EIDVault

Live

An iOS app built for digital forensic analysts, incident responders, and Windows sysadmins working with Windows Event Logs (EVTX). It covers Windows Event IDs (EIDs) across a wide range of EVTX log channels, enriched with MITRE ATT&CK® mapping, detection rules (Sigma, KQL, Splunk) and additional investigation context. The app includes an AI tab, Scenarios, powered by on-device Apple Foundation Models, that presents the user with relevant EIDs for a provided prompt or attack scenario.

  • SwiftUI
  • iOS
  • DFIR
  • MITRE ATT&CK
  • EVTX

SousChef

In Progress

A Python-based CLI that turns obfuscated DFIR payloads (PowerShell, shellcode, encoded payloads) into browser-ready CyberChef recipes. The payload is sent to a local Ollama model, the recipe is sanitized and validated against the CyberChef operation catalog, and the output is a CyberChef URL with the recipe pre-loaded. Samples stay on-device with no cloud API calls. Currently experimental - the system prompt is still being tuned against new obfuscation patterns surfaced from real DFIR samples.

  • Python
  • LLMs
  • CyberChef
  • DFIR

BF-ELK

Legacy

Configuration, filter, and rule files for ELK Stack deployments, originally published under Burnham Forensics (a prior identity of Zerberos Labs). Includes Logstash pipelines, Sysmon and Winlogbeat configs, and ElastAlert rules, maintained against evolving threats and Elastic Stack updates.

  • ELK
  • Logstash
  • Sysmon
  • Winlogbeat
  • DFIR

mac_int

Legacy

Interpretive, modular DFIR correlation tool for macOS forensic artifacts, built as a college capstone project with Justin Boncaldo and Ben Estes. Automates pattern recognition across mac_apt SQLite output to surface connections between evidence points.

  • DFIR
  • macOS
  • Python
  • SQLite
  • Capstone