CBS Forensic Toolkit
Parser for the Windows 11 Start Menu's CBS subsystem. Extracts forensic artifacts from the MicrosoftWindows.Client.CBS package: Start Menu search history, cached Bing queries, and application launch counts.
[ read more → ]PowerShell Incident Response Cheatsheet
Quick-reference PowerShell commands for triage and evidence collection during live-response investigations.
[ read more → ]Windows Event IDs for Incident Response
A working reference of the Windows event IDs of interest during triage, grouped by the investigative question they answer.
[ read more → ]Hello, world
Welcome. If you're reading this, I'm online! I'm Andrew Prince, and this is my corner of the internet for writing about digital forensics and incident response. I've been meaning to stand up this blog for a while. Publishing notes privately…
[ read more → ]