Today was a long day, but I managed to complete the MBR and GPT analysis room on TryHackMe, where I learnt what happens before the OS even loads.
I explored the boot process, which follows the sequence: Power-On → POST check → Locate bootable device → Read MBR/GPT → Load bootloader → Load OS. I learnt that the MBR (Master Boot Record) and GPT (GUID Partition Table) are among the first structures a system reads during the boot process, making them critical attack surfaces on any machine. I also covered the differences between BIOS and UEFI boot mechanisms and how attackers can exploit these structures through bootkits, ransomware, and wiper malware.
For the MBR practical, I opened a corrupted disk image in HxD and identified two bytes that had been modified by malware. After manually restoring the original values, I verified the repair in FTK Imager and watched an unreadable disk become accessible again.
For the GPT practical, I examined a GPT file structure in HxD, where I analyzed the GPT Header fields, extracted the GUID information, and located the partitions using LBA addresses straight from raw hexadecimal data.
In the final challenge, I identified a bootkit hiding an encoded string inside a tampered UEFI bootloader file. I retrieved the string in HxD and decoded it using CyberChef to reveal the hidden message.
https://t.co/h7F2nYjWtq
@ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #DFIR #LearninginPublic
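The MBR and GPT checks the post describes, worked through in code as an added example (mine, not the room's material or the author's): it parses a 512-byte MBR and a GPT header plus entry array from raw bytes, checks the 0x55AA signature, the boot indicators, both CRC32 fields and the LBA ranges, and shows how overwriting the two signature bytes is enough to make the disk look unreadable. The disk bytes, GUIDs and LBA values are constructed; only the field layouts follow the MBR and UEFI GPT specifications.

```python
"""Parse an MBR sector and a GPT header plus entry array from raw bytes, then run the
consistency checks made before trusting either (signature, boot flags, CRC32s, LBA ranges).
The disk bytes are constructed in build_sample_disk(); nothing is taken from a room image."""
import struct
import uuid
import zlib

SECTOR = 512
MBR_SIG = b"\x55\xAA"
GPT_SIG = b"EFI PART"
MBR_ENTRY_FMT = "<B3xB3xII"          # status, CHS start, type, CHS end, LBA start, sector count
GPT_HDR_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte header (UEFI spec layout)
GPT_ENTRY_FMT = "<16s16sQQQ72s"      # 128-byte partition entry


def parse_mbr(sector):
    """Return the populated partition entries and whether the 0x55AA signature is intact."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(MBR_ENTRY_FMT, sector, 446 + 16 * i)
        if ptype:  # type 0 marks an empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype, "lba_start": lba_start,
                          "sectors": sectors, "status_valid": status in (0x00, 0x80)})
    return {"signature_ok": sector[510:512] == MBR_SIG, "partitions": parts}


def parse_gpt_header(sector):
    """Decode the header at LBA 1 and recompute its CRC32, which is taken with the CRC field zeroed."""
    (sig, rev, hdr_size, hdr_crc, _res, cur_lba, bak_lba, first_lba, last_lba, disk_guid,
     entries_lba, n_entries, entry_size, entries_crc) = struct.unpack_from(GPT_HDR_FMT, sector, 0)
    size = hdr_size if 92 <= hdr_size <= SECTOR else 92   # never trust a corrupted size field
    calc = zlib.crc32(sector[:16] + b"\x00" * 4 + sector[20:size]) & 0xFFFFFFFF
    return {"signature_ok": sig == GPT_SIG, "revision": rev, "header_crc_ok": calc == hdr_crc,
            "current_lba": cur_lba, "backup_lba": bak_lba, "first_usable_lba": first_lba,
            "last_usable_lba": last_lba, "disk_guid": str(uuid.UUID(bytes_le=disk_guid)),  # mixed-endian
            "entries_lba": entries_lba, "num_entries": n_entries, "entry_size": entry_size,
            "entries_crc": entries_crc}


def parse_gpt_entries(table, header):
    """Decode the entry array the header describes; returns (entries, array_crc_ok)."""
    size = header["entry_size"] or 128
    count = min(header["num_entries"], len(table) // size)   # bounded by the bytes we actually hold
    entries = []
    for i in range(count):
        type_guid, uniq_guid, first, last, attrs, name = struct.unpack_from(GPT_ENTRY_FMT, table, i * size)
        if type_guid != b"\x00" * 16:  # an all-zero type GUID marks an unused slot
            entries.append({"index": i, "type_guid": str(uuid.UUID(bytes_le=type_guid)),
                            "unique_guid": str(uuid.UUID(bytes_le=uniq_guid)), "first_lba": first,
                            "last_lba": last, "attributes": attrs, "name": name.decode("utf-16-le").rstrip("\x00")})
    crc_ok = (zlib.crc32(table[:count * size]) & 0xFFFFFFFF) == header["entries_crc"]
    return entries, crc_ok


def audit(mbr, gpt, table):
    """Return findings worth escalating; an empty list means the structures are consistent."""
    findings = []
    m = parse_mbr(mbr)
    if not m["signature_ok"]:
        findings.append("MBR signature at bytes 510-511 is not 0x55AA")
    findings += [f"MBR entry {p['index']} has an invalid boot indicator" for p in m["partitions"] if not p["status_valid"]]
    h = parse_gpt_header(gpt)
    if not h["signature_ok"]:
        findings.append("GPT header signature is not 'EFI PART'")
    if not h["header_crc_ok"]:
        findings.append("GPT header CRC32 does not match")
    entries, crc_ok = parse_gpt_entries(table, h)
    if not crc_ok:
        findings.append("GPT partition entry array CRC32 does not match")
    findings += [f"GPT entry {e['index']} lies outside the usable LBA range" for e in entries
                 if e["first_lba"] < h["first_usable_lba"] or e["last_lba"] > h["last_usable_lba"]]
    return findings


def build_sample_disk():
    """Constructed 100 MiB disk: LBA 0 protective MBR, LBA 1 GPT header, LBA 2 entry array (4 slots, 1 used)."""
    mbr = bytearray(SECTOR)
    struct.pack_into(MBR_ENTRY_FMT, mbr, 446, 0x00, 0xEE, 1, 0xFFFFFFFF)  # type 0xEE = GPT protective
    mbr[510:512] = MBR_SIG
    entry = struct.pack(GPT_ENTRY_FMT,
                        uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B").bytes_le,  # EFI System Partition type
                        uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes_le,  # constructed unique GUID
                        2048, 204766, 0, "EFI System".encode("utf-16-le").ljust(72, b"\x00"))
    table = entry.ljust(4 * 128, b"\x00")
    hdr = struct.pack(GPT_HDR_FMT, GPT_SIG, 0x00010000, 92, 0, 0, 1, 204799, 34, 204766,
                      uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le, 2, 4, 128,
                      zlib.crc32(table) & 0xFFFFFFFF)
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr) & 0xFFFFFFFF) + hdr[20:]  # fill in the header CRC
    return bytes(mbr), hdr.ljust(SECTOR, b"\x00"), table


if __name__ == "__main__":
    mbr, gpt, table = build_sample_disk()
    print("clean disk:", audit(mbr, gpt, table) or "no findings")
    tampered = bytearray(mbr)
    tampered[510:512] = b"\x00\x00"  # two overwritten signature bytes, the kind of damage repaired in HxD
    print("tampered MBR:", audit(bytes(tampered), gpt, table))
```

On a real image the same functions are fed `disk[0:512]`, `disk[512:1024]` and the sectors starting at `entries_lba * 512`; the CRC checks are what distinguish a header that merely looks right from one that is intact, and a signature or CRC failure on the primary header is the cue to compare against the backup header at `backup_lba`.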
I completed the FAT32 Analysis room on TryHackMe today, where I learnt that FAT32 (File Allocation Table 32-bit) is a filesystem commonly found on USB drives and embedded devices. It has no permission system, no journaling, no change tracking, and that’s exactly why attackers love to abuse it, because it’s easy to hide files, delete evidence, and manipulate timestamps without leaving obvious traces.
I also covered the full structure of a FAT32 filesystem, which consists of the Boot Sector that stores partition metadata, the File Allocation Table (FAT) that tracks every cluster allocation and file storage chains, and the Data Area where files and directories are stored and can be examined in hexadecimal form.
I did a hands-on challenge, where I analyzed a compromised FAT32 image as a forensic analyst. I discovered a hidden directory called Exfiltrated_data containing a zipped archive the attacker tried to conceal. I also recovered a deleted Python reverse shell script called https://t.co/TBKfb41zNR. Since FAT32 only marks deleted files with 0xE5, the file contents remained recoverable from disk.
I also identified timestomping on Legal_Affairs_Notes.txt using the Timeline Editor in Autopsy, where the file was accessed before it was created. This inconsistency is commonly associated with attacker attempts to manipulate forensic timelines and evade detection.
It was a tough room, but I was able to strengthen my understanding of FAT32 internals, deleted file recovery, hidden artifact discovery, and timeline analysis techniques used in digital forensics investigations.
https://t.co/0ZirQqTrJT
@ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #DFIR #LearninginPublic
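As an added example of my own (not the room's image or the author's work), a parser for raw FAT32 directory entries that shows the two points in the post: a deleted entry keeps everything except its first byte, which becomes 0xE5, so its first cluster and size still point at recoverable data; and a last-access date earlier than the creation timestamp is a contradiction worth flagging, as with the timestomped file. The directory bytes, names and dates are constructed; the entry layout follows the FAT specification.

```python
"""Walk raw FAT32 directory entries: list entries whose first byte is the 0xE5 deletion
marker (the rest of the entry, including first cluster and size, is untouched) and flag
timestamp combinations that normal use does not produce. The directory bytes come from
build_sample_directory(), constructed here; nothing is taken from a room image."""
import struct
from datetime import date, datetime, time

ENTRY_FMT = "<11sBBBHHHHHHHI"   # 32-byte short-name entry, FAT spec layout
ATTR_HIDDEN, ATTR_DIRECTORY, ATTR_LFN = 0x02, 0x10, 0x0F
DELETED = 0xE5


def fat_date(raw):
    """Date word: bits 15-9 years since 1980, 8-5 month, 4-0 day. Zero means 'not set'."""
    try:
        return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F) if raw else None
    except ValueError:
        return None  # impossible month/day: leave unset rather than guess


def fat_time(raw):
    """Time word: bits 15-11 hours, 10-5 minutes, 4-0 seconds/2."""
    try:
        return time(raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2)
    except ValueError:
        return None


def to_fat_date(d):
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def to_fat_time(t):
    return (t.hour << 11) | (t.minute << 5) | (t.second // 2)


def parse_directory(region):
    """Decode every short-name entry up to the end-of-directory marker (first byte 0x00)."""
    entries = []
    for off in range(0, len(region) - len(region) % 32, 32):
        raw = region[off:off + 32]
        if raw[0] == 0x00:
            break  # no entries follow
        name, attr, _nt, _tenth, ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack(ENTRY_FMT, raw)
        if attr == ATTR_LFN:
            continue  # long-name fragment; the short entry carries the metadata
        deleted = raw[0] == DELETED
        base = ("?" + name[1:8].decode("ascii", "replace") if deleted else name[:8].decode("ascii", "replace")).rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        cd, wd = fat_date(cdate), fat_date(wdate)
        entries.append({"name": base + ("." + ext if ext else ""), "deleted": deleted,
                        "is_dir": bool(attr & ATTR_DIRECTORY), "hidden": bool(attr & ATTR_HIDDEN),
                        "first_cluster": (hi << 16) | lo,   # the data still sits here after deletion
                        "size": size,
                        "created": datetime.combine(cd, fat_time(ctime) or time(0)) if cd else None,
                        "accessed": fat_date(adate),        # FAT keeps only a date for last access
                        "modified": datetime.combine(wd, fat_time(wtime) or time(0)) if wd else None})
    return entries


def detect_timestomping(entries):
    """Return (name, reason) pairs. Access before creation is the strong signal; a write time before
    creation is common for copied files (creation = time of the copy) and is reported for review only."""
    findings = []
    for e in entries:
        c, a, m = e["created"], e["accessed"], e["modified"]
        if c and a and a < c.date():
            findings.append((e["name"], "accessed before created"))
        if c and m and m < c:
            findings.append((e["name"], "modified before created (review: may be a copied file)"))
    return findings


def build_sample_directory():
    """Constructed: a hidden folder, a deleted .py, a file with an impossible access date, a normal file."""
    def entry(base, ext, attr, created, accessed, modified, cluster, size, deleted=False):
        raw = bytearray(struct.pack(ENTRY_FMT, base.ljust(8).encode() + ext.ljust(3).encode(), attr, 0, 0,
                                    to_fat_time(created.time()), to_fat_date(created.date()), to_fat_date(accessed),
                                    cluster >> 16, to_fat_time(modified.time()), to_fat_date(modified.date()),
                                    cluster & 0xFFFF, size))
        if deleted:
            raw[0] = DELETED  # the only change a FAT delete makes to the entry itself
        return bytes(raw)
    t, t2 = datetime(2024, 3, 10, 9, 30, 0), datetime(2024, 3, 12, 14, 0, 0)
    return b"".join([entry("EXFILT~1", "", ATTR_DIRECTORY | ATTR_HIDDEN, t, t.date(), t, 5, 0),
                     entry("REVSHELL", "PY", 0x20, t, t.date(), t, 9, 1340, deleted=True),
                     entry("LEGAL_~1", "TXT", 0x20, t2, date(2024, 3, 1), t2, 12, 4096),  # accessed before created
                     entry("NOTES", "TXT", 0x20, t, t.date(), t, 20, 200)]) + b"\x00" * 32


if __name__ == "__main__":
    entries = parse_directory(build_sample_directory())
    for e in entries:
        print(f"{'[deleted] ' if e['deleted'] else ''}{'[hidden] ' if e['hidden'] else ''}{e['name']}: "
              f"cluster {e['first_cluster']}, {e['size']} bytes")
    print("timestamp findings:", detect_timestomping(entries))
```

Against a real image, the region to feed in is the cluster chain of a directory (the root directory starts at the cluster named in the boot sector); recovering the deleted script is then a matter of reading `size` bytes from `first_cluster` onward, which works until those clusters are reallocated.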
Today, I completed the Hosted Hypervisors room on TryHackMe, focusing on Type 2 Hypervisor forensics for both VirtualBox and VMware Workstation. I learnt that Hosted Hypervisors are virtualization technologies that operate on top of an existing operating system rather than directly interfacing with the underlying hardware.
I also learnt how to detect hypervisor presence through network adapter artifacts, then moved into memory forensics using Volatility to analyze a real memory dump. Using windows.pstree, I identified VBoxSVC.exe with PID 6052, confirming that VirtualBox was active at the time of capture. I then used windows.netstat to identify the VirtualBox virtual network adapter IP address, 192[.]168[.]182[.]139, showing active outbound connections through VirtualBoxVM.exe.
On the VMware side, I hunted a THM flag hidden within a VMware MSI installer log using the PowerShell Select-String command. The key lesson I learnt was that installer logs are valuable during forensic investigations and how hypervisors leave clear traces across both memory and disk.
https://t.co/x6jvp7y7Tm
@ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #DFIR #LearninginPublic
Today, I completed the Digital Forensics Case B4DM755 room on TryHackMe. I learnt about FTK Imager (Forensic Toolkit Imager), a tool used by forensic analysts to create exact copies of digital storage devices without altering the original evidence, ensuring it’s admissible in court.
I used FTK Imager in a full end-to-end DFIR investigation, following proper evidence handling procedures from crime scene to court. I imaged a suspect’s flash drive, verified evidence integrity using MD5 and SHA1 hashes, and used ExifTool to identify a JPG disguised as a PDF.
I also recovered deleted files, cracked a password-protected zip archive hidden inside a fake xlsx file, and uncovered GPS meetup coordinates, stolen HFT (High-Frequency Trading) source code from SwiftSpend Financial, dark web credentials, and a trust document naming Mr. Giovanni Vittorio DeVentura as the principal beneficiary.
Finally, I learnt about the four phases of a real investigation: Pre-search, Search, Post-search, and Trial. This room gave me practical experience in handling digital evidence and showed me what it takes to build a forensic case that is admissible in court.
https://t.co/3x5lawj8mv
@ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #DFIR #LearninginPublic
I completed the KAPE room on TryHackMe today, where I learnt that KAPE (Kroll Artifact Parser and Extractor) is a forensic triage tool used to parse and extract Windows forensics artifacts. Instead of manually searching for artifacts, you define what to collect using Targets and how to process the collected data using Modules. Once a source drive is specified, KAPE automates the collection and parsing process. I explored KAPE both through its GUI and CLI interfaces and learnt how both can be used to perform forensic triage efficiently.
I did a hands-on exercise, where I investigated a user who violated their company’s AUP (Acceptable Use Policy) by connecting unauthorized USB devices, installing software from a network drive, and connecting to unknown networks. Using KapeTriage together with !EZParser, I collected and parsed the system’s artifacts, then analyzed the resulting CSV files in EZViewer to answer the questions.
https://t.co/xXXaVJ3OQP
@ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today, I completed the Forensic Imaging room on TryHackMe.
I learnt that forensic imaging is the process of creating an exact bit-by-bit copy of digital storage media, capturing everything including deleted files, hidden files, and unallocated space. The copy must be verifiable and admissible in court, which means maintaining chain of custody throughout. I also covered write-blockers, which prevent any modifications to the original evidence during acquisition.
I did a practical hands-on exercise, where I was tasked with creating an image of a 1GB loop device and generating the MD5 hash of the image to verify its integrity. I then mounted the image and extracted the flag from the file flag.txt, which confirmed that the file system was accessible and the image could be successfully examined.
https://t.co/WZNYOlDcGF
@ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
I completed the Intro to Cold System Forensics room on TryHackMe today.
I learnt how DFIR teams examine powered-off or dormant systems and the key differences between cold system forensics and live system forensics. I covered important concepts such as the order of volatility, disk imaging with write blockers, and chain of custody practices used to preserve evidence integrity.
I also explored key tools used in acquisition like dd/dc3dd, Guymager, and FTK Imager, as well as analysis tools like The Sleuth Kit, Autopsy, EnCase, and Magnet AXIOM.
Finally, I completed an exercise where I arranged forensic data by volatility order and filled out a proper chain of custody record to capture a disk image from a breached web server.
https://t.co/zsUqetZgrm
@ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
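The acquisition and hash-verification step that both the Forensic Imaging post and the Intro to Cold System Forensics post describe, as an added example of my own rather than the room's tooling: it copies a source block by block while hashing the bytes as they are read (the way dd piped to md5sum, dcfldd and dc3dd report hashes), hashes the finished image independently, and re-verifies the image later against the recorded values. The "device" is a constructed temp file standing in for the 1GB loop device, the paths are placeholders, and the record that acquire() returns is the kind of detail a chain of custody form captures.

```python
"""Bit-for-bit acquisition with hashing on read (what dd piped to md5sum, dcfldd or dc3dd do),
an independent hash of the finished image, and a later re-verification against the record.
The 'device' is a constructed temp file in place of the 1 GB loop device; paths are placeholders."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

ALGOS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # 1 MiB reads: never load a whole image into memory


def hash_file(path, algos=ALGOS):
    """Hash a file with several algorithms in one pass; returns {algo: hexdigest}."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def acquire(source, image_path, algos=ALGOS):
    """Copy source to image_path block by block, hashing the bytes as they are read.
    The source is opened read-only; for physical media a hardware write-blocker remains the control."""
    hs = {a: hashlib.new(a) for a in algos}
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in hs.values():
                h.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    record = {"source": source, "image": image_path, "bytes": copied,
              "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "source_hash": {a: h.hexdigest() for a, h in hs.items()}}
    record["image_hash"] = hash_file(image_path, algos)   # independent pass over what was written
    record["verified"] = record["source_hash"] == record["image_hash"]
    return record


def verify_image(image_path, record):
    """Re-hash an image (before analysis, or when it is produced later) against the acquisition record."""
    current = hash_file(image_path, tuple(record["image_hash"]))
    return current == record["image_hash"], current


def demo(workdir=None):
    """Acquire a constructed 4 MiB 'device', verify, then show one changed byte failing verification."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    device = os.path.join(workdir, "loop0.bin")   # stands in for /dev/loop0
    image = os.path.join(workdir, "loop0.dd")
    with open(device, "wb") as fh:
        fh.write(bytes(range(256)) * (4 * 1024 * 1024 // 256))   # deterministic constructed contents
    record = acquire(device, image)
    ok_before, _ = verify_image(image, record)
    with open(image, "r+b") as fh:   # simulate a post-acquisition modification
        fh.seek(1234)
        fh.write(b"\xFF")
    ok_after, _ = verify_image(image, record)
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print("acquired", rec["bytes"], "bytes; md5", rec["source_hash"]["md5"], "sha1", rec["source_hash"]["sha1"])
    print("verified at acquisition:", rec["verified"], "| re-verify:", before, "| after modification:", after)
```

Recording more than one digest costs nothing extra (the data is read once) and means a later challenge to MD5 alone does not undermine the record; the verification that matters in court is the one done on the image you actually analysed, which is why verify_image() re-reads the file rather than trusting the stored value.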
Today, I completed the Legal Considerations in DFIR room on TryHackMe.
I covered ethical decision-making, legal compliance frameworks (SOX, CFAA), rules of evidence across different jurisdictions, and what makes digital evidence admissible in court.
I also investigated a corporate fraud incident at SwiftSpend Finance, where a CFO’s credit card was used in an unauthorized $9k transaction. I traced the attack through Outlook emails, identified the person of interest (POI), and analyzed Exchange Server IIS logs to find unauthorized remote logins from a Linux machine using Firefox.
Finally, I examined the actual log files, identified the anomalous IP address, and confirmed the compromised account. I then performed Chain of Custody procedures by retrieving the verified SHA1 hashes of the IIS log files and the POI’s OST file to prove evidence integrity.
https://t.co/gJ8kqZwV6F
@ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
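The IIS log step of that investigation as an added example of my own (not the room's files): it parses W3C-format IIS log lines, keeps the authentication requests, counts requests per client address, and flags a user whose login comes from outside the organisation's address ranges or from a different OS/browser than that user's other logins, which is how a Linux/Firefox session stands out among Windows logins. The lines, account names and addresses are constructed; the field list is the common IIS default, the internal ranges are an assumption, and treating a 302 from auth.owa as a successful form login is an assumption of the sample.

```python
"""Parse W3C-format IIS logs (the format Exchange's front-end IIS writes), keep the
authentication requests, and flag logins from outside the organisation's ranges or from a
platform the user does not otherwise use. Log lines, account names and addresses are constructed."""
import ipaddress
from collections import Counter, defaultdict

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed ranges
UA_WIN = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/121.0+Safari/537.36"
UA_LNX = "Mozilla/5.0+(X11;+Linux+x86_64;+rv:122.0)+Gecko/20100101+Firefox/122.0"
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    f"2024-03-05 08:12:33 10.0.0.5 POST /owa/auth.owa - 443 CORP\\j.doe 10.0.0.41 {UA_WIN} - 302 0 0 120",
    f"2024-03-05 08:12:34 10.0.0.5 GET /owa/ - 443 CORP\\j.doe 10.0.0.41 {UA_WIN} - 200 0 0 95",
    f"2024-03-05 13:05:11 10.0.0.5 POST /owa/auth.owa - 443 CORP\\j.doe 10.0.0.41 {UA_WIN} - 302 0 0 101",
    f"2024-03-05 23:47:10 10.0.0.5 POST /owa/auth.owa - 443 CORP\\j.doe 203.0.113.77 {UA_LNX} - 302 0 0 88",
    f"2024-03-05 23:47:12 10.0.0.5 GET /owa/ - 443 CORP\\j.doe 203.0.113.77 {UA_LNX} - 200 0 0 70",
    f"2024-03-05 09:01:00 10.0.0.5 POST /owa/auth.owa - 443 CORP\\a.smith 10.0.0.52 {UA_WIN} - 302 0 0 110",
])


def parse_iis(text):
    """Turn log lines into dicts keyed by the names in the most recent #Fields directive."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the field list can change part-way through a file
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split(" ")
            if len(values) != len(fields):
                continue   # truncated or malformed line: skip rather than misalign columns
            rec = dict(zip(fields, values))
            rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")  # IIS writes spaces as '+'
            records.append(rec)
    return records


def platform(ua):
    """Coarse OS/browser pair; enough to notice a user who suddenly changes platform."""
    os_name = "Windows" if "Windows NT" in ua else "Linux" if "Linux" in ua else "macOS" if "Macintosh" in ua else "other"
    browser = "Firefox" if "Firefox/" in ua else "Edge" if "Edg/" in ua else "Chrome" if "Chrome/" in ua else "other"
    return os_name, browser


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)


def logins(records):
    """Form-login requests: POST to auth.owa with a username; a 302 is the successful case in these samples."""
    return [r for r in records if r["cs-method"] == "POST" and r["cs-uri-stem"].lower().endswith("/auth.owa")
            and r["cs-username"] != "-" and r["sc-status"] == "302"]


def requests_per_ip(records):
    """Request volume by client address, the first cut when looking for the odd one out."""
    return Counter(r["c-ip"] for r in records)


def flag_logins(records):
    """(user, ip, os, browser, reason) for logins from outside the internal ranges or from a
    platform that differs from the one the user logs in with most often."""
    by_user = defaultdict(list)
    for r in logins(records):
        by_user[r["cs-username"]].append(r)
    findings = []
    for user, recs in by_user.items():
        plats = [platform(r["cs(User-Agent)"]) for r in recs]
        usual = max(plats, key=plats.count)   # the user's baseline; first seen wins a tie
        for r, plat in zip(recs, plats):
            reasons = []
            if not is_internal(r["c-ip"]):
                reasons.append("external address")
            if plat != usual:
                reasons.append(f"platform differs from usual {usual[0]}/{usual[1]}")
            if reasons:
                findings.append((user, r["c-ip"], plat[0], plat[1], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    recs = parse_iis(SAMPLE_LOG)
    print("requests per client IP:", dict(requests_per_ip(recs)))
    for finding in flag_logins(recs):
        print("FLAG:", finding)
```

The per-user baseline is deliberately built from the same log rather than a separate allow-list, because in an investigation the log is often all there is; with a longer window the same logic also catches a first-ever login from a new country or device for an account that has been stable for months.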
Throughout the weekend, I rested and revised the previous week’s work.
Today, I read chapters 3 and 4 of the Digital Forensics Handbook by Lucas Mahler.
Chapter 3 covers The DFIR Toolkit, where I learnt that every forensic examiner needs the right operating system and tools. Linux-based distributions like CAINE and Parrot OS are built for forensic work and help preserve evidence integrity by mounting drives as read-only by default. I also covered key tools like The Sleuth Kit for file system forensics, Volatility for memory analysis, dcfldd/dc3dd for forensic imaging, Xplico for PCAP/network analysis, and dd as the classic disk utility.
Chapter 4 covers the Investigation Checklist. I learnt that a proper DFIR examination follows a strict process: verify legal authority first, document everything, maintain chain of custody, and never make assumptions. Your report must be reproducible by anyone who picks it up.
Another important rule I learnt is: “If it wasn’t documented, it didn’t happen”.
@ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today I’m still going through the fundamentals of Digital Forensics and Incident Response (DFIR). I completed the DFIR: An Introduction room on TryHackMe.
I covered what DFIR is, core concepts like artifacts, evidence preservation, chain of custody, order of volatility, and timeline creation. I learnt about key tools used in the field, which include Eric Zimmerman's tools, Autopsy, Volatility, KAPE, Velociraptor, and Redline.
I also learnt about the incident response lifecycle, which consists of Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned, and how it maps to the NIST and SANS incident response frameworks.
https://t.co/wUQNy8oLhW
@ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Over the last few days, I was able to complete the SOC L1 learning path on TryHackMe, and earned the certificate.
It was a great opportunity to strengthen my understanding of how Security Operations Centers (SOC) identify, investigate, and respond to security incidents. On to the next one.
@ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today, I completed the TryHackMe Intro to Digital Forensics room. I learnt that digital forensics is the application of computer science to investigate digital evidence for a legal purpose. I also learnt how digital forensics applies to both public-sector (law enforcement) and private-sector (corporate) investigations, and why proper evidence handling, such as establishing a chain of custody, creating forensic copies, and using validated tools, matters a lot in this field.
I did a practical exercise where I used pdfinfo to extract PDF metadata and identified the document author. Then I also used exiftool on a JPEG to pull embedded EXIF (Exchangeable Image File Format) metadata which includes GPS coordinates and camera model.
https://t.co/VeEztL0AcY
@ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
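What pdfinfo and exiftool are doing under the hood in this post, and in the Case B4DM755 post above (the JPG disguised as a PDF, the zip hidden inside a fake xlsx), shown as an added example of my own rather than either tool's code: file type is decided by the leading bytes, not the extension; an xlsx is itself a zip container, so the two can only be told apart by looking at the archive's members; and a PDF's Title/Author/Producer come from its document-information dictionary. EXIF parsing (GPS, camera model) is not included. All sample files are constructed in build_samples().

```python
"""Identify file types from their leading bytes instead of their extension, tell a bare zip
archive from an OOXML spreadsheet (both start with PK\\x03\\x04), and pull the document-information
values that pdfinfo reports from a PDF. All sample files are constructed in build_samples()."""
import io
import re
import zipfile

MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\xFF\xD8\xFF", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
]
OOXML = {"xl/": "xlsx", "word/": "docx", "ppt/": "pptx"}


def sniff(data):
    """Return the type implied by the content; 'unknown' when no signature matches."""
    for sig, kind in MAGIC:
        if not data.startswith(sig):
            continue
        if kind != "zip":
            return kind
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "zip"   # PK header but unreadable directory: treat as a plain archive
        if "[Content_Types].xml" in names:   # present in every Office Open XML document
            for prefix, office_kind in OOXML.items():
                if any(n.startswith(prefix) for n in names):
                    return office_kind
        return "zip"
    return "unknown"


def check_extension(filename, data):
    """Compare the extension a file claims with what its bytes say."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = {"jpeg": "jpg"}.get(claimed, claimed)
    actual = sniff(data)
    return {"file": filename, "claimed": claimed, "actual": actual, "mismatch": claimed != actual}


def pdf_info(data):
    """Literal-string values from an uncompressed PDF Info dictionary (Title, Author, ...).
    Real tools also decode hex strings and compressed object streams; this covers the plain case."""
    info = {}
    for key in ("Title", "Author", "Creator", "Producer", "CreationDate"):
        m = re.search(rb"/" + key.encode() + rb"\s*\(((?:[^()\\]|\\.)*)\)", data)
        if m:
            info[key] = m.group(1).decode("latin-1")
    return info


def triage(files):
    """Return the names whose extension and content disagree, sorted for stable output."""
    return sorted(name for name, data in files.items() if check_extension(name, data)["mismatch"])


def build_samples():
    """Constructed files: a JPEG named .pdf, a plain zip named .xlsx, a real PDF, a minimal real xlsx."""
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Title (Quarterly Report) /Author (Jane Analyst) "
           b"/Producer (ConstructedWriter 1.0) >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")
    jpg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xFF\xD9"
    archive, sheet = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(archive, "w") as z:
        z.writestr("plans/meetup.txt", "constructed content")
    with zipfile.ZipFile(sheet, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    return {"report.pdf": jpg, "budget.xlsx": archive.getvalue(),
            "notes.pdf": pdf, "sheet.xlsx": sheet.getvalue()}


if __name__ == "__main__":
    samples = build_samples()
    for name, data in samples.items():
        print(check_extension(name, data))
    print("mismatches:", triage(samples))
    print("pdfinfo-style fields:", pdf_info(samples["notes.pdf"]))
```

Running triage() over every file in a mounted image is a quick first pass for extension/content mismatches; the zip-versus-xlsx distinction is the caveat worth remembering, since a signature database that stops at the PK header will call a renamed archive a spreadsheet.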