Posted 2026-04-20 by Andrew Prince · 10 min read
A common misconception about threat hunting is that its purpose is to surface adversaries hiding in your environment. That's one possible outcome, and in a healthy program, it's the rarest of the three.
Tags: threat-hunting, detection-engineering, soc, defense
Posted 2026-04-10 by Andrew Prince · 1 min read
Parser for the Windows 11 Start Menu's CBS subsystem. Extracts forensic artifacts from the MicrosoftWindows.Client.CBS package: Start Menu search history, cached Bing queries, and application launch counts.
Posted 2025-07-31 by Andrew Prince · 7 min read
Quick-reference PowerShell commands for triage and evidence collection during live-response investigations.
Tags: powershell, incident-response, cheatsheet
Posted 2025-03-17 by Andrew Prince · 14 min read
A working reference of the Windows event IDs of interest during triage, grouped by the investigative question they answer.
Tags: windows, event-logs, incident-response, cheatsheet
Posted 2025-02-03 by Andrew Prince · 1 min read
Welcome. If you're reading this, I'm online! I'm Andrew Prince, and this is my corner of the internet for writing about digital forensics and incident response. I've been meaning to stand up this blog for a while. Publishing notes privately…
Tags: meta