Digital Forensic Survival Podcast


Listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more.



    • Jun 17, 2025 LATEST EPISODE
    • weekly NEW EPISODES
    • 19m AVG DURATION
    • 486 EPISODES

    Ivy Insights

    The Digital Forensic Survival Podcast is an exceptional resource for anyone looking to gain a better understanding of the field of digital forensics. Hosted by a skilled instructor and concise speaker, the podcast delivers its message with precision, clarity, and depth of expertise that is second-to-none. As an information security professional, I have found this podcast to be an absolute must-listen.

    One of the best aspects of The Digital Forensic Survival Podcast is the knowledge and experience shared by the narrator. It is evident that he has a deep understanding of digital forensics and has honed his skills as an instructor. His delivery is clear and concise, making even complex concepts easy to understand. Additionally, the podcast covers a wide range of topics within digital forensics, providing listeners with a comprehensive overview of the field.

    Another great aspect of this podcast is its practicality. The episodes often provide practical tips and advice that can be applied directly in real-world scenarios. This makes it not only informative but also highly applicable for those working or interested in working in the field of digital forensics.

    In terms of drawbacks, one potential downside is that some episodes may be too advanced for beginners in the field. While the podcast does cover a wide range of topics, including some beginner-level content, there are also episodes that dive deep into more complex subjects. However, this can also be seen as a positive aspect for those who are further along in their digital forensic careers or who want to challenge themselves with more advanced material.

    In conclusion, The Digital Forensic Survival Podcast is an invaluable resource for anyone interested in or working in digital forensics. The expertise and knowledge shared by the narrator are top-notch, making each episode highly informative and engaging. Whether you are just starting out in the field or have years of experience under your belt, this podcast offers something for everyone. I am incredibly grateful to Michael for sharing his experience and knowledge, and I highly recommend this podcast to anyone looking to deepen their understanding of digital forensics.




    Latest episodes from Digital Forensic Survival Podcast

    DFSP # 487 Unmasking Malicious Activity with 4688

    Jun 17, 2025, 13:51


    DFSP # 486 Squid Games

    Jun 10, 2025, 19:35


    DFSP # 485 Certifiably Suspicious

    Jun 3, 2025, 14:00


    DFSP # 484 BAM! Packing Punch

    May 27, 2025, 10:58


    This week, I delve into the Windows BAM artifact, unraveling its forensic significance and exploring how it can unlock critical insights in digital investigations.

    DFSP # 483 Cooking up Forensics with Chef

    May 20, 2025, 14:36


    In this week's episode, I delve into strategies for integrating CHEF into your security investigations, unlocking new avenues for proactive defense and effective incident response.

    DFSP # 482 Unlocking Clues from Bash and Hidden Keys

    May 13, 2025, 20:41


    This week, we're pulling back the curtain on SSH from a digital forensics perspective.

    DFSP # 481 Triage outside the Core

    May 6, 2025, 20:08


    In this week's episode, I dive into rapid triage techniques for non-core Windows executables to uncover signs of malicious activity.

    DFSP # 480 Hidden risks of nested groups

    Apr 29, 2025, 13:59


    This week, I'm talking about nested groups in Windows Active Directory and the security risks they pose. Active Directory allows administrators to attach one group to another—often called nesting. While nesting can simplify account administration and permission management, it can also create real opportunities for attackers if...

    DFSP # 479 Scan, Score, Secure

    Apr 22, 2025, 15:48


    One of the essential skill sets for a DFIR analyst is the ability to understand the impact of vulnerabilities quickly. In many IR scenarios, you may find a newly discovered vulnerability or receive a scan that flags multiple potential weaknesses. To stay efficient, you must...

    DFSP # 478 SRUM

    Apr 15, 2025, 15:48


    This week, we're exploring the System Resource Usage Monitor (SRUM) – a powerful source of forensic data within Windows operating systems. First introduced...

    DFSP # 477 SSH Triage

    Apr 8, 2025, 18:17


    In this episode, our focus is on understanding how attackers achieve lateral movement and persistence through Secure Shell (SSH)—and more importantly, how to spot the forensic traces...

    DFSP # 476 Service Host

    Apr 1, 2025, 22:43


    In this episode, we'll take a focused look at how to triage one of the most commonly targeted Windows processes: svchost.exe. While the methods in this series generally apply to all Windows core processes, svchost is an especially important case because attackers...

    DFSP # 475 - Set the tone

    Mar 25, 2025, 20:08


    Ransomware attacks move quickly, making your initial response crucial in minimizing impact. This episode outlines critical first steps, from isolating infected machines to gathering key information and initiating containment. Whether you're a SOC analyst, incident responder, or the first to notice an attack, this framework is designed to help you regain control. Follow these guidelines to effectively mitigate the damage from the very start.

    DFSP # 474 - Meta Paradise

    Mar 18, 2025, 13:20


    Today's episode explores Apple Spotlight and its extended metadata—a powerful yet often overlooked forensic tool in the Mac ecosystem. Spotlight plays a critical role in uncovering digital evidence on macOS. Both experienced forensic analysts and newcomers will find its capabilities essential. Let's dive into the details.

    DFSP # 473 - Why all the BINs

    Mar 11, 2025, 21:13


    BIN directories (short for binary) store command binaries like cd, pwd, ls, vi, and cat. Every platform has multiple BIN directories: two in the root directory and two in each user directory. This episode explains the types of files in these directories and the purpose of each BIN directory. I will also clarify which directories are typically used by users versus those used by the root user.

    DFSP # 472 - Windows Usual Suspects

    Mar 4, 2025, 16:35


    Modern Windows systems use a tightly coordinated sequence of core processes to establish secure system and user environments. DFIR investigators and incident responders must understand the interrelationships between processes such as Idle, SMSS, CSRSS, WININIT, and WINLOGON. Recognizing expected behaviors and anomalies in these steps is crucial for detecting potential system compromises. This episode demystifies the Windows 10/11 process flow and provides context for effective triage and analysis.

    DFSP # 471 Mac Persistence

    Feb 25, 2025, 17:43


    Today we're talking all about macOS AutoRun locations and how to spot persistence mechanisms. We'll explore the ins and outs of property list files, launch daemons, system integrity protections, and the recent changes in macOS that can impact your forensic examinations...

    DFSP # 470 The Windows Taskhosts

    Feb 18, 2025, 17:33


    This week I'm talking about the three task hosts. These are Windows core files, and they share not only similar names but similar functionality. Because of this, there is the potential for confusion, which may allow an attacker to leverage these similarities and mask that they are malware. My goal in this episode is to demystify the three different task hosts and provide the necessary insight for proper triage if any of these files come up during your investigations.

    DFSP # 469 Network Blocked Activity

    Feb 11, 2025, 21:59


    Today's episode is all about Windows event logs that record blocked network connections. Blocked network events are interesting because they might signal that an attacker's secondary or tertiary toolset isn't working as intended. That's good news from a security standpoint...

    DFSP # 468 Data Brokers & Ransomware

    Feb 4, 2025, 28:24


    Today I cover an evolving threat in the cybersecurity world: data brokers. From a computer forensics standpoint, these threats pose unique challenges. While breaches capture headlines, data brokers play a major (and sometimes overlooked) role in fueling cybercrime. In this session, we will explore how these threats operate, why they are dangerous, and how computer forensics professionals can combat them.

    DFSP # 467 CVSS in Action

    Jan 28, 2025, 28:31


    The Common Vulnerability Scoring System (CVSS) is a powerful tool for assessing the severity and impact of security vulnerabilities. In digital forensics and incident response, CVSS scores can provide critical context to prioritize investigations and focus on the most significant risks. In this episode I will explore how leveraging CVSS scoring enhances vulnerability assessments during incident response, enabling teams to make data-driven decisions.

    DFSP # 466 Malware Triage for File Types

    Jan 21, 2025, 23:54


    Understanding the behavior and characteristics of common file types used in attacks, such as executables, scripts, and document files, is essential for effective analysis. In this episode, we will explore practical approaches to triage malware, focusing on key indicators and techniques for prioritizing investigations. 

    DFSP # 465 Network Permit Events

    Jan 14, 2025, 23:43


    Windows permit events, often overlooked, offer valuable details about allowed network connections that can reveal patterns of malicious activity. In this episode, we will dive into how analyzing these events can enhance network triage, enabling security teams to detect, scope, and respond to threats more effectively. 

    DFSP # 464 Risk Assessments for DFIR

    Jan 7, 2025, 22:30


    Security risk assessments can be a tool for guiding and prioritizing incident response investigations. By evaluating the potential impact and likelihood of various threats, these assessments provide a structured framework to identify and mitigate risks effectively. This episode will explore how integrating security risk assessments into incident response workflows enhances response strategies.

    DFSP # 463 Prefetch

    Dec 31, 2024, 14:45


    This week, we're focusing on the Windows Prefetch artifact—a cornerstone in Windows forensics, especially for user endpoint investigations. In this episode, I'll break down the Prefetch artifact from an investigative perspective, covering how to effectively leverage its evidence in forensic analysis. I'll also highlight any recent changes to the artifact that may impact its value, ensuring you're aware of everything you need to know for your investigations.

    DFSP # 462 Malware Triage Part 1

    Dec 24, 2024, 29:32


    This week, we're exploring malware triage techniques. Unlike full binary analysis, malware triage is often seen as an essential skill that every digital forensic and incident response professional should master. In this episode, I'll walk you through the core elements of malware triage, helping you understand the various skills needed to meet industry expectations. By the end, any analyst should feel confident in examining a binary and applying these techniques to uncover potential malicious content.

    DFSP # 461 PSEXEC

    Dec 17, 2024, 16:50


    This week, we're diving into how to triage for PsExec evidence. PsExec leaves traces on both the source and target systems, making it essential to identify artifacts on each to determine whether a system was used as an attacker's tool or was the target of an attack. While PsExec has somewhat fallen out of favor due to increased use of PowerShell for similar activities, it remains a commonly abused utility among attackers. In this episode, we'll break down the key artifacts and methodologies for effective triage.

    DFSP # 460 Executing Linux

    Dec 10, 2024, 17:55


    Understanding how to search for executables is a critical skill in computer forensics. There are major differences in how executables are handled between Windows and Linux systems, so techniques that work on Windows won't always translate effectively to Linux. In this episode, I'll break down some triage techniques to help you quickly identify suspicious executables on Linux systems.

    DFSP # 459 listening ports

    Dec 3, 2024, 26:40


    Welcome to today's episode! We're diving into network triage, focusing specifically on listening ports. While we often look for active connections, identifying suspicious services listening on a port can be equally crucial in your investigation. It's essential to gather this information for both current, real-time data and historical analysis, providing a more complete view of network activity.

    DFSP # 458 Shellbags and PCA

    Nov 26, 2024, 18:11


    In this episode, we'll dive into two essential forensic artifacts in Windows: shellbags and the Program Compatibility Assistant (PCA). Shellbags provide valuable evidence of file and folder access, offering insights into user activity and file navigation. We'll also explore PCA, which can reveal important information about file execution history. Together, these artifacts play a crucial role in uncovering key forensic details during investigations.

    DFSP # 457 WSL

    Nov 19, 2024, 25:52


    The Windows Subsystem for Linux (WSL) creates both opportunities and challenges for forensic analysts. It makes Windows an excellent platform for multi-platform forensic analysis tasks, allowing it to take advantage of the many Linux tools available. The challenges are foreseeable: you have Linux artifacts now commingled on a Windows platform, which makes forensic analysis that much more difficult when examining such a system as evidence. This week I'm going to break down the Linux subsystems for forensic investigators.

    DFSP # 456 network triage primer

    Nov 12, 2024, 32:05


    In this episode, we'll explore the fundamentals of network triage, focusing on the key aspects of network traffic that are central to many investigations. Additionally, we'll discuss some of the essential tools you can use to analyze and manage network data effectively.

    DFSP # 455 Security Control Circumvention

    Nov 5, 2024, 33:29


    Today, we're going to explore how to handle a critical security event: Unauthorized Modification of Information. This type of event occurs when a user alters information in a system—whether it's an application, database, website, server, or configuration files—without prior authorization. These modifications can range from impersonation and unauthorized system updates to more sophisticated techniques such as SQL injections, privilege escalations, and configuration file tampering.

    DFSP # 454 MFA Bypass Attacks

    Oct 29, 2024, 15:30


    This week I talk about the attack methods being used to bypass MFA. We'll learn about real-world cases where MFA was circumvented, and discover best practices to strengthen defenses against these types of attacks...

    DFSP # 453 Windows Startup Locations

    Oct 22, 2024, 18:19


    In today's episode, we'll focus on startup folders, which are perhaps the easiest to triage among all persistence mechanisms. But before diving in, let's recap the journey so far to underscore the importance of a comprehensive approach rather than a one-off tactic. Each triage area we've covered plays a crucial role in identifying and stopping attacks...

    DFSP # 452 AI and DFIR

    Oct 15, 2024, 22:02


    In 2024, AI has not only revolutionized how we defend against cyber threats but also how those threats are being carried out. We'll explore how AI is enabling faster, more efficient security incident responses, with real-world examples of its application in automated threat detection and response, advanced forensics, and more. But with every technological leap forward, there's a dark side and attackers are harnessing AI to orchestrate sophisticated attacks...

    DFSP # 451 SQL Triage

    Oct 8, 2024, 26:26


    SQL injection poses significant risks by enabling attackers to access sensitive metadata, execute dynamic SQL commands, and alter system parameters. These actions can lead to unauthorized data access and system disruptions, especially if attackers gain elevated privileges. This week I'm talking about SQL attack patterns from a triage point of view to help you detect such activity when doing log analysis...

    DFSP # 450 Secure coding and DFIR

    Oct 1, 2024, 19:34


    I decided to talk this week about the Importance of Secure Coding Knowledge for Security Incident Response Investigations. Knowing secure coding principles helps identify the root causes of vulnerabilities and recognize attack patterns. It facilitates effective communication and collaboration with developers, ensuring accurate incident reports and actionable recommendations. Secure coding knowledge enhances forensic analysis by aiding in code reviews and log analysis to detect anomalies. It also allows responders to suggest mitigation strategies and improve the security posture of applications. Ultimately, this knowledge leads...

    DFSP # 449 Zero-Day or Hero-Day

    Sep 24, 2024, 33:43


    This week, we're covering zero-day vulnerability response from a Digital Forensics and Incident Response professional's perspective. In our roles, we often get involved in various tasks that require a security mindset, and one critical task is responding to zero-day vulnerabilities. To provide a real-world context, we'll integrate the recently disclosed zero-day exploit "Copy2Pwn" (CVE-2024-38213) and discuss the specific forensic artifacts and methods used to achieve the objectives of a DFIR response.

    DFSP # 448 WebShell Forensics

    Sep 17, 2024, 20:14


    Welcome to this week's session, where we'll delve into web shell forensics—an ever-critical topic in incident response investigations and threat-hunting strategies. Today, I'll provide a breakdown that includes the latest developments, detailed triage techniques, and practical examples of what to look for during your investigations:

    DFSP # 447 Linux Root Kits

    Sep 10, 2024, 32:39


    Rootkits are hard to detect because they employ advanced stealth techniques to hide their presence. They can conceal processes, files, and network activities by altering system calls and kernel data structures. The deep system knowledge and specialized tools required for low-level analysis make rootkit detection complex and resource-intensive. Limited visibility of standard security tools further complicates the identification of rootkits. However, this week I'm going to talk about how to identify rootkits on Linux systems using only the command line.
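    One command-line check that fits the approach this episode describes is to ask the kernel about each PID in two different ways and look for disagreement. A rootkit that hides a process usually filters it out of the /proc directory listing (the getdents path that ls and ps rely on), but kill(pid, 0) resolves the PID through a different path and still reports that it exists. The script below, an added example for this page and not code from the podcast, sweeps a PID range with kill(pid, 0), compares it against the /proc listing (thread IDs included, since kill() accepts those too), and re-checks survivors against a fresh listing so processes that started or exited during the sweep are not reported. The 65536 PID cap is an assumption made to keep the example quick; a real sweep would cover the full pid_max.

```python
import os

PROC = "/proc"
# Cap on the PID range probed. This is an assumption to keep the sweep fast;
# a real sweep would use the full value of /proc/sys/kernel/pid_max.
DEFAULT_PID_CAP = 65536


def visible_pids():
    """PIDs and thread IDs that /proc reports through a directory listing.

    A rootkit hooking getdents/getdents64 filters entries out of exactly this
    listing. Thread IDs are collected as well because kill() accepts a TID and
    would otherwise make every extra thread look like a hidden process.
    """
    ids = set()
    if not os.path.isdir(PROC):
        return ids
    for entry in os.listdir(PROC):
        if not entry.isdigit():
            continue
        ids.add(int(entry))
        try:
            task_dir = os.path.join(PROC, entry, "task")
            ids.update(int(t) for t in os.listdir(task_dir) if t.isdigit())
        except OSError:
            pass  # the process exited between the two listings
    return ids


def pid_exists(pid):
    """kill(pid, 0) asks the kernel directly whether a PID exists, bypassing /proc."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but is owned by another user
    return True


def probed_pids(max_pid):
    """Every PID in 1..max_pid that the kernel says exists."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def find_hidden_pids(max_pid=None):
    """Return PIDs that answer kill(pid, 0) but never appear in the /proc listing."""
    if not os.path.isdir(PROC):
        return set()  # no procfs here (not Linux); nothing to compare
    if max_pid is None:
        try:
            with open(os.path.join(PROC, "sys", "kernel", "pid_max")) as fh:
                max_pid = min(int(fh.read().strip()), DEFAULT_PID_CAP)
        except OSError:
            max_pid = DEFAULT_PID_CAP
    before = visible_pids()
    candidates = probed_pids(max_pid) - before
    # Re-check each candidate against a fresh listing: a process that started
    # during the sweep now shows up in /proc, and one that exited no longer
    # answers kill(). Only a genuinely hidden PID survives both checks.
    after = visible_pids()
    return {pid for pid in candidates if pid not in after and pid_exists(pid)}


if __name__ == "__main__":
    hidden = find_hidden_pids()
    if hidden:
        print("PIDs seen by kill() but missing from /proc:", sorted(hidden))
    else:
        print("kill() probing and the /proc listing agree; no hidden PIDs found")
```

    Run it as root so that the thread listings under /proc/<pid>/task are readable for every process; an empty result means the two views agree, and any PID it does report deserves a look at /proc/<pid>/exe, /proc/<pid>/maps and the loaded kernel modules before anything else.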

    DFSP # 446 Registry by EVTX

    Sep 3, 2024, 20:02


    In previous episodes, we covered techniques for examining the Windows Registry, a critical component in identifying persistence mechanisms. We'll explore the registry again but shift our focus to registry modification events as reported by Windows event logs.

    DFSP # 445 Bash Triage

    Aug 27, 2024, 27:26


    Bash history's forensic value lies in its ability to answer diverse investigative questions, making it a cornerstone artifact for Linux systems. It aids in triaging lateral movement, identifying reconnaissance activities, and detecting attempts at establishing persistence. This underscores the importance of structuring triage tasks around specific investigative questions, facilitating focused analysis amidst potentially extensive Bash history records...
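    The episode's point about organising Bash history triage around investigative questions can be turned directly into a script: each question (reconnaissance, lateral movement, persistence, anti-forensics) becomes a small set of command patterns, and every history line is filed under the questions it helps answer. The script below is an added example for this page, not code from the podcast. The history it runs over is constructed for the example, and the pattern lists are illustrative starting points rather than a complete signature set. One practitioner detail it handles: when HISTTIMEFORMAT is set, bash writes a `#<epoch>` line before each command, so those lines are attached to the following command instead of being triaged as commands themselves.

```python
import re

# Constructed sample .bash_history (not taken from any real case). Lines that
# start with '#' followed by digits are the epoch timestamps bash writes when
# HISTTIMEFORMAT is set; each one applies to the command on the next line.
SAMPLE_HISTORY = """\
ls -la /home
#1747147200
id
uname -a
cat /etc/passwd
#1747147500
ssh deploy@10.0.0.25
scp payload.tar.gz deploy@10.0.0.25:/tmp/
(crontab -l; echo "@reboot /tmp/.x/run.sh") | crontab -
echo "ssh-ed25519 AAAA... attacker" >> ~/.ssh/authorized_keys
history -c
"""

# Each investigative question maps to the command patterns that help answer it.
# These are illustrative starting points, not a complete signature set.
QUESTIONS = {
    "reconnaissance": [
        r"^(id|whoami|uname|hostname|w|last)\b",
        r"\b(cat|less|more|head)\s+/etc/(passwd|shadow|group|sudoers|hosts)\b",
        r"^(netstat|ss|ifconfig|ip)\b",
        r"\bsudo\s+-l\b",
    ],
    "lateral_movement": [
        r"^(ssh|scp|sftp|rsync)\b.*\S+@\S+",
        r"\bsshpass\b",
    ],
    "persistence": [
        r"\bcrontab\b",
        r"authorized_keys",
        r"\.bashrc|\.bash_profile|\.profile|/etc/rc\.local",
        r"\bsystemctl\s+enable\b",
    ],
    "anti_forensics": [
        r"^history\s+-c\b",
        r"\bunset\s+HISTFILE\b|HISTSIZE=0|HISTFILESIZE=0",
        r"^(shred|wipe)\b",
        r"\brm\b.*bash_history",
    ],
}

COMPILED = {q: [re.compile(p) for p in pats] for q, pats in QUESTIONS.items()}
TIMESTAMP = re.compile(r"^#(\d{9,10})$")


def parse_history(text):
    """Yield (line_no, epoch_or_None, command) for each command in a history file."""
    pending_ts = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line:
            continue
        m = TIMESTAMP.match(line)
        if m:
            pending_ts = int(m.group(1))  # belongs to the next command
            continue
        yield line_no, pending_ts, line
        pending_ts = None


def triage_bash_history(text):
    """Group history entries under the investigative question each one helps answer."""
    hits = {question: [] for question in QUESTIONS}
    for line_no, ts, cmd in parse_history(text):
        for question, patterns in COMPILED.items():
            if any(p.search(cmd) for p in patterns):
                hits[question].append({"line": line_no, "epoch": ts, "command": cmd})
    return hits


def triage_sample():
    """Run the triage over the constructed sample history."""
    return triage_bash_history(SAMPLE_HISTORY)


if __name__ == "__main__":
    for question, entries in triage_sample().items():
        print(f"== {question} ({len(entries)} hits)")
        for e in entries:
            when = e["epoch"] if e["epoch"] is not None else "no timestamp"
            print(f"  line {e['line']:>3} [{when}] {e['command']}")
```

    Point `triage_bash_history` at the contents of each user's `.bash_history` (and at `.zsh_history`, `.sh_history` or whatever shells the host uses) and read the result per question rather than per line; the line numbers give you ordering even when no timestamps were recorded, and an `anti_forensics` hit late in the file is itself a lead, since it tells you what the attacker wanted gone.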

    DFSP # 444 A little assistance

    Aug 20, 2024, 28:41


    The UserAssist key is a Windows Registry artifact that logs details about user activity, such as recently accessed programs and files. It encodes information on the frequency and last access time of items launched via Windows Explorer. This helps investigators understand user behavior and timeline of actions on a system, providing evidence of program execution and file access...
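    To make the "encodes" part concrete: the value names under the UserAssist Count subkeys are ROT13-obfuscated program paths, and each value's binary data carries the run count, focus count, focus time and a FILETIME for the last execution. The script below is an added example for this page, not code from the podcast. It decodes one entry using the 72-byte value layout found on Windows 7 and later (the offsets are stated in the comments and are what this example assumes) and runs over a constructed sample value, so it works offline; on a real case you would feed it the names and data read out of an NTUSER.DAT hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Layout of a UserAssist\{GUID}\Count value on Windows 7 and later, as assumed
# by this example (72 bytes, little-endian):
#   offset  0  DWORD       session id
#   offset  4  DWORD       run count
#   offset  8  DWORD       focus count
#   offset 12  DWORD       focus time, milliseconds
#   offset 16  10 x float  per-execution values (not used here)
#   offset 56  DWORD       (not used here)
#   offset 60  FILETIME    last executed, 100 ns ticks since 1601-01-01 UTC
#   offset 68  DWORD       (not used here)
VALUE_LEN = 72
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_value_name(name):
    """Value names under the Count subkey are ROT13-encoded program paths."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ticks):
    """FILETIME (100 ns ticks since 1601) to an aware UTC datetime; 0 means none."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_userassist_value(value_name, data):
    """Decode one UserAssist Count entry into a triage-friendly record."""
    if len(data) < VALUE_LEN:
        raise ValueError(f"expected at least {VALUE_LEN} bytes, got {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_ticks,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": decode_value_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_s": focus_ms / 1000.0,
        "last_executed_utc": filetime_to_datetime(last_ticks),
    }


# Constructed sample entry (not from a real system): cmd.exe launched 5 times,
# last on 2025-05-13 14:30:00 UTC, stored under the GUID Windows uses for
# executable launches. The name is ROT13-encoded here the way the registry
# stores it.
SAMPLE_NAME = codecs.encode(
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\C:\\Windows\\System32\\cmd.exe",
    "rot_13",
)
SAMPLE_LAST = datetime(2025, 5, 13, 14, 30, tzinfo=timezone.utc)
SAMPLE_DATA = (
    struct.pack("<IIII", 0, 5, 3, 120_000)  # session, run count, focus count, focus ms
    + struct.pack("<10f", *([0.0] * 10))   # per-execution floats
    + struct.pack("<I", 0xFFFFFFFF)
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST))
    + struct.pack("<I", 0)
)


def parse_sample():
    """Decode the constructed sample entry."""
    return parse_userassist_value(SAMPLE_NAME, SAMPLE_DATA)


if __name__ == "__main__":
    for key, value in parse_sample().items():
        print(f"{key:>18}: {value}")
```

    Two things to keep in mind when reading the output: the last-executed timestamp is UTC, not the user's local time, and a run count of zero together with a zero FILETIME is common for entries Windows created without an actual launch, so treat the count and the timestamp together rather than either one alone.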

    DFSP # 443 - Standard Actions

    Aug 13, 2024, 38:48


    Every incident response outfit should have a set of guidelines for their team which outlines the standard actions or common considerations for security investigations. In this episode, I highlight some of the key points for security teams with a special focus on initial actions which typically set the tone for success during the subsequent investigation.

    DFSP # 442 - Database Response

    Aug 6, 2024, 31:10


    Understanding the different types of databases is important for security incident response investigations, as databases are often targeted by attackers seeking sensitive information. Each database type—relational, NoSQL, in-memory, and cloud-based—has unique structures, query languages, and security mechanisms. Familiarity with these variations enables investigators to effectively... 

    DFSP # 441 - CIS Benchmarks

    Jul 30, 2024, 26:14


    CIS (Center for Internet Security) Benchmarks provide a comprehensive set of best practices for securing IT systems and data, which are vital for security response investigations. These benchmarks, developed through a consensus-driven process by cybersecurity experts, offer detailed guidelines for configuring operating systems, applications, and network devices to enhance their security posture. In the context of security response investigations, adhering to CIS Benchmarks helps ensure that systems are resilient against common threats and vulnerabilities. By implementing these benchmarks, organizations can better detect, respond to, and recover from security incidents, thereby minimizing potential damage and improving overall cybersecurity hygiene.

    DFSP # 440 - ABCs of BECs

    Jul 23, 2024, 24:44


    Business Email Compromise (BEC) forensics involves the meticulous investigation of cyberattacks where attackers infiltrate email systems to manipulate business communications for financial gain. These attacks often entail phishing, social engineering, and credential theft to impersonate trusted entities within or outside an organization. Forensic analysis of BEC incidents focuses on tracing the attacker's entry point, examining email headers, metadata, and logs to uncover the methods used for unauthorized access. It also involves identifying compromised accounts, understanding the scope of the attack, and preserving evidence for legal proceedings. Effective BEC forensics is crucial for mitigating financial losses, strengthening cybersecurity defenses, and preventing future incidents.

    DFSP # 439 - Remoting Windows

    Jul 16, 2024, 23:48


    Remote Desktop Protocol (RDP) is a crucial artifact in digital forensics due to its extensive use for remote system access. Analyzing RDP activities can uncover vital information about unauthorized access, insider threats, and attacker lateral movement within a network. Forensic examination of RDP logs enables investigators to trace an attacker's steps, identify compromised accounts, and assess the breach's extent. For instance, RDP forensics can detect brute force attacks on login credentials, track the use of stolen credentials, and monitor suspicious reconnection attempts to previously established sessions.

    DFSP # 438 - Old Nix

    Jul 9, 2024, 32:01


    This week, I will be discussing the Linux operating system from a DFIR perspective. It is highly recommended for every examiner to become proficient in Linux, especially with the increasing prevalence of cloud-based infrastructures in enterprise environments. As these platforms become the norm, you can expect to encounter Linux systems frequently during your investigations.

    DFSP # 437 - Windows Autoruns

    Jul 2, 2024, 24:54


    In Windows forensics, understanding the intricacies of autorun functionalities and the Windows Registry is essential for effective incident response and investigation. Autorun mechanisms, which allow programs to execute automatically when the system starts or specific actions are performed, can be exploited by malicious actors to persist on a system. The Windows Registry, a hierarchical database that stores low-level settings for the operating system and applications, plays a crucial role in tracking these autorun entries. Forensic analysis of the Windows Registry can reveal information about auto-starting applications, system configurations, and user activities, providing insights into potential security breaches and unauthorized changes.
