TLP - The Digital Forensics Podcast

Clint Marsden

Get involved in the exciting world of Digital Forensics and Incident Response with Traffic Light Protocol: The Digital Forensics Podcast. In each episode, we sit down with seasoned DFIR professionals, the blue teamers who work around the clock to investigate cyber intrusions. From data breaches to cyberattacks, they share firsthand accounts of some of the most intense investigations they've ever tackled, how they deal with burnout, and the added pressure of cat and mouse while they learn about new attack chains.

  1. 22 JUNE

    Episode 22: AI Chat Forensics: How to Find, Investigate, and Analyse Evidence from ChatGPT, Claude & Gemini

    Unlock the secrets behind digital forensic investigations into AI chat platforms like ChatGPT, Claude, and Google's Gemini in this insightful episode. Learn the precise methods for discovering, extracting, and interpreting digital evidence across Windows, Mac, and Linux environments, whether it's browser caches, memory forensics, network logs, or cloud-based data exports. From identifying subtle signs of malicious AI usage and attempts to evade security controls, to piecing together forensic timelines, this podcast provides practical, hands-on guidance tailored for cybersecurity professionals, forensic analysts, and IT investigators. Tune in now and boost your expertise in this emerging field of AI-driven digital forensics.

    You'll learn:
    - AI Chat Evidence Locations: Discover exactly where to find critical forensic evidence from ChatGPT, Claude, and Gemini across Windows, Mac, and Linux systems.
    - Extracting and Analyzing Chat Data: Learn practical techniques to extract, review, and interpret digital artifacts, including browser caches, local storage, memory dumps, and network logs.
    - Identifying AI Jailbreaking and Misuse: Understand how to spot attempts to bypass AI guardrails and recognize malicious prompts or suspicious activity within chat logs.
    - Cloud vs Local Forensic Challenges: Explore unique challenges associated with investigating cloud-based AI platforms versus local installations, and how to overcome them.
    - Building Effective Forensic Timelines: Master the art of assembling comprehensive forensic timelines by integrating timestamps, metadata, network traffic, and other key sources of digital evidence.

    Links and references:
    - https://help.openai.com/en/articles/7260999-how-do-i-export-my-chatgpt-history-and-data
    - https://pvieito.com/2024/07/chatgpt-unprotected-conversations
    - https://www.scribd.com/document/818273058/Conversational-AI-forensics#:~:text=of%20Gemini%20are%20stored%20in,based%20mobile%20app
    - https://ar5iv.labs.arxiv.org/html/2505.23938v1#:~:text=source%20for%20corroborating%20evidence,of%20the%20NationalSecureBank%20phishing%20email
    - aletheia.medium.com

    41 min
  2. 10 JUNE

    Episode 21: How IRCO is Changing DFIR: The AI Copilot for Real-Time Cyber Investigations

    Link to IRCO (Incident Response Copilot) on ChatGPT: https://chatgpt.com/g/g-68033ce1b26481919b26df0737241bac-irco-incident-response-co-pilot

    In this episode of TLP: The Digital Forensics Podcast, Clint dives deep into IRCO (a custom GPT designed specifically for DFIR and SOC analysts). From real-world cyber incidents to post-incident reporting and CTF training, IRCO acts like your AI-powered colleague: fast, focused, and built for real investigations or even CTFs. Learn how this tool understands your forensic workflows, decodes technical jargon, and supports smarter, faster investigations. Clint shares how to start using IRCO, common use cases, how to keep your data safe, and why many in the field are underestimating its capability. Whether you're writing reports, analyzing logs, or stuck mid-incident, IRCO can give you the 1% edge you need to solve tricky DFIR investigations and communicate reports more quickly.

    🔍 Topics covered:
    - What is IRCO?
    - How to integrate AI into digital forensics workflows
    - Using IRCO for live incidents, CTFs, and training
    - Privacy and responsible AI use in SOC environments
    - Actionable prompts and use cases

    🎧 Subscribe to TLP now and give IRCO a test run. You might just find your new secret weapon in responding to incidents quicker than ever.

    16 min
  3. 26 MAY

    Episode 19: AI Data Poisoning: How Bad Actors Corrupt Machine Learning Systems for Under $60

    Clint Marsden breaks down a critical cybersecurity report from intelligence agencies including the CSA, NSA, and FBI about the growing threat of AI data poisoning. Learn how malicious actors can hijack AI systems for as little as $60, turning machine learning models against their intended purpose by corrupting training data. Clint explains the technical concept of data poisoning in accessible terms, comparing it to teaching a child the wrong labels for objects. He walks through the six-stage framework where AI systems become vulnerable, from initial design to production deployment, and covers the ten security recommendations intelligence agencies are now promoting to defend against these attacks. The episode explores real-world examples of AI systems gone wrong, from shopping bots buying drugs on the dark web to coordinated attacks by online communities. You'll discover practical mitigation strategies including cryptographic verification, secure data storage, anomaly detection, and the importance of "human in the loop" safeguards. Whether you're a cybersecurity professional, AI developer, or simply curious about emerging digital threats, this episode provides essential insights into protecting AI systems from manipulation and understanding why data integrity has become a national security concern.

    Key Topics Covered:
    - Split view poisoning and expired domain attacks
    - Data sanitization and anomaly detection techniques
    - Zero trust principles for AI infrastructure
    - The role of adversarial machine learning in cybersecurity
    - Why defenders must learn AI as quickly as attackers

    The PDF from CISA et al.: https://www.ic3.gov/CSA/2025/250522.pdf

    26 min
  4. 28 FEB

    Audiobook - Mastering Sysmon. Deploying, Configuring, and Tuning in 10 easy steps

    This episode features the complete narration of my ebook, Mastering Sysmon – Deploying, Configuring, and Tuning in 10 Easy Steps, providing a step-by-step guide to getting Sysmon up and running for better threat detection and incident response. If you're in security operations, digital forensics, or incident response, this episode will help you:
    - Deploy Sysmon efficiently.
    - Tune Sysmon logs for maximum insight while reducing noise.
    - Use Sysmon for investigations, from process creation tracking to network monitoring.
    - Understand real-world use cases of how Sysmon can catch adversaries in action.

    Key Topics Covered:
    - Why Sysmon Matters – A deep dive into how Sysmon enhances Windows logging.
    - Common Mistakes & How to Avoid Them – Logging misconfigurations, tuning issues, and evidence handling best practices.
    - Step-by-Step Deployment Guide – From downloading Sysmon to configuring it for lean detections.
    - Tuning for Performance & Relevance – How to tweak Sysmon settings to avoid excessive log volume.
    - Investigating Security Events – Key Sysmon event IDs that provide forensic gold.
    - Real-World Use Cases – Examples of how Sysmon has caught attackers in action.
    - Sysmon Bypass Techniques – How adversaries evade detection and how to stay ahead.

    Resources Mentioned:
    - Sysmon Download – Microsoft Sysinternals
    - Sysmon Configuration Files – Olaf Hartong's Sysmon-Modular
    - MITRE ATT&CK Framework – MITRE ATT&CK
    - ACSC Sysmon Config Guide – ACSC GitHub

    Key Takeaways:
    - Sysmon provides deep system visibility – if tuned correctly.
    - Tuning is essential – Avoid log overload while keeping useful data.
    - Use a structured deployment process – From baselining performance to verifying logs.
    - Sysmon alone isn't enough – It works best when combined with other detection tools.
    - Be aware of bypass techniques – Attackers can disable Sysmon, so defense in depth is key.

    43 min

Ratings & Reviews

5 out of 5 (2 Ratings)

