Digital Forensic Survival Podcast

Listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more.

DFSP # 480 Hidden risks of nested groups 04/29/2025

DFSP # 480 Hidden risks of nested groups This week, I’m talking about nested groups in Windows Active Directory and the security risks they pose. Active Directory allows administrators to attach one group to another—often called nesting. While nesting can simplify account administration and permission management, it can also create real opportunities for attackers if... /episode/index/show/digitalforensicsurvivalpodcast/id/35585835

DFSP # 479 Scan, Score, Secure 04/22/2025

DFSP # 479 Scan, Score, Secure One of the essential skill sets for a DFIR analyst is the ability to understand the impact of vulnerabilities quickly. In many IR scenarios, you may find a newly discovered vulnerability or receive a scan that flags multiple potential weaknesses. To stay efficient, you must... /episode/index/show/digitalforensicsurvivalpodcast/id/35585830

DFSP # 478 SRUM 04/15/2025

DFSP # 478 SRUM This week, we’re exploring the System Resource Usage Monitor (SRUM) – a powerful source of forensic data within Windows operating systems. First introduced... /episode/index/show/digitalforensicsurvivalpodcast/id/35585820

DFSP # 477 SSH Triage 04/08/2025

DFSP # 477 SSH Triage In this episode, our focus is on understanding how attackers achieve lateral movement and persistence through Secure Shell (SSH)—and more importantly, how to spot the forensic traces... /episode/index/show/digitalforensicsurvivalpodcast/id/35585815

DFSP # 476 Service Host 04/01/2025

DFSP # 476 Service Host In this episode, we’ll take a focused look at how to triage one of the most commonly targeted Windows processes: svchost.exe. While the methods in this series generally apply to all Windows core processes, svchost is an especially important case because attackers... /episode/index/show/digitalforensicsurvivalpodcast/id/35585810

DFSP # 475 - Set the tone 03/25/2025

DFSP # 475 - Set the tone Ransomware attacks move quickly, making your initial response crucial in minimizing impact. This episode outlines critical first steps, from isolating infected machines to gathering key information and initiating containment. Whether you’re a SOC analyst, incident responder, or the first to notice an attack, this framework is designed to help you regain control. Follow these guidelines to effectively mitigate the damage from the very start. /episode/index/show/digitalforensicsurvivalpodcast/id/35300385

DFSP # 474 - Meta Paradise 03/18/2025

DFSP # 474 - Meta Paradise Today’s episode explores Apple Spotlight and its extended metadata—a powerful yet often overlooked forensic tool in the Mac ecosystem. Spotlight plays a critical role in uncovering digital evidence on macOS. Both experienced forensic analysts and newcomers will find its capabilities essential. Let’s dive into the details. /episode/index/show/digitalforensicsurvivalpodcast/id/35300375

DFSP # 473 - Why all the BINs 03/11/2025

DFSP # 473 - Why all the BINs BIN directories (short for binary) store command binaries like CD, PWD, LS, Vi, and CAT. Every platform has multiple BIN directories: two in the root directory and two in each user directory. This episode explains the types of files in these directories and the purpose of each BIN directory. I will also clarify which directories are typically used by users versus those used by the root user. /episode/index/show/digitalforensicsurvivalpodcast/id/35300365

DFSP # 472 - Windows Usual Suspects 03/04/2025

DFSP # 472 - Windows Usual Suspects Modern Windows systems use a tightly coordinated sequence of core processes to establish secure system and user environments. DFIR investigators and incident responders must understand the interrelationships between processes such as Idle, SMSS, CSRSS, WININIT, and WINLOGON. Recognizing expected behaviors and anomalies in these steps is crucial for detecting potential system compromises. This episode demystifies the Windows 10/11 process flow and provides context for effective triage and analysis. /episode/index/show/digitalforensicsurvivalpodcast/id/35300350

DFSP # 471 Mac Persistence 02/25/2025

DFSP # 471 Mac Persistence Today we’re talking all about MacOS AutoRun locations and how to spot persistence mechanisms. We’ll explore the ins and outs of property list files, launch daemons, system integrity protections, and the recent changes in macOS that can impact your forensic examinations... /episode/index/show/digitalforensicsurvivalpodcast/id/34879865

DFSP # 470 The Windows Taskhosts 02/18/2025

DFSP # 470 The Windows Taskhosts This week I'm talking about the three task hosts. These are Windows core files, and they share not only similar names, but similar functionality. Because of this, there is the potential for confusion, which may allow an attacker to leverage these similarities and mask they are malware. My goal in this episode is to demystify the three different task hosts, and provide the necessary insight for proper triage if any of these files come up during your investigations. /episode/index/show/digitalforensicsurvivalpodcast/id/34879840

DFSP # 469 Network Blocked Activity 02/11/2025

DFSP # 469 Network Blocked Activity Today’s episode is all about Windows event logs that record blocked network connections. Blocked network events are interesting because they might signal that an attacker’s secondary or tertiary toolset isn’t working as intended. That’s good news from a security standpoint... /episode/index/show/digitalforensicsurvivalpodcast/id/34879820

DFSP # 468 Data Brokers & Ransomware 02/04/2025

DFSP # 468 Data Brokers & Ransomware Today I cover an evolving threat in the cybersecurity world: data brokers. From a computer forensics standpoint, this threats pose unique challenges. While breaches capture headlines, data brokers play a major (and sometimes overlooked) role in fueling cybercrime. In this session, we will explore how these threats operate, why they are dangerous, and how computer forensics professionals can combat them. /episode/index/show/digitalforensicsurvivalpodcast/id/34879780

DFSP # 467 CVSS in Action 01/28/2025

DFSP # 467 CVSS in Action The Common Vulnerability Scoring System (CVSS) is a powerful tool for assessing the severity and impact of security vulnerabilities. In digital forensics and incident response, CVSS scores can provide critical context to prioritize investigations and focus on the most significant risks. This episode I will explore how leveraging CVSS scoring enhances vulnerability assessments during incident response, enabling teams to make data-driven decisions. /episode/index/show/digitalforensicsurvivalpodcast/id/34348535

DFSP # 466 Malware Triage for File Types 01/21/2025

DFSP # 466 Malware Triage for File Types Understanding the behavior and characteristics of common file types used in attacks, such as executables, scripts, and document files, is essential for effective analysis. In this episode, we will explore practical approaches to triage malware, focusing on key indicators and techniques for prioritizing investigations. /episode/index/show/digitalforensicsurvivalpodcast/id/34348485

DFSP # 465 Network Permit Events 01/14/2025

DFSP # 465 Network Permit Events Windows permit events, often overlooked, offer valuable details about allowed network connections that can reveal patterns of malicious activity. In this episode, we will dive into how analyzing these events can enhance network triage, enabling security teams to detect, scope, and respond to threats more effectively. /episode/index/show/digitalforensicsurvivalpodcast/id/34348400

DFSP # 464 Risk Assessments for DFIR 01/07/2025

DFSP # 464 Risk Assessments for DFIR Security risk assessments can be a tool for guiding and prioritizing incident response investigations. By evaluating the potential impact and likelihood of various threats, these assessments provide a structured framework to identify and mitigate risks effectively. This episode will explore how integrating security risk assessments into incident response workflows enhances response strategies. /episode/index/show/digitalforensicsurvivalpodcast/id/34348340

DFSP # 463 Prefetch 12/31/2024

DFSP # 463 Prefetch This week, we’re focusing on the Windows Prefetch artifact—a cornerstone in Windows forensics, especially for user endpoint investigations. In this episode, I’ll break down the Prefetch artifact from an investigative perspective, covering how to effectively leverage its evidence in forensic analysis. I’ll also highlight any recent changes to the artifact that may impact its value, ensuring you’re aware of everything you need to know for your investigations. /episode/index/show/digitalforensicsurvivalpodcast/id/33773282

DFSP # 462 Malware Triage Part 1 12/24/2024

DFSP # 462 Malware Triage Part 1 This week, we’re exploring malware triage techniques. Unlike full binary analysis, malware triage is often seen as an essential skill that every digital forensic and incident response professional should master. In this episode, I’ll walk you through the core elements of malware triage, helping you understand the various skills needed to meet industry expectations. By the end, any analyst should feel confident in examining a binary and applying these techniques to uncover potential malicious content. /episode/index/show/digitalforensicsurvivalpodcast/id/33773257

DFSP # 461 PSEXEC 12/17/2024

DFSP # 461 PSEXEC This week, we’re diving into how to triage for PSEXEC evidence. PSEXEC leaves traces on both the source and target systems, making it essential to identify artifacts on each to determine whether a system was used as an attacker’s tool or was the target of an attack. While PSEXEC has somewhat fallen out of favor due to increased use of PowerShell for similar activities, it remains a commonly abused utility among attackers. In this episode, we’ll break down the key artifacts and methodologies for effective triage. /episode/index/show/digitalforensicsurvivalpodcast/id/33773222

DFSP # 460 Executing Linux 12/10/2024

DFSP # 460 Executing Linux Understanding how to search for executables is a critical skill in computer forensics. There are major differences in how executables are handled between Windows and Linux systems, so techniques that work on Windows won’t always translate effectively to Linux. In this episode, I’ll break down some triage techniques to help you quickly identify suspicious executables on Linux systems. /episode/index/show/digitalforensicsurvivalpodcast/id/33773182

DFSP # 459 listening ports 12/03/2024

DFSP # 459 listening ports Welcome to today’s episode! We’re diving into network triage, focusing specifically on listening ports. While we often look for active connections, identifying suspicious services listening on a port can be equally crucial in your investigation. It’s essential to gather this information for both current, real-time data and historical analysis, providing a more complete view of network activity. /episode/index/show/digitalforensicsurvivalpodcast/id/33773157

DFSP # 458 Shellbags and PCA 11/26/2024

DFSP # 458 Shellbags and PCA In this episode, we’ll dive into two essential forensic artifacts in Windows: shellbags and the Program Compatibility Assistant (PCA). Shell bags provide valuable evidence of file and folder access, offering insights into user activity and file navigation. We’ll also explore PCA, which can reveal important information about file execution history. Together, these artifacts play a crucial role in uncovering key forensic details during investigations. /episode/index/show/digitalforensicsurvivalpodcast/id/33544512

DFSP # 457 WSL 11/19/2024

DFSP # 457 WSL The Linux subsystem for Windows, create both opportunity and challenges for forensic analysts. It makes Windows an excellent platform for multi platform forensic analysis tasks, allowing it to take advantage of the many Linux tools available. The challenges are foreseeable, you have Linux artifacts, now commingled on a Windows platform, which makes forensic analysis that much more difficult when examining such a system as evidence. This week I'm going to break down the Linux subsystems for forensic investigators /episode/index/show/digitalforensicsurvivalpodcast/id/33544487

DFSP # 456 network triage primer 11/12/2024

DFSP # 456 network triage primer In this episode, we’ll explore the fundamentals of network triage, focusing on the key aspects of network traffic that are central to many investigations. Additionally, we’ll discuss some of the essential tools you can use to analyze and manage network data effectively. /episode/index/show/digitalforensicsurvivalpodcast/id/33544462

DFSP # 455 Security Control Circumvention 11/05/2024

DFSP # 455 Security Control Circumvention Today, we’re going to explore how to handle a critical security event: Unauthorized Modification of Information. This type of event occurs when a user alters information in a system—whether it’s an application, database, website, server, or configuration files—without prior authorization. These modifications can range from impersonation and unauthorized system updates to more sophisticated techniques such as SQL injections, privilege escalations, and configuration file tampering. /episode/index/show/digitalforensicsurvivalpodcast/id/33544422

DFSP # 454 MFA Bypass Attacks 10/29/2024

DFSP # 454 MFA Bypass Attacks This week I talk about the attack methods being used to bypass MFA. We'll learn about real-world cases where MFA was circumvented, and discover best practices to strengthen defenses against these types of attacks... /episode/index/show/digitalforensicsurvivalpodcast/id/32941212

DFSP # 453 Windows Startup Locations 10/22/2024

DFSP # 453 Windows Startup Locations In today’s episode, we’ll focus on startup folders, which are perhaps the easiest to triage among all persistence mechanisms. But before diving in, let’s recap the journey so far to underscore the importance of a comprehensive approach rather than a one-off tactic. Each triage area we've covered plays a crucial role in identifying and stopping attacks... /episode/index/show/digitalforensicsurvivalpodcast/id/32941187

DFSP # 452 AI and DFIR 10/15/2024

DFSP # 452 AI and DFIR In 2024, AI has not only revolutionized how we defend against cyber threats but also how those threats are being carried out. We'll explore how AI is enabling faster, more efficient security incident responses, with real-world examples of its application in automated threat detection and response, advanced forensics, and more. But with every technological leap forward, there's a dark side and attackers are harnessing AI to orchestrate sophisticated attacks... /episode/index/show/digitalforensicsurvivalpodcast/id/32941167

DFSP # 451 SQL Triage 10/08/2024

DFSP # 451 SQL Triage SQL injection poses significant risks by enabling attackers to access sensitive metadata, execute dynamic SQL commands, and alter system parameters. These actions can lead to unauthorized data access and system disruptions, especially if attackers gain elevated privileges. This week I'm talking about SQL attack patterns from a triage point of view to help you detect such activity when doing log analysis... /episode/index/show/digitalforensicsurvivalpodcast/id/32941142

Digital Forensic Survival Podcast

TOPICS