Skip to content


Questions are the core of DFIQ. All other DFIQ components are relative to Questions: Approaches describe how to answer the Questions, and Scenarios and Facets organize the Questions logically. Below is an index of all the Questions that are defined as part of DFIQ.

Some quick facts about Questions in DFIQ:

  • Questions should be small enough in scope that they can be readily answered
  • A single Question can be reused in multiple different Facets
  • If a Question has any Approaches defined, it will render as a link to the detailed Question page


Not all the Questions have Approaches defined; in fact, most don't at the moment. If you'd like to contribute an idea for a new Question, or a new Approach for answering an existing Question, please open an issue on GitHub.

Questions Index

ID Question Tags Approaches
Q1054 What Launch Daemons are configured? macOS T1543.004 0
Q1017 Were any files collected into a container? 0
Q1057 What network logon scripts are configured? T1037.003 Windows 0
Q1050 Are there any GCS buckets within the cloud project shared externally? 0
Q1080 How many external recipients does the email have? 0
Q1074 Were any system event logs cleared? T1070.001 T1070.002 Linux Windows macOS 0
Q1065 What files are referenced in Registry "Run" keys? T1547.001 Windows 0
Q1058 What domain accounts have been created? T1136.002 Windows 0
Q1055 What Windows logon scripts are configured? Windows T1037.001 0
Q1072 Did Chrome's DNS Prefetching cause a DNS query? Web Browser DNS 0
Q1012 What files were copied from a USB device to a computer? 0
Q1014 What files did the actor open on their computer? File Knowledge 0
Q1019 What web browsers were running at a given time? Web Browser 0
Q1083 Were any files sent via Bluetooth? T1011.001 0
Q1075 Is the recipient account controlled by the sender? 0
Q1002 What USB devices were attached to a computer? 0
Q1028 Was there specialized "anti-forensic" (or "privacy") software on a computer? 0
Q1067 What system services are installed? macOS Linux Windows 0
Q1063 What periodic scripts are configured? macOS 0
Q1078 Were the files copies? 0
Q1027 Are there any sudden changes in the number of files on a device? 0
Q1041 Are there any unexpected successful API calls from an unknown external IP address (including Tor Exit nodes, C2 tagged addresses)? 0
Q1021 What Chrome extensions are installed? Web Browser 0
Q1069 Are there any indications of dylib hijacking? macOS T1574.004 0
Q1001 What files were downloaded using a web browser? NTFS Safari USN Journal Windows macOS Edge SQLite Chrome Web Browser 3
Q1004 What screenshots were taken on a computer? 0
Q1039 Are there any detections of exposed service account credentials? 0
Q1024 Was an Incognito/Private browser session used? Web Browser 0
Q1071 Are there any indications of dynamic linker hijacking? T1574.006 macOS Linux 0
Q1005 What files have ever been on a computer? 0
Q1052 What browser extensions (non-Chrome) are installed? Web Browser 0
Q1056 What login hooks are configured? macOS T1037.002 0
Q1049 Is there an unusual increase of traffic between resource in the cloud project? 0
Q1015 What syncing activities did external "cloud storage" applications do on a computer? 0
Q1010 What was printed from a computer? 0
Q1006 What files are present on a computer? 0
Q1035 Were any copies made of sensitive files? 0
Q1025 What external accounts has the actor used in their web browser? 0
Q1047 Are there any suspicious modifications to the cloud project firewall rules/policies? 0
Q1003 What files were copied from a computer to a USB device? 0
Q1045 Are there any unknown accounts created? 0
Q1053 What Launch Agents are configured? macOS T1543.001 0
Q1016 What files were sent externally via email attachments? 0
Q1009 What interactions with external cloud storage sites did the actor have using their web browser? 0
Q1044 Are there any unexpected resources created under the cloud project? 0
Q1018 What process made the DNS query? DNS 0
Q1064 What systemd timers are configured? T1053.006 Linux 0
Q1037 Have there been any executions of PsExeSrv? Prefetch Event Logs Windows 3
Q1079 Is there a history of communication with the recipients? 0
Q1038 Were any files sent via CLI utilities? 0
Q1036 Have there been any executions of PsExec? Prefetch Event Logs Windows 2
Q1008 What programs are installed on a computer? 0
Q1084 What data was uploaded to a website via a web browser? 0
Q1030 Were any security or monitoring agents tampered with or disabled? 0
Q1032 What actions were taken in an Incognito (or "private") browser session? 0
Q1070 Are there any indications of dylib proxying? macOS 0
Q1077 Were there bulk downloads from Google Drive? 0
Q1013 What files are present on a USB device? 0
Q1046 Are there any unknown role bindings created? 0
Q1023 Is a given Chrome extension associated with a given domain? Chrome T1176 0
Q1062 What cron jobs are configured? macOS Linux T1053.003 0
Q1059 What local accounts have been created? T1136.001 macOS Linux Windows 0
Q1048 Are there any suspicious modifications to the cloud project logging configuration? 0
Q1060 What AT jobs are configured? T1053.002 macOS Linux 0
Q1042 Are there any APIs recently enabled? 0
Q1051 Are there any signs of data within the cloud project being transferred externally? 0
Q1068 When were system services last modified? macOS Linux Windows 0
Q1082 Were any files sent via AirDrop? 0
Q1029 Were any encryption programs used on a computer? 0
Q1061 What Scheduled Tasks are configured? Windows T1053.005 0
Q1081 Does the user have a recently provisioned host? 0
Q1066 What items are in startup folders? T1547.001 Windows 0
Q1026 What files were downloaded from messaging apps? 0
Q1020 What pages did web browsers visit? Safari Internet Explorer Edge Firefox SQLite Chrome Web Browser 1
Q1043 Are there any role bindings to cluster admin for anonymous users? 0
Q1040 Are there any interaction with the cloud project resources from an unknown external IP address (including Tor Exit nodes, C2 tagged addresses)? 0
Q1033 Was shell history cleared? 0
Q1073 Have there been any modifications to the "hosts" file? 0
Q1007 What files were synced or backed-up to external services? T1567.002 0
Q1076 Were the files screenshots? 0
Q1022 What actions did a Chrome extension perform? Chrome Web Browser Browser Extension 0
Q1011 What files were sent or received by a chat application? 0
Q1034 Was content copied from a file? 0
Q1031 How much network traffic was there to/from a machine? 0