Component Object Model)](https://mahmoud-shaker.gitbook.io/dfir-notes/com-component-object-model.md)
- [Key Email Headers for SOC Analysts and DFIR](https://mahmoud-shaker.gitbook.io/dfir-notes/key-email-headers-for-soc-analysts-and-dfir.md)
- [Distributed Component Object Model (DCOM)](https://mahmoud-shaker.gitbook.io/dfir-notes/distributed-component-object-model-dcom.md)
- [Legitimate Windows Processes](https://mahmoud-shaker.gitbook.io/dfir-notes/legitimate-windows-processes.md): Here is a list of legitimate Windows processes, their typical paths, purposes, and why attackers might target them. This overview simplifies the information for better understanding.
- [UserAssist Keys](https://mahmoud-shaker.gitbook.io/dfir-notes/userassist-keys.md): The UserAssist key contains information about the executable files and links that you open frequently.
- [Application Compatibility Cache (Shim Cache)](https://mahmoud-shaker.gitbook.io/dfir-notes/application-compatibility-cache-shim-cache.md): The Shim Cache tracks executables that require compatibility settings to run properly. It's stored in memory and only written to the cache during system shutdown.
- [CIDSizeMRU](https://mahmoud-shaker.gitbook.io/dfir-notes/cidsizemru.md): The CIDSizeMRU registry key tracks the size and position of the File Explorer screen.
- [Start Menu Run MRUs](https://mahmoud-shaker.gitbook.io/dfir-notes/start-menu-run-mrus.md): The RunMRUs registry key tracks the applications that have been previously executed through the Start menu.
- [MUI Cache](https://mahmoud-shaker.gitbook.io/dfir-notes/mui-cache.md): The MUI (Multilingual User Interface) Cache is used by Windows to store metadata about programs, specifically the names of executables and their associated paths, to display them in the user interface
- [BAM (Background Activity Moderator)](https://mahmoud-shaker.gitbook.io/dfir-notes/bam-background-activity-moderator.md): The Background Activity Moderator (BAM) is a Windows service introduced in Windows 10. BAM tracks the activity of background applications and provides valuable forensic data.
- [SRUM (System Resource Usage Monitor)](https://mahmoud-shaker.gitbook.io/dfir-notes/srum-system-resource-usage-monitor.md)
- [Master File Table (MFT), NTFS, $LogFile, and $UsnJrnl: Forensics](https://mahmoud-shaker.gitbook.io/dfir-notes/master-file-table-mft-ntfs-usdlogfile-and-usdusnjrnl-forensics.md)
- [Windows System Processes](https://mahmoud-shaker.gitbook.io/dfir-notes/windows-system-processes.md): Understanding parent-child process relationships is crucial for system monitoring, malware analysis, and forensic investigations. Here are some important processes and their typical parent-child

## Linux Forensics

- [Linux Memory Forensics](https://mahmoud-shaker.gitbook.io/dfir-notes/linux-forensics/linux-memory-forensics.md): Linux memory forensics plays a vital role in incident response and digital forensics. Here are the primary purposes and benefits
- [Linux Forensics Logs](https://mahmoud-shaker.gitbook.io/dfir-notes/linux-forensics/linux-forensics-logs.md): Investigating Linux logs helps you find the threat and supports incident response; here are the main logs for Linux
- [Linux Forensics dirs](https://mahmoud-shaker.gitbook.io/dfir-notes/linux-forensics/linux-forensics-logs/linux-forensics-dirs.md): Linux directories are organized in a hierarchical structure, starting from the root directory /. Each directory serves a specific purpose and is essential for the operating system's functionality. Her
- [Linux Forensics Commands](https://mahmoud-shaker.gitbook.io/dfir-notes/linux-forensics/linux-forensics-commands.md)
- [Linux Forensics Tools](https://mahmoud-shaker.gitbook.io/dfir-notes/linux-forensics/linux-forensics-tools.md)

## AWS Cloud Forensics

- [AWS Log Forensics](https://mahmoud-shaker.gitbook.io/dfir-notes/aws-cloud-forensics/aws-log-forensics.md): AWS provides a wide range of logs to assist in forensic investigations. Each log type captures specific details about activities, resources, and configurations in your AWS environment. Here is a break

## Network Forensics

- [Network Forensics with Wireshark](https://mahmoud-shaker.gitbook.io/dfir-notes/network-forensics/network-forensics-with-wireshark.md)
- [Network Forensics with Brim (Zui)](https://mahmoud-shaker.gitbook.io/dfir-notes/network-forensics/network-forensics-with-brim-zui.md)

## Threat Intelligence

- [Threat Intelligence](https://mahmoud-shaker.gitbook.io/dfir-notes/threat-intelligence/threat-intelligence.md)

## Active Directory

- [Kerberos Authentication Process](https://mahmoud-shaker.gitbook.io/dfir-notes/active-directory/kerberos-authentication-process.md)
- [Understanding LSASS, Kerberos, and NTDS.dit: Key Components in Windows Security](https://mahmoud-shaker.gitbook.io/dfir-notes/active-directory/understanding-lsass-kerberos-and-ntds.dit-key-components-in-windows-security.md)

## Google Cloud Platform (GCP) Forensics

- [Google Cloud Platform (GCP) Forensics with GoogleCloudHunt Lab on Cyber Defender](https://mahmoud-shaker.gitbook.io/dfir-notes/google-cloud-platform-gcp-forensics/google-cloud-platform-gcp-forensics-with-googlecloudhunt-lab-on-cyber-defender.md)

## Timestomp Challenge - EG-CTF 2025 Forensics Write-up

- [Timestomp Challenge - EG-CTF 2025 Forensics Write-up](https://mahmoud-shaker.gitbook.io/dfir-notes/timestomp-challenge-eg-ctf-2025-forensics-write/timestomp-challenge-eg-ctf-2025-forensics-write-up.md)

## TNKR.2 Challenge — EG-CTF 2025 Forensics Write-up

- [TNKR.2 Challenge — EG-CTF 2025 Forensics Write-up](https://mahmoud-shaker.gitbook.io/dfir-notes/tnkr.2-challenge-eg-ctf-2025-forensics-write-up/tnkr.2-challenge-eg-ctf-2025-forensics-write-up.md)
