Hello. I've shared feedback and blog posts before —some of you may remember-. For some time now, I've been developing a project related to the industry (CS & DFIR/IR), and thanks to the valuable feedback I've gathered from you, I've made significant progress.

I'm now in the phase of pre-MVP validation and gathering expert opinions. Thank you in advance, and I apologize if I've caused any inconvenience.

Question: The artifact is generated from existing security records and public fixture data. It includes source summaries, reliability reasons, limitation statements, manifests, hash lists, and package verification output.

Scope boundaries:

• it does not claim legal admissibility;
• it does not prove original source truth;
• it is not a SIEM, DFIR lab tool, threat detector, or forensic acquisition tool;
• it focuses on ingestion-onward integrity and handoff clarity.

The question is not "would you buy this product?" The question is whether this kind of package would help during IR, audit, insurance, legal, or internal investigation handoff.

Specific feedback I am looking for:

1. Are source reliability and limitations clear enough?
2. Does the artifact separate package integrity from upstream source trust?
3. What uncertainty is still hidden?
4. What would make this misleading or unusable in practice?

Artifact repo: https://github.com/tracehound/tracehound-pre-mvp-feedback-artifact Virustotal: https://www.virustotal.com/gui/url/dbdbf56e71c39fcfd158babdbb11b57037fa53b333efa27de619ce919278e66e?nocache=1

Hey everyone - I built a DFIR tool called RDPuzzle and would really appreciate feedback from people who have worked with RDP bitmap cache artifacts.

It is a local, browser-based workspace for reconstructing 64x64 RDP cache tiles into larger readable images.

The main thing it adds is neural-assisted reconstruction: instead of only manually placing tiles, RDPuzzle ranks likely neighboring tiles and can auto-stitch regions using edge-similarity scoring plus a local ONNX edge-matching model.

Main features:

• Loads RDP cache fragments, including BMC/BIN-style inputs
• Manual and semi-automatic tile reconstruction
• Neural-assisted neighbor suggestions
• Auto-stitching of likely adjacent tiles
• Fully local/browser-based processing
• OCR for recovered text
• Session save/load, undo/redo, and image export
• Demo dataset included

GitHub:
https://github.com/BZDaniel/RDPuzzle

Live version:
https://bzdaniel.github.io/RDPuzzle/RDPuzzle.html

Remember to enable AI at the top right corner, and also i currently only recommend running the smaller AI model as the large one needs quantization to run realistically in a browser.

I’d especially appreciate feedback on workflow, validation concerns, parser edge cases, false-positive matches, and anything that would make it more useful in real forensic work.

I've been doing reverse engineering and malware analysis for sometime now, and I noticed something frustrating: every detection tool flags isolated signals separately. One tool screams "entropy is high!" Another yells "found injection APIs!" A third matches a YARA rule. But nobody tells you if these signals actually mean your binary is malicious or just legitimate software doing normal things.

So I built Binary Atlas—a static PE analysis engine that runs 14 detectors but scores confidence instead of just screaming alerts.

Why This Matters:

Most tools have insane false positive rates on legitimate Windows utilities

Single signals (high entropy, API imports, YARA matches) are meaningless in isolation

Correlation > Isolation

How It Works (5 Steps):

Check if Windows trusts it (valid Authenticode signature) → LOW risk

Parse PE headers, sections, imports, strings, hashes

Run 14 detectors (packing, anti-analysis, persistence, shellcode, etc.)

Unified classifier deduplicates findings and weights signals

Score confidence (HIGH/MEDIUM/LOW) + generate detailed reports

What Makes It Different:

Instead of: "Found CreateRemoteThread—FLAGGED!"

Binary Atlas does:

CreateRemoteThread detected ✓ (confidence: MEDIUM—debuggers use this)

WriteProcessMemory detected ✓ (confidence: MEDIUM—could be legitimate)

Registry persistence APIs detected ✓ (confidence: MEDIUM)

Anti-debug checks in strings ✓ (confidence: MEDIUM)

Unified result: "All 4 signals pointing toward injection + persistence = HIGH confidence malware"

The 14 Detectors:

Packing analysis | Anti-analysis detection | Persistence mechanisms | DLL/COM hijacking | Shellcode patterns | Import anomalies | Resource analysis | Mutex signatures | Overlay detection | String entropy | YARA scanning | Compiler identification | Threat classification | Security headers

Static analysis only ( To be honest sandboxin the file confirms everything)

High false positives on some legitimate software

Looking for feedback on:

How to reduce false positives further?

Which detection modules would be most useful?

Any malware researchers want to contribute better YARA rules?

Checkout Github: https://github.com/bilal0x0002-sketch/Binary-Atlas/

There is a lot of non-data driven discussions around using AI in investigations. Some people think it will be amazing. Some think its a disaster. A lot of other people are undecided.

The community needs data to help navigate this and I'm hoping you can help.

We launched a challenge a couple of weeks back.

1. Submit anonymized screen shots of where AI was amazing, where it was a disaster, and where it was "meh...."
2. Our panel of judges (skeptics and advocates) will review them
3. The public will vote
4. Winners get bragging rights
5. All anonymous submissions are posted on github.

Judges:

• Heather Barnhart (SANS)
• Alexis Brignoni (LEAPPS)
• Eric Capuano (Digital Defense Institute)
• Brian Carrier (Sleuth Kit Labs – Organizer)
• Filip Stojkovski (BlinkOps)

Full details are here:

https://www.cybertriage.com/blog/aidfir-2026-challenge-the-good-vs-the-ugly/

Please send in your best submissions!

I've been building a Windows event log analysis tool called EventHawk and just shipped v1.2. Sharing here for feedback from people who work in IR/forensics.

What it is:

A GUI + CLI tool for parsing and analyzing .evtx files. Built around a Rust-backed parallel parser with a resource monitor that throttles workers automatically so your machine stays usable mid-parse. Supports EVTX from Windows Vista through Server 2022. Parses and filters 6M rows of event logs in just 50-60 secs.

Two parsing modes:

1. Normal Mode loads matched events into memory — fast and straightforward for most investigations.

2. Juggernaut Mode is for large captures: raw event XML goes to Parquet on disk, only metadata columns live in memory, full event detail lazy-loads on row click. Scroll 10M+ events with zero disk I/O.

v1.2 rewrote Juggernaut Mode from scratch — replaced the old multi-DuckDB connection model (OOM crashes, file lock conflicts) with a single Arrow in-memory table and filter thread. Filtering now runs as vectorized DuckDB SQL, 20-120ms at 6M rows.

Key features:

1. 20 built-in DFIR profiles — filter at parse time. Logon/Logoff, Process Creation, Lateral Movement, PowerShell, RDP, Defender Alerts, and 13 more.

2. 273+ event ID descriptions in plain English on click. No more looking up what 4688 or 7045 means mid-investigation.

3. ATT&CK tab — every parse maps events to MITRE techniques with ID, tactic, confidence, and source. Click any technique to filter the table to events that triggered it.

4. IOC tab — auto-extracts IPs, domains, file paths, hashes, URLs, registry keys, and suspicious command lines. Click any IOC to pivot the entire event table to events containing that indicator.

5. Chains tab — correlates events into multi-step attack chains shown as an expandable tree. Click any node to jump to that event.

6. Case tab — annotate events with analyst notes, export as a formal PDF investigation report.

7. Hayabusa integration — ~3,000 community Sigma rules evaluated and merged into the ATT&CK tab.

8. Sentinel anomaly engine — build a behavioral baseline from clean logs, then score a suspect capture. Each process-create event scored across five dimensions and classified into four tiers. Tier 3/4 findings include plain-English justifications. Built for novel malware, LOLBin abuse, and anything that slips past signatures.

9. Export in 8 formats — JSON, CSV, XML, HTML, PDF report, STIX 2.1, OpenIOC, YARA.

10. Full CLI and TUI for headless and automated use.

If the tool looks useful, a star on GitHub goes a long way ⭐⭐ — it helps the project get visibility and keeps me motivated to keep building. Would genuinely love feedback from anyone, especially on what's missing or annoying in the existing ecosystem.