r/CyberAdvice

▲ 6 r/CyberAdvice+4 crossposts

AI in DFIR is broken and We need to rethink how we use AI in digital forensics .

The forensics community has a massive AI problem. Everyone is rushing to plug language models into their workflows to automate triage. But forensics requires absolute certainty. A language model is built to predict text, not to preserve a chain of custody. When you use a standard AI tool to analyze an endpoint, you are trusting a black box. If it hallucinates a single finding, your entire investigation is compromised.

We need to stop treating AI as an oracle that gives us the final answer. Instead, we must treat it as a heavily restricted junior analyst. It should do the heavy lifting of correlating massive datasets, but it must be mathematically forced to prove its work.

If we want to use AI responsibly in an investigation, we have to change the entire methodology:

Kill the Chat Window: A chat log is flat, unpredictable, and loses context rapidly. We need to use visual, node based workspaces where you can see exactly how a piece of evidence led to a specific conclusion.

Enforce Evidence Anchoring: The AI must be completely sandboxed. It should be programmatically blocked from generating any narrative unless that narrative maps directly back to the raw artifact row, like a specific registry key or Master File Table entry.

Immutable Auditing: Every time the AI touches the evidence, it needs to be cryptographically hashed. We need a permanent paper trail of exactly what the model saw and what it suggested, ensuring the whole process is court defensible.

This philosophy is exactly why we built the Narrative Map in the new 0.12.0 update for Crow Eye. We stepped back from just adding basic AI features and built a shared workspace. The AI is physically unable to mark a claim as proven without citing the exact underlying artifact. Every action is logged in a tamper evident chain. It shifts the power entirely back to the human investigator. The AI accelerates the deep parsing and correlation, but you hold the evidence and make the final call.

I want to know how the rest of the community is handling this. Are you trusting the output of commercial AI tools, or are you demanding to see the raw data behind their conclusions?

You can check out our approach and grab the open source release here: Website:https://croweye.com/

Code:https://github.com/GhassanElsman/CrowEye

Good hunting.

reddit.com
u/Ghassan_- — 11 hours ago
▲ 1 r/CyberAdvice+1 crossposts

Cyber Security

I’m starting a cyber security company and I’m having trouble connecting my cameras to my own app I created . Can anybody give me a hand or some advice .

reddit.com
u/HorseOk6373 — 16 hours ago
▲ 6 r/CyberAdvice+1 crossposts

Regarding a Cyber crime complaint

Hello,

I'm a medical student studying abroad(Georgia), here usually what happens is if anyone wants INR to USD or Georgian Lari we exchange from someone or withdraw from Niyo Global card or if someone has Niyo global card they give for exchange. The thing is same way I withdrawed for someone and gave and they took around 4000USD for 4-5 days but later after some 2 days I got a message from my cybercrime saying my account is Lien marked due to suspicious activity, I had no idea where the money came from and didnt even know those people, I had posted on the group that I can withdraw n give and they contacted me and that is how it happened, I even asked them when they came to collect the cash they said its for tuition fee so I didnt feel suspicious coz we students usually exchange money for tuition fee. Now my account is been lien marked since 2 months and someone has complained and they found this as transaction trial and blocked my account. Recently I spoke to one of the officer who is taking care of this case, he said if we repay the victim then he can provide us the NOC which I can provide my bank but I didnt use that money I just withdrawed n gave them, and whatever transaction they did everything is lien marked and I cant pay whole of 4000USD, if it is not removed my account will remain lien marked and dont know for how long. If anyone has any idea about this please tell me what I can do. I want to unlien my bank account, I dont have money to pay the victim neither I have use that money. Please tell me if there is any other way.

reddit.com
u/Feisty-Review9561 — 7 days ago

[Cyber] Threat hunter

Hello everyone. I am a newcomer to this field, so please excuse me if I have misunderstood anything.

I recently discovered a case involving a U.S. citizen who signed a contract with a company for an ITAR-controlled project. The individual used a VPN IP address based at a residential location in the USA. Later, while traveling abroad, he continued to work (as recorded in the activity logs) by routing data through that residential address to connect to the company in the USA. I believe this constitutes a violation of data export regulations. Should I report this?

reddit.com
u/Affectionate-Cost920 — 5 days ago
▲ 223 r/CyberAdvice+2 crossposts

Real Life Case Example 2: How to Catch an Infostealer in 4 Minutes: A Real SOC Investigation of a Fake GTA 6 Installer I did yesterday as a Threat Analyst (Technical Post )

Real Life Case Example Part 2:

Thank you for giving so much love on my previous post, I am thinking of starting a weekly series where I breakdown real case studies which I solve at work as a Threat Analyst.

Just caught something wild at work yesterday. GTA 6 is gonna launch sometime soon, but one our client wanted early access.

A user (Ryan) downloaded what looked like a "free GTA 6 crack" from firefox, file was named "GTA6_Setup_Crack_2026.exe", unsigned, 84.7 MB. Executed it at 10:13 AM. The next 3 minutes were brutal. The installer spawned PowerShell with hidden windows, dropped an unsigned binary (vcruntime_update.exe) into AppData, created a registry Run key named "RockstarGameUpdater", and set up a scheduled task for persistence on login.

Then it got worse, vcruntime_update.exe went straight for the browser credential stores. Chrome login data, Edge login data, Firefox logins.json, all accessed within seconds. Created a ZIP archive in Temp (syscache_4931.zip) and attempted a 2.3 MB upload to panelgtasupport[.]top on port 8080 before we blocked it.

DNS queries to four suspicious domains, all gaming themed: cdnrockstarupdate[.]com, apigta6launcher[.]xyz, panelgtasupport[.]top, rawcdngamepatch[.]site. All resolved to infrastructure that basically were C2.

Timeline from execution to EDR kill: 3 minutes, 57 seconds.

This is textbook infostealer and RAT behavior delivered through a game crack. The naming masquerade (RockstarGameUpdater, vcruntime_update) is it. The browser credential access is the payload. The persistence ensures it survives a reboot.

For anyone job hunting in SOC, this is exactly the kind of chain you need to recognize in 30 seconds during a real investigation. The red flags stack, unsigned binary, masqueraded process names, AppData execution, browser credential access, suspicious domains, persistence setup.

Any of you seen similar patterns? How do you typically investigate these in your environments?

Also, thinking of writing a blog on it on Medium soon, with proper process tree, file details, running process observation and activity timeline stuff.

Image Source: gamepressure

u/makeiteasy_24 — 9 days ago
▲ 9 r/CyberAdvice+1 crossposts

Cybersecurity

Hi everyone,
I’ve been looking into learning cybersecurity, and I wanted to ask if you think it’s still worth pursuing in 2026, 2027, and beyond.
I’m currently learning on my own and have some basic programming knowledge. I know it’s very difficult to land a cybersecurity job without prior experience in software development or IT in general, and I understand that’s common advice.
My main question is: despite that, do you think cybersecurity is still a good career field over the next few years? How do you see the job market?
Also, would you recommend going to a college or university, or continuing to learn on my own through online courses, certifications, hands-on labs, and building a portfolio?
I’m genuinely interested in cybersecurity. It’s not just about making money—I want a better career with long-term opportunities. I’d really appreciate your thoughts and advice. Thanks!

reddit.com
u/Melodic_Ad8586 — 7 days ago

Cyber Security

hi everyone, i’m an upcoming 1st year college for computer engineer. cyber security is my dream job, therefore i wanna aim for a high salary to secure my future. but to do that, i need to give strong foundation for my resume right? but i really don’t know where to start. i know i’m still an upcoming 1st year college, but i’m curious on what i can do to make a strong resume in the future. because i think, it’s better to master and enhance skills needed for the job i want, but i have 0 knowledge on anything.

reddit.com
u/Dull-Conversation326 — 7 days ago
▲ 1 r/CyberAdvice+1 crossposts

I keep getting hacked on everything constantly

Like title says i just keep getting hacked and im not sure why, almost monthly i wake up to my friends telling me via message that i sent them scam stuff in discord or steam and when i go check my emails there are no signs or warnings about new devices login in or password changes. It all happens randomly too and in the span of a few days, this week i got hacked on Twitter, Discord, Steam and Roblox, i always manage to get everything back in order but its getting really annoying and at this point i think i've reinstalled windows more than 5 times this year.

reddit.com
u/BlueSpade756 — 9 days ago
▲ 1 r/CyberAdvice+1 crossposts

Did my security get compromised?

I heard in the news that polymarket made a website called poiymarket to make false advertising about the contracts they had available (this came from WSJ). I wanted to see if this was true so I put it in my search bar. On my MacBook on the university WiFi it blocked the site. I did not realize why at the time. I then searched it on my iPhone using data. The safari security is not private notification displayed and I hit continue. I was then directed to a 404 for the site. I did not type in any info or click anything. I was confused so tried again on my MacBook. I got blocked again but noticed that it gave the reason of malware? Does this mean that my iPhone was compromised since I visited the site? If so what should I do I am stressing a lot over this as I do not want any banking information compromised.

reddit.com
u/Suitable-Age-2189 — 11 days ago
▲ 1 r/CyberAdvice+1 crossposts

Bot Attack on MERN Web App VPS Hosted

We found something different one our website that is MERN based and hosted on VPS. We did some changes but after some time our live url and last deployment have difference. When we compare the code with github code , there is many changes. We checked the server logs and found something strange.

Our various files was changes.

Got server log something -

Jun 23 23:34:54 67 sshd-session[1281284]: userauth_pubkey: signature algorithm ssh-dss not in PubkeyAcceptedAlgorithms [preauth]

When i checked the file change logs

/home/domain/public_html/static/js/213.f4eb4aa8.chunk.js /home/domain/public_html/static/js/213.f4eb4aa8.chunk.js.LICENSE.txt /home/domain/public_html/static/js/239.fd8563bf.chunk.js.map

Is there any Devops or security expert who can share the exact steps to identify and block the issue.

Note:- CI/CD pipeline is not configured yet on the project.

Try to get some help from AI but it is repeating the same things.

reddit.com
u/EfficiencyOne1007 — 11 days ago
▲ 3 r/CyberAdvice+2 crossposts

Worries about GRC role

I got an offer for a GRC/Identity Management role (Associate Security Analyst) at a healthcare product company. HR says it’s semi-technical/process-driven.

But I have background in development where I said that I can use my technical knowledge to do the sika management.

My questions:

Future: Career growth/pay in GRC vs. pure SDE?

Skill Decay: Will my coding skills die if I stay for 2 years?

Pivot: Can I transition to DevSecOps or Security Engineering later?

Verdict: Take it as a fresher or wait for an SDE role?

reddit.com
u/SlightEntertainer360 — 12 days ago