#DFIR Automation Series

I use 4 levels of automation ranging from none to fully automated.

I think an ideal solution is to use full automation for low risk decisions. And recommendations for higher risk.

We use recommendations in Cyber Triage by scoring each artifact. You ultimately decide.

Digital forensics has always relied on automation and "push buttons". What's changed is how many things we automate and the technologies used.

No one ever chose to manually parse FAT12 floppy drives with a hex editor when they could have a tool list out the file names.

Webinar Tomorrow - Automation and AI in DFIR and the SOC.

Myself, Sentinel1, and CompassMSP will talk about pros/cons of automating DFIR and SOC tasks.

Come tell us we're wrong!

May 8. 11AM Eastern.

register.gotowebinar.com/register/672...

EDR Evasion 101 - Blocking

Data needs to get to the EDR server to be analyzed for attacks. Blocking techniques prevent data from getting to the server.

Example: Network filter to block packets destined to the server.

www.cybertriage.com/edr_evasion

EDR Evasion 101
Types of Evasion Tactics

1) Blinding - prevent agent from seeing
2) Blocking - prevent data from analysis
3) Hiding - prevent detections

www.cybertriage.com/blog/how-edr...

Learn from 4 IR experts on how they do Endpoint Triage.

Apr 17.

I'll MC and you'll hear from @keydet89.bsky.social (Huntress), Kai Thomsen (Dragos), @dfirmike.bsky.social (Sleuth Kit Labs) and Quinnlan Varcoe (Blueberry Security).

See you there!

register.gotowebinar.com/register/600...

3 places to automate #DFIR Endpoint Triage. Which do you do?

The 3 themes we focus on for #DFIR endpoint triage. What are yours?

Endpoint triage allows you to prioritize your response after an EDR alert.

Webinar: Tomorrow at 11 - Vendor Agnostic
register.gotowebinar.com/register/142...

Endpoint Triage: What you do after you validate the EDR alert to understand the impact.

#DFIR Webinar Thu @ 11.

register.gotowebinar.com/register/142...