Juwon1405/GitNote
📚 GitNote

A curated knowledge base for Digital Forensics, Incident Response, and Defensive Security

Maintained by Yushin (방주원 / Bang Juwon) — DFIR Senior Specialist · Tokyo

What is GitNote?

GitNote is the index I wish existed when I started in DFIR — a single, opinionated entry point to the references I actually use, organized so that someone walking in cold can find what they need in under 60 seconds.

It is not an "awesome list" of everything in security. It is a curated, used-in-practice subset of:

  • 🔍 Incident response frameworks — 66 IR/DFIR doctrine PDFs from NIST, SANS, ENISA, KISA, Microsoft, AWS, and more
  • 📚 Resources — practical guides on phishing analysis, blue team notes, red team tools, mindmaps for tcpdump / Burp / Windows privileges
  • 💻 Code snippets — working scripts for reverse engineering, macOS setup, network checks
  • ⭐ Curated stars: 204 GitHub repos categorized into 12 buckets (DFIR / Blue Team / AI / Red Team / Malware / OSINT / etc.)

🗂️ Directory map

GitNote/
├── 📂 Repositories/          ← 66 IR/DFIR doctrine PDFs (NIST, SANS, ENISA, KISA…)
│   └── Cyber-Incident-Investigation-Framework/
│       ├── NIST/              (6 PDFs — 800-61, 800-86, 800-150, log mgmt, malware, patch)
│       ├── SANS/              (36 PDFs — incident handling, IR programs, NetWars, etc.)
│       ├── ENISA/             (5 PDFs — EU CSIRT guidance)
│       ├── KISA/              (2 PDFs — Korean IR guides 한국어)
│       ├── Microsoft/         (Microsoft IR Reference Guide)
│       ├── AWS/               (AWS Security Incident Response Guide)
│       ├── ACSC/              (Australian Cyber Security Centre)
│       ├── CREST/             (Cyber Security Incident Response Guide)
│       ├── FCC/               (Computer Security Incident Response Guide)
│       └── …16 organizations total
│
├── 📂 Resources/             ← Working guides + curated indexes
│   ├── awesome-stars.md       ⭐ 204 GitHub stars categorized (DFIR/Blue/AI/Red/etc.)
│   ├── [Guide] blue-team-notes.md
│   ├── [Guide] blue-team-notes_examples-of-lateral-movement.md
│   ├── [Guide] markdown-korean.md
│   ├── [Tips-and-Tricks] phishing-email-analysis.md
│   ├── [Tips-and-Tricks] chatgpt-sheat-sheet.md
│   ├── [Tips-and-Tricks] how-to-copy-github-wiki.md
│   ├── [Resources] red-team-tools.md
│   ├── [Resources] program-analysis.md
│   ├── [Resources] assembly-language.md
│   └── [Mindmap] Tools/        (tcpdump / Burpsuite / Windows Privileges — visual cheatsheets)
│
└── 📂 CodeSnippets/         ← Working scripts (reverse engineering, setup, networking)
    ├── reversing_dump-pyc-with-gdb.md       (RE technique walkthrough)
    ├── reversing_dump-pyc-with-gdb_*.py     (3 helper scripts)
    ├── setup-macos-full-20240204.sh         (full macOS dev/forensics workstation setup)
    ├── LunarToSolarEventCreator.py          (calendar utility)
    ├── network_checkip.py                   (IP enrichment helper)
    └── misc_live-gif-macker.py              (GIF capture tool)

⚡ Where to start (5 entry points)

🚨 In an active incident — go here first

| Situation | Read |
|---|---|
| Just got handed a Windows EVTX dump | [Cheatsheet] evtx-threat-hunting-2026.md — 12 EIDs that catch 80% of intrusions |
| Suspect ransomware, what group? | [Playbook] ransomware-2026-actor-handbook.md — 9 active 2025-2026 RaaS profiles |
| Live macOS host triage | [Cheatsheet] macos-unified-log-triage.md + launchd_persistence_audit.sh |
| Live Linux host triage | [Cheatsheet] linux-dfir-triage-2026.md + auditd_lateral_movement.sh |
| Memory dump just acquired | [Cheatsheet] memory-forensics-vol3.md — Vol3 v2.27 top 12 plugins |
| Suspect AD identity attack | [Playbook] identity-attacks-detection.md — Kerberoasting / Golden Ticket / DCSync etc. |
| Cloud incident (AWS / Entra ID) | [Cheatsheet] cloud-dfir-aws-entra.md — top 10 events + queries |
| MFT export, hunt timestomp | mft_timestomp_detector.py |

🥇 If you're a DFIR practitioner building an IR program

  1. [Resources] dfir-2026-essential-reading.md ⭐ — 2026 reading list (M-Trends, DBIR, DFIR Report, books, training)
  2. NIST SP 800-61 r2 — foundational
  3. NIST SP 800-86 — forensic integration
  4. SANS — Incident Handler's Handbook

🥈 If you're a Blue Team analyst building detection coverage

  1. [Cheatsheet] evtx-threat-hunting-2026.md — Sigma rules + Hayabusa one-liners
  2. [Playbook] identity-attacks-detection.md — AD + Entra ID detection signatures
  3. awesome-stars.md → Blue Team section — 17 SOC/detection-engineering tools

🥉 If you're a Mac/iOS forensic analyst

  1. [Cheatsheet] macos-unified-log-triage.md — 12 working log show predicates
  2. launchd_persistence_audit.sh — comprehensive launchd persistence inventory
  3. Companion repos by the same author:

☁️ If you're a Cloud DFIR analyst

  1. [Cheatsheet] cloud-dfir-aws-entra.md — AWS CloudTrail + Entra ID signatures
  2. [Playbook] identity-attacks-detection.md — modern Entra ID attacks (device code, PRT theft, MFA fatigue)

⭐ Curated stars — by category

Resources/awesome-stars.md — 204 starred GitHub repos, auto-classified into 12 categories with manual review.

| Category | Count |
|---|---|
| 🔍 DFIR — Forensics & Incident Response | 38 |
| 🤖 AI / LLM / Agentic | 30 |
| 🛡️ Blue Team — SOC, Detection, Threat Hunting | 17 |
| 🦠 Malware Analysis & Reverse Engineering | 15 |
| 📚 Awesome Lists & Curated References | 14 |
| 🌐 OSINT & Threat Intelligence | 14 |
| 🔓 Red Team — Offensive / Pentesting | 13 |
| 🛠️ DevTools & Productivity | 10 |
| 📖 Learning & Career | 7 |
| 🔗 macOS / iOS Security & Forensics | 6 |

🔗 Companion projects by the same author

| Project | What it is |
|---|---|
| agentic-dart | Architecture-first autonomous DFIR agent — SANS FIND EVIL! 2026 submission. 35 typed MCP forensic functions, audit-chained reasoning loop, contradiction handler, 1135-line senior-analyst playbook. |
| yushin-gendfir-rag | Unofficial Python replication of Loumachi, Ghanem & Ferrag — Generative DFIR with RAG (2024). |
| yushin-mac-forensics-platform | macOS DFIR forensics platform — Flask-based web tool. |
| yushin-mac-artifact-collector | Single-file, zero-dependency macOS artifact collector. |

🤝 About the author

Yushin (방주원 / バン ジュウォン / 優心) is a DFIR Senior Specialist based in Tokyo, focused on autonomous security operations, agentic DFIR, and macOS forensics. The Japanese reading 優心 means "discerning mind" — the trait this knowledge base is meant to help cultivate.

  • 🔗 GitHub: @Juwon1405
  • 🌍 Location: Tokyo, Japan
  • 🎓 Domain: DFIR · Detection Engineering · Incident Response · macOS Forensics

📜 License

Documents in Repositories/ retain their original licenses (NIST/SANS/ENISA/etc. publications are public domain or under their respective publisher terms). Original content (Resources/, CodeSnippets/, this README) is offered under CC BY 4.0 unless otherwise specified within a file.

If a referenced PDF here belongs to you and you'd like it removed or re-attributed, please open an issue.


Last updated: 2026-05-01 · Curated by Yushin · Made in Tokyo 🗼

About

The GitNote repository is a curated collection of materials in the field of information security and computer science.