Resources
A non-exhaustive list of resources worth checking out.
Cheatsheets
- PowerShell Incident Response Cheatsheet. Quick-reference PowerShell commands for triage and evidence collection during live-response investigations.
- Windows Event IDs for Incident Response. Windows event IDs of interest during triage, grouped by the investigative question they answer.
- SANS Hunt Evil: Lateral Movement Poster (PDF). Execution artifacts left by common lateral movement techniques on Windows.
- SANS Network Forensics Poster (PDF). Overview of network forensic analysis techniques for IR, threat hunting, and traditional investigations.
- SANS Ransomware and Cyber Extortion Poster (PDF). The ransomware business ecosystem and each phase of a typical extortion attack.
- SANS Windows Forensic Analysis Poster (PDF). The "Evidence of..." artifact-to-question map: where on Windows to look for evidence of execution, file access, account usage, etc.
Books
- Applied Incident Response (Steve Anson). End-to-end IR framework covering triage, acquisition, log analysis, malware analysis, threat hunting, etc.
- The Art of Memory Forensics (Ligh, Case, Levy, and Walters). The definitive guide to volatile memory analysis across Windows, Linux, and Mac.
- The DFIR Investigative Mindset (Brett Shavers). On investigative methodology and how to think like an examiner, regardless of tools.
- File System Forensic Analysis (Brian Carrier). The definitive reference on volume and file system internals.
- Windows Registry Forensics (Harlan Carvey). The most in-depth guide to forensic investigations involving the Windows Registry.
Tooling
- SIFT Workstation. SANS-curated Ubuntu distribution preloaded with open-source incident response and forensic tools.
- Sysinternals. Microsoft's suite of Windows internals utilities, including Process Explorer, Autoruns, Sysmon, etc.
- Velociraptor. Endpoint visibility and DFIR platform.
- FTK Imager. Free disk imaging and evidence preview utility from Exterro.
- Arsenal Recon. Arsenal Image Mounter and other utilities for mounting forensic images and shadow copies and for accessing registry artifacts.
- Magnet Forensics. Commercial forensics vendor with a range of free utilities (Encrypted Disk Detector, RAM capture, etc.) alongside its paid platform.
- KAPE. Kroll Artifact Parser and Extractor: targeted collection and parsing of forensic artifacts, built on Eric Zimmerman's tools.
- Eric Zimmerman's Tools. Windows artifact parsing at scale (Registry, Prefetch, Jump Lists, etc.).
- Plaso. Python backend behind log2timeline for building super timelines from many artifact sources.
- Chainsaw. Fast Windows event log hunting using Sigma rules and built-in detection signatures.
- Hayabusa. Fast-forensics and threat hunting tool for Windows event logs, with Sigma rule support.
- Didier Stevens Suite. Python tools for analyzing PDFs, Office documents, OLE streams, shellcode, and suspicious binaries.
Threat intelligence
- The DFIR Report. Detailed intrusion case studies with full attack chains, TTPs, and artifacts observed in the wild.
- Palo Alto Unit 42. Threat research covering APT reporting, ransomware analysis, and novel vulnerabilities.
- CISA Known Exploited Vulnerabilities. Authoritative catalog of vulnerabilities known to be actively exploited in the wild.
- LOLBAS (LOTL). Windows binaries, scripts, and libraries that attackers abuse for living-off-the-land techniques.
- GTFOBins (LOTL). Unix binaries that can be abused to bypass local security restrictions, escalate privileges, or spawn shells.
- LOOBins (LOTL). macOS counterpart to LOLBAS, cataloging built-in binaries attackers use for stealthy operations.
- LOTS Project (LOTL). Catalog of legitimate trusted sites abused for C2, phishing, exfiltration, and payload hosting.
Blogs
- Windows Incident Response. Harlan Carvey's long-running blog on Windows incident response, registry forensics, and analyst methodology.
- OSDFIR. Open source DFIR tooling updates and guidance, covering Plaso, Timesketch, GRR, Turbinia, and related projects.
- Brett Shavers' Blog. Commentary on investigative methodology, digital forensics practice, and career development from the author of several DFIR books.
- DFIR Philosophy. Posts on investigative mindset, analyst development, and the craft of DFIR.
- Forensic IT Guy. Tony Lambert's blog on malware analysis, reverse engineering, and threat research.