@cybertriage profile picture
Cyber Triage @cybertriage

Digital Forensics and incident response software for endpoint investigations. Built by @sleuthkitlabs and Brian Carrier (@carrier4n6).

Joined December 2014
  • Tweets 726
  • Following 388
  • Followers 4,159
256 Photos and videos
Cyber Triage 3.16 is out: Investigate Faster with *Enterprise* Read Brian Carrier’s release blog: cybertriage.com/blog/cyber-t… Interested in trying Enterprise? Contact us: cybertriage.com/contact/

Cyber Triage 3.16: Investigate Faster with Cyber Triage Enterprise

Quickly accessing and analyzing data is essential to effective investigations, yet SOC analysts and IR teams often waste time doing both. The 3.16 release

cybertriage.com
2
3
740
Cyber Triage retweeted
SEKTOR7 Institute
@SEKTOR7net
Jan 12
Kerberoasting and its artifacts. From attack breakdown to behavior detection. A detailed process walk-through by Chris Ray (@cybertriage) Source: cybertriage.com/blog/dfir-br… #redteam #blueteam #maldev #malwaredevelopment

DFIR Breakdown: Kerberoasting

Kerberoasting allows attackers to determine sensitive passwords and the most common place for detecting this attack is on the domain controller. In this

cybertriage.com
27
94
5,007
DFIR is changing fast. How do investigators adapt their approach to stay effective? Today, 11 AM EST, Blake Regan and Brian Carrier debate when and when *not* to use EDR in DFIR, plus provide tools techniques to use in modern investigations. Register: register.gotowebinar.com/reg…
6
1,154
To EDR or not EDR? That’s the investigator’s question. Next Thursday, Blake Regan and Brian Carrier will tackle that and other questions facing SOC and IR teams trying to adapt to emerging threats and evolving tech. Register here: register.gotowebinar.com/reg…
1
3
429
New DFIR Research: Pulseway (RMM) Abuse ⤵ Our team recently observed a threat actor using Pulseway for remote access and gaining full control of a system. Read @MikeWilko's research investigation tips from the case: cybertriage.com/blog/dfir-ne…
3
4
508
85% of attacks use LOTL The Socrates of SOC investigations teaches his best approach⤵ This Thursday, Wade Wells, detection and response expert, shares: → War stories → Investigation approach → Top 3 tips for elite endpoint triage Register: register.gotowebinar.com/reg…
3
4
709
Catch DFIR’s Con Artists Thursday’s RMM masterclass: → Commonly abused RMM tools → DFIR artifacts they leave behind → Insights from those artifacts → How to investigate With Professor Mike Wilkinson Register: attendee.gotowebinar.com/reg…
1
174
Keep your eye on AnyDesk. Learn how to investigate suspicious AnyDesk use from Chris Ray: cybertriage.com/blog/dfir-ne… P.S. Share this post to help other DFIR pros!

DFIR Next Steps: Suspicious AnyDesk Use

Welcome back to the next post in our DFIR Next Steps series on remote monitoring and management (RMM) tools. This post will focus on AnyDesk.  Check out

cybertriage.com
4
16
1,517
RMMs: The Perfect Diguise. And attackers will get away with it, unless you learn to unmask them. Next Thursday, @MikeWilko will teach you just that. Register: attendee.gotowebinar.com/reg…
4
3
574
Free your mind: Automate your DFIR. Tomorrow, join @carrier4n6 and Chris Ray as they demo the new Defender → Cyber Triage automation. Register: attendee.gotowebinar.com/reg…
1
3
370
Our 3 Best DFIR Blogs of 2025 (Ranked by views) ⤵ #1 Registry Forensics Cheat Sheet: cybertriage.com/blog/windows… #2 WMI Malware Forensics Guide: cybertriage.com/blog/wmi-mal… #3 NTUSER.DAT Forensics: cybertriage.com/blog/ntuser-… P.S. Share this post to help other DFIR pros!

Windows Registry Forensics Cheat Sheet 2026

Save. This. Post. Our expert staff has compiled an up-to-date and comprehensive Windows Registry forensics cheat sheet, and it might be just what you need

cybertriage.com
1
5
220
New DFIR Research: Chris Ray’s comprehensive list of LogMeIn artifacts ⤵ → Windows events → Registry keys → Exe names → Domains → Log files → Folders Right here: cybertriage.com/blog/dfir-ne… P.S. Share this post to help other DFIR pros!

DFIR Next Steps: Suspicious LogMeIn Use

Welcome back to the next post in our DFIR Next Steps series on remote monitoring and management (RMM) tools. This post will focus on LogMeIn products.

cybertriage.com
20
45
1,854
New SOC DFIR Automation ⤵ CyberTriage 3.15 can automatically pull analyze Defender data. See it live with @carrier4n6 and Chris Ray on September 11. Register: attendee.gotowebinar.com/reg…
2
169
Learn AI basics in DFIR: → AI LMMs in DFIR overview → When to apply AI to investigations → Live demo of LLM Cyber Triage Join experts @carrier4n6 and @sidprobstein tomorrow! Register: attendee.gotowebinar.com/reg…
1
3
245
Save this DFIR mini series: Jump Lists 2025 ⤵ → What Is a Jump List: cybertriage.com/blog/what-is… → Jump List Forensics: cybertriage.com/blog/jump-li… → Jump Lists Cache: cybertriage.com/blog/what-is… P.S. Share this post to help other DFIR pros!

What Is a Jump List?

What is a jump list? The answer depends on who you are. For general users, they're a way to access recently used files. For investigators, they're a means

cybertriage.com
8
29
1,142
AI in DFIR has “levels” Only one doesn’t involve the investigator: Level 4 The ideal: → Full automation (level 4) for low-risk decisions. → Recommendation (level 3) for higher risk decisions.
7
14
1,397
AI in digital investigations. Learn the basics from these 2 “guys”: → @carrier4n6@sidprobstein Register now: attendee.gotowebinar.com/reg…
3
6
941
Save this DFIR series: Windows Registry Forensics 2025 ⤵ → Registry Forensics 2025: cybertriage.com/blog/windows… → Forensics Cheatsheet: cybertriage.com/blog/windows… → Forensics Tools: cybertriage.com/blog/2025-gu… P.S. Share this post to help other DFIR pros!

Windows Registry Forensics 2026

Key insights for your investigation found in one place! An overview into Windows Registry Forensics and how to leverage data for your investigations. Jump

cybertriage.com
23
70
4,286
Understand investigation automation. @carrier4n6’s framework: cybertriage.com/blog/3-ways-… You can test all 3 automation types with Cyber Triage. Trial copy: cybertriage.com/download-eva…
2
7
857
Philosoraptor’s easiest question yet! And creators, Mike Cohen and Brian Carrier, explain how to this Thursday. With this integration, Velociraptor scans thousands of endpoints, and Cyber Triage dives into ~20 where the attacker was active. To register: register.gotowebinar.com/reg…
2
5
515
Load more