{
  "version": 1,
  "pages": [
    {
      "id": "PA62hDvcDEqLPxtJpvnU",
      "title": "Windows Memory Forensics",
      "pathname": "/dfir-notes",
      "siteSpaceId": "sitesp_5m3b4",
      "description": "Windows memory forensics plays a vital role in incident response and digital forensics. Here are the primary purposes and benefits."
    },
    {
      "id": "mXgICabxu7KPlv5cgHs0",
      "title": "Windows Registry Forensics",
      "pathname": "/dfir-notes/windows-registry-forensics",
      "siteSpaceId": "sitesp_5m3b4",
      "description": "In this section I am going to talk about the important aspects of the Windows Registry."
    },
    {
      "id": "tFhsR94r4dxo4Akzna39",
      "title": "Windows Registry Forensics with RegRipper",
      "pathname": "/dfir-notes/windows-registry-forensics-with-regripper",
      "siteSpaceId": "sitesp_5m3b4"
    },
    {
      "id": "5KbIJtFJMRr2ZkFRYdV0",
      "title": "Windows PowerShell Forensics",
      "pathname": "/dfir-notes/windows-powershell-forensics",
      "siteSpaceId": "sitesp_5m3b4"
    },
    {
      "id": "HYhGpd2jhkuVJBapMyni",
      "title": "Incident Response Eventhoods",
      "pathname": "/dfir-notes/incident-response-eventhoods",
      "siteSpaceId": "sitesp_5m3b4"
    },
    {
      "id": "aZxq5LQ9XBxMot8M7UZL",
      "title": "Incident Response Splunk Filters",
      "pathname": "/dfir-notes/incident-response-splunk-filters",
      "siteSpaceId": "sitesp_5m3b4"
    },
    {
      "id": "loiy3lXTceZqi71IY3dO",
      "title": "LNK Files (Shortcut Files) Forensics",
      "pathname": "/dfir-notes/lnk-files-shortcut-files-forensics",
      "siteSpaceId": "sitesp_5m3b4",
      "description": ""
    },
    {
      "id": "STLMxCXp0ZRBHRWnT3jf",
      "title": "Jump List Forensics",
      "pathname": "/dfir-notes/jump-list-forensics",
      "siteSpaceId": "sitesp_5m3b4",
      "description": "Jump Lists are Windows artifacts that track recently or frequently accessed files and applications."
    },
    {
      "id": "EeLXDHypkbYglZRo58Oj",
      "title": "Prefetch Files Forensics",
      "pathname": "/dfir-notes/prefetch-files-forensics",
      "siteSpaceId": "sitesp_5m3b4",
      "description": ""
    },
    {
      "id": "dxdCBfHKy4pEitdVtc4X",
      "title": "Living off the Land Binaries (LOLBins)",
      "pathname": "/dfir-notes/living-off-the-land-binaries-lolbins",
      "siteSpaceId": "sitesp_5m3b4"
    },
    {
      "id": "WvjTha2jPLFPELrCkQuT",
      "title": "COM (Component Object Model)",
      "pathname": "/dfir-notes/com-component-object-model",
      "siteSpaceId": "sitesp_5m3b4"
    },
    {
      "id": "lHUokUOcoQQcdSZdzjHe",
      "title": "Key Email Headers for SOC Analysts and DFIR",
      "pathname": "/dfir-notes/key-email-headers-for-soc-analysts-and-dfir",
      "siteSpaceId": "sitesp_5m3b4",
      "description": ""
    },
    {
      "id": "WLnpX6p1jIJAYT77elY1",
      "title": "Distributed Component Object Model (DCOM)",
      "pathname": "/dfir-notes/distributed-component-object-model-dcom",
      "siteSpaceId": "sitesp_5m3b4"
    },
    {
      "id": "0ik8QLzSSCVI14n0Bjj9",
      "title": "Legitimate Windows Processes",
      "pathname": "/dfir-notes/legitimate-windows-processes",
      "siteSpaceId": "sitesp_5m3b4",
      "description": "Here is a list of legitimate Windows processes, their typical paths, purposes, and why attackers might target or impersonate them. This overview simplifies the information for better understanding."
    },
    {
      "id": "6M8bowaZo8znInpxk3fc",
      "title": "UserAssist Keys",
      "pathname": "/dfir-notes/userassist-keys",
      "siteSpaceId": "sitesp_5m3b4",
      "description": "The UserAssist key contains ROT13-encoded information about the executable files and links that a user has opened, including run counts and last-run times."
    },
    {
      "id": "xvJfg4EE7yuDF3e4hezq",
      "title": "Application Compatibility Cache (Shim Cache)",
      "pathname": "/dfir-notes/application-compatibility-cache-shim-cache",
      "siteSpaceId": "sitesp_5m3b4",
      "description": "The Shim Cache (AppCompatCache) tracks executables that Windows has checked for application-compatibility issues, whether or not they needed a shim. It is kept in memory and only written to the registry (SYSTEM hive) at shutdown or reboot, so a live system's registry copy lags behind what is in memory."
    },
    {
      "id": "YxF3zJPzytas5LwJ0rzi",
      "title": "CIDSizeMRU",
      "pathname": "/dfir-notes/cidsizemru",
      "siteSpaceId": "sitesp_5m3b4",
      "description": "The CIDSizeMRU registry key (under ComDlg32) tracks applications that have used the common Open/Save dialog, together with the dialog's size and position."
    },
    {
      "id": "2iFJ6Fm8cRjfendzzXdF",
      "title": "Start Menu Run MRUs",
      "pathname": "/dfir-notes/start-menu-run-mrus",
      "siteSpaceId": "sitesp_5m3b4",
      "description": "The RunMRU registry key tracks the commands that have been typed into the Start menu Run dialog (Win+R)."
    },
    {
      "id": "xY3uQ7CbGKdvW0Xhkbn8",
      "title": "MUI Cache",
      "pathname": "/dfir-notes/mui-cache",
      "siteSpaceId": "sitesp_5m3b4",
      "description": "The MUI (Multilingual User Interface) Cache is used by Windows to store metadata about programs, specifically the friendly names of executables and their associated paths, for display in the user interface."
    },
    {
      "id": "Er3fVXkq3lgeJC0cGzcG",
      "title": "BAM (Background Activity Moderator)",
      "pathname": "/dfir-notes/bam-background-activity-moderator",
      "siteSpaceId": "sitesp_5m3b4",
      "description": "The Background Activity Moderator (BAM) is a Windows service introduced in Windows 10 (version 1709). BAM controls the activity of background applications and records, per user SID, the full path and last execution time of programs, which makes it valuable evidence of execution."
    },
    {
      "id": "a2lgSABhFHeNSXUf2SKO",
      "title": "SRUM (System Resource Usage Monitor)",
      "pathname": "/dfir-notes/srum-system-resource-usage-monitor",
      "siteSpaceId": "sitesp_5m3b4"
    },
    {
      "id": "qsGVmYPmRt59pXtNkY7V",
      "title": "Master File Table (MFT), NTFS, $LogFile, and $UsnJrnl: Forensics",
      "pathname": "/dfir-notes/master-file-table-mft-ntfs-usdlogfile-and-usdusnjrnl-forensics",
      "siteSpaceId": "sitesp_5m3b4"
    },
    {
      "id": "bzOzuNAQ1uM7o0f9aX6R",
      "title": "🔹 Windows System Processes",
      "pathname": "/dfir-notes/windows-system-processes",
      "siteSpaceId": "sitesp_5m3b4",
      "description": "Understanding parent-child process relationships is crucial for system monitoring, malware analysis, and forensic investigations. Here are some important processes and their typical parent-child"
    },
    {
      "id": "dSSdAjVxWil2610Ui3Wk",
      "title": "Linux Memory Forensics",
      "pathname": "/dfir-notes/linux-forensics",
      "siteSpaceId": "sitesp_Aw9tw",
      "description": "Linux memory forensics plays a vital role in incident response and digital forensics. Here are the primary purposes and benefits."
    },
    {
      "id": "LCuYiejxzIw3vNLL0E6Q",
      "title": "Linux Forensics Logs",
      "pathname": "/dfir-notes/linux-forensics/linux-forensics-logs",
      "siteSpaceId": "sitesp_Aw9tw",
      "description": "Investigating Linux logs helps you find the threat and supports incident response. Here are the main logs on a Linux system."
    },
    {
      "id": "ChHoLDAPSYeMjWsiH3EE",
      "title": "Linux Forensics Directories",
      "pathname": "/dfir-notes/linux-forensics/linux-forensics-logs/linux-forensics-dirs",
      "siteSpaceId": "sitesp_Aw9tw",
      "description": "Linux directories are organized in a hierarchical structure, starting from the root directory /. Each directory serves a specific purpose and is essential for the operating system's functionality. Her",
      "breadcrumbs": [
        {
          "label": "Linux Forensics Logs"
        }
      ]
    },
    {
      "id": "5B2dz83fuoM3IBCIbrMB",
      "title": "Linux Forensics Commands",
      "pathname": "/dfir-notes/linux-forensics/linux-forensics-commands",
      "siteSpaceId": "sitesp_Aw9tw"
    },
    {
      "id": "yC1IPPTgEhB2Jr5nUsRK",
      "title": "Linux Forensics Tools",
      "pathname": "/dfir-notes/linux-forensics/linux-forensics-tools",
      "siteSpaceId": "sitesp_Aw9tw"
    },
    {
      "id": "Zceej2Em2li4yxCbt9n3",
      "title": "AWS Log Forensics",
      "pathname": "/dfir-notes/aws-cloud-forensics",
      "siteSpaceId": "sitesp_VP7Of",
      "description": "AWS provides a wide range of logs to assist in forensic investigations. Each log type captures specific details about activities, resources, and configurations in your AWS environment. Here is a break"
    },
    {
      "id": "oL1WE5upWsv30Jre5feV",
      "title": "Network Forensics with Wireshark",
      "pathname": "/dfir-notes/network-forensics",
      "siteSpaceId": "sitesp_TFoEh"
    },
    {
      "id": "mciui6kdJDByO5XQFm7c",
      "title": "Network Forensics with Brim (Zui)",
      "pathname": "/dfir-notes/network-forensics/network-forensics-with-brim-zui",
      "siteSpaceId": "sitesp_TFoEh",
      "description": ""
    },
    {
      "id": "aJU7V9qlIM2SzsUJTk1C",
      "title": "Threat Intelligence",
      "pathname": "/dfir-notes/threat-intelligence",
      "siteSpaceId": "sitesp_UH7Aa"
    },
    {
      "id": "an6vqoPH8sq25sN3EL0k",
      "title": "Kerberos Authentication Process",
      "pathname": "/dfir-notes/active-directory",
      "siteSpaceId": "sitesp_rMo8H",
      "description": ""
    },
    {
      "id": "a9tbM9u2Q9YfWdwyopKu",
      "title": "Understanding LSASS, Kerberos, and NTDS.dit: Key Components in Windows Security",
      "pathname": "/dfir-notes/active-directory/understanding-lsass-kerberos-and-ntds.dit-key-components-in-windows-security",
      "siteSpaceId": "sitesp_rMo8H",
      "description": ""
    },
    {
      "id": "uFC02LOxEtg9TQj9SnRd",
      "title": "Google Cloud Platform (GCP) Forensics with GoogleCloudHunt Lab on Cyber Defender",
      "pathname": "/dfir-notes/google-cloud-platform-gcp-forensics",
      "siteSpaceId": "sitesp_E7BvA"
    },
    {
      "id": "0TfXlYMi4DFffPqr50bg",
      "title": "Timestomp Challenge - EG-CTF 2025 Forensics Write-up",
      "pathname": "/dfir-notes/timestomp-challenge-eg-ctf-2025-forensics-write",
      "siteSpaceId": "sitesp_gHrbd",
      "description": ""
    },
    {
      "id": "u5xThQqIF1dB3AcAZOYl",
      "title": "TNKR.2 Challenge - EG-CTF 2025 Forensics Write-up",
      "pathname": "/dfir-notes/tnkr.2-challenge-eg-ctf-2025-forensics-write-up",
      "siteSpaceId": "sitesp_ofktA"
    }
  ]
}