Husband, Father, #DFIR @ Unit 42, Digital Forensics Discord Admin, AboutDFIR Contributor, Author, #USMC Veteran, Former LE, NHL Fan, Dark Mode, Animals, Music

Joined September 2013
Pinned Tweet
A few months of behind-the-scenes work is now ready to share with the world! The official EZ Tools Manuals are now available to the public! Grab the book - leanpub.com/eztoolsmanuals Check out the source code for the book - github.com/EZToolsManuals/EZ… #eztoolsmanuals #dfir #eztools
Andrew Rathbun retweeted
🎉 A new 13Cubed episode is up! This time we're exploring the USN Journal on a live system. How can we view it while Windows is actively running, and does the reality match the common explanations? Let's find out! youtube.com/watch?v=eSLHyqZl… #DFIR #DigitalForensics
Andrew Rathbun retweeted
Really enjoyed this interview by @elijahwoodward9 with @bunsofwrath12 on Team Cymru’s “Future of Threat Intelligence”. A lot of good DFIR points in there that often get ignored in enterprise envs:
- why default Win event log sizes are a forensic disaster
- why Sysmon deployments are often stale or incomplete
- the forensic value of Volume Shadow Copies and the $J USN Journal
- why EDR alone is not enough
- how true positives get buried in alert fatigue
- using AI as a force multiplier for parsing logs and writing one-off tooling, while still not treating it as forensic ground truth
Also liked the practical angle throughout the whole discussion. Felt very experience-driven, not theoretical. Worth watching: youtu.be/4KF9jkoM0V4?is=8SMf…
Andrew Rathbun retweeted
All EZ Tools have been updated! New version is 2026.5.0 across the board. Nuget updates, control updates, bug fixes and general refreshing of everything. Enjoy!! #dfir
Andrew Rathbun retweeted
We are pleased to announce the release of macos-collector v1.6.0! 🚀 Notification Center Database File Collection, Paste Protection, and XProtect Version Check added. Happy macOS Threat Hunting! github.com/LETHAL-FORENSICS/…
Andrew Rathbun retweeted
New t-shirt designs are now in stock at shop.13cubed.com. This one is our favorite! 😍
Andrew Rathbun retweeted
GOLDEN 🥇🇺🇸
Andrew Rathbun retweeted
A new #DFIR peer-reviewed article has been published on @DFIRReview: "Is that Windows Notepad window really empty?" by Christopher Eng. #WindowsForensics #DigitalForensics dfir.pubpub.org/pub/wmhy8t6v…
Andrew Rathbun retweeted
🚨OPEN NOW! The @EricRZimmerman #EZToolChallenge at #DFIRCON is accepting submissions! Got a #DFIR tool idea? 🛠️ Submit it by 8/29. Eric will unveil the winner during his keynote! 👉 Submit: sans.org/u/1CrZ 🔎 DFIRCON: sans.org/u/1Cs4
Andrew Rathbun retweeted
27 Jun 2025
We just issued our 500th 13Cubed certification! 🎉 Learn more at 13cubed.com/certs. All Windows, Linux, and macOS courses include certification attempts at no extra cost, allowing you to demonstrate real-world practical application of forensic investigative techniques. 🏅
Andrew Rathbun retweeted
20 Jun 2025
Windows forensics is essential—but don’t overlook Linux or macOS. These platforms are steadily gaining ground in enterprise environments. Make sure you have the skills you need to investigate them too! youtube.com/watch?v=_D6oHm-3…
Andrew Rathbun retweeted
We analyzed the top 500 most successful THOR rules – “successful” meaning: they detected samples that were either ignored or missed by nearly all AV engines on VirusTotal. Some rules detect clear malware. Others reveal dual-use tools, renamed hacktools, misused admin binaries, or forensic leftovers. Most of these samples showed 0 AV detections, the rest only minimal hits. Not all threats are payloads. Not all detections are flashy. But these rules consistently light up the blind spots in AV and EDR coverage – where attackers hide comfortably. THOR doesn’t replace existing tools. It shows you what they forgot to tell you. nextron-systems.com/2025/06/…
Andrew Rathbun retweeted
10 Jun 2025
🎉 Big news! Investigating macOS Endpoints is now live—plus our new *NIX Bundle and XPlat Bundle Complete (all 13Cubed courses in one package). Thanks for patiently waiting! Dive in now 👉 training.13cubed.com #DFIR #macOS #Linux
Andrew Rathbun retweeted
I recommend this if you’re tired of doomscrolling X or chasing updates across a dozen security Slacks. If you’re into good old RSS feeds or just want a weekly blog-style summary of what happened in DFIR, check out "This Week in 4n6" by @phillmoore & @hexplates, a human-curated, no-BS roundup: thisweekin4n6.com/
Andrew Rathbun retweeted
2 May 2025
🎉 Happy Friday! Two quick updates:
Investigating macOS Endpoints and related bundles are now open for waitlisting! 👉 13cubed.com
13Cubed Merch Store is LIVE with fresh designs and premium shirts! 👉 shop.13cubed.com
Andrew Rathbun retweeted
Introducing 🚀Eventlog Compendium 🚀 A new Streamlit app that aims to be the go-to resource for understanding and playing with Windows Event Logs. Explore it 👉 eventlog-compendium.streamli…
Includes the following utilities and docs:
⚙️ Build your own Advanced Audit Policy based on different data points, making your policy data driven.
🧭 EventID to Audit Policy mapping, as well as a MITRE ATT&CK to Event ID explorer.
📊 Leveraging the EVTX-ETW-Resources project, you can explore the different ETW providers by build and version and filter down on key message strings.
📄 EVTX Baseline Search & Match - explore the evtx-baseline project in a visual way, where you can paste logs and check if they match in real time.
🧮 Event Field Decoder - decode common Windows Security Event fields such as Logon Types, Access Masks, Active Directory GUIDs and SIDs.
🔒 Built-in SACL Explorer - leveraging SACL Scanner from Alexander DeMine, you can explore the built-in SACLs on a Windows system.
And much more to come. Stay tuned
Andrew Rathbun retweeted
24 Feb 2025
It's time for a new 13Cubed episode covering a very obscure evidence of execution artifact. youtube.com/watch?v=edJa_SLV… Enjoy! #DFIR
Andrew Rathbun retweeted
Good news: The Hitchhiker's Guide to DFIR book v1.5 has been released, thanks to Eli Woodward for contributing Chapter 15, "2023 from a Cyber Threat Intelligence Perspective". Grab a copy of the book at the link below; it's free! #DFIR leanpub.com/TheHitchhikersGu…
Andrew Rathbun retweeted
Do you like EZTools? Do you like up to date runtimes? Well I have news for you... All EZ Tools are now available as net9 executables! Get-ZimmermanTools has been updated to support this, but net6 is still the default to give people time to transition. Within a few months, net9 will be the default and the net6 versions will be no more. I also added documentation on how to build self-contained executables, so you do not even need the runtime installed at all. ericzimmermanstools.com/ Enjoy!
Andrew Rathbun retweeted
13 Dec 2024
Happy Friday the 13th! 🎉 We’re thrilled to share that our next 13Cubed course—Investigating macOS Endpoints—is officially in the works. This highly requested training is now our top priority, with a target launch by mid-2025. We'll keep you updated along the way! #DFIR