# This is a minimal example file of the real knowledgebase in ./src/data/tools.yaml
tools:
  - name: Rapid Incident Response Triage on macOS
    icon: 📋
    type: method
    description: >-
      Specialised methodology for rapid incident response on macOS systems, focused on
      collecting critical forensic artifacts in under an hour. Addresses the gap between
      Windows-centric IR processes and macOS-specific security architectures. Uses tools
      such as Aftermath for efficient data collection without time-consuming full-disk
      images. Particularly valuable for enterprise environments with mixed
      operating-system fleets.
    domains:
      - incident-response
      - static-investigations
      - malware-analysis
    phases:
      - data-collection
      - examination
    platforms: []
    related_concepts: null
    domain-agnostic-software: null
    skillLevel: intermediate
    accessType: null
    url: >-
      https://www.sans.org/white-papers/rapid-incident-response-on-macos-actionable-insights-under-hour/
    projectUrl: null
    license: null
    knowledgebase: null
    tags:
      - macos
      - rapid-response
      - triage
      - incident-response
      - aftermath
      - enterprise
      - methodology
      - apple

  - name: Aftermath
    icon: 📦
    type: software
    description: >-
      Jamf's open-source tool for rapid collection of forensic artifacts on macOS
      systems. Collects critical data such as process information, network connections,
      file-system metadata and system configuration without full-disk imaging. Built
      specifically for rapid-response triage in enterprise environments with macOS
      devices. Normalises timestamps and produces searchable output formats for
      efficient analysis.
    domains:
      - incident-response
      - static-investigations
      - malware-analysis
    phases:
      - data-collection
      - examination
    platforms:
      - macOS
    related_concepts: null
    domain-agnostic-software: null
    skillLevel: intermediate
    accessType: download
    url: https://github.com/jamf/aftermath/
    projectUrl: ''
    license: Apache 2.0
    knowledgebase: false
    tags:
      - macos
      - incident-response
      - triage
      - artifact-collection
      - rapid-response
      - jamf
      - enterprise
      - commandline

  - name: Regular Expressions (Regex)
    icon: 🔤
    type: concept
    description: >-
      Pattern-matching language for searching, extracting, and manipulating text.
      Essential for log analysis, malware signature creation, and data extraction from
      unstructured sources. Forms the backbone of many forensic tools and custom scripts.
    domains:
      - incident-response
      - malware-analysis
      - network-forensics
      - fraud-investigation
    phases:
      - examination
      - analysis
    platforms: []
    related_concepts: null
    domain-agnostic-software: null
    skillLevel: intermediate
    accessType: null
    url: https://regexr.com/
    projectUrl: null
    license: null
    knowledgebase: true
    tags:
      - pattern-matching
      - text-processing
      - log-analysis
      - string-manipulation
      - search-algorithms

  - name: SQL Query Fundamentals
    icon: 🗃️
    type: concept
    description: >-
      Structured Query Language for database interrogation and analysis. Critical for
      examining application databases, SQLite artifacts from mobile devices, and browser
      history databases. Enables complex correlation and filtering of large datasets.
    domains:
      - incident-response
      - mobile-forensics
      - fraud-investigation
      - cloud-forensics
    phases:
      - examination
      - analysis
    platforms: []
    related_concepts: null
    domain-agnostic-software: null
    skillLevel: intermediate
    accessType: null
    url: https://www.w3schools.com/sql/
    projectUrl: null
    license: null
    knowledgebase: false
    tags:
      - database-analysis
      - query-language
      - data-correlation
      - mobile-artifacts
      - browser-forensics

  - name: Hash Functions & Digital Signatures
    icon: 🔐
    type: concept
    description: >-
      Cryptographic principles for data integrity verification and authentication.
      Fundamental for evidence preservation, malware identification, and establishing
      chain of custody. Covers MD5, the SHA family, and digital signature validation.
      MD5 and SHA-1 are collision-broken, so new integrity records should use SHA-256
      or stronger; keep MD5 only for matching against legacy hash sets.
    domains:
      - incident-response
      - static-investigations
      - malware-analysis
      - cloud-forensics
    phases:
      - data-collection
      - examination
    platforms: []
    related_concepts: null
    domain-agnostic-software: null
    skillLevel: advanced
    accessType: null
    url: https://en.wikipedia.org/wiki/Cryptographic_hash_function
    projectUrl: null
    license: null
    knowledgebase: false
    tags:
      - cryptography
      - data-integrity
      - evidence-preservation
      - malware-identification
      - chain-of-custody

domains:
  - id: incident-response
    name: Incident Response & Breach Investigation
  - id: static-investigations
    name: Storage-Media Forensics & Investigations
  - id: malware-analysis
    name: Malware Analysis & Reverse Engineering
  - id: fraud-investigation
    name: Fraud & Financial Crime
  - id: network-forensics
    name: Network Forensics & Traffic Analysis
  - id: mobile-forensics
    name: Mobile Devices & App Forensics
  - id: cloud-forensics
    name: Cloud & Virtual Environments
  - id: ics-forensics
    name: Industrial Control Systems (ICS/SCADA)

phases:
  - id: data-collection
    name: Data Collection
    description: Imaging, Acquisition, Remote Collection Tools
  - id: examination
    name: Examination
    description: Parsing, Extraction, Initial Analysis Tools
  - id: analysis
    name: Analysis
    description: Deep Analysis, Correlation, Visualization Tools
  - id: reporting
    name: Report & Presentation
    description: >-
      Documentation, Visualization, Presentation Tools (e.g. QGIS for geodata,
      timeline tools)

domain-agnostic-software:
  - id: collaboration-general
    name: Cross-cutting & Collaboration
    description: Cross-cutting tools and collaboration platforms
  - id: specific-os
    name: Operating Systems
    description: Operating systems that focus on forensics
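The "Hash Functions & Digital Signatures" entry above names evidence preservation and chain of custody as the use case. The following is an added example, not part of the knowledgebase or of any tool it lists: it hashes each evidence item on acquisition into a manifest (SHA-256 as the digest the verdict rests on, MD5 recorded only for matching legacy hash sets) and later verifies that the bytes are unchanged. The evidence bytes, item names and examiner identity are constructed for the demo.

```python
"""Evidence integrity manifest: hash on acquisition, verify before analysis.

Added example; standard library only. The evidence items below are
constructed sample data, not real artifacts.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# SHA-256 is the digest a verification verdict rests on. MD5 is recorded only
# so the item can be looked up in legacy hash sets; chosen-prefix collisions
# make it unsuitable as an integrity proof on its own.
PRIMARY = "sha256"
ALGORITHMS = ("sha256", "md5")
CHUNK = 1 << 16  # hash 64 KiB at a time so disk images need not sit in memory


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Return {algorithm: hexdigest} for one evidence item, hashed in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for off in range(0, len(data), CHUNK):
        chunk = data[off:off + CHUNK]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_manifest(items: dict, examiner: str) -> dict:
    """Chain-of-custody record: who hashed which items, when, with which algorithms."""
    return {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "algorithms": list(ALGORITHMS),
        "items": {name: hash_bytes(data) for name, data in items.items()},
    }


def verify_item(manifest: dict, name: str, data: bytes) -> bool:
    """True only if the recorded PRIMARY digest matches the current bytes.

    Unknown items, or manifests that lack the primary digest, fail closed.
    """
    recorded = manifest["items"].get(name, {}).get(PRIMARY)
    if recorded is None:
        return False
    current = hash_bytes(data, (PRIMARY,))[PRIMARY]
    # Digests are not secrets, but compare_digest avoids any accidental
    # shortcut comparison and is the habit worth keeping.
    return hmac.compare_digest(recorded, current)


def demo() -> tuple:
    """Build a manifest for constructed evidence and check an intact and a tampered copy."""
    evidence = {  # constructed sample items
        "com.example.agent.plist": b"<plist><dict><key>Label</key><string>x</string></dict></plist>",
        "suspicious.bin": bytes(range(256)) * 4,
    }
    manifest = make_manifest(evidence, examiner="analyst@example.test")
    intact = verify_item(manifest, "suspicious.bin", evidence["suspicious.bin"])
    tampered = bytearray(evidence["suspicious.bin"])
    tampered[0] ^= 0x01  # flip one bit
    changed = verify_item(manifest, "suspicious.bin", bytes(tampered))
    return manifest, intact, changed


if __name__ == "__main__":
    manifest, intact, changed = demo()
    print(json.dumps(manifest, indent=2))
    print("intact copy verifies:", intact)    # True
    print("tampered copy verifies:", changed)  # False
```

In practice the manifest is written next to the evidence and itself signed (or hashed into the case log) so that the record, not just the data, is tamper-evident; a one-bit change anywhere in an item changes its SHA-256 completely, which is why the tampered copy fails.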
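The "SQL Query Fundamentals" entry above cites browser history databases as a typical target. The following is an added example, not part of the knowledgebase: it builds an in-memory SQLite database with a reduced copy of Chrome's `urls` and `visits` tables, fills it with constructed visits, and runs the join an examiner typically needs, converting the WebKit timestamp (microseconds since 1601-01-01 UTC) in SQL and following `from_visit` to recover the referrer of each visit. The schema is trimmed to the columns used; the URLs and times are made up.

```python
"""Query a constructed Chrome-style History database with the stdlib sqlite3 module.

Added example; the two tables are a reduced copy of Chrome's schema and every
row is constructed sample data. A real History file would be opened read-only
from a copy of the evidence, never from the live profile.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit stores times as microseconds since 1601-01-01 00:00:00 UTC.
# 11644473600 seconds separate that epoch from the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WEBKIT_UNIX_OFFSET_S = 11644473600


def to_webkit(dt: datetime) -> int:
    """Aware UTC datetime -> WebKit microsecond timestamp (used to build rows)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def from_webkit(ts: int) -> datetime:
    """WebKit microsecond timestamp -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def build_sample_history() -> sqlite3.Connection:
    """In-memory database with a reduced Chrome schema and constructed visits."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER,
                             transition INTEGER);
    """)
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    urls = [
        (1, "https://mail.example.test/inbox", "Inbox", 2, 0),
        (2, "https://cdn.example-bad.test/invoice.pdf.exe", "invoice", 1, 0),
        (3, "https://intranet.example.test/", "Intranet", 1, 0),
    ]
    # (visit id, url id, minutes after t0, from_visit, transition)
    visits = [
        (1, 1, 0, 0, 0),     # opened webmail
        (2, 2, 3, 1, 0),     # followed a link from the mail page 3 min later
        (3, 3, 120, 0, 0),   # unrelated visit two hours later
        (4, 1, 125, 0, 0),
    ]
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", urls)
    con.executemany(
        "INSERT INTO visits VALUES (?,?,?,?,?)",
        [(i, u, to_webkit(t0 + timedelta(minutes=m)), f, tr)
         for i, u, m, f, tr in visits],
    )
    con.commit()
    return con


# Join visits to urls, convert the timestamp in SQL, and resolve from_visit
# so a download can be traced back to the page that led to it.
VISITS_IN_WINDOW = """
SELECT v.id,
       datetime(v.visit_time / 1000000 - ?, 'unixepoch') AS visited_utc,
       u.url,
       ref.url AS referrer
FROM visits AS v
JOIN urls AS u ON u.id = v.url
LEFT JOIN visits AS rv ON rv.id = v.from_visit
LEFT JOIN urls AS ref ON ref.id = rv.url
WHERE v.visit_time BETWEEN ? AND ?
ORDER BY v.visit_time
"""


def visits_between(con: sqlite3.Connection, start: datetime, end: datetime) -> list:
    """Rows (visit_id, 'YYYY-MM-DD HH:MM:SS', url, referrer or None) within [start, end]."""
    params = (WEBKIT_UNIX_OFFSET_S, to_webkit(start), to_webkit(end))
    return con.execute(VISITS_IN_WINDOW, params).fetchall()


def demo_rows() -> list:
    """Visits in the one-hour window around the constructed phishing click."""
    con = build_sample_history()
    start = datetime(2024, 3, 1, 8, 30, tzinfo=timezone.utc)
    end = datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc)
    return visits_between(con, start, end)


if __name__ == "__main__":
    for row in demo_rows():
        print(row)
```

The integer division `visit_time / 1000000` drops sub-second precision, which is fine for a window filter; keep the raw `visit_time` in the result set when sub-second ordering matters. The same epoch conversion applies to other Chromium-family databases (Cookies, Downloads), while Firefox's `places.sqlite` uses microseconds since the Unix epoch and needs no offset.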