? ? ?

??? root@wia:~#

root@wia:~$ whoami

We Investigate Anything

root@wia:~$ cat /etc/motd

Digital Forensics & Incident Response

We dissect digital evidence. We trace the untraceable.

0x0000: 57 65 20 49 6e 76 65 73 74 69 67 61 74 65 |We.Investigate|

0x000e: 41 6e 79 74 68 69 6e 67 |Anything........|

root@wia:~$ _

Artifacts

Windows EVTX, Linux logs, Winlogbeat, Cortex XDR

Tools

Masstin, Sabonis, Persistence Boromir

Cases

Investigations, CTF write-ups, incident walkthroughs

León

Cybersecurity hub, events, routes & gastronomy

# Latest Investigations

2026-04-16 tools 15 min read

Masstin triage detection: KAPE, Velociraptor, Cortex XDR — and a per-source breakdown that finally makes sense

The problem with leaf-directory grouping

Read more →

2026-04-15 tools 17 min read

Masstin custom parsers: one YAML file per vendor, one timeline for everything

The problem with vendor-specific parsing

Read more →

2026-04-15 cases 19 min read

AD DFIR Lab — Part 9: Collecting the Evidence — Forensic Imaging Pipeline

This is Part 9 of the AD DFIR Lab series. Part 8 gave us a noisy-ad-current snapshot packed with 2 years of realistic narrative. Part 9 pulls that snapshot o...

Read more →

2026-04-13 cases 30 min read

AD DFIR Lab — Part 8: A Day in the Realm — Generating Two Years of Historical Noise

This is Part 8 of the AD DFIR Lab series. We turn a sterile clean-ad snapshot into noisy-ad-2years — a dataset that looks like a real company has been using ...

Read more →

2026-04-13 cases 8 min read

AD DFIR Lab — Part 7.5: Keeping the Kingdoms Alive — Eval Licenses and Lab Longevity

This is an interlude in the AD DFIR Lab series. A short operational post about keeping the lab running for years rather than months.

Read more →