Cyber Triage

Software Development

SOMERVILLE, MA 12,758 followers

Automated investigation platform for SOCs, MSSPs, DFIR Teams, and Law Enforcement

About us

Cyber Triage allows you to quickly and efficiently investigate endpoints using automation and artifact scoring. It is used by corporate SOCs, MSSPs, #DFIR teams, consultants, and law enforcement to effectively determine if a computer is compromised and how badly. Cyber Triage is made by Sleuth Kit Labs, which has been building digital forensics tools for over 15 years. It is led by Brian Carrier, PhD, who created the popular open source Autopsy and Sleuth Kit tools over 20 years ago. Cyber Triage can integrate with EDRs and cloud infrastructure to make sure that your corporate security team can quickly collect and analyze the endpoint. Visit the website to try your free 7-day evaluation.

Website
https://www.cybertriage.com/
Industry
Software Development
Company size
11-50 employees
Headquarters
SOMERVILLE, MA
Type
Privately Held
Founded
2016

Updates

  • Cyber Triage reposted this

    DFIR+AI Primer: How to Combat Hallucinations ...and one Claude recently gave me

    Hallucinations are why GenAI outputs need verification. They happen when you ask them to enrich artifacts and reason about what happened and they don't have the information.

    You have four options to combat them:
    - Ignore them and take the risk.
    - Use another LLM to verify (this works for logic errors, but not if the other LLM has the same knowledge gaps)
    - Query to make sure artifacts are actually in the case
    - Manually verify the results

    The approach you use depends on what your risk level is. Criminal cases have low risk thresholds and should have extensive manual verification. Low impact EDR alerts may have a high risk threshold and have less verification.

    The upcoming Cyber Triage release allows AI to add "enrichment notes" and score items as suspicious, but they are all clearly identified as "[AI]" so you can review.

    How do you verify? Manually? Or with another LLM?

    Blog: https://lnkd.in/gxUJm5t2

  • DFIR Crash Course: Kerberoasting ⤵

    Kerberoasting is a tactic used by threat actors to get credentials to a domain account by exploiting normal Kerberos behavior in a Windows Active Directory (AD) environment.

    Kerberoasting Basics:
    → Attacker uses the domain controller to get a “ticket.”
    → The ticket data is encrypted using a user’s password hash.
    → Attacker brute-forces the data offline to learn the password.
    → Attacker uses that password to log into other systems.
    → These systems will have no evidence of the attack.

    Kerberoasting Investigations:
    → Overview: https://lnkd.in/dwMzxBDY
    → Detection: https://lnkd.in/gergHRsj
    → Mitigation: https://lnkd.in/eU8rbEM9

    Kerberoasting Examples:
    → MITRE ATT&CK: https://lnkd.in/gfqRnuVb
    → AD Decoy: https://lnkd.in/g2r7-554
    → Ghost SPN: https://lnkd.in/gsg5Fch7

    P.S. Share this post to help other DFIR pros!
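
The basics listed in the post end with the point that the systems the attacker logs into afterwards carry no evidence; the place a defender does see the activity is the domain controller, which records every service-ticket request as Security Event ID 4769 together with the ticket encryption type. The Python below is an added detection example written for this page, not code from the post or from Cyber Triage. It runs two widely used heuristics over constructed 4769-style records (the field names follow the Windows event schema, every value is made up): an RC4 (0x17) ticket requested for a user-backed service account, and a single account requesting tickets for several distinct service accounts within a short window.

```python
"""Kerberoasting detection heuristics over Windows Security Event ID 4769 records.

Added example for this page, not Cyber Triage's code. The records below are
constructed to mimic 4769 ("A Kerberos service ticket was requested") fields;
the names and addresses are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values as logged in 4769.
RC4_HMAC = "0x17"            # legacy type that is fast to crack offline: the classic roasting signal
AES_TYPES = {"0x11", "0x12"}  # AES128 / AES256

# Constructed sample events (a real feed comes from the DC's Security channel).
SAMPLE_EVENTS = [
    {"time": "2026-05-01T09:00:01", "user": "alice@CORP.LOCAL", "service": "WS01$",      "etype": "0x12", "ip": "10.0.0.15"},
    {"time": "2026-05-01T09:00:05", "user": "alice@CORP.LOCAL", "service": "svc_sql",    "etype": "0x12", "ip": "10.0.0.15"},
    {"time": "2026-05-01T09:10:00", "user": "bob@CORP.LOCAL",   "service": "svc_sql",    "etype": "0x17", "ip": "10.0.0.42"},
    {"time": "2026-05-01T09:10:01", "user": "bob@CORP.LOCAL",   "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.42"},
    {"time": "2026-05-01T09:10:02", "user": "bob@CORP.LOCAL",   "service": "svc_web",    "etype": "0x17", "ip": "10.0.0.42"},
    {"time": "2026-05-01T09:10:03", "user": "bob@CORP.LOCAL",   "service": "svc_ftp",    "etype": "0x17", "ip": "10.0.0.42"},
    {"time": "2026-05-01T09:10:04", "user": "bob@CORP.LOCAL",   "service": "krbtgt",     "etype": "0x17", "ip": "10.0.0.42"},
    {"time": "2026-05-01T11:00:00", "user": "carol@CORP.LOCAL", "service": "svc_legacy", "etype": "0x17", "ip": "10.0.0.77"},
]


def is_service_account(name):
    """Computer accounts end in '$' and krbtgt appears in every TGS exchange; neither is a roasting target."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_service_ticket_requests(events):
    """Events where an RC4 ticket was requested for a user-backed service account."""
    return [e for e in events if e["etype"] == RC4_HMAC and is_service_account(e["service"])]


def burst_requesters(events, window=timedelta(minutes=5), min_distinct=3):
    """Map user -> sorted SPN list for users that requested tickets for at least
    `min_distinct` different service accounts inside any `window`-long span."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):   # ISO-8601 strings sort chronologically
        if is_service_account(e["service"]):
            per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    hits = {}
    for user, reqs in per_user.items():
        for i, (t0, _) in enumerate(reqs):              # sliding window anchored at each request
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_distinct:
                hits[user] = sorted(spns)
                break
    return hits


def triage(events):
    """Combine both signals into one per-user summary a responder can act on."""
    summary = {}
    for e in rc4_service_ticket_requests(events):
        s = summary.setdefault(e["user"], {"rc4_spns": set(), "burst": False, "ips": set()})
        s["rc4_spns"].add(e["service"])
        s["ips"].add(e["ip"])
    for user in burst_requesters(events):
        summary.setdefault(user, {"rc4_spns": set(), "burst": False, "ips": set()})["burst"] = True
    return {u: {"rc4_spns": sorted(v["rc4_spns"]), "burst": v["burst"], "ips": sorted(v["ips"])}
            for u, v in summary.items()}


if __name__ == "__main__":
    for user, s in triage(SAMPLE_EVENTS).items():
        print(f"{user}: rc4_spns={s['rc4_spns']} burst={s['burst']} ips={s['ips']}")
```

On the constructed data, bob trips both heuristics (four RC4 tickets for four different service accounts in four seconds from one host) while carol trips only the RC4 one, which is the kind of hit that often turns out to be a legacy application that still negotiates RC4. Both thresholds are tuning knobs: allowlist known RC4-only services and accounts that legitimately touch many SPNs (monitoring, backup), and treat the post's mitigation link (moving service accounts to AES and strong passwords) as the way to shrink the alert volume at the source.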

  • DFIR pros skeptical of AI: We NEED your AI fails!

    The DFIR + AI 2026 Challenge has lots of submissions. 95% of them are AI wins. Surely there is more to the story.

    So give us your tired, your poor, your fumbled AI answers. So the DFIR community can get the full story on AI and investigations.

    LINKS:
    → DFIR + AI 2026 blog: https://lnkd.in/gcd2nSXy
    → Submissions form: https://tally.so/r/vG0rrQ

    P.S. Share this post to help other DFIR pros!

  • Cyber Triage reposted this

    AI+DFIR 2026 Challenge: The Good vs The Ugly

    To enable data-driven discussions about GenAI in investigations, Brian Carrier is organizing a 4-week challenge with a panel of judges (AI advocates and skeptics), public voting, and sharing all of the results. The goal here is not to promote or bash any single product or LLM. It’s to share what currently works and what doesn’t.

    The basic concept is: You submit SANITIZED screenshots of where GenAI was amazing, where it went bad, and where you’re not sure it helped or hurt. A panel of industry judges will review for the top 5 amazing ones and the top 5 disasters. The public will vote on the final winners. The winners get bragging rights!

    The judges:
    Me - Heather Barnhart (SANS)
    Alexis Brignoni (LEAPPS)
    Eric Capuano (Digital Defense Institute)
    Brian Carrier (Sleuth Kit Labs - Organizer)
    Filip Stojkovski (BlinkOps)

    Submissions: Submissions are due by May 25, 2026 11:59PM EST. The form is here: https://tally.so/r/vG0rrQ

    Submission Requirements
    The goal here is for honest and well-intentioned submissions from practitioners using data from:
    Actual investigations
    CTFs
    Course data sets
    Realistic test data
    Vendors can submit results from their own tools, but they need to disclose they are a vendor!

    Example public data sources include:
    https://lnkd.in/ekTnj4pg
    https://ctf.null404.org
    https://cfreds.nist.gov/

    Submissions will include:
    Context of the data
    What you prompted
    Screenshots of the results
    Why do you think it’s amazing, a disaster, or a snooze-fest?

    The criteria will include:
    Clarity: Is it obvious from the screenshot + context what happened? Can someone learn from it without needing a 10-minute explanation?
    Significance: Did the result provide either a much faster result or a novel finding? Or a really dangerous finding?
    Realistic: Is the data set realistic or is it a bit esoteric?
    Teachability: Would this make someone better at using (or being skeptical of) GenAI in their workflow? Is there a takeaway from it?

    Requirements to Win
    Submit all of the info on the form (screenshots, context, etc). Make sure to include your email so that we can verify it’s a real submission. We won’t publish this though and results can be posted anonymously.

    Schedule
    May 25: submissions are due
    June 8: Public voting begins
    June 15: Public voting ends
    June 18: Winners are announced

    If you have any questions, send them to Brian Carrier.

  • Save this DFIR resource: 2026 Computer Forensics Tools Comparison Chart ⤵

    Definitions:
    → Preservation: Storing the collected data in a format that allows long-term (infinite) storage and verification that the original format is unchanged.
    → Collection: Transferring digital artifacts from the original source into a format that can be interpreted by analysis tools.
    → Automated Analysis: The process of identifying significant events from parsed data.
    → Parsing: The conversion of an artifact to a human-readable or interpretable format.
    → Identification: The process of determining what needs to be examined.
    → Manual analysis: A human searching the parsed data for relevant events.
    → Reporting: Communicating the findings of the investigation.
    → TC: Targeted collection.
    → FDI: Full disk imaging.

    Full breakdown: https://lnkd.in/g6URv4r2

  • Cyber Triage reposted this

    Filip Stojkovski

    Director of SecOps AI Strategy @ BlinkOps | Founder - SecOps Unpacked | Researching and Redefining SecOps with AI Agents & Automation | Advisor |

    LLM in investigations needs fewer hot takes and more real examples. That’s the idea behind the DFIR + AI Challenge.

    We’re looking for sanitized screenshots from real investigation workflows where GenAI either: helped in a meaningful way, failed in an interesting way, or landed somewhere in the messy middle. This can be from DFIR, SOC investigations, e-discovery, or similar investigative workflows.

    The goal is to create a more data-driven conversation around where GenAI actually works in investigations, and where it still breaks down.

    Thanks to Brian Carrier for organizing this great initiative. I’m excited to be joining the judging panel alongside:
    Heather Barnhart, SANS
    @Alexis B, LEAPPS
    Eric Capuano, Digital Defense Institute

    How it works:
    Submit sanitized screenshots showing GenAI being amazing, terrible, or questionable.
    The judges will review submissions and select the top 5 “amazing” examples and top 5 “disasters.”
    The public will vote on the final winners.
    All submissions will be published on GitHub.

    Winners get bragging rights, which is honestly the best security community currency.

    Submissions are due May 25, 2026. Full details here: https://lnkd.in/dGnqqqSr

  • Cyber Triage reposted this

    DFIR + AI Primer: Use LLMs in Your Cloud - Not Theirs

    AWS, Azure, & GCP have cutting edge models. Use them so Anthropic or OpenAI can't see your data.

    3 simple steps:
    - Enable the feature in your cloud and get an API key
    - Configure a GenAI client on your system to use the key (I used Goose)
    - Configure the local MCP servers (Autopsy, Cyber Triage, etc.)

    That's it. You can analyze your DFIR data and it never leaves your control. It's better performing than a local LLM and similar cost as using the vendor subscriptions.

    Full steps are in the blog: https://lnkd.in/epaK3k42

    The other benefit is that you can easily switch out models. I'm going to experiment more with Gemini. What models are you all using?

  • DFIR + AI primer: 12 Projects You Should Know ⤵

    Community:
    → AIFT: https://lnkd.in/g_wShFnE
    → RocketIR: https://lnkd.in/gEmziPpa
    → Autopsy MCP: https://lnkd.in/gD_jN_Fv
    → Protocol SIFT: https://lnkd.in/gsHi5XgD
    → Velociraptor MCP: https://lnkd.in/gy7jQHZC
    → OpenRelik DFIR worker: https://lnkd.in/g-r5jXdA

    Commercial:
    → SURGE: https://surge.security/
    → Mobasi: https://mobasi.ai/
    → CyDelphi: https://cydelphi.com/
    → Google TIN: https://lnkd.in/gzmfBzQp
    → Cyber Triage MCP: https://lnkd.in/gcfWb8da
    → Cyber Triage MCP (external): https://lnkd.in/gs3hsDjZ

    P.S. Share this post to help other DFIR pros!
