https://sdp4n6.dev/Recent content on sdp4n6.dev // cyber researchHugoen-usSun, 15 Feb 2026 11:02:00 -0500https://sdp4n6.dev/about/Sun, 15 Feb 2026 11:02:00 -0500https://sdp4n6.dev/about/<p><figure class="article-figure"> <img src="https://sdp4n6.dev/images/avatar.svg" alt="sdp4n6 avatar" loading="lazy"> </figure> </p> <p>I am a Senior Analyst in the domain of Cyber Defense operating across CSIRT and the Security Intelligence Center (SIC) operations, focused on high-fidelity incident response, threat hunting, detection engineering, and intelligence gathering.</p> <p>My day-to-day work involves leading high-severity Cyber Intrusions, Incident Response &amp; Digital Forensic investigations spanning multiple areas such as endpoint, network, and cloud telemetry, with practical depth in triage, containment, digital evidence handling, and post-incident root cause analysis. My background spans SOC operations, malware investigation, and threat hunting across enterprise environments.</p>https://sdp4n6.dev/cheatsheets/dfir/dfir-artifacts-guide/Sun, 15 Feb 2026 11:02:00 -0500https://sdp4n6.dev/cheatsheets/dfir/dfir-artifacts-guide/<h1 id="dfir-artifact-quick-reference">DFIR Artifact Quick Reference</h1> <hr> <blockquote> <p><strong>Audience:</strong> DFIR practitioners conducting Windows-centric incident response and forensic investigations.<br> <strong>Scope:</strong> Windows 10/11, Server 2016–2022 unless noted.<br> <strong>Legend:</strong> <code>[EZ]</code> = Eric Zimmerman tool | <code>[TS]</code> = Triaged from live system | <code>[IMG]</code> = Requires disk image</p> </blockquote> <hr> <h2 id="table-of-contents">Table of Contents</h2> <ol> <li><a href="#1-execution-artifacts">Execution Artifacts</a></li> <li><a href="#2-persistence-mechanisms">Persistence Mechanisms</a></li> <li><a href="#3-account--authentication-activity">Account &amp; Authentication Activity</a></li> <li><a href="#4-lateral-movement-indicators">Lateral Movement Indicators</a></li> <li><a href="#5-file-system--file-activity">File System &amp; File Activity</a></li> <li><a href="#6-network-activity">Network Activity</a></li> <li><a href="#7-anti-forensics--defense-evasion">Anti-Forensics &amp; Defense Evasion</a></li> <li><a href="#8-data-exfiltration-indicators">Data Exfiltration Indicators</a></li> <li><a href="#9-cloud--browser-artifacts">Cloud &amp; Browser Artifacts</a></li> <li><a href="#10-key-event-log-ids-reference">Key Event Log IDs Reference</a></li> <li><a href="#11-critical-registry-keys-reference">Critical Registry Keys Reference</a></li> <li><a href="#12-recommended-toolchain">Recommended Toolchain</a></li> </ol> <hr> <h2 id="1-execution-artifacts">1. Execution Artifacts</h2> <h3 id="prefetch">Prefetch</h3> <table> <thead> <tr> <th>Property</th> <th>Detail</th> </tr> </thead> <tbody> <tr> <td><strong>Path</strong></td> <td><code>C:\Windows\Prefetch\*.pf</code></td> </tr> <tr> <td><strong>Exists on</strong></td> <td>Workstations (enabled by default); Servers (disabled by default)</td> </tr> <tr> <td><strong>Key Data</strong></td> <td>Executable name, run count, last 8 run timestamps, files/dirs referenced</td> </tr> <tr> <td><strong>Tool</strong></td> <td><code>PECmd.exe</code> [EZ]</td> </tr> <tr> <td><strong>Investigative Value</strong></td> <td>Proves execution even if binary is deleted; timestamps survive binary removal</td> </tr> <tr> <td><strong>ATT&amp;CK</strong></td> <td>T1204, T1059</td> </tr> </tbody> </table> <p><strong>Notes:</strong></p>