// dfir vocabulary

forensics jargon glossary

the words that mean specific things in dfir. 45 terms with plain definitions and cross-links to playbooks and tools where they show up. no upload. no account. runs locally. don't trust us, verify it.

search terms

45 terms

A

Amcache: a database of recently run programs with their identifiers
amcache parser
amcache vs prefetch conflict detector
anti-forensic tool signature scanner
execution artifact cross-source correlator
forensic imaging tool artifact detector
forensic tool execution artifact detector
live response tool execution artifact detector
artifact: a piece of digital evidence
supply chain case type
supply chain methodology
invoice fraud case type
invoice fraud methodology
prompt injection case type
prompt injection methodology
court kits vertical
file artifacts vertical

B

beaconing: regular check-in communication with an attacker's server
dns query log analyzer
dns over tls and dns over https detector
host-based beaconing detector
ndr c2 beaconing pattern detector
network beaconing detector
beaconing pattern detector
bootkit: malware that loads before the operating system starts
boot & pre-os persistence detector
boot sector modification artifact detector
bootkit mbr vbr deep analyzer
partition table and MBR anomaly detector
secure boot violation and bypass artifact detector

C

C2: command and control — communication with an attacker's server
c2 callback interval analyzer
c2 framework traffic fingerprinter
cobalt strike config extractor
dns over tls and dns over https detector
dns tunneling detector
in-memory malware configuration extractor
irc botnet log analyzer
malware config extractor
carved: recovered data that was previously deleted
unallocated space artifact scanner
CLSID: a unique identifier for a Windows software component
com hijack detector
com object & hijack analyzer
COM: a Windows mechanism for programs to interact with each other
axon evidence com export forensic analyzer
bill com ap audit log forensic analyzer
checkout com payment event forensic analyzer
com hijack detector
com ihijack typelib persistence detector
com object & hijack analyzer
COM object hijack residue detector
dji airdata export forensic analyzer

D

DLL: a shared library file used by Windows programs
amsi patch in memory detector
dll search order hijack detector
dll injection detector
dll injection indicator analyzer
dll sideload detector
dll sideloading via trusted publisher detector
dotnet assembly inspector
known DLL hijack residue detector

E

EDR: endpoint detection software that monitors computers for threats
correlation vertical
carbon black response edr export forensic analyzer
cross edr identity process correlator
cross honeypot edr endpoint correlator
cross itdr edr session correlator
cross ndr edr incident correlator
cross rmm edr incident correlator
edr isolation bypass detector
ELF: the standard file format for Linux programs
binary provenance & build metadata analyzer
binary compiler and language identifier
elf analyzer
elf binary analyzer
go symbol extractor
packer identifier
packer identifier extended
EVTX: Windows event log files
admin share access timeline
admin share access timeline
AMSI bypass artifact detector
anti-analysis and sandbox evasion artifact detector
anti-forensic tool signature scanner
anti-forensic tool identifier
antimalware real-time protection disable detector
AppLocker and WDAC policy disable detector
exfiltration: unauthorized removal of data from a system
insider threat case type
insider threat methodology
prompt injection vertical
ai agent network exfiltration pattern detector
aws cloudtrail forensic deep analyzer
aws cloudtrail log forensic analyzer
browser extension persistence & forensics mapper
casb cloud download anomaly detector

H

hash: a unique mathematical fingerprint of a file
platform vertical
correlation vertical
android qualcomm sahara artifact forensic analyzer
barracuda message archiver export forensic analyzer
forensic case metadata tracker
case report generator
child exploitation case packaging kit
disk image hasher
hibernation file: a file that captures a snapshot of the computer's memory when it enters sleep mode
hibernation file deletion detector

I

IOC: an indicator of compromise — a clue linked to malicious activity
phishing case type
phishing methodology
correlation vertical
breach ioc normalizer
cross email threat intel siem correlator
cross threat feed incident correlator
email ioc campaign cluster detector
eml deep analyzer

K

Kerberos: the Windows system for proving user identity on a network
kerberos golden silver diamond sapphire ticket detector
kerberos traffic analyzer

L

lateral movement: moving from one computer to another inside a network
ransomware case type
ransomware methodology
key leak case type
key leak methodology
account takeover incident kit
aws cloudtrail forensic deep analyzer
credential to lateral movement tracer
deception lateral movement chain correlator
LSASS: the Windows process that stores login credentials
lsass dump artifact analyzer
memory credential theft artifact detector
parent-child process anomaly detector
process name spoofing artifact detector

M

MachO: the standard file format for macOS programs
binary compiler and language identifier
packer identifier
MD5: a type of digital fingerprint used to verify file integrity
checksum verifier
disk image hasher
duplicate file finder
e01 image reader
email attachment hash extractor and analyzer
evidence manifest generator
file integrity verifier
metadata: hidden information embedded within files
doc forgery case type
doc forgery methodology
minor coercion case type
minor coercion methodology
creator safety case type
creator safety methodology
labor trafficking case type
labor trafficking methodology
MFT: the file system's master index
ntfs alternate data stream deep analyzer
timestamp cluster anomaly detector
artifact absence anomaly scoring detector
browser cache clearing burst detector
browser crash report artifact and suppression detector
browser download history correlator
browser extension removal burst detector
browser profile deletion artifact detector
MITRE: a public catalog of known attacker behaviors
attacker tool inventory builder
email threat actor ttp correlator
threat hunt hypothesis generator
mitre att&ck technique mapper
mitre attack navigator generator
sigma rule tester
windows event log attack chain mapper

N

NTFS: the Windows file system format
file artifacts vertical
ntfs alternate data stream deep analyzer
alternate data stream forensic scanner
NTFS compressed file anomaly detector
directory entry slack artifact extractor
NTFS file system tunneling artifact detector
ntfs journal gap analyzer
ntfs file born-time consensus engine
NTLM: an older Windows method for proving user identity
credential artifact scanner
NTLM credential capture and relay artifact detector
ntlm hash calculator
pass-the-hash indicator detector
smb artifact forensic analyzer

P

pagefile: temporary disk space used when the computer's memory is full
memory artifact suppression via large page detector
pagefile artifact suppression detector
pagefile extractor
pagefile timeline reconstructor
PDB: a debug file that can reveal where a program was built
binary provenance & build metadata analyzer
debug symbol extractor
binary development environment fingerprinter
PE: the standard file format for Windows programs
binary provenance & build metadata analyzer
code signing certificate analyzer
compile time timezone analyzer
PE compile timestamp vs filesystem timestamp conflict detector
binary compiler and language identifier
dll injection detector
dotnet assembly inspector
environmental keying and sandbox evasion detector
persistence: methods attackers use to maintain access after reboot
cryptojacking case type
cryptojacking methodology
agent runaway case type
agent runaway methodology
agentic AI vertical
ai agent persistence mechanism detector
autoit script analyzer
BITSAdmin and BITS transfer artifact detector
prefetch: performance files that record program execution
amcache vs prefetch conflict detector
anti-forensic tool signature scanner
anti-forensic tool identifier
artifact absence anomaly scoring detector
counter-investigation behavioral pattern detector
credential harvesting tool artifact detector
disk imaging and acquisition tool execution detector
evidence of evidence deletion detector
privilege escalation: gaining higher-level access than originally granted
linux auditd log deep analyzer
aws cloudtrail forensic deep analyzer
aws cloudtrail log forensic analyzer
cnapp workload privilege escalation detector
database privilege escalation detector
handle table manipulation detector
k8s runtime privilege escalation detector
kubernetes privilege escalation detector

R

ransomware: malicious software that encrypts files and demands payment
ransomware case type
ransomware methodology
ransomware vertical
backup / DR vertical
backup deletion artifact analyzer
ransomware encryption onset timer
windows event log gap analyzer
mass rename detector
registry: Windows's central settings database
file artifacts vertical
Windows Activity History collection suppression detector
aircraft tail number history tracer
anti-forensic tool identifier
antimalware real-time protection disable detector
AppLocker and WDAC policy disable detector
artifact absence anomaly scoring detector
azure container registry audit forensic analyzer
rootkit: malware designed to hide its presence on a system
dkom hidden process detector
linux rootkit artifact scanner
secure boot violation and bypass artifact detector

S

sandbox: an isolated environment used to safely examine suspicious files
anti-analysis and sandbox evasion artifact detector
environmental keying and sandbox evasion detector
forcepoint email security gateway log forensic analyzer
malware sandbox and VM environment evasion detector
mobile app sandbox artifact analyzer
SHA-256: a stronger type of digital fingerprint used to verify file integrity
blockchain timestamp verifier
ci/cd build artifact inspector
ShimCache: Windows's record of programs that were run
anti-forensic tool signature scanner
AppCompatCache / ShimCache gap analyzer
appcompat cache timeline
artifact absence anomaly scoring detector
bam and dam entry absence detector
counter-investigation behavioral pattern detector
disk imaging and acquisition tool execution detector
evidence of evidence deletion detector
SIEM: a system that collects and analyzes security logs
cross email threat intel siem correlator
cross siem identity alert correlator
cross threat feed incident correlator
log forwarding disable detector
log ingestion gap and silent host detector
multi siem incident timeline correlator
siem alert fatigue pattern detector
siem correlation rule change detector
SRUM: Windows's detailed record of application resource usage
application focus timeline reconstructor
execution artifact cross-source correlator
unified login session reconstructor
srum analyzer

T

timestomp: deliberately changing file dates to hide activity
indx slack timestamp inconsistency detector
ios photos.sqlite forensic analyzer
timestamp manipulation detector
timestomp consistency cross-validator
timestomp detector
TTP: tactics, techniques, and procedures used by an attacker
email threat actor ttp correlator
threat hunt hypothesis generator
mitre att&ck technique mapper
ttp consistency analyzer

U

UserAssist: a hidden registry record of programs used by the user
execution artifact cross-source correlator
typedurls typedpaths extractor
UserAssist clearing and gap detector
userassist decoder
userassist vs prefetch execution gap detector

V

volatile memory: the computer's temporary working memory that is lost when power is removed

W

WMI: Windows's built-in remote management interface
fileless malware artifact extractor
full windows persistence map
malware sandbox and VM environment evasion detector
wmi eventconsumer persistence detector
wmi lateral movement detector
wmi repository analyzer

forensics home