DFIR Journey

Welcome to DFIR Journey — my ongoing lab notebook as I transition into Digital Forensics & Incident Response.

This site documents:

🔬 Hands-on labs: Windows event log hunting, Sysmon telemetry, Chainsaw + Sigma workflows.
🤖 AI-augmented tools: ForenSynth AI, a DFIR report generator I architected and built using “vibe coding” with ChatGPT.
🧪 Simulation tooling: A Random DFIR Noise Simulator to create realistic, safe Windows activity for tuning detections.
📅 DFIR Journey Timeline – full running log of labs, tools, and milestones: View the timeline

I use this space to turn real lab work into public artifacts: write-ups, screenshots, and GitHub repos that show how I think, not just what I’ve read.

ForenSynth run summary, KPIs, and simulator — DFIR Journey

Lab Setup & Telemetry Guide — Sysmon + Chainsaw + Sigma

Goal: A reproducible DFIR lab pipeline: Sysmon emits clean telemetry → Chainsaw hunts EVTX with Sigma → JSON detections flow into ForenSynth AI. 1) Lab Topology (Minimal Viable Setup) Host: Your workstation (analysis + Git operations) Windows 10/11 VM (Target): Generates events, runs Sysmon (Optional) Kali/Ubuntu VM: Auxiliary analysis tools Network: Host-only or NAT. Keep the Windows VM reachable via shared folders for exporting EVTX. 2) Sysmon Installation (SwiftOnSecurity config) Copy Sysmon64.exe and the SwiftOnSecurity config (e.g., sysmonconfig-export.xml) to the Windows VM. Install: Sysmon64.exe -accepteula -i sysmonconfig-export.xml Verify service: Get-Service Sysmon64 Confirm logs are flowing: Windows Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational You should see Event IDs like 1 (Process Creation), 3 (Network), 7 (Image Load), 10 (Process Access), 11 (File Create). Tip: Keep a copy of the exact Sysmon XML you used in your repo for reproducibility. ...

Random DFIR Noise Simulator — Building Realistic Detection Data

Purpose During DFIR analysis, it’s easy to rely on static data. To train and validate detections, I built a PowerShell-based Random DFIR Noise Simulator that produces realistic but safe Windows event activity for hunting and Sigma rule tuning. Evolution of the Simulator During early DFIR lab builds, I wrote a sequence of PowerShell scripts to simulate benign Windows activity and inject lightweight IOC noise into Sysmon and Security logs for Chainsaw and Sigma testing. ...

ForenSynth AI Evolution — From Chainsaw to Visual DFIR Reports

Automation shouldn’t replace judgment; it should buy you time to use it. Problem DFIR analysts burn hours turning raw detections into readable narratives. EVTX hunts surface signals, but write-ups lag behind, delaying remediation and weakening portfolio proof. We need a repeatable way to go from logs → findings → human-ready report without sacrificing accuracy or analyst judgment. Approach Small pipeline: Chainsaw (Sigma EVTX hunting) → SwiftOnSecurity Sysmon config (clean telemetry) → PowerShell simulator (lab noise) → Python LLM summarizer (structured narrative + IOC table). Human stays in the loop for validation and context, not rote drafting. ...

This site documents:#

This site documents: