Those who understand the capabilities of their evidence sources know the bounds of the investigative playing field. Every time you learn something new about an evidence source, the field gets bigger!
The days of getting by on expertise in one type of evidence are over -- you need to understand multiple types or your investigative questioning will suffer. One of the best ways to expand your ability is to dive headfirst into new evidence sources.
Most of us got started with a focus on either network-based or disk-based evidence. You'll see the biggest gains in your ability by focusing on the realm you have less experience with.
If you want to spend time focusing on the network side, look at packet capture and subsets like flows and @Zeekurity logs.

For the disk side, look at OS logs, methods of proving app execution, file system artifacts, and the Windows registry.

These are just a start.
Remember to be deliberate in your research -- you have a specific goal: to increase the type and quality of investigative questions by expanding your evidentiary playing field.
You can follow @chrissanders88.