From alert to root cause: Strengthening federal cyber investigations
Cyber incident investigations uncover hidden threats, reveal root causes, and strengthen incident response to prevent repeat attacks.
Explore how DFIR supports NIS2 compliance with rapid analysis, evidence preservation, and defensible reporting.
SOC and incident response teams are trained to run toward the fire—but living in constant escalation has a cost.
While ransomware grabs headlines, business email compromise (BEC) quietly causes billions in losses every year. For private sector responders, these cases present unique investigative hurdles: social engineering, subtle logins, wire transfers, and abuse of legitimate SaaS features. This presentation dives into the forensic artifacts and investigative playbooks for BEC cases, including Office 365 sign-in logs, forwarding rules, OAuth abuse, and transaction metadata. We’ll explore how to triage compromised accounts, correlate access patterns with financial events, and present findings in a way that supports both containment and legal/regulatory needs. Whether you work in corporate IR, legal, or compliance, this session will equip you with the tools to tackle one of the most common—and costly—forms of corporate compromise.
By Chad Gish. Key insights: The Windows pagefile.sys is a fundamental source of evidence in digital forensics investigations and incident response. When live RAM capture is unavailable, whether due to a system shutdown, oversight, or other factors, this system-managed file can serve as the last resort for recovering critical memory-related evidence. Some examples of artifacts … Continued
Federal agencies are frequent targets of sophisticated malicious actors seeking to exploit sensitive data, disrupt critical operations, or undermine public trust. When an incident occurs, identifying the root cause is not merely important—it is essential to understanding the scope of impact and preventing recurrence. Achieving this level of insight often requires a comprehensive forensic examination across multiple platforms, including servers, workstations, and mobile devices. A deep forensic dive enables investigators to reconstruct events, uncover hidden indicators of compromise, and preserve evidence necessary for remediation, reporting, and potential legal action.
I have spent a lot of time thinking about the places where digital forensics actually happens and not just where it is supposed to happen.
In today’s dynamic cybersecurity landscape, traditional digital forensics and incident response (DFIR) methods often fall short of fully uncovering the scope of cyber threats. This is due not only to the complexity of modern attacks but also to the environments under investigation. This presentation examines the limitations of conventional DFIR, sharing real-world cases where standard techniques failed to reveal the full extent of malicious activity, and detailing the approaches used to expose the true risks. Adversaries now employ increasingly advanced tactics, techniques, and procedures (TTPs), requiring more adaptable investigative strategies. We’re advocating for a shift toward flexible DFIR practices that go beyond traditional constraints, enabling practitioners to identify hidden threats and challenge ingrained assumptions within organizations. Our goal is to equip security professionals with the confidence to challenge assumptions and to better meet the challenges of modern cyber threats.
Magnet Forensics has been named a winner in the 2026 Globee® Awards for Cybersecurity, recognized for its innovation and leadership in forensic-grade remote incident analysis and response.
There’s a moment that shows up in almost every investigation: the quiet realization that you’re about to reach for one more tool. Not because you want to. Not because the tools you already have failed. But because the evidence in front of you doesn’t quite fit the workflows you’re holding. Maybe it’s a cloud artifact that didn’t exist the last time you worked a similar case. Maybe mobile data has crept into what used to be a clean-cut investigation. Maybe the logs exist, but only if you know exactly where and how to extract them.