# DFIR

- [Common](/dfir/common.md)
- [Image acquisition and mounting](/dfir/common/image_acquisition_and_mounting.md)
- [Memory forensics](/dfir/common/memory_forensics.md)
- [Web logs analysis](/dfir/common/web_logs_analysis.md)
- [Browsers forensics](/dfir/common/browsers_forensics.md)
- [Email forensics](/dfir/common/email_forensics.md)
- [Docker forensics](/dfir/common/docker_forensics.md)
- [Windows](/dfir/windows.md)
- [Artefacts overview](/dfir/windows/_artefacts_overview.md)
- [Amcache](/dfir/windows/_artefacts_overview/amcache.md)
- [EVTX](/dfir/windows/_artefacts_overview/evtx.md)
- [Jumplist](/dfir/windows/_artefacts_overview/jumplist.md)
- [LNKFile](/dfir/windows/_artefacts_overview/lnkfile.md)
- [MFT](/dfir/windows/_artefacts_overview/mft.md)
- [Outlook\_files](/dfir/windows/_artefacts_overview/outlook_files.md)
- [Prefetch](/dfir/windows/_artefacts_overview/prefetch.md)
- [RecentFilecache](/dfir/windows/_artefacts_overview/recentfilecache.md)
- [RecycleBin](/dfir/windows/_artefacts_overview/recyclebin.md)
- [Shellbags](/dfir/windows/_artefacts_overview/shellbags.md)
- [Shimcache](/dfir/windows/_artefacts_overview/shimcache.md)
- [SRUM](/dfir/windows/_artefacts_overview/srum.md)
- [Timestamps](/dfir/windows/_artefacts_overview/timestamps.md)
- [User Access Logging (UAL)](/dfir/windows/_artefacts_overview/user_access_logging.md)
- [UsnJrnl](/dfir/windows/_artefacts_overview/usnjrnl.md)
- [Miscellaneous](/dfir/windows/_artefacts_overview/misc.md)
- [TTPs analysis](/dfir/windows/ttps_analysis.md)
- [Accounts usage](/dfir/windows/ttps_analysis/accounts_usage.md)
- [Local persistence](/dfir/windows/ttps_analysis/local_persistence.md)
- [Lateral movement](/dfir/windows/ttps_analysis/lateral_movement.md)
- [PowerShell activity](/dfir/windows/ttps_analysis/powershell_activity.md)
- [Program execution](/dfir/windows/ttps_analysis/program_execution.md)
- [Timestomping](/dfir/windows/ttps_analysis/timestomping.md)
- [EVTX integrity](/dfir/windows/ttps_analysis/evtx_integrity.md)
- [System uptime](/dfir/windows/ttps_analysis/system_uptime.md)
- [ActiveDirectory replication metadata](/dfir/windows/ttps_analysis/activedirectory_replication_metadata.md)
- [ActiveDirectory persistence](/dfir/windows/ttps_analysis/activedirectory_persistence.md)
- [Linux](/dfir/linux.md)
- [Artefacts overview](/dfir/linux/_artefacts_overview.md)
- [TTPs analysis](/dfir/linux/ttps_analysis.md)
- [Timestomping](/dfir/linux/ttps_analysis/timestomping.md)
- [Cloud](/dfir/cloud.md)
- [Azure](/dfir/cloud/azure.md)
- [AWS](/dfir/cloud/aws.md)
- [Tools](/dfir/tools.md)
- [Velociraptor](/dfir/tools/velociraptor.md)
- [KAPE](/dfir/tools/kape.md)
- [Dissect](/dfir/tools/dissect.md)
- [plaso](/dfir/tools/plaso.md)
- [Splunk usage](/dfir/tools/splunk.md)