AnyDesk is a commonly abused, but legitimate RMM tool. Learn about the artifacts left behind and how to investigate AnyDesk abuse.

Investigate BITS jobs and identify the event logs and database associated with this!

Learn about the various artifacts created to help investigate lateral movement via RDP on both the source and target system

Identify the important Windows Event logs to hunt RDP lateral movement, both from the source and target system.

Investigate the puzzle pieces of RDP bitmap cache and how to stitch these together to get the (sorta) full picture.

What are the Windows Defender MP logs? What information do they contain and how can we use them in an investigation?

Learn what the SUM UAL database is and how it can help make or break DFIR analysis.

Learn how to take a triage image of a *nix based system using the UAC tool.

Learn how to respond and investigate a compromised Google Workspace user.

Learn some quick wins to minimize malicious script execution.

Learn the mystery of the Amcache artifact and how to use it in your DFIR cases

Learn what Shimcache is, how to analyze it, and why it's misunderstood.

Learn how to investigate a compromised web server and the logs that exist to assist in your analysis.

Learn how to identify what programs were executed during an incident with the Prefetch artifact

During an Incident Response (IR) engagement, I'm often asked what artifacts I look at for analysis. Sure, Event Logs are fantastic, the...

Learn the basics of AWS investigations and the logs that exist.

Learn why visibility is everything when responding to an incident.

We've all heard of "Link" or "LNK" files, right? You want a faster way to open your favorite game, document or application without need...