Basically, all of the artefacts listed in the Investigation section fall under the category of “user activity” one way or another. Even if one process spawned another, somewhere in the past user interaction was still required. That’s why I find it so hard to settle on a perfect categorization. I’ve decided to devote this section to common strategies for investigating user activity, and to which artefacts one would use at which point in time.
This section is under question. It probably needs to be sorted between the different artefacts. Hard to use currently.
In order to detect and respond to incidents quickly, there are playbooks, which are basically guidelines. Some IR frameworks include these in order to ease the process.
This is all about searching for information that is publicly available.
I will be collecting random things I’ve noticed about how people use IT systems.