A personal DFIR blog by Andrew Prince. Notes, research, and lessons learned from a career spent chasing adversaries.https://forensicate.net/enhttps://forensicate.net/posts/cbs-forensic-toolkit/https://forensicate.net/posts/cbs-forensic-toolkit/Parser for the Windows 11 Start Menu's CBS subsystem. Extracts forensic artifacts from the MicrosoftWindows.Client.CBS package: Start Menu search history, cached Bing queries, and application launch counts.Fri, 10 Apr 2026 00:00:00 GMTAndrew Princehttps://forensicate.net/posts/powershell-incident-response-cheatsheet/https://forensicate.net/posts/powershell-incident-response-cheatsheet/Quick-reference PowerShell commands for triage and evidence collection during live-response investigations.Thu, 31 Jul 2025 00:00:00 GMTpowershellincident-responsecheatsheetAndrew Princehttps://forensicate.net/posts/windows-event-ids-for-incident-response/https://forensicate.net/posts/windows-event-ids-for-incident-response/A working reference of the Windows event IDs of interest during triage, grouped by the investigative question they answer.Mon, 17 Mar 2025 00:00:00 GMTwindowsevent-logsincident-responsecheatsheetAndrew Princehttps://forensicate.net/posts/hello-world/https://forensicate.net/posts/hello-world/Mon, 03 Feb 2025 00:00:00 GMTmetaAndrew Prince