DFIR
Investigate security incidents by analyzing event logs, network captures, and filesystem artifacts. Detect and reconstruct Active Directory (AD) attack chains.
Techniques
| Domain | Key Capabilities |
|---|---|
| Windows Event Logs | EVTX parsing, Event ID correlation, logon tracking, privilege enumeration |
| Network Forensics | PCAP analysis, NTLM extraction, LLMNR/NBT-NS poisoning detection, relay identification |
| Filesystem Forensics | MFT parsing, Prefetch analysis, VSS artifact recovery, Linux persistence, timeline reconstruction |
| AD Attack Detection | Kerberoasting, AS-REP roasting, NTDS dump, NTLM relay, credential theft |
| Memory Forensics | Volatility3 analysis: process trees, file extraction, SID resolution, command lines |
| Hash Analysis | NTLMv2 hash construction from pcap, offline cracking validation |
Workflow
- Inventory evidence — List all artifacts (EVTX, pcap, MFT, prefetch, registry)
- Parse structured data — EVTX with python-evtx, pcap with tshark, MFT with analyzeMFT