

Understanding Google Workspace Structure from a Cloud Forensics Lens
In this new series, we'll be diving deep into investigation and forensics within Google Workspace (the Google ecosystem). So tighten your seatbelt—let's go! When diving into cloud forensics, especially in Google Workspace, there’s a lot more to unravel than just user credentials or login timestamps. One of the most overlooked but crucial areas is how permissions are managed within the environment. Let's break down two key building blocks of Google Workspace that matter a lot
-
3 days ago · 4 min read


Let’s Go Practical: Working with NetFlow Using nfdump Tools
Enough theory. Now let’s actually touch NetFlow data. If you’re doing DFIR, threat hunting, or even basic network investigations, one toolkit you must be comfortable with is the nfdump suite. This suite gives you three extremely important tools: nfcapd, the collector; nfpcapd, the pcap-to-NetFlow converter; and nfdump, the analysis engine. nfcapd: The NetFlow Collector (W
-
Jan 21 · 6 min read
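To show what the nfdump analysis step actually computes, here is an added example (not code from the original post or from the nfdump project). It takes a handful of constructed flow records laid out like the leading columns of `nfdump -o csv` output (assumption: the real export carries more columns; only the first fifteen are modelled here) and reproduces two things an analyst would otherwise ask nfdump for: a top-talkers statistic like `nfdump -s srcip/bytes`, and a port-scan hunt that looks for one source producing many one-packet TCP flows against a single host.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape of `nfdump -r <file> -o csv` output,
# trimmed to the leading columns (assumption: a real export carries more).
# ts/te = first/last seen, td = duration, sa/da = src/dst IP, sp/dp = ports,
# pr = protocol, flg = TCP flags, ipkt/ibyt = packets/bytes in.
SAMPLE_CSV = """ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt,opkt,obyt
2026-01-21 10:00:01,2026-01-21 10:00:05,4.000,10.0.0.5,203.0.113.10,51234,443,TCP,.AP.SF,0,0,40,52000,0,0
2026-01-21 10:00:02,2026-01-21 10:00:02,0.010,10.0.0.5,203.0.113.10,51235,443,TCP,.AP.SF,0,0,12,9000,0,0
2026-01-21 10:00:03,2026-01-21 10:00:03,0.001,10.0.0.7,10.0.0.20,40001,22,TCP,....S.,0,0,1,60,0,0
2026-01-21 10:00:03,2026-01-21 10:00:03,0.001,10.0.0.7,10.0.0.20,40002,23,TCP,....S.,0,0,1,60,0,0
2026-01-21 10:00:03,2026-01-21 10:00:03,0.001,10.0.0.7,10.0.0.20,40003,80,TCP,....S.,0,0,1,60,0,0
2026-01-21 10:00:03,2026-01-21 10:00:03,0.001,10.0.0.7,10.0.0.20,40004,445,TCP,....S.,0,0,1,60,0,0
2026-01-21 10:00:09,2026-01-21 10:00:30,21.000,10.0.0.9,198.51.100.8,33000,53,UDP,......,0,0,200,24000,0,0
"""


def parse_flows(text):
    """Parse nfdump-style CSV into dicts with the numeric fields converted."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["sp"] = int(row["sp"])
        row["dp"] = int(row["dp"])
        row["ipkt"] = int(row["ipkt"])
        row["ibyt"] = int(row["ibyt"])
        row["td"] = float(row["td"])
        flows.append(row)
    return flows


def top_talkers(flows, key="sa", metric="ibyt", n=5):
    """Equivalent of `nfdump -s srcip/bytes -n 5`: total metric per key, descending."""
    totals = defaultdict(int)
    for f in flows:
        totals[f[key]] += f[metric]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def scan_candidates(flows, min_ports=3):
    """Sources that touch many distinct TCP ports on one host with one- or
    two-packet flows: the NetFlow signature of a port scan, since every probe
    becomes its own tiny flow record."""
    ports = defaultdict(set)
    for f in flows:
        if f["pr"] == "TCP" and f["ipkt"] <= 2:
            ports[(f["sa"], f["da"])].add(f["dp"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CSV)
    for src, nbytes in top_talkers(flows):
        print(f"{src:15} {nbytes:>8} bytes")
    for (src, dst), dports in scan_candidates(flows).items():
        print(f"possible scan {src} -> {dst} ports {dports}")
```

Swap `key="da"` or `key="dp"` into `top_talkers` to get the destination-IP and destination-port views that `nfdump -s dstip` and `-s dstport` would give; the point is that NetFlow statistics are plain group-by aggregations over flow records, which is why they stay fast at scale where PCAP does not.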


Where NetFlow Either Shines or Struggles
Let’s talk about where NetFlow either becomes incredibly powerful… or painfully slow. Most NetFlow analysis is done through a GUI: a browser-based console, or a thin client that is basically a browser wrapped with authentication, branding, and access control. Nothing wrong with that — in fact, it makes a lot of sense. In most deployments, the GUI or console is hosted close to the storage layer or on the same system entirely. That design choice is intentional. When analysts start querying mo
-
Jan 19 · 3 min read


NetFlow: Something I Seriously Underestimated (Until I Didn’t)
I’ll be honest. For a long time, I never really gave NetFlow the priority it deserves. PCAP was always the gold standard in my head. If you want to know what really happened on the network, you go straight to packet capture. End of story. But after reading more, testing more, and actually thinking about scale, cost, and real-world SOC/DFIR constraints, my opinion changed. Today, I want to talk about why NetFlow matters, when it actually makes your job easier, and why full
-
Jan 19 · 7 min read


SentinelOne Vigilance MDR: How It’s Quietly Changing the Way SOCs Work
If you’ve been following my work for a while, you already know this: I’ve written an entire series on SentinelOne. (If you haven’t read it yet, I’ll drop the link below; go check it out.) https://www.cyberengage.org/courses-1/mastering-sentinelone%3A-a-comprehensive-guide-to-deep-visibility%2C-threat-hunting%2C-and-advanced-querying%22 Recently, I also wrote about Dropzone AI and how AI is changing SOC capabilities, and yes, potentially even affecting SOC jobs. https://www.
-
Jan 14 · 5 min read


Case Studies: Building Effective Timelines with Plaso (Log2Timeline)
By now, if you’ve followed the previous articles in this series, you should be very comfortable with: creating timelines using Plaso / Log2Timeline; running Plaso on Windows and Ubuntu; creating timelines for Linux systems; and understanding how timelines help reconstruct attacker activity. If you haven’t read those yet, you can find them here: Creating a Timeline for Linux with fls, mactime, and Plaso (Log2Timeline) https://www.cyberengage.org/post/creating-a-timeline-for-linux-tria
-
Jan 7 · 3 min read


Moving Forward with Memory Analysis: From Volatility to MemProcFS : Part 3
Last article on memory analysis using MemProcFS. Cached Files in MemProcFS: the Windows operating system caches a large number of files in memory. This includes frequently used system artifacts such as registry hives, Prefetch files, and the $MFT; memory-mapped files like executables and DLLs; recently accessed user files such as Word documents, PDFs, and log files; and files opened from removable media (USB) or even encrypted containers. All of these cached items are tracked in memor
-
Jan 2 · 3 min read


Moving Forward with Memory Analysis: From Volatility to MemProcFS : Part 2
One of the most exciting upgrades to MemProcFS is the native integration of YARA signature scanning. By combining the power of YARA-based detection with deep memory inspection, MemProcFS makes it surprisingly easy to detect even highly stealthy malware variants. When enabled, YARA hits are surfaced at the very top of the FindEvil output, which is exactly where they belong, since these detections often act as the starting point for deeper analysis. Expanded Coverage: Processes
-
Dec 31, 2025 · 6 min read


Moving Forward with Memory Analysis: From Volatility to MemProcFS Part 1
If you’ve been following my Memory Analysis series, you may remember that I previously covered the initial investigation steps in detail in the article: “Step-by-Step Guide to Uncovering Threats with Volatility: A Beginner’s Memory Forensics Walkthrough” https://www.cyberengage.org/post/step-by-step-guide-to-uncovering-threats-with-volatility-a-beginner-s-memory-forensics-walkthrough Volatility is one of my favorite memory forensics tools. I genuinely love working with it—it
-
Dec 29, 2025 · 6 min read


Volatility Plugins — Plugin windows.drivermodule, windows.svcdiff Let’s Talk About it
Modern Windows rootkits assume that analysts will enumerate drivers using linked lists, trust Windows APIs, and rely on “normal” system views. Volatility 3’s windows.drivermodule plugin was built specifically to break that assumption. What windows.drivermodule Actually Does: this plugin performs cross-view analysis for drivers, similar in spirit to psxview (processes) and svcdiff (services), but focused entirely on kernel drivers. Step 1: Memory Scanning. Scans memory for structures as
-
Dec 26, 2025 · 3 min read


Volatility Plugins — Plugin windows.modscan, windows.modules Let’s Talk About it
Drivers are the cleanest way for malware to own a Windows system. Once malicious code executes as a driver, it runs in kernel mode; it can hook system calls; it can hide processes, files, and registry keys; and it can tamper with security tools. This is why rootkits almost always involve drivers. How Windows Tracks Drivers: Windows maintains multiple views of loaded drivers, just like it does with processes. Rootkits exploit this. 1. The Linked List (Normal View): tracks currently load
-
Dec 25, 2025 · 3 min read


Volatility Plugins — Plugin windows.psxview Let’s Talk About it
If SSDT hooking shows you how rootkits control behavior, psxview shows you how they hide existence. This plugin is one of the most important tools for rootkit detection in memory. What psxview Really Does: psxview is a compound plugin. It doesn’t invent new data; it compares existing views of processes gathered using different kernel mechanisms. Why this matters: Windows tracks processes in multiple places: linked lists, PID tables, thread structures, user-session data, desktop
-
Dec 23, 2025 · 3 min read


Volatility Plugins — Plugin windows.ssdt Let’s Talk About it
Now we’re stepping into kernel territory. And once malware gets here, things get serious. One of the biggest wins for kernel malware is SSDT hooking. If you understand this, you understand how rootkits control the entire system. What Is the SSDT: the System Service Descriptor Table (SSDT) is basically a lookup table used by the Windows kernel. When a process asks Windows to do something like open a file, read registry data, enumerate processes, or allocate memory, the kernel looks
-
Dec 19, 2025 · 2 min read


Volatility Plugins — Plugin windows.ldrmodules Let’s Talk About it
This plugin is honestly one of the best examples of why Volatility still matters in memory forensics. Why? Because instead of trusting a single data source, ldrmodules does something very smart: it cross-checks multiple memory structures and looks for inconsistencies. And malware absolutely hates consistency. What ldrmodules Is Actually Doing: when we’re looking for suspiciously loaded code inside a process, there isn’t just one place to look. Windows tracks loaded DLLs in mu
-
Dec 17, 2025 · 4 min read
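The drivermodule, psxview and ldrmodules teasers above all describe the same technique, cross-view analysis: collect the same set of objects from several independent kernel mechanisms and flag anything that one view reports but another does not. The following is an added example of that comparison, written for this page and not taken from Volatility's source. The two inputs are constructed: a psxview-style table of PIDs across five process-tracking views, and an ldrmodules-style table of image base addresses across the three PEB module lists and the VAD. The expected-absence rules (System never appearing in csrss's handle table, the main executable never being on the InInitializationOrder list) are the same exceptions those plugins have to account for to avoid false positives.

```python
def cross_view(views, scan_views, exceptions=None):
    """Compare several views of the same objects (PIDs, DLL bases, driver objects).

    views:      {view_name: set(object_ids)} as reported by each kernel mechanism
    scan_views: names of views built by carving memory (psscan, VAD, pool scans);
                these are hard to tamper with, so an object present there but
                missing from a linked-list view is the classic "unlinked" signature
    exceptions: {view_name: set(object_ids)} legitimately absent from that view
    Returns (table, suspects): table[obj] = {view: bool}; suspects = [(obj, [missing views])]
    """
    exceptions = exceptions or {}
    table, suspects = {}, []
    for obj in sorted(set().union(*views.values())):
        row = {name: obj in members for name, members in views.items()}
        table[obj] = row
        missing = [name for name, present in row.items()
                   if not present and obj not in exceptions.get(name, set())]
        if missing and any(row[name] for name in scan_views):
            suspects.append((obj, missing))
    return table, suspects


# Constructed psxview-style input: PIDs seen by five process-tracking mechanisms.
# PID 2280 was unlinked from the EPROCESS list (pslist) but still has pool
# memory, threads, a PspCid entry and a csrss handle.
PROCESS_VIEWS = {
    "pslist":   {4, 348, 612, 1204},
    "psscan":   {4, 348, 612, 1204, 2280},
    "thrdproc": {4, 348, 612, 1204, 2280},
    "pspcid":   {4, 348, 612, 1204, 2280},
    "csrss":    {348, 612, 1204, 2280},
}
# System (PID 4) is never in csrss's handle table, so its absence there is expected.
PROCESS_EXCEPTIONS = {"csrss": {4}}

# Constructed ldrmodules-style input for one process: image bases in the three
# PEB lists versus the VAD. INJECTED is mapped as an image in the VAD but
# appears in none of the PEB lists (reflectively loaded or unlinked).
EXE, DLL_A, DLL_B, INJECTED = 0x7ff6_1234_0000, 0x7ff8_9a00_0000, 0x7ff8_9b00_0000, 0x7ff8_a123_0000
DLL_VIEWS = {
    "InLoad": {EXE, DLL_A, DLL_B},
    "InInit": {DLL_A, DLL_B},
    "InMem":  {EXE, DLL_A, DLL_B},
    "VAD":    {EXE, DLL_A, DLL_B, INJECTED},
}
# The main executable is never placed on InInitializationOrder; not suspicious.
DLL_EXCEPTIONS = {"InInit": {EXE}}


def hidden_processes():
    return cross_view(PROCESS_VIEWS, ["psscan"], PROCESS_EXCEPTIONS)[1]


def hidden_modules():
    return cross_view(DLL_VIEWS, ["VAD"], DLL_EXCEPTIONS)[1]


if __name__ == "__main__":
    table, suspects = cross_view(PROCESS_VIEWS, ["psscan"], PROCESS_EXCEPTIONS)
    print("PID     " + " ".join(f"{v:>8}" for v in PROCESS_VIEWS))
    for pid, row in table.items():
        print(f"{pid:<8}" + " ".join(f"{str(ok):>8}" for ok in row.values()))
    print("hidden processes:", suspects)
    print("unlisted modules:", [(hex(b), m) for b, m in hidden_modules()])
```

The same function serves drivers as well: feed it the driver-object linked list as one view and a pool-tag scan of DRIVER_OBJECT structures as the scan view, and an unlinked driver falls out as a suspect in exactly the same way.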


Volatility Plugins — Plugin windows.malfind Let’s Talk About it
Let’s get into the second plugin, windows.malfind, my favorite plugin when I want to quickly spot weird injected memory in a process. What malfind Actually Does: malfind looks for two suspicious things inside process memory. First, the memory region is executable (PAGE_EXECUTE_READWRITE or similar permissions); this is already a red flag because legitimate apps rarely need RWX memory. Second, the memory region is NOT mapped to a file on disk, meaning the process has code in memory that didn’t come from an
-
Dec 16, 2025 · 4 min read
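The two malfind criteria from the teaser (executable protection, no backing file) are a filter over the process's VAD entries, and the interesting part for triage is what the first bytes of a surviving region look like. Here is an added example that applies that filter to constructed VAD-style records; it is not Volatility's code, the field names are this example's own, and the triage labels on the result are an assumption about how an analyst would rank the hits rather than anything malfind itself outputs.

```python
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

# Constructed VAD-style records for two processes. Field names are this
# example's own, not Volatility's; "mapped_file" is None for private memory.
REGIONS = [
    {"pid": 1204, "start": 0x7ff6_1234_0000, "protection": "PAGE_EXECUTE_WRITECOPY",
     "mapped_file": r"C:\Windows\notepad.exe", "first_bytes": b"MZ\x90\x00" + b"\x00" * 12},
    {"pid": 1204, "start": 0x0000_0210_0000, "protection": "PAGE_READWRITE",
     "mapped_file": None, "first_bytes": b"\x00" * 16},                                  # ordinary heap
    {"pid": 1204, "start": 0x0000_0230_0000, "protection": "PAGE_EXECUTE_READWRITE",
     "mapped_file": None, "first_bytes": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8},  # dropped PE
    {"pid": 2280, "start": 0x0000_0190_0000, "protection": "PAGE_EXECUTE_READWRITE",
     "mapped_file": None, "first_bytes": bytes.fromhex("fc4883e4f0e8c0000000")},        # shellcode stub
    {"pid": 2280, "start": 0x0000_01b0_0000, "protection": "PAGE_EXECUTE_READWRITE",
     "mapped_file": None, "first_bytes": b"\x00" * 16},                                  # RWX, never written
]


def classify(region):
    """Apply malfind's two criteria, then triage what the first bytes look like.
    Returns None when the region is not interesting."""
    if region["protection"] not in EXECUTABLE or region["mapped_file"]:
        return None                      # file-backed or non-executable: skip
    head = region["first_bytes"]
    if head[:2] == b"MZ":
        return "pe_in_private_memory"    # a whole PE injected (manual map, reflective load)
    if not any(head):
        return "rwx_but_zeroed"          # committed but untouched; common false positive
    return "executable_private_code"     # no header: shellcode or a stripped stub


def malfind(regions, skip_zeroed=True):
    """Return [(pid, start, verdict)] for regions that pass malfind's filter."""
    hits = []
    for r in regions:
        verdict = classify(r)
        if verdict is None or (skip_zeroed and verdict == "rwx_but_zeroed"):
            continue
        hits.append((r["pid"], r["start"], verdict))
    return hits


if __name__ == "__main__":
    for pid, start, verdict in malfind(REGIONS):
        print(f"pid {pid:<6} {start:#018x}  {verdict}")
```

Run with `skip_zeroed=False` to see the third hit: an RWX region that was reserved and never written. Real malfind output is full of those (JIT runtimes and some packers allocate them), which is why the first-bytes check matters more than the permission check when you are deciding what to dump first.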


Volatility Plugins — Plugin windows.handles Let’s Talk About it
So yeah… I know I already wrote a bunch of blogs on memory forensics — Volatility step‑by‑step, code injection, rootkits, all of that. And you might be wondering: “Bro, why are we still talking about memory forensics?” Well… because some Volatility plugins are actually important, a bit tricky, and very underrated. Everyone knows the basics like psscan, pslist, dlllist, etc. If not, go check my earlier guide; I won’t repeat the boring stuff here. https://www.cyberengage.o
-
Dec 15, 2025 · 3 min read


Memory Forensic vs EDR – Talk
If you look at how cybersecurity has evolved over the past few years, one thing becomes very clear: we finally have the horsepower to see what’s actually happening on our systems in real time. Thanks to cheaper storage, faster processing, and advances in forensics, we can now monitor both live and historical activity like never before. And that visibility isn’t just for show — we can act on it, whether automatically or manually, before attackers get too comfortable. A big par
-
Dec 8, 2025 · 3 min read


Dropzone AI Final Conclusion – What All These Examples Really Show
Now that I’ve shown you investigations from Panther, I think you can clearly see what Dropzone AI is actually doing behind the scenes. No matter which security tool generates the alert, Dropzone picks it up instantly, investigates it faster than any human, asks all the important questions automatically, pulls evidence from everywhere, checks historical behaviour, compares with analyst verdicts, correlates with the MITRE framework, and finally gives you a clear conclusion. All of this h
-
Nov 18, 2025 · 2 min read


Deep Dive: How Dropzone AI Investigates Alerts (Example Explained)
In the previous article, I explained the Dropzone AI dashboard and overall features. Now, let’s get into the real action: how Dropzone actually investigates an alert, using Panther as the example. Let’s begin. How Alerts Flow From Panther → Dropzone: let’s say you’ve integrated the Panther data source and the Panther alert source. This means every alert Panther generates will be picked up automatically by Dropzone. No manual work. No need to forward anything. Dropzone grabs the alert
-
Nov 17, 2025 · 4 min read


Dropzone AI Dashboard & Investigation Overview
Your SOC, but finally without the headache. In the previous article, I talked about how AI is changing SOC operations forever — especially tools like Dropzone AI that automate full investigations. If you ask me which tools I enjoy working with the most, I will always say CrowdStrike , SentinelOne , and Forensic tools . But recently, one tool has impressed me so much that I genuinely feel like every SOC team should see it at least once. And that tool is Dropzone AI . This Ar
-
Nov 17, 2025 · 5 min read