Seth Enoka – DFIR

ShellBags and User Navigation: What Windows Remembers About Exploration

Wed, 25 Mar 2026 20:00:00 +0000

ShellBags are often treated as proof of access to a directory, proof of awareness of a file, or proof of intent. None of those claims are defensible on ShellBags alone.

ShellBags are better understood as Windows remembering where the shell has been asked to render a folder view for a user. That can be strong evidence of navigation and exploration. It can also be weak evidence of anything beyond that, depending on how the interaction occurred, what the environment looks like, and what else you can line up around it.

Cybersecurity Career Roadmap

Tue, 10 Mar 2026 00:00:00 +0000

Cybersecurity Career Roadmap (DFIR, Incident Response, and Security Operations)

Most cybersecurity career advice is either too generic or too disconnected from real-world work. This roadmap is designed to solve a more practical problem: given where you are today, what should you do next to move forward in your career?

It focuses on digital forensics, incident response (DFIR), and security operations (SOC); roles where technical depth, decision-making under pressure, and real-world experience matter more than theory. Whether you’re:

Windows Recycle Bin Forensics on Windows 10 and 11

Mon, 16 Feb 2026 22:00:00 +0000

In a surprising number of investigations, the Recycle Bin is the difference between we think something was removed and we can show what was removed, from where, and roughly when. It’s also an artefact that’s easy to misunderstand or misinterpret. The Recycle Bin preserves evidence of a particular class of deletion behaviour: deletions on a given volume, under a given user context, within the limits of configuration and capacity, usually using the Windows shell (but not always).

Windows Artefacts as Evidence

Mon, 16 Feb 2026 00:00:00 +0000

Windows artefacts are one of the most important sources of evidence in digital forensics and incident response (DFIR) investigations. Filesystem metadata, registry entries, execution traces, and application artefacts all leave traces that investigators use to reconstruct activity on Windows systems.

This series focuses on Windows forensic artefacts on Windows 10 and Windows 11, explaining what these artefacts can reliably prove, what they can’t, and how investigators should interpret them during real-world incident response.

Understanding Windows Artefacts as Evidence, Not Indicators

Mon, 19 Jan 2026 23:00:00 +0000

Windows forensic artefacts are one of the core evidence sources used in digital forensics and incident response (DFIR) investigations. On Windows endpoints, artefacts such as Prefetch, ShellBags, Recycle Bin metadata, event logs, and registry traces help investigators reconstruct what happened on a system.

Yet Windows endpoint investigations still tend to fail in predictable ways. Not because analysts can’t extract artefacts. Most junior and mid-career practitioners can acquire an image, parse common sources, and build a timeline. The failure is usually interpretive. An artefact is treated as a deterministic indicator, or as proof of an action, when it’s only a partial trace of a system behaviour. This post is about that gap.

A Roadmap to Earning Your First (or Next) SANS Certification

Sat, 25 Mar 2023 10:50:00 +0000

SANS is widely regarded as one of the leading providers of cybersecurity training. Their courses and GIAC certifications cover everything from early-career security analysts to senior incident responders and digital forensics specialists.

Because their catalogue is large and constantly expanding, a lot of people struggle with the question:

Which SANS certification should I take first, and what should come next?

The official SANS Cybersecurity Skills Roadmap is a useful starting point:

Unlocking the DFIR Job Market: Strategies for Landing Your Dream Role

Sat, 18 Mar 2023 20:54:00 +0000

tl;dr: This blog aims to aggregate what I’ve found meaningful while job hunting in my career, and to be a useful resource to anyone interested in a career in DFIR. If you don’t care what I think, skip to the bottom for people who said it better than me.

I’ve been thinking about and talking to a lot of early-career professionals recently and wanted to document some of the discussions we’ve had. A lot of people seem lost; they want a career in cybersecurity but don’t really know where to start.

Alternate Data Streams

Sat, 18 Mar 2023 03:38:00 +0000

Here’s a quick write‑up on Alternate Data Streams (ADS). An ADS is a file attribute used in NTFS that can provide investigators with valuable evidence that might otherwise be overlooked.

An ADS is an additional named stream of data that a user can attach to a file or folder on Windows systems. It’s effectively hidden data associated with a visible file (or written alongside a regular file) and is not visible in standard file browsers such as File Explorer. The original intent of ADS was to allow files to contain additional metadata or alternate data that’s not part of the primary file content.

Create a Personal Forensics Lab Part 6: The CentOS Workstation

Fri, 03 May 2019 08:00:00 +0000

This (for now anyway) will be the last post in this series, in which we’ll add a CentOS 7 x64 workstation to our lab. At this point, the lab looks a little like this:

There are some slight nuances to adding a CentOS box to a Windows domain, and we’ll go into greater detail below. Similar to the other systems, we want CentOS in a DFIR lab for the opportunity to find artefacts, auth logs, time sources, etc.

Create a Personal Forensics Lab Part 5: The Windows 7 Workstations

Fri, 26 Apr 2019 08:00:00 +0000

By the fifth instalment of the ‘build your own lab’ series, the lab already resembles this network diagram (or should, anyway):

As the title suggests, it’s time to install the Windows 7 workstation(s).

NB: Windows 7 is end-of-life at this point and is included here strictly for [legacy forensics and artefact comparison purposes](/windows-artefacts/).

Workstation Configuration

During the installation, Windows asks for a user name and a computer name. Enter these during setup to save a step later in the process.

Create a Personal Forensics Lab Part 4: The Windows 8.1 Workstation

Fri, 19 Apr 2019 08:00:00 +0000

By this point, part 4 of the series, our lab looks something like this:

In this instalment, it’s time to add the Windows 8.1 workstation to the environment. The issue with this ISO when compared to all the others is that Windows 8.1 doesn’t allow the OS to be installed without a licence key. As a result, some finagling is required (read: an extra step to get the ISO ready before attempting to install the OS).

Create a Personal Forensics Lab Part 3: The Windows 10 Workstation

Fri, 12 Apr 2019 08:00:00 +0000

If you haven’t already, complete parts one and two of this guide on building a personal forensics lab in the cloud, which cover creating the Windows Server 2016 primary domain controller (DC), DHCP and DNS server, and the Windows Server 2012 R2 secondary DC.

At this point, the lab should look like this:

I’ve chosen to put a single Windows 10 x64 workstation in the environment, but there may be value in adding a 32-bit version as well. There are some things that may only work on one or the other, and it could be interesting to see how forensic artefacts might behave differently between the two versions of the same OS (which is why there are two Windows 7 workstations planned).

Create a Personal Forensics Lab Part 2: The Secondary Domain Controller

Fri, 05 Apr 2019 08:00:00 +0000

If you haven’t already completed part one of this series, Creating the Primary Domain Controller, I suggest you visit that page first. If, on the other hand, you have at least the primary DC configured, including DHCP, DNS, and Remote Access (NAT), please continue.

At the end of part one, the lab network looked like this:

The focus of this post is to get a secondary DC up and running in the lab environment, hosted in the cloud. The assumption will be that the base OS installation has been completed per the earlier post.

Create a Personal Forensics Lab Part 1: The Primary Domain Controller

Fri, 29 Mar 2019 08:00:00 +0000

NB: This post was originally written in 2019. Expect that some content may be dated at this point.

One of the major things I recommend to anyone working in DFIR – as well as network or systems administration – is to build a lab in which to test tools, techniques, theories, or anything else you might encounter in day‑to‑day work or personal research. This post is part one of a guide on building a very simple lab in a cloud environment. Readers earlier in their career will probably see more benefit from this series than those near the end, but the principles apply broadly to the industry.

Build Your Own Wireguard VPN Server with Pi-Hole for DNS Level Ad Blocking

Fri, 22 Mar 2019 08:00:00 +0000

NB: this blog was originally posted in 2019, some of the advice may be dated.

Recently, a friend made me aware of an alternative to OpenVPN named Wireguard. It’s designed to be extremely lightweight with a small source code footprint which makes it easily auditable. A whitepaper defining the protocol has been produced and is available here.

WireGuard uses UDP for communication and functions by routing some, or all, traffic through a virtual network interface, allowing for split tunnelling if desired. Traffic is encrypted and unencrypted using private/public key pairs, where each peer has the public key of the other(s). Hence, peers which are part of the same VPN can communicate with each other and roam between networks without much difficulty.

Build Your Own Forensics Go-Bag

Tue, 12 Mar 2019 19:30:00 +0000

Everyone has their own take on the components which make up a basic DFIR go-bag for when that inevitable call from a client comes. I always have a small collection of devices and boot USBs with me which I think are useful in most cases, mostly because I’ve found myself in situations where any of these things would have been really helpful to have at hand. For larger incidents, I’d recommend having a larger case with a few more critical pieces of hardware, but we’ll get to that below.

Vultr and Virtio Part 2 – Creating Your Custom VM

Tue, 15 May 2018 09:06:00 +0000

At this point, you’ve already created your custom Windows ISO and are now ready to use it to deploy a Windows virtual machine on Vultr.

Deploy Your Windows Server

Log in to your Vultr account
From the Servers area, click Deploy New Server
Choose a server location
Under Server Type, select Upload ISO, then choose the custom ISO you uploaded earlier
Select the desired Server Size and any Additional Features as required
Optionally provide a Server Name and Label
Review your configuration and click Deploy Now Vultr will now provision the instance in the background. This can take 15 - 20 minutes. Once complete, you can open the server console and begin the Windows installation.

Install Windows

Once the server is fully deployed, click the ellipsis next to the instance and select View Console

Vultr and Virtio Part 1 – Creating a Custom Windows ISO

Mon, 14 May 2018 10:46:00 +0000

In the past, I’ve had difficulty creating Windows virtual machines with Vultr and other VPS providers that require a custom ISO with VirtIO drivers. This post is primarily a how‑to so I can follow the process again in the future, but hopefully others will find it useful as well.

This is the first in a two‑part series and covers creating and uploading the custom ISO. The follow‑up post will cover using that ISO to create a VM.

About Seth

Mon, 01 Jan 0001 00:00:00 +0000

Seth is a cyber security practitioner specialising in developing and strengthening digital forensics and incident response capability across complex and high-consequence environments.

As Director and Principal Analyst at Lykos Defence, Seth works with organisations across APAC to design, implement, and mature their DFIR programs. This includes strategy and operating model development, playbook design, hands-on training, simulation exercises, and building forensic readiness so teams can respond effectively when an incident occurs.

Career Coaching

Mon, 01 Jan 0001 00:00:00 +0000

Book your coaching session

Get tailored resume, interview, and DFIR progression guidance.

Book a session

In the past I’ve provided tailored mentoring for people either trying to get into cybersecurity, transitioning from another field, or recently working in security and looking to level up. For the near to medium term, I’ll be running a limited number of 30‑minute mentoring calls.

Cybersecurity for Small Networks

Mon, 01 Jan 0001 00:00:00 +0000

Cybersecurity for Small Networks is a straightforward guide to improving network security whether you’re running Linux, Windows, or macOS. – https://nostarch.com/cybersecurity-small-networks

Before writing this book, I wanted to rebuild my home network so that it was more secure and easier to manage. No Starch Press were kind enough to work with me to create this book which aims to lead the reader through doing just that: taking their home or other small network from zero to secure with relative ease.

Presentations

Mon, 01 Jan 0001 00:00:00 +0000

This page is a collection of past presentations, talks, webinars, and other publications. For a complete list, please find me on LinkedIn.

NB: For various reasons, I can only make available material that was created for and presented in public forums (e.g. conferences). I won’t make private or internal sessions available here.

If you’d like me to speak at your conference, corporate event, or elsewhere, please use the speaker request form at the bottom of this page.

Search

Mon, 01 Jan 0001 00:00:00 +0000