Brian Carrier
@carrier4n6.bsky.social
#DFIR Automation Series
I use 4 levels of automation ranging from none to fully automated.
I think an ideal solution is to use full automation for low risk decisions. And recommendations for higher risk.
We use recommendations in Cyber Triage by scoring each artifact. You ultimately decide.
I use 4 levels of automation ranging from none to fully automated.
I think an ideal solution is to use full automation for low risk decisions. And recommendations for higher risk.
We use recommendations in Cyber Triage by scoring each artifact. You ultimately decide.
August 20, 2025 at 4:10 PM
#DFIR Automation Series
I use 4 levels of automation ranging from none to fully automated.
I think an ideal solution is to use full automation for low risk decisions. And recommendations for higher risk.
We use recommendations in Cyber Triage by scoring each artifact. You ultimately decide.
I use 4 levels of automation ranging from none to fully automated.
I think an ideal solution is to use full automation for low risk decisions. And recommendations for higher risk.
We use recommendations in Cyber Triage by scoring each artifact. You ultimately decide.
Reposted by Brian Carrier
New Forensic Resource
What to do after you find TeamViewer:
→ Log files to find activity details
→ Executables to find installation times
→ Domains to find download source
Learn how to corroborate timelines to investigate suspicious TeamViewer.
www.cybertriage.com/blog/dfir-ne...
What to do after you find TeamViewer:
→ Log files to find activity details
→ Executables to find installation times
→ Domains to find download source
Learn how to corroborate timelines to investigate suspicious TeamViewer.
www.cybertriage.com/blog/dfir-ne...
DFIR Next Steps: Suspicious TeamViewer Use
Welcome to the next post in our DFIR Next Steps series on Remote Monitoring & Management (RMM) tools. This series is designed to help you quickly
www.cybertriage.com
August 14, 2025 at 3:26 PM
New Forensic Resource
What to do after you find TeamViewer:
→ Log files to find activity details
→ Executables to find installation times
→ Domains to find download source
Learn how to corroborate timelines to investigate suspicious TeamViewer.
www.cybertriage.com/blog/dfir-ne...
What to do after you find TeamViewer:
→ Log files to find activity details
→ Executables to find installation times
→ Domains to find download source
Learn how to corroborate timelines to investigate suspicious TeamViewer.
www.cybertriage.com/blog/dfir-ne...
I'm super excited for this webinar. Sid is a super smart AI / LLM guy and it will be a good session to learn how to use AI in #DFIR and what's hype.
We'll also show Cyber Triage hooked up to an LLM so that you can query artifacts.
We'll also show Cyber Triage hooked up to an LLM so that you can query artifacts.
AI+LLMs in Digital Investigation Webinar
Join @carrier4n6.bsky.social and Sid Probstein as they discuss practical uses of AI and LLMs in digital investigations. Come learn from people who thought about these things for years before ChatGPT.
Aug 28 @ 11 AM
attendee.gotowebinar.com/register/243...
Join @carrier4n6.bsky.social and Sid Probstein as they discuss practical uses of AI and LLMs in digital investigations. Come learn from people who thought about these things for years before ChatGPT.
Aug 28 @ 11 AM
attendee.gotowebinar.com/register/243...
attendee.gotowebinar.com
August 13, 2025 at 3:25 PM
I'm super excited for this webinar. Sid is a super smart AI / LLM guy and it will be a good session to learn how to use AI in #DFIR and what's hype.
We'll also show Cyber Triage hooked up to an LLM so that you can query artifacts.
We'll also show Cyber Triage hooked up to an LLM so that you can query artifacts.
Digital forensics has always relied on automation and "push buttons". What's changed is how many things we automate and the technologies used.
No one ever chose to manually parse FAT12 floppy drives with a hex editor when they could have a tool list out the file names.
No one ever chose to manually parse FAT12 floppy drives with a hex editor when they could have a tool list out the file names.
August 13, 2025 at 3:17 PM
Digital forensics has always relied on automation and "push buttons". What's changed is how many things we automate and the technologies used.
No one ever chose to manually parse FAT12 floppy drives with a hex editor when they could have a tool list out the file names.
No one ever chose to manually parse FAT12 floppy drives with a hex editor when they could have a tool list out the file names.
Adding automation to your #DFIR investigations means you have less decisions to make. Get rid of the tedious work! Focus on the fun stuff!
Here are my three thoughts on the most effective ways to add automation and which tools do them.
What are yours?
www.cybertriage.com/blog/3-ways-...
Here are my three thoughts on the most effective ways to add automation and which tools do them.
What are yours?
www.cybertriage.com/blog/3-ways-...
3 Ways to Make Digital Investigations Faster with Automation
Everyone — except for some consultants paid by the hour — wants to skip the tedious work associated with digital investigation. The good news is there are
www.cybertriage.com
August 5, 2025 at 3:29 PM
Adding automation to your #DFIR investigations means you have less decisions to make. Get rid of the tedious work! Focus on the fun stuff!
Here are my three thoughts on the most effective ways to add automation and which tools do them.
What are yours?
www.cybertriage.com/blog/3-ways-...
Here are my three thoughts on the most effective ways to add automation and which tools do them.
What are yours?
www.cybertriage.com/blog/3-ways-...
Reposted by Brian Carrier
This week's Defender Fridays features @carrier4n6.bsky.social, CEO of Sleuth Kit Labs, discussing EDR, DFIR and Endpoint Triage.
Perfect for security professionals at any level looking to enhance their endpoint investigation skills.
Register here: limacharlie.io/defender-fri...
#cybersecurity
Perfect for security professionals at any level looking to enhance their endpoint investigation skills.
Register here: limacharlie.io/defender-fri...
#cybersecurity
June 18, 2025 at 2:11 PM
This week's Defender Fridays features @carrier4n6.bsky.social, CEO of Sleuth Kit Labs, discussing EDR, DFIR and Endpoint Triage.
Perfect for security professionals at any level looking to enhance their endpoint investigation skills.
Register here: limacharlie.io/defender-fri...
#cybersecurity
Perfect for security professionals at any level looking to enhance their endpoint investigation skills.
Register here: limacharlie.io/defender-fri...
#cybersecurity
Webinar Tomorrow - Automation and AI in DFIR and the SOC.
Myself, Sentinel1, and CompassMSP will talk about pros/cons of automating DFIR and SOC tasks.
Come tell us we're wrong!
May 8. 11AM Eastern.
register.gotowebinar.com/register/672...
Myself, Sentinel1, and CompassMSP will talk about pros/cons of automating DFIR and SOC tasks.
Come tell us we're wrong!
May 8. 11AM Eastern.
register.gotowebinar.com/register/672...
May 7, 2025 at 3:51 PM
Webinar Tomorrow - Automation and AI in DFIR and the SOC.
Myself, Sentinel1, and CompassMSP will talk about pros/cons of automating DFIR and SOC tasks.
Come tell us we're wrong!
May 8. 11AM Eastern.
register.gotowebinar.com/register/672...
Myself, Sentinel1, and CompassMSP will talk about pros/cons of automating DFIR and SOC tasks.
Come tell us we're wrong!
May 8. 11AM Eastern.
register.gotowebinar.com/register/672...
New Cyber Triage release with:
* New UIs to give you an overview of the endpoint
* Hyabusa integration
* Baseline
* Public key encryption on collector
* LOTS more....
Blog and Download Link: www.cybertriage.com/blog/3-14-re...
* New UIs to give you an overview of the endpoint
* Hyabusa integration
* Baseline
* Public key encryption on collector
* LOTS more....
Blog and Download Link: www.cybertriage.com/blog/3-14-re...
May 6, 2025 at 2:39 PM
New Cyber Triage release with:
* New UIs to give you an overview of the endpoint
* Hyabusa integration
* Baseline
* Public key encryption on collector
* LOTS more....
Blog and Download Link: www.cybertriage.com/blog/3-14-re...
* New UIs to give you an overview of the endpoint
* Hyabusa integration
* Baseline
* Public key encryption on collector
* LOTS more....
Blog and Download Link: www.cybertriage.com/blog/3-14-re...
EDR Evasion 101 - Blocking
Data needs to get to the EDR server to be analyzed for attacks. Blocking techniques prevent data from getting to the server.
Example: Network filter to block packets destined to the server.
www.cybertriage.com/edr_evasion
Data needs to get to the EDR server to be analyzed for attacks. Blocking techniques prevent data from getting to the server.
Example: Network filter to block packets destined to the server.
www.cybertriage.com/edr_evasion
May 1, 2025 at 3:29 PM
EDR Evasion 101 - Blocking
Data needs to get to the EDR server to be analyzed for attacks. Blocking techniques prevent data from getting to the server.
Example: Network filter to block packets destined to the server.
www.cybertriage.com/edr_evasion
Data needs to get to the EDR server to be analyzed for attacks. Blocking techniques prevent data from getting to the server.
Example: Network filter to block packets destined to the server.
www.cybertriage.com/edr_evasion
EDR Evasion 101
Types of Evasion Tactics
1) Blinding - prevent agent from seeing
2) Blocking - prevent data from analysis
3) Hiding - prevent detections
www.cybertriage.com/blog/how-edr...
Types of Evasion Tactics
1) Blinding - prevent agent from seeing
2) Blocking - prevent data from analysis
3) Hiding - prevent detections
www.cybertriage.com/blog/how-edr...
April 16, 2025 at 5:20 PM
EDR Evasion 101
Types of Evasion Tactics
1) Blinding - prevent agent from seeing
2) Blocking - prevent data from analysis
3) Hiding - prevent detections
www.cybertriage.com/blog/how-edr...
Types of Evasion Tactics
1) Blinding - prevent agent from seeing
2) Blocking - prevent data from analysis
3) Hiding - prevent detections
www.cybertriage.com/blog/how-edr...
Webinar Tomorrow @ 11AM
Endpoint Triage from 4 experts (I get to moderate)
- Harlan Carvey (Huntress)
- Kai Thomsen (Dragos)
- Quinnlan Varcoe (Blueberry Security)
- Mike Wilkinson (Sleuth Kit Labs)
Each presents their top 3!
Hope to see you there: register.gotowebinar.com/register/600...
Endpoint Triage from 4 experts (I get to moderate)
- Harlan Carvey (Huntress)
- Kai Thomsen (Dragos)
- Quinnlan Varcoe (Blueberry Security)
- Mike Wilkinson (Sleuth Kit Labs)
Each presents their top 3!
Hope to see you there: register.gotowebinar.com/register/600...
register.gotowebinar.com
April 16, 2025 at 5:18 PM
Webinar Tomorrow @ 11AM
Endpoint Triage from 4 experts (I get to moderate)
- Harlan Carvey (Huntress)
- Kai Thomsen (Dragos)
- Quinnlan Varcoe (Blueberry Security)
- Mike Wilkinson (Sleuth Kit Labs)
Each presents their top 3!
Hope to see you there: register.gotowebinar.com/register/600...
Endpoint Triage from 4 experts (I get to moderate)
- Harlan Carvey (Huntress)
- Kai Thomsen (Dragos)
- Quinnlan Varcoe (Blueberry Security)
- Mike Wilkinson (Sleuth Kit Labs)
Each presents their top 3!
Hope to see you there: register.gotowebinar.com/register/600...
Learn from 4 IR experts on how they do Endpoint Triage.
Apr 17.
I'll MC and you'll hear from @keydet89.bsky.social (Huntress), Kai Thomsen (Dragos), @dfirmike.bsky.social (Sleuth Kit Labs) and Quinnlan Varcoe (Blueberry Security).
See you there!
register.gotowebinar.com/register/600...
Apr 17.
I'll MC and you'll hear from @keydet89.bsky.social (Huntress), Kai Thomsen (Dragos), @dfirmike.bsky.social (Sleuth Kit Labs) and Quinnlan Varcoe (Blueberry Security).
See you there!
register.gotowebinar.com/register/600...
April 1, 2025 at 4:04 PM
Learn from 4 IR experts on how they do Endpoint Triage.
Apr 17.
I'll MC and you'll hear from @keydet89.bsky.social (Huntress), Kai Thomsen (Dragos), @dfirmike.bsky.social (Sleuth Kit Labs) and Quinnlan Varcoe (Blueberry Security).
See you there!
register.gotowebinar.com/register/600...
Apr 17.
I'll MC and you'll hear from @keydet89.bsky.social (Huntress), Kai Thomsen (Dragos), @dfirmike.bsky.social (Sleuth Kit Labs) and Quinnlan Varcoe (Blueberry Security).
See you there!
register.gotowebinar.com/register/600...
EDRs miss activity! 😲😱.
You should not miss webinar tmrw! 😀
Markus and I will talk about why EDR alerts could be days after an attack started.
We'll talk about how to do endpoint triage to see what else happened beyond the alert!
Mar 27 @ 11 Eastern
register.gotowebinar.com/register/916...
You should not miss webinar tmrw! 😀
Markus and I will talk about why EDR alerts could be days after an attack started.
We'll talk about how to do endpoint triage to see what else happened beyond the alert!
Mar 27 @ 11 Eastern
register.gotowebinar.com/register/916...
register.gotowebinar.com
March 26, 2025 at 2:55 PM
EDRs miss activity! 😲😱.
You should not miss webinar tmrw! 😀
Markus and I will talk about why EDR alerts could be days after an attack started.
We'll talk about how to do endpoint triage to see what else happened beyond the alert!
Mar 27 @ 11 Eastern
register.gotowebinar.com/register/916...
You should not miss webinar tmrw! 😀
Markus and I will talk about why EDR alerts could be days after an attack started.
We'll talk about how to do endpoint triage to see what else happened beyond the alert!
Mar 27 @ 11 Eastern
register.gotowebinar.com/register/916...
For those in the #SOC: Alert Triage vs Endpoint Triage
Blog post that is part of our Endpoint Triage series.
Alert triage focuses on validating and prioritizing the EDR/SIEM alert.
Endpoint triage focuses on prioritizing the host. How bad is it?
www.cybertriage.com/blog/alert-t...
Blog post that is part of our Endpoint Triage series.
Alert triage focuses on validating and prioritizing the EDR/SIEM alert.
Endpoint triage focuses on prioritizing the host. How bad is it?
www.cybertriage.com/blog/alert-t...
Alert Triage vs Endpoint Triage: What SOCs Need to Know
As we talk to corporate security teams about how they respond to incidents and EDR alerts, we find it useful to highlight the Endpoint Triage step in
www.cybertriage.com
March 21, 2025 at 1:38 PM
For those in the #SOC: Alert Triage vs Endpoint Triage
Blog post that is part of our Endpoint Triage series.
Alert triage focuses on validating and prioritizing the EDR/SIEM alert.
Endpoint triage focuses on prioritizing the host. How bad is it?
www.cybertriage.com/blog/alert-t...
Blog post that is part of our Endpoint Triage series.
Alert triage focuses on validating and prioritizing the EDR/SIEM alert.
Endpoint triage focuses on prioritizing the host. How bad is it?
www.cybertriage.com/blog/alert-t...
New Autopsy release is out! 🎉
It's been a minute, but it's out. Notable features are BitLocker support and it can run side-by-side with Cyber Triage. Plus, a bunch of library updates.
Now Cyber Triage and Autopsy can be used on the same case at the same time!
www.autopsy.com/autopsy-4-22...
It's been a minute, but it's out. Notable features are BitLocker support and it can run side-by-side with Cyber Triage. Plus, a bunch of library updates.
Now Cyber Triage and Autopsy can be used on the same case at the same time!
www.autopsy.com/autopsy-4-22...
Autopsy - Autopsy 4.22.0: BitLocker Support, Cyber Triage Sidecar, Library Updates
Autopsy 4.22.0 includes BitLocker support, ability to run alongside Cyber Triage, and updates to lower-level libraries.
www.autopsy.com
March 11, 2025 at 8:36 PM
New Autopsy release is out! 🎉
It's been a minute, but it's out. Notable features are BitLocker support and it can run side-by-side with Cyber Triage. Plus, a bunch of library updates.
Now Cyber Triage and Autopsy can be used on the same case at the same time!
www.autopsy.com/autopsy-4-22...
It's been a minute, but it's out. Notable features are BitLocker support and it can run side-by-side with Cyber Triage. Plus, a bunch of library updates.
Now Cyber Triage and Autopsy can be used on the same case at the same time!
www.autopsy.com/autopsy-4-22...
I'm doing a webinar TMRW on investigation tools for endpoint triage. Basic idea is how to get quick and accurate results after an alert. EDR data plays a role in that, but it's not enough.
Endpoint Triage should be in any security team's process.
attendee.gotowebinar.com/register/281...
Endpoint Triage should be in any security team's process.
attendee.gotowebinar.com/register/281...
attendee.gotowebinar.com
February 25, 2025 at 3:30 PM
I'm doing a webinar TMRW on investigation tools for endpoint triage. Basic idea is how to get quick and accurate results after an alert. EDR data plays a role in that, but it's not enough.
Endpoint Triage should be in any security team's process.
attendee.gotowebinar.com/register/281...
Endpoint Triage should be in any security team's process.
attendee.gotowebinar.com/register/281...
Endpoint triage allows you to prioritize your response after an EDR alert.
Webinar: Tomorrow at 11 - Vendor Agnostic
register.gotowebinar.com/register/142...
Webinar: Tomorrow at 11 - Vendor Agnostic
register.gotowebinar.com/register/142...
January 29, 2025 at 2:28 PM
Endpoint triage allows you to prioritize your response after an EDR alert.
Webinar: Tomorrow at 11 - Vendor Agnostic
register.gotowebinar.com/register/142...
Webinar: Tomorrow at 11 - Vendor Agnostic
register.gotowebinar.com/register/142...
Endpoint Triage: What you do after you validate the EDR alert to understand the impact.
#DFIR Webinar Thu @ 11.
register.gotowebinar.com/register/142...
#DFIR Webinar Thu @ 11.
register.gotowebinar.com/register/142...
January 28, 2025 at 4:14 PM
Endpoint Triage: What you do after you validate the EDR alert to understand the impact.
#DFIR Webinar Thu @ 11.
register.gotowebinar.com/register/142...
#DFIR Webinar Thu @ 11.
register.gotowebinar.com/register/142...
Reposted by Brian Carrier
🌟New report out today!🌟
Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
Analysis & reporting completed by @r3nzsec, @MyDFIR & @MittenSec.
Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2025/01/27/c...
Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
Analysis & reporting completed by @r3nzsec, @MyDFIR & @MittenSec.
Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2025/01/27/c...
Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
Key Takeaways This intrusion began with the download and execution of a Cobalt Strike beacon that impersonated a Windows Media Configuration Utility. The threat actor used Rclone to exfiltrate data…
thedfirreport.com
January 27, 2025 at 12:55 PM
🌟New report out today!🌟
Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
Analysis & reporting completed by @r3nzsec, @MyDFIR & @MittenSec.
Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2025/01/27/c...
Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
Analysis & reporting completed by @r3nzsec, @MyDFIR & @MittenSec.
Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2025/01/27/c...
We're using the term "Information Artifacts" for high-level #DFIR concepts like "Processes" and "Inbound Logins". I think they are easier to train than low-level Prefetch, UserAssist etc. (i.e. Data Artifacts). Those map to an Info Artifact (Prefetch -> Process).
www.cybertriage.com/blog/informa...
www.cybertriage.com/blog/informa...
Information Artifacts: Simplify DFIR Analysis
Do you know the differences between MUICache, ShimCache, AMCache, and PMCache without the help of Google? Did you know that one of them is made up?
www.cybertriage.com
January 27, 2025 at 5:30 PM
We're using the term "Information Artifacts" for high-level #DFIR concepts like "Processes" and "Inbound Logins". I think they are easier to train than low-level Prefetch, UserAssist etc. (i.e. Data Artifacts). Those map to an Info Artifact (Prefetch -> Process).
www.cybertriage.com/blog/informa...
www.cybertriage.com/blog/informa...
Reposted by Brian Carrier
January 13, 2025 at 6:15 AM