DFIR field manual. Digital forensics and incident response. Command and syntax reference for active work.
01 Concepts
    foundations, tooling, attacker tradecraft awareness
02 Acquisition
    evidence collection, imaging, hashing, write blockers
03 Recovery
    deleted data, file carving, slack space, stego
    sub-pages: Steganography Tools
04 Windows
    registry, MFT, prefetch, event logs, artefacts
    sub-pages: WMIC | RegRipper | Sysmon Filters
05 Linux
    ext4, /var/log, journal, audit, mount images
06 Memory
    memory dumps, volatile data, anti-forensics, rootkits
07 Malware
    static + dynamic analysis, RE, YARA
    sub-pages: x86 Assembly
08 Network
    pcap, NetFlow, traffic analysis, protocols
    sub-pages: tshark | Arkime CLI
09 Remediation
    hardening, response actions, configuration changes
10 Reporting
    incident response report templates and structure
99 Appendix
    reference data, no commands
    sub-pages: tmux