Send us a text Unlock the secrets behind digital forensic investigations into AI chat platforms like ChatGPT, Claude, and Google's Gemini in this insightful episode. Learn the precise methods for discovering, extracting, and interpreting digital evidence across Windows, Mac, and Linux environments, whether it's browser caches, memory forensics, network logs, or cloud-based data exports. From identifying subtle signs of malicious AI usage and attempts to evade security controls, to piecing tog...
All content for TLP - The Digital Forensics Podcast is the property of Clint Marsden and is served directly from their servers
with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Send us a text Unlock the secrets behind digital forensic investigations into AI chat platforms like ChatGPT, Claude, and Google's Gemini in this insightful episode. Learn the precise methods for discovering, extracting, and interpreting digital evidence across Windows, Mac, and Linux environments, whether it's browser caches, memory forensics, network logs, or cloud-based data exports. From identifying subtle signs of malicious AI usage and attempts to evade security controls, to piecing tog...
Send us a text Clint Marsden breaks down a critical cybersecurity report from intelligence agencies including the CSA, NSA, and FBI about the growing threat of AI data poisoning. Learn how malicious actors can hijack AI systems for as little as $60, turning machine learning models against their intended purpose by corrupting training data. Clint explains the technical concept of data poisoning in accessible terms, comparing it to teaching a child the wrong labels for objects. He walks t...
Send us a text This episode features the complete narration of my ebook: Mastering Sysmon – Deploying, Configuring, and Tuning in 10 Easy Steps, providing a step-by-step guide to getting Sysmon up and running for better threat detection and incident response. If you’re in security operations, digital forensics, or incident response, this episode will help you: Deploy Sysmon efficiently.Tune Sysmon logs for maximum insight while reducing noise.Use Sysmon for investigations—from process creatio...
Send us a text So You Want to Build Your Own DFIR CTF? Ever wanted to build your own Digital Forensics and Incident Response (DFIR) Capture the Flag (CTF) challenge but weren’t sure where to start? In this episode of Traffic Light Protocol, we share the how-to of CTF builders, making it easy for anyone—no pentesting skills required! Today's episode includes: Choosing Your CTF Theme – Using MITRE ATT&CK and APT tracking to craft a realistic attack scenario.Setting Up the Lab – S...
Send us a text Kicking off 2025, we're getting back to basics with something every cyber investigator needs to master—starting an investigation the right way. Too often, investigations get derailed because the right questions weren’t asked at the outset, evidence wasn’t properly handled, or reporting lacked clarity. In this episode, we cover how to build an investigation plan that keeps you on track, ensures consistency, and leads to better results. We talk about evidence volatility, log rete...
Send us a text Key Takeaways: Introduction to Hayabusa: Hayabusa is an open-source Windows Event Log Analysis Tool used for processing EVTX logs to detect suspicious activities in Windows environments.Critical Alerts Detection: The tool is capable of detecting a variety of suspicious activities, including WannaCry ransomware and unauthorized Active Directory replication.Efficient Incident Response: Hayabusa is ideal for incident response workflows, enabling teams to quickly triage and analyze...
Send us a text In this episode of Traffic Light Protocol, Clint Marsden is joined by Jonathan Thompson, a developer and AI enthusiast currently studying at Macquarie University. Together, they dive into how artificial intelligence (AI) is transforming the cybersecurity landscape and discuss Jon’s insights into AI’s potential applications in digital forensics, incident response, and everyday IT operations. The conversation touches on ethical considerations, potential job impacts, and how A...
Send us a text Episode 13 is another giant episode with a focus on what its like be in the mud working on real life forensic investigations. Jacob and Clint talk about ELK EDR, using Sysmon. Sandbox Environments: Jacob discusses the creation of a sandbox environment using an ELK stack combined with Sysmon, enabling in-depth malware analysis by capturing and analyzing detailed system activity. Automation in Investigations: Jacob emphasizes the importance of automating repetitive tasks, such a...
Send us a text Quotes: “In the fast-paced world of DFIR, you are a mission critical system. Your job isn’t just to uncover what happened during an incident, but to do so in a way that gets results fast.”“Specialists bring expertise that pushes the entire industry forward, while generalists offer versatility and adaptability in the ever-changing landscape of cybersecurity.”“The choice between specializing and generalizing doesn’t always need to be a conscious decision. Often, you just fall int...
Send us a text In this episode of Traffic Light Protocol, we sit down with Myles, a cybersecurity veteran with over 15 years of Cyber experience and background as a Combat Engineer in the Army. Myles brings his unique perspective on integrating automation and cloud technologies into cybersecurity infrastructure deployment (Used specifically when deploying Velciraptor- an advanced open-source endpoint monitoring, digital forensic and cyber response platform). We delve into his journey ...
Send us a text Quotes: "Phishing targets the human element, the 'wetware,' often the weakest link in any security chain." - Clint Marsden "Phishing isn't just about poorly spelled emails anymore; it's about sophisticated campaigns that even cyber-aware individuals can fall victim to." - Clint Marsden "Effective defense against phishing involves not just technology but ongoing education and a culture of security awareness." - Clint Marsden Key Takeaways: Phishing attacks continue to ...
Send us a text Episode Title: "Unmasking APT40: Tactics, Challenges, and Defense Strategies" Key Takeaways: APT40 is a sophisticated Chinese state-sponsored cyber espionage group active since 2009. They target various sectors including academia, aerospace, defense, healthcare, and maritime industries. APT40 uses advanced tactics such as spear phishing, watering hole attacks, and living off the land binaries (LOLBINS). Digital forensics faces challenges in detecting APT40 due to their use of ...
Send us a text In this episode, Clint Marsden goes straight into 4 practical strategies that enable better forensics and stop data exfiltration, no matter the size of your budget. Clint covers deploying Sysmon for enhanced monitoring, and using Group Policy to tighten print and USB security. Event log cleared: Event ID 1102 ACSC Sysmon: https://github.com/AustralianCyberSecurityCentre/windows_event_logging Swift on security Sysmon: https://github.com/SwiftOnSecurity/sysmon-config Print...
Send us a text In todays episode of TLP - Traffic Light Protocol, Clint Marsden talks about Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures. Key Takeaways Understanding Scattered Spider: Scattered Spider, also known as Roasted Octopus or Octo Tempest, utilizes various legitimate tools for malicious purposes. Common Tools and Techniques: They employ tools for reconnaissance (PingCastle, ADRecon), credential dumping (Mimikatz, Lazagne),...
Send us a text In this episode, we speak with Phil Ngo, a Primary Investigator in Accenture's global cyber response team. As a primary investigator, he is responsible for helping clients recover from major incidents as well as delivering proactive cyber services, such as threat hunting and tabletop exercises. Philip started his career as a high school teacher, before moving into IT support and eventually into cyber security six years ago. Philip has a worked across multiple indus...
Send us a text This is the biggest episode from a content perspective so far. I'm excited to share it with you. Episode Highlights: How to run post-incident debriefs and post-mortems.Involving external teamsUsing lessons learned to form actionable insights.Key questions to address in incident analysis.Effective report writing strategies, including timelines and executive summaries.Evaluating and improving incident response procedures and tools preparation.Engaging broader teams in the ...
Send us a text Show Notes: Episode on Containment, Eradication, and Recovery In this episode of Traffic Light Protocol, Clint Marsden explores the containment, eradication, and recovery phases of the NIST SP 800-61 framework for computer security incident handling. Key Topics Covered: Containment Strategies: Choosing appropriate containment methods based on the incident type, potential damage, service availability, and evidence preservation. Examples include power disconnect...
Send us a text In this conclusion of the Detection phase, Clint wraps up Incident Prioritisation. This includes Functional impacts of the incident, information impact of the incident and the recoverability of the incident. Not all of these are needed, or relevant when tracking your incident and Clint explains when to categorise incidents using these factors. To finish off, Clint discusses incident notification - Who are the stakeholders that need to be informed and included in your incident...
Send us a text In this 45 minute episode Clint covers a lot of ground based on the Detection phase of NIST 800-61. Attack vectors for digital security incidents, including insider threats and weaponized USBs. Cybersecurity incident response and detection, including NIST guidelines and Sysmon logging augmentation The importance of following temporal linearity in Forensic Investigations, expanding analysis to 5-10 minutes prior to and after events, particularly in Internet History and Me...
Send us a text In this Episode Clint Marsden talks about the first phase of Computer Security Incident Handling according to NIST. Listen to real world examples of how to get prepared before a Cyber Security Incident arrives. Show notes: Link to NIST SP 800-61 PDF https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf Bro has been renamed to Zeek. https://zeek.org/ Rita is Real Intelligence Threat Analytics. Created by Active Countermeasures - Available from h...
Send us a text In this first episode we kick off with Clint Marsden, the host of Traffic Light Protocol (TLP) where he talks about what its like to work in DFIR, how to get started with Cyber training, what to expect in future episodes, and of course a light touch on AI Forensics! Join us for the first episode. The next episodes coming up talk about the NIST SP 800-61 where we break down Preparation, Detection, Eradication and Recovery. Highlights: Current trends and best practices in digi...
Send us a text Unlock the secrets behind digital forensic investigations into AI chat platforms like ChatGPT, Claude, and Google's Gemini in this insightful episode. Learn the precise methods for discovering, extracting, and interpreting digital evidence across Windows, Mac, and Linux environments, whether it's browser caches, memory forensics, network logs, or cloud-based data exports. From identifying subtle signs of malicious AI usage and attempts to evade security controls, to piecing tog...
