🤖
@jwdfir
Cybersecurity | DFIR | Malware Analysis
Joined October 2022
236 Following, 8 Followers
23 posts
🤖 retweeted
Pen Test Partners @PenTestPartners
⏳ Two weeks to go until PTP Cyber Fest 2026. Day one starts with a scenario no organisation wants to face, but every organisation needs to be ready for. Our Ken Munro and Joseph Williams will be joined by Nick Holland from @Shoosmiths on our DFIR Panel, looking behind the scenes during a ransomware incident. The panel will cover the technical investigation, legal considerations, and the key decisions organisations need to make under pressure. 📍 The Fox Pub 📅 Tuesday 2nd and Wednesday 3rd June 🔗 View the full agenda and register for free here: events.rantcommunity.com/CyberFest2026#/ #CyberFest2026 #DFIR #Ransomware #IncidentResponse #PenTestPartners #RANTCommunity
0
1
4
141
🤖 retweeted
Pen Test Partners @PenTestPartners
AI in DFIR has a confidence problem. In our latest blog post, @jwdfir looks at why investigator judgement matters so much. He covers how easy it is to latch onto the wrong thing early in an investigation, why context is what turns artefacts into evidence, and what it actually takes to build a clear picture of what happened. He also puts AI to the test. Using event logs from a real DFIR challenge, he shows how an LLM produced a confident answer that still got key parts wrong. That is the risk. AI can assist in DFIR, but a confident answer is not the same as a correct one. 📌Read here: pentestpartners.com/security-blog/… #DigitalForensics #IncidentResponse #CyberSecurity #AI
0
4
5
460
🤖 @jwdfir
@IntCyberDigest Lol that Cellebrite Touch is about 15 years out of date
0
0
0
62
International Cyber Digest @IntCyberDigest
🚨 BREAKING: The FBI has successfully extracted deleted Signal messages from a suspect's iPhone via notification storage, the place where all your notifications are stored for up to one month. Notification storage stores data from all messaging apps; it's a big flaw in iOS. But there's a way to turn it off...
455
4.7K
24.7K
6.3M
🤖 retweeted
DFIR Diva @DfirDiva
📣 I partnered with @13CubedDFIR for another giveaway! 🎁 🏆 Five winners will receive a 13Cubed course of their choice from the list below + a Forensicator T-Shirt.

13Cubed Courses:
- Investigating Windows Endpoints
- Investigating Windows Memory
- Investigating Linux Devices
- Investigating macOS Endpoints

Each course comes with a Certificate of Completion as well as Certification attempts! On April 25th, entries across social media platforms will be combined, and the five winners will be selected.

To Enter: ✅ Like ✅ Share ✅ Comment which course you want to win the most

For more information ⬇️ Link to 13Cubed Training: training.13cubed.com 13Cubed Merch Store: shop.13cubed.com #DFIR #DigitalForensics #IncidentResponse
159
156
257
16.8K
DFIR Diva @DfirDiva
📣 I partnered with @13CubedDFIR for a Valentine's Day Giveaway! 🎁 🏆 1 Grand Prize winner will receive one course of their choice from the list below + a 13Cubed Investigator T-Shirt.

Courses:
- Investigating Windows Endpoints
- Investigating Windows Memory
- Investigating macOS Endpoints
- Investigating Linux Devices

Each course comes with a Certificate of Completion as well as Certification attempts. 👕 5 winners will receive 13Cubed Investigator T-Shirts.

To Enter: ✅ Like ✅ Comment with the name of the course you want to win ✅ Repost

On Valentine's Day (February 14th, 2026) entries from across three social media platforms will be combined and winners will be selected.

For more info check out: 13Cubed Courses: training.13cubed.com Certification Information: training.13cubed.com/certifications T-Shirts: shop.13cubed.com #DFIR #DigitalForensics #IncidentResponse
168
157
255
19.1K
🤖 retweeted
Pen Test Partners @PenTestPartners
We investigated a macOS infostealer variant that, at the time, had not been recorded in the wild. Delivered via a single copy and paste terminal command disguised as a Homebrew installer, the malware harvested credentials, staged user data, and attempted exfiltration using only native macOS tooling. Network egress controls prevented data loss and contained the incident to one host. This case shows how quickly modern infostealers can operate without noisy tooling or exploits. Read the full breakdown of the fastest growing malware category in 2025 here: 📌 pentestpartners.com/security-blog/… #CyberSecurity #DFIR #ThreatResearch #MalwareAnalysis #macOSSecurity
0
4
7
465
🤖 @jwdfir
@T3chFalcon The AI slop is strong with this one
0
0
0
116
IT Guy @T3chFalcon
Renaming a file is not OPSEC. Windows keeps a permanent diary called Amcache. It doesn't just trust the filename you typed. It extracts metadata from the binary's Version Resource (VS_VERSIONINFO). Rename payload.exe to homework.pdf.exe if you want. If the developer didn't strip the metadata, Windows logs the Original Filename anyway.

But it gets worse. Amcache is the ultimate backup:
- Ghost Execution: You deleted the file? We still have the SHA1 Hash. We know exactly what malware ran even if the disk is clean.
- Anti-Forensics Trap: Cleared your Prefetch? Almost nobody wipes the Amcache hive. An empty Prefetch + full Amcache = Proof of Intent.
- The Time Machine: It logs the exact second of First Execution and the Compile Date.

Location: C:\Windows\AppCompat\Programs\Amcache.hve

You changed the name. Windows kept the identity. 💀
24
128
1.3K
80.4K
IT Guy @T3chFalcon
Let me blow your mind real quick: When you use Remote Desktop (RDP), Windows secretly takes screenshots of what you are doing. It's called the RDP Bitmap Cache. To make the connection faster, Windows saves small tiles (images) of the remote screen to your hard drive in a bin file.

Even if the session is over and the remote server is destroyed... your laptop still holds the cache files. Forensics teams use tools like BMCViewer to stitch those tiles back together. They won't just see logs but the literal email, document, or picture you were looking at. 💀
174
1.6K
13.7K
846.6K
DFIR Diva @DfirDiva
📢 I partnered with @13CubedDFIR for another giveaway! 🎁 🏆 1 winner will receive a 13Cubed Investigator T-Shirt + the XPlat Bundle Complete which includes the following four courses:
- Investigating Windows Endpoints
- Investigating Windows Memory
- Investigating macOS Endpoints
- Investigating Linux Devices

Each course comes with a Certificate of Completion as well as Certification attempts. 👕 5 winners will receive 13Cubed Investigator T-Shirts. The T-shirts have the 13Cubed logo on the front and "Digital Forensics Investigator" on the back.

To Enter: Like, Comment, and Repost

On December 7th, entries from across three social media platforms will be combined and winners will be selected.

For more info check out: XPlat Bundle Complete: training.13cubed.com/xplat-bundle-c… Certification Information: training.13cubed.com/certifications T-Shirts: shop.13cubed.com #DFIR #DigitalForensics #IncidentResponse
264
265
400
32.7K
🤖 retweeted
Pen Test Partners @PenTestPartners
Attackers abuse Discord webhooks for lightweight C2, but what does the cache leave behind? In our latest blog post, Joseph Williams shows that a simple PowerShell beacon can send files and exfiltrate data to a Discord channel. But what's in the cache? Attachments, thumbnails, and webhook URLs? We have released a Discord Forensic Suite with a CLI parser and a GUI tool. It builds HTML and CSV timelines to reconstruct Discord activity after messages and files are deleted. 📌 Read here: pentestpartners.com/security-blog/… #DFIR #DFIRTools #DigitalForensics #DiscordSecurity #WebhookAbuse #C2 #Cybersecurity
0
3
7
820
🤖 retweeted
John Hammond @_JohnHammond
A threat actor installed Huntress. ... a hysterical mistake on their part, giving us first-hand insight to their tooling, workflow & routine. Phishing infra, stealer logs, Telegram+dark web sites, AI... Hilarious goldmine of cybercrime deets with a front row seat: huntress.com/blog/rare-look…
70
246
1.5K
287.6K
whitehats @wh1t3h4ts
Guess the cybersecurity tool
9
5
67
8.7K
🤖 retweeted
Pen Test Partners @PenTestPartners
Deleted a folder? Shellbags is the accessory you need... They’re one of the most valuable forensic artifacts for tracing user activity in Windows, even if the folders are gone. This blog post by our @jwdfir walks through how Shellbags work, how to analyse them with tools like ShellBags Explorer, and what they reveal about user navigation through local, external, and network locations. If you're in DFIR, this is one artifact you don't want to miss. 📌 Read the blog: pentestpartners.com/security-blog/… #DFIR #DigitalForensics #WindowsForensics #IncidentResponse #Shellbags #CyberSecurity #ForensicAnalysis
0
3
3
363
🤖 retweeted
Pen Test Partners @PenTestPartners
A critical vulnerability in old Telerik software gave an attacker remote code execution on an SFTP-only Windows server. That meant they didn’t need credentials, antivirus didn’t trigger, and default log sizes meant almost nothing useful was captured. From there? PowerShell exclusions, admin account created, RDP tunnelled in via Ngrok, ransomware deployed. They even opened Pornhub either to cover traffic or celebrate the moment. Who knows? This attack wasn’t subtle. But it worked because basic controls were missing. 📌pentestpartners.com/security-blog/… We’ve broken down the incident. Plus, recommendations you can act on now to prevent the same thing. #CyberSecurity #IncidentResponse #Ransomware #ThreatDetection #DigitalForensics #InfoSec
0
3
7
530
DFIR Diva @DfirDiva
📢 I partnered with @13CubedDFIR for another giveaway! 🎁 Their Investigating macOS Endpoints course just launched, and one person from X will win the new course!

Course content includes:
- Introduction to macOS
- macOS Logs
- macOS File Systems
- macOS Core Forensic Artifacts
- Persistence Mechanisms
- Evidence Collection
- Timelining
- Analyzing a Compromised System

Certification attempts are also included!

To Enter: Like, Repost, and Leave a Comment

A winner will be chosen June 22nd, 2025! Link to the course: training.13cubed.com/investigating-… #DFIR #DigitalForensics #IncidentResponse
89
88
142
10K
🤖 retweeted
Pen Test Partners @PenTestPartners
Our latest blog post looks at a recent investigation where a threat actor used RDP to access a file server, steal data, and delete key logs to hide what they had done. But they missed one thing, the bitmap cache... Over 8,000 screen fragments were pulled and put back together, showing what was on screen, including open tools, folders, usernames and even passwords. Joseph Williams explains how analysts use the bitmap cache, BMC Tools and RDP Cache Stitcher to rebuild activity and find evidence when other sources are gone. Read here: pentestpartners.com/security-blog/… #digitalforensics #incidentresponse #rdpforensics #antiforensics #dfir #cybersecurity
0
3
5
456