Your platform for Information Security

Defencia — knowledge, DFIR guides and talks

An internet resource for educating the future of digital investigators. Practical guides, governance templates and talks from a career in information security, digital forensics and incident response.

DFIR Open Source Gratis materiale Governance
00

Welcome

Welcome to defencia.dk. This site is dedicated to the teaching and outreach work I do in my spare time. I hope you find it a source of inspiration for your daily work in infosec.

My intention is to share these resources so they reach the right audience. If you are enrolled in one of my courses, you will of course receive all the relevant material, which you are welcome to use within your company.

I have added a good deal of content on the governance side. Consider it a helping hand for the SMBs that struggle to get a grip on their governance. Use the templates as needed and adapt them to your business.

Note: The opinions and reflections here are entirely my own and personal, and do not represent any other person or organisation. A few pages are still in Danish — work in progress.

If something is missing, or you have feedback, feel free to write to me. Have fun!

01

Guides & workflows

One-page guides to the tools and workflows I use in DFIR and threat-intel work. Each guide is self-contained, copyable and built for quick reference.

Forensics & incident response
Forensics

Autopsy

Graphical forensics platform built on The Sleuth Kit. Analyse disk images, build timelines, search keywords, carve deleted files and run automated artifact modules in a case-oriented interface.

Åbn guide
Endpoint DFIR

Velociraptor

Open-source endpoint monitoring and digital forensics. Collect artifacts, hunt threats and run live response across thousands of machines via VQL — Velociraptor Query Language.

Åbn guide
Triage

KAPE

Kroll Artifact Parser and Extractor. Collects and parses the most relevant artifacts from a live or mounted Windows system in minutes — built for fast triage when time is critical.

Åbn guide
Reference

ClamAV & YARA

A comprehensive function and command reference for both tools — tailored to Linux (Zorin / Ubuntu). Click a code example to copy it.

Åbn reference
Analysis environments & infrastructure
Sandbox

Kasm Workspaces

Stream containerised desktops and apps in the browser. Each session is a disposable environment reset on logout — ideal for suspicious links, malware detonation and phishing analysis without touching your own machine.

Åbn guide
Runtime

Docker

Container runtime and the foundation under nearly every self-hosted service. Package an application with all its dependencies into an isolated, reproducible image and run it identically on any Linux host.

Åbn guide
Automatisering

n8n

Self-hosted workflow automation with a visual node editor. Connect APIs, databases and services into pipelines — run as a Docker Compose stack with PostgreSQL behind it.

Åbn guide
Threat intelligence & news
CVE monitoring

OpenCVE

Self-hosted platform to monitor CVEs and get notified when vulnerabilities hit the products and technologies you subscribe to. The trigger source for your enrichment pipeline via webhooks.

Åbn guide
Workflow

CVE-berigelse

An n8n workflow that receives a webhook from OpenCVE, enriches the CVE with data from NVD and EPSS, and writes a combined record to your dashboard database. A reference pattern with importable JSON.

Åbn workflow
RSS-motor

Miniflux

A minimalist, fast RSS reader in Go — one binary, low resource use. Perfect as the feed engine behind automation via its REST and Fever APIs.

Åbn guide
Workflow

Nyheds-screening

An n8n workflow that fetches unread articles from Miniflux, lets a Mistral model decide relevance, enriches the relevant ones into short threat-intel summaries, and marks everything as read. Importable JSON.

Åbn workflow
02

Knowledge base

The full body of DFIR, forensics and governance material from defencia.dk — condensed into short, focused topic pages. Originally course material taught at KEA.

Incident response & process

Emergency Handling & DFIR

Readiness, war room, write-blocking and the digital toolbox.

Read

The Phases

The IR lifecycle — preparation through lessons learned (NIST/SANS).

Read

Emergency Management

Knowing your capabilities, preparing for the worst, triage.

Read

Important Questions

Investigative checklist — what, who, where, when and why.

Read

Jump-bag

The grab-and-go DFIR kit — what to pack and why.

Read

Action Cards

Downloadable IR playbooks (CC 4.0).

Read

DFIR Links

Curated references — frameworks, samples and tools.

Read
Forensics & evidence

Forensics & Analysis

Write protection, storage, and the Autopsy framework.

Read

Chain of Custody

Documenting evidence handling for court.

Read

Data Collection

Controlled acquisition, the right questions, integrity.

Read

Hashing

Hash values for integrity and identifying identical files.

Read

Memory Forensics

Volatility 3 — RAM artifacts and worked cases.

Read

USB for Live Forensics

Building a tested live-forensics USB.

Read

Autopsy Plugins

Custom plugins — URLcheck, Pi-hole, MalwareIndicator.

Read
Malware & labs

Malware Analysis

REMnux — static triage and dynamic detonation.

Read

Malware Lab

Self-hosting Assemblyline on Docker.

Read

Labs for Analysis

Forensic/malware lab hardware and ready-made VMs.

Read

Loki

Scan for known YARA rules and hash IOCs.

Read
Governance & law

GDPR

Principles, data subject rights and breach handling.

Read

Paragraphs (DK law)

Danish criminal-law sections on cyber offences.

Read

Templates

Governance document templates (BIA, AUP, NDA…).

Read

Intelligence in Business

Cheap threat intel via RSS monitoring.

Read

Abbreviations

DFIR and governance glossary.

Read
Foundations & learning

Linux

A gentle intro to Linux for DFIR.

Read

Windows CMD

Useful built-in Windows commands.

Read

Software

The DFIR toolset and licensing.

Read

Backup

3-2-1, cloud options and encryption.

Read

Course & Peripherals

Minimum hardware to get started on a budget.

Read

Literature

Course books + the site as an e-book.

Read

Sites for Learning

Practice cases and challenges for self-study.

Read

Study & Productivity

Screen capture and mind-mapping tools.

Read

Santafun Mini CTF

A festive memory-forensics challenge.

Read

About

What Defencia means and who is behind it.

Read
03

Talks & presentations

Material from the talks I have given over the years. Download them freely and (hopefully) be inspired. Where a hash is given, you can verify the file's integrity.

B-sides 2024

PDF
Triage on a NetworkSlides fra B-sides 2024
14.82 MB

Your Data, Your Evidence — B-sides

PDF
Your Data, Your Evidence (B-sides)Creative Commons 4.0SHA-256: 53d95bc8815cddf149d2d1c54e8a9dd381d2c3fb499bb80a683d5d5c4aa69571
6.01 MB
PDF
Your Data, Your EvidenceOne of the best Danish events — well organised and with no sales pitch.SHA-256: d8ba4b2ada5165c79b7c1e64f121cfb7543664f5188bb3722384b1bf19215388
6.65 MB

B-sides 2023 & Cyberskills

PDF
DFIR on a Poor Man's Budget — examples (webinar)KEA Webinar Q4-2023
17.72 MB
PDF
DFIR on a Poor Man's Budget — examplesCyberskills
11.06 MB
PDF
DFIR on a Poor Man's BudgetSlides fra B-sides august 2023
7.36 MB
PDF
FDCA talkForeningen Danske Cyber Alumner (Danish Cyber Alumni) — April 2023
2.98 MB

Vejen til Infosec (The road to infosec) & governance

PDF
Vejen til Infosec (The road to infosec)Getting into the IT-security realm (in Danish)
3.55 MB
PDF
Vejen til Infosec — DSV talkCyberskills, local event
9.82 MB
PDF
Cyberskills — management & governancePresentation for Cyberskills
11.20 MB
PDF
Min rejse 2Cyberskills — lokalt event
4.66 MB

Øvrigt materiale

PDF
ChatGPT Top 10Fun & testing within the DFIR field
242 KB
PDF
Sites for LearningA collection of sites for learning cybersecurity
141 KB
04

Contact

Is something missing, or do you have feedback? Write to info [at] skrivebeskyttet [dot] dk. Your input is greatly appreciated.