Changelog
Public-facing summary of changes to the DFIR-Field-Manual. Date-grouped, tool-neutral. See git log for per-commit detail.
2026-05-05
- Source-precedence audit pass against the PPTX, DOCX and image-OCR corpora across 5 source areas. Conservative trim of general-DFIR coverage that had been layered onto core entries: Web Log Triage tightened its canonical-name shell list; WMIC dropped the legacy-host bulk-collection script section; tshark dropped the static High-value fields cookbook (the entry's Forensic patterns table already covers the same fields in working commands)
- Audit script `dfir-field-manual-audit`: removed deprecated Side-classification check, added inbox fallback for theory-note resolution
- Cover updated: 7 entries in 05_linux chapter
2026-05-04
- Add Web Log Triage entry (Apache combined-log triage, web-shell URI families, status-code semantics, brute-force success detection)
- Add Linux Persistence Hunt entry (account / SSH-key / cron / systemd / shell-config / boot-script families + sudoers / group / setuid / shadow privesc paths)
- Add Browser Artefacts entry (Firefox + Chromium artefact paths, SQLite query bank, epoch math)
- Extend Log Triage with per-user history file inventory and tampering tells
- Extend Mount Disk Images with AD1 logical capture format coverage
- Extend Filesystem Metadata with the modify-vs-birth analyst pattern
- Drop the Side classification line from every entry and the template
2026-05-03
- Inline-comment alignment passes across WMIC, tshark, and other entries with wide-variance command blocks
2026-05-01
- Repository public-rebuild: content redaction pass (5 critical leaks rephrased), maintainer doc relocated out of the repo, fresh repo created under noreply commit identity, Cloudflare Pages reconnected
- Ground-up rewrite from source PPTX/DOCX corpora: 15 entries across 5 chapters
- Migrate to Quartz v4 + Cloudflare Pages deployment
- Custom build-time transformer to strip private theory-bridge wikilinks from public output
Earlier
- See `git log` for pre-2026-05 history. Repository was rebuilt 2026-05-01 with a single clean initial commit.