Chris Sanders 🔎 🧠

1.9K Followers
375 Following
1,028 Posts

Security Analyst, Author, and Instructor, Ed.D.

Studying the intersection of security investigation doctrine, cognitive psychology, and education.

Founder of Applied Network Defense and Rural Tech Fund

Books:
🍯 Intrusion Detection Honeypots
🦈 Practical Packet Analysis
🌐 Applied Network Security Monitoring

Former: Mandiant, InGuardians, Dept of Defense, Roadside Fruit Vendor.

A question well stated is a problem half-solved. #InvestigationTheory

https://chrissanders.org/links/

Blog: https://chrissanders.org/
Training Courses: http://networkdefense.co/courses/
Twitter: https://twitter.com/chrissanders88
Books: https://chrissanders.org/publications
More Links: https://chrissanders.org/links/
Go go go Artemis!!! 🚀

If you like these scenarios, you'll love my Investigation Theory course. We go through many of them, I give you individualized feedback on your responses, and share strategies for approaching them based on reliable investigative doctrine.

https://www.networkdefense.co/courses/investigationtheory/

Investigation Scenario 🔎

A user reports their hard drive is full, but they don't know why. While investigating, you find a series of large, password-protected RAR files that the user knows nothing about.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Most people don't need to understand the full history of psych or computing, or the nuances of field ontology. However, most WILL benefit from understanding field epistemology, limitations, and interactions that meet the world they experience daily.

This article is about intro psych courses, but it highlights a common problem across many fields at universities, including tech-related. Introductory courses are designed to prepare students for further study in a field, yet in reality, may be their only exposure to it.

A course that prepares someone to see through a field's lens will look fundamentally different than a course that prepares someone to be a practitioner within that field. Applied Field 101 vs. Field 101 for Practitioners.

Investigation Scenario 🔎

You've discovered a host with multiple instances of Chrome running the --hidden option.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

Browser history for an HR user shows repeated visits to chat.openai[.]com, followed by creation of C:\Users\chris\AppData\Local\Temp\cleanup[.]ps1. The file is not available, and the hash shows no matches in OSINT resources.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

I post these scenarios every Tuesday! We're up to 135 of them so far! If you enjoy them, you'll probably like my Investigation Theory class where I work with folks directly on improving their investigative skills, leveraging principles from cognitive science: https://www.networkdefense.co/courses/

Investigation Scenario 🔎

A host on your network executed the command “netsh wlan show profile” for the first time.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC