Andrew Rathbun

1.3K posts

@bunsofwrath12

Husband, Father, #DFIR @ Unit 42, Digital Forensics Discord Admin, AboutDFIR Contributor, Author, #USMC Veteran, Former LE, NHL Fan, Dark Mode, Animals, Music

Michigan, United States · Joined September 2013
722 Following · 2.9K Followers
Andrew Rathbun retweeted
Detroit Red Wings@DetroitRedWings·
GOLDEN 🥇🇺🇸
Andrew Rathbun retweeted
13Cubed@13CubedDFIR·
We just issued our 500th 13Cubed certification! 🎉 Learn more at 13cubed.com/certs. All Windows, Linux, and macOS courses include certification attempts at no extra cost, allowing you to demonstrate real-world practical application of forensic investigative techniques. 🏅
Andrew Rathbun retweeted
13Cubed@13CubedDFIR·
Windows forensics is essential—but don’t overlook Linux or macOS. These platforms are steadily gaining ground in enterprise environments. Make sure you have the skills you need to investigate them too! youtube.com/watch?v=_D6oHm…
Andrew Rathbun retweeted
Nextron Research ⚡️@nextronresearch·
We analyzed the top 500 most successful THOR rules – “successful” meaning: they detected samples that were either ignored or missed by nearly all AV engines on VirusTotal. Some rules detect clear malware. Others reveal dual-use tools, renamed hacktools, misused admin binaries, or forensic leftovers. Most of these samples showed 0 AV detections, the rest only minimal hits. Not all threats are payloads. Not all detections are flashy. But these rules consistently light up the blind spots in AV and EDR coverage – where attackers hide comfortably. THOR doesn’t replace existing tools. It shows you what they forgot to tell you. nextron-systems.com/2025/06/18/the…
Andrew Rathbun retweeted
13Cubed@13CubedDFIR·
🎉 Big news! Investigating macOS Endpoints is now live—plus our new *NIX Bundle and XPlat Bundle Complete (all 13Cubed courses in one package). Thanks for patiently waiting! Dive in now 👉 training.13cubed.com #DFIR #macOS #Linux
Andrew Rathbun retweeted
Florian Roth ⚡️@cyb3rops·
I recommend this if you’re tired of doomscrolling X or chasing updates across a dozen security slacks. If you’re into good old RSS feeds or just want a weekly blog-style summary of what happened in DFIR, check out "This Week in 4n6" by @phillmoore & @hexplates, a human-curated, no-BS roundup: thisweekin4n6.com
Andrew Rathbun retweeted
13Cubed@13CubedDFIR·
🎉 Happy Friday! Two quick updates: Investigating macOS Endpoints and related bundles are now open for waitlisting! 👉 13cubed.com 13Cubed Merch Store is LIVE with fresh designs and premium shirts! 👉 shop.13cubed.com
Andrew Rathbun@bunsofwrath12·
@nas_bench Very much appreciate your work on this to provide a better frontend for the data. I use the repo all the time
Nasreddine Bencherchali@nas_bench·
@bunsofwrath12 Thanks! It's sad we don't have but I'm planning to make use of the data we have even more and let people filter down and have some amazing stats.
Andrew Rathbun retweeted
Nasreddine Bencherchali@nas_bench·
Introducing 🚀Eventlog Compendium 🚀 A new Streamlit app that aims to be the go-to resource for understanding and playing with Windows Event Logs. Explore it 👉 eventlog-compendium.streamlit.app Includes the following utilities and docs:
⚙️ Build your own Advanced Audit Policy based on different data points, making your policy data driven.
🧭 EventID to Audit Policy mapping, as well as a MITRE ATT&CK to Event ID explorer.
📊 Leveraging the EVTX-ETW-Resources project, you can explore the different ETW providers by build and version and filter down on key message strings.
📄 EVTX Baseline Search & Match - Explore the evtx-baseline project in a visual way, where you can paste logs and check if they match in real time.
🧮 Event Field Decoder - Decode common Windows Security Event fields such as Logon Types, Access Masks, Active Directory GUIDs and SIDs.
🔒 Built-in SACL Explorer - leveraging SACL Scanner from Alexander DeMine, you can explore the built-in SACLs on a Windows system.
And much more to come. Stay tuned
Andrew Rathbun retweeted
13Cubed@13CubedDFIR·
It's time for a new 13Cubed episode covering a very obscure evidence of execution artifact. youtube.com/watch?v=edJa_S… Enjoy! #DFIR
Andrew Rathbun retweeted
Kevin 🤖🕵️🍺@KevinPagano3·
Good news: The Hitchhiker's Guide to DFIR book v1.5 has been released, thanks to Eli Woodward for contributing Chapter 15, "2023 from a Cyber Threat Intelligence Perspective". Grab a copy of the book at the link below; it's free! #DFIR leanpub.com/TheHitchhikers…
Andrew Rathbun@bunsofwrath12·
@KevinPagano3 Also, something like EditPad Pro or similar to slice and dice it to something more manageable.
Kevin 🤖🕵️🍺@KevinPagano3·
Suggestions on software to open 10+GB CSV files?
Andrew Rathbun retweeted
Eric Zimmerman@EricRZimmerman·
Do you like EZTools? Do you like up to date runtimes? Well, I have news for you... All EZ Tools are now available as net9 executables! Get-ZimmermanTools has been updated to support this, but net6 is still the default to give people time to transition. Within a few months, net9 will be the default and the net6 versions will be no more. I also added documentation on how to build self-contained executables, so you do not even need the runtime installed at all. ericzimmermanstools.com Enjoy!
Eric Zimmerman@EricRZimmerman·
Damn you penguins. How many two goal leads you gonna blow?