Volume grafting mounts a disk image's APFS contents as a subdirectory of an existing volume. This is the mechanism behind Cryptexes, RSRs, and system extensions.

New post on the lifecycle, constraints, and on-disk metadata:

https://jtsylve.blog/post/2026/06/11/APFS-Grafting

#dfir #apfs

Volume Grafting

Volume grafting is a mechanism introduced in macOS 13 that mounts a disk image’s APFS contents as a subdirectory of an existing volume. This is the technology behind Cryptexes, the cryptographically sealed, graftable disk images used for Rapid Security Responses and system extensions. This post covers the graft lifecycle, constraints, and on-disk metadata.

Joe T. Sylve, Ph.D.

2026-06-10 RDP #Honeypot IOCs - 252 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
172.234.84.213 - 81
159.223.238.255 - 30
193.169.194.14 - 27

Top ASNs:
AS63949 - 87
AS14061 - 42
AS396982 - 36

Top Accounts:
hello - 111
(empty) - 39
Administr - 27

Top ISPs:
Akamai Technologies, Inc. - 87
DigitalOcean, LLC - 42
Google LLC - 36

Top Clients:
Unknown - 252

Top Software:
Unknown - 252

Top Keyboards:
Unknown - 252

Top IP Classification:
hosting - 171
Unknown - 81

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-06-10 RDP #Honeypot IOCs - 168 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
172.234.84.213 - 54
159.223.238.255 - 20
193.169.194.14 - 18

Top ASNs:
AS63949 - 58
AS14061 - 28
AS396982 - 24

Top Accounts:
hello - 74
(empty) - 26
Administr - 18

Top ISPs:
Akamai Technologies, Inc. - 58
DigitalOcean, LLC - 28
Google LLC - 24

Top Clients:
Unknown - 168

Top Software:
Unknown - 168

Top Keyboards:
Unknown - 168

Top IP Classification:
hosting - 114
Unknown - 54

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-06-10 RDP #Honeypot IOCs - 84 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
172.234.84.213 - 27
159.223.238.255 - 10
193.169.194.14 - 9

Top ASNs:
AS63949 - 29
AS14061 - 14
AS396982 - 12

Top Accounts:
hello - 37
(empty) - 13
Administr - 9

Top ISPs:
Akamai Technologies, Inc. - 29
DigitalOcean, LLC - 14
Google LLC - 12

Top Clients:
Unknown - 84

Top Software:
Unknown - 84

Top Keyboards:
Unknown - 84

Top IP Classification:
hosting - 57
Unknown - 27

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

Read the latest DFIR news – SANS’ AI framework for DFIR, psychological risks for analysts, AI-generated CSAM in U.S. courts, Perceptor’s open-source investigation platform, and more. https://www.forensicfocus.com/news/digital-forensics-round-up-june-10-2026/ #DigitalForensics #DFIR
Join Cellebrite live on 17 June to see Genesis in action — agentic AI built to help investigators cut through digital evidence overload and surface leads faster. https://www.forensicfocus.com/news/upcoming-webinar-meet-cellebrite-genesis-from-digital-overload-to-investigative-clarity/ #Cellebrite #CellebriteGenesis #DigitalForensics #DFIR
UPCOMING WEBINAR - Meet Cellebrite Genesis: From Digital Overload To Investigative Clarity - Forensic Focus

Forensic Focus

Want to support one of the community's most practitioner-focused events? https://www.coldincidentresponse.no/

The 2026 FIRST TC: #ColdIncidentResponse takes place 13–15 October in Oslo, Norway. We're looking for sponsors to help fund food, refreshments, and the community dinner for 400 attendees.

No sponsor stands. No paid talks. Just community.

📩 [email protected]

#DFIR #CyberSecurity #IncidentResponse

FIRST TC Oslo: Cold Incident Response

FIRST TC Oslo: Cold Incident Response is an annual conference organized by the Norwegian FIRST community, focusing on security monitoring and incident response. This website provides information on the current conference.

ColdIncidentResponse

Today's post covers APFS encryption rolling, the background process that encrypts, decrypts, or re-keys an entire volume’s data while the system continues operating.

https://jtsylve.blog/post/2026/06/10/APFS-Encryption-Rolling

#apfs #dfir

Encryption Rolling

In our posts on Keybags, Wrapped Keys, and Decryption, we covered the static encryption architecture of APFS: how keys are stored, unwrapped, and used to decrypt data. This post covers encryption rolling, the background process that encrypts, decrypts, or re-keys an entire volume’s data while the system continues operating.

Joe T. Sylve, Ph.D.

2026-06-09 RDP #Honeypot IOCs - 2097 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
159.223.36.55 - 1512
67.205.169.121 - 495
193.169.194.14 - 24

Top ASNs:
AS14061 - 2007
AS396982 - 27
AS214576 - 24

Top Accounts:
hello - 2007
(empty) - 27
Test - 15

Top ISPs:
DigitalOcean, LLC - 2007
Google LLC - 27
Berdiev Ruslan Mukhabatovich - 24

Top Clients:
Unknown - 2097

Top Software:
Unknown - 2097

Top Keyboards:
Unknown - 2097

Top IP Classification:
hosting - 2040
Unknown - 51
proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-06-09 RDP #Honeypot IOCs - 1398 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
159.223.36.55 - 1008
67.205.169.121 - 330
193.169.194.14 - 16

Top ASNs:
AS14061 - 1338
AS396982 - 18
AS214576 - 16

Top Accounts:
hello - 1338
(empty) - 18
Test - 10

Top ISPs:
DigitalOcean, LLC - 1338
Google LLC - 18
Berdiev Ruslan Mukhabatovich - 16

Top Clients:
Unknown - 1398

Top Software:
Unknown - 1398

Top Keyboards:
Unknown - 1398

Top IP Classification:
hosting - 1360
Unknown - 34
proxy - 4

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security