chrissanders88.bsky.social
Digital Forensic Analyst, Researcher, Author Ed.D. Founder Applied Network Defense and Rural Tech Fund Former Mandiant, InGuardians, DoD Author: Intrusion Detection Honeypots, Practical Packet Analysis, Applied NSM

Investigation Scenario 🔎 You’ve discovered a Windows system with screenshots of the user’s desktop in the %appdata%\ScreenShot\ directory. What do you look for to investigate whether an incident occurred? #InvestigationPath #DFIR #SOC

When you're looking up at the sky tonight thinking, "Wow, I can see all these planets!" just remember that they can see you too.

"I like threat hunting; I just don't like spending a lot of time filtering data and trying to eliminate known goods from my queries." Bless your heart, you may not actually like threat hunting then.

Let's take this a bit farther. Given your own ideas and those in the replies, how could you prepare for this scenario? What steps could you take now that would make this investigation easier when it comes up?

Investigation Scenario 🔎 You retrieved a running process list from a single department of 20 Windows systems. What is your approach to find anomalies in this data set? What do you look for to investigate whether an incident occurred? #InvestigationPath #DFIR #SOC

In Digital Forensics, "... there is a tendency to limit peer reviews to the examination of reports, rather than extending them to more thorough verification of results and methodologies."

Investigation Scenario 🔎 Your CFO has returned from another country and they are concerned an untrusted party accessed their Mac laptop. What do you look for to investigate whether an incident occurred? Where do you focus your first few steps? #InvestigationPath #DFIR #SOC

It's a bit tangential to what I do here, but I've been making some short-form video content focused on Meteorite education. If you're into that sorta thing, you can watch here: Youtube: www.youtube.com/@meteocracy Instagram: www.instagram.com/meteocracy88 TikTok: www.tiktok.com/@meteocracy

Investigation Scenario 🔎 You discovered a suspicious PDF on a user’s workstation and found this sandbox report referencing it: app.any.run/tasks/e5ac2... What do you look for to investigate whether the system was infected and its extent? #InvestigationPath #DFIR #SOC

Investigation Scenario 🔎 You receive an alert that a Linux system is experiencing consistently high CPU usage. Running crontab -l for the related user, you see the pictured entry... However, when you check again, the crontab entry is gone.

One of my favorite maxims for anomaly detection in investigations comes from archaeology... One stone is a stone; two stones are a feature; three stones are a wall.

Investigation Scenario 🔎 A user workstation executed gpedit.msc for an unknown reason. What do you look for to investigate whether an incident occurred? #InvestigationPath #DFIR #SOC

Investigation Scenario 🔎 While threat hunting, you’ve discovered a host receiving HTTPS traffic on port TCP/53. What do you look for to investigate whether an incident occurred? #InvestigationPath #DFIR #SOC

Here are the best books I read in 2024... chrissanders.org/2025/01/my-... What were your favorites from last year?

Nobody in Georgia knows what to do when it snows, so of course somebody is shooting off fireworks at 8:30 in the morning.

Investigation Scenario 🔎 A user workstation executed a file named newapp.exe from their AppData/Roaming directory. What do you look for to investigate whether an incident occurred? You don't have access to the file. #InvestigationPath #DFIR #SOC

Not many better ways to ring in the New Year! One of these days I'm gonna talk them into letting me run the grill for a couple of hours. #WaffleHome

Today is the LAST DAY to get my courses at their sale price. It's the lowest price you'll get them at all year.

Investigation Scenario 🔎 You've received an alert from the pictured Sigma rule indicating an account lockout occurred in your Azure environment. What do you look for to investigate whether an incident occurred? #InvestigationPath #DFIR #SOC

A few favorites from my library... a couple are signed! I'm thinking about the Carters and their legacy today 💙

Merry Christmas to those who celebrate! 🎄 A special thanks to the folks working in the SOC who are keeping watch today, those working incidents, and the people supporting them. If you can, drop off something homemade or sweet for them.

Today is the LAST day to enter to win my Golden Ticket! You can win a free seat in all my courses, $500 to spend on books, and a Klein Bottle signed by Cliff Stoll, author of The Cuckoo's Egg. We're almost at our goal, but it's gonna come down to the wire! ruraltechfund.org/goldenticket

Want to win this Klein Bottle, signed by CLIFF STOLL, author of "The Cuckoo's Egg"? You can enter to win it by donating $20 to the Rural Tech Fund or your local food bank. Here are the instructions: ruraltechfund.org/goldenticket

Investigation Scenario 🔎 You’ve discovered a 3-year-old account named “testuser” on your Windows domain. Nobody knows who created it. What do you look for to investigate whether this account has been used for any malicious activity? #InvestigationPath #DFIR #SOC

Teaching more of the little ones about space! They got to hold real meteorites in their hand, including pieces of the Moon and Mars! They were surprised that the meteorites were older than even me and their teachers (only by about 4 billion years).

We're well on our way to our funding goal for @RuralTechFund AND unlocking a second golden ticket to give away. The winner will get a free seat in ALL my online courses, a Klein bottle signed by CLIFF STOLL, $500 to spend on books, and more. Details here: ruraltechfund.org/goldenticket

Investigation Scenario 🔎 An employee was terminated for moonlighting with a competitor. While reviewing their Windows laptop, you find Slack is installed. What do you look for to investigate their Slack use and if an incident occurred? #InvestigationPath #DFIR #SOC

My friends, the time has come. This holiday season, I'm giving away a golden ticket that grants free entry into ALL my training courses and tons of other amazing prizes.