Skip to content


Questions are the core of DFIQ. All other DFIQ components are relative to Questions: Approaches describe how to answer the Questions, and Scenarios and Facets organize the Questions logically. Below is an index of all the Questions that are defined as part of DFIQ.

Some quick facts about Questions in DFIQ:

  • Questions should be small enough in scope that they can be readily answered
  • A single Question can be reused in multiple different Facets
  • If a Question has any Approaches defined, it will render as a link to the detailed Question page


Not all the Questions have Approaches defined; in fact, most don't at the moment. If you'd like to contribute an idea for a new Question, or a new Approach for answering an existing Question, please open an issue on GitHub.

Questions Index

ID Question Tags Approaches
Q1001 What files were downloaded using a web browser? NTFS macOS Chrome Web Browser USN Journal Windows Safari SQLite Edge 3
Q1002 What USB devices were attached to a computer? 0
Q1003 What files were copied from a computer to a USB device? 0
Q1004 What screenshots were taken on a computer? 0
Q1005 What files have ever been on a computer? 0
Q1006 What files are present on a computer? 0
Q1007 What files were synced or backed-up to external services? T1567.002 0
Q1008 What programs are installed on a computer? 0
Q1009 What interactions with external cloud storage sites did the actor have using their web browser? 0
Q1010 What was printed from a computer? 0
Q1011 What files were sent or received by a chat application? 0
Q1012 What files were copied from a USB device to a computer? 0
Q1013 What files are present on a USB device? 0
Q1014 What files did the actor open on their computer? File Knowledge 0
Q1015 What syncing activities did external "cloud storage" applications do on a computer? 0
Q1016 What files were sent externally via email attachments? 0
Q1017 Were any files collected into a container? 0
Q1018 What process made the DNS query? Sysmon DNS Windows CrowdStrike 3
Q1019 What web browsers were running at a given time? Process Execution Web Browser CrowdStrike 1
Q1020 What pages did web browsers visit? Internet Explorer Firefox Chrome SQLite Web Browser Edge Safari 1
Q1021 What Chrome extensions are installed? Web Browser 0
Q1022 What actions did a Chrome extension perform? Chrome Browser Extension Web Browser 0
Q1023 Is a given Chrome extension associated with a given domain? Chrome T1176 0
Q1024 Was an Incognito/Private browser session used? Process Execution Web Browser CrowdStrike 1
Q1025 What external accounts has the actor used in their web browser? 0
Q1026 What files were downloaded from messaging apps? 0
Q1027 Are there any sudden changes in the number of files on a device? 0
Q1028 Was there specialized "anti-forensic" (or "privacy") software on a computer? 0
Q1029 Were any encryption programs used on a computer? 0
Q1030 Were any security or monitoring agents tampered with or disabled? 0
Q1031 How much network traffic was there to/from a machine? 0
Q1032 What actions were taken in an Incognito (or "private") browser session? 0
Q1033 Was shell history cleared? 0
Q1034 Was content copied from a file? 0
Q1035 Were any copies made of sensitive files? 0
Q1036 Have there been any executions of PsExec? Prefetch Windows Event Logs 2
Q1037 Have there been any executions of PsExeSrv? Prefetch Windows Event Logs 3
Q1038 Were any files sent via CLI utilities? 0
Q1039 Are there any detections of exposed service account credentials? 0
Q1040 Are there any interaction with the cloud project resources from an unknown external IP address (including Tor Exit nodes, C2 tagged addresses)? 0
Q1041 Are there any unexpected successful API calls from an unknown external IP address (including Tor Exit nodes, C2 tagged addresses)? 0
Q1042 Are there any APIs recently enabled? 0
Q1043 Are there any role bindings to cluster admin for anonymous users? 0
Q1044 Are there any unexpected resources created under the cloud project? 0
Q1045 Are there any unknown accounts created? 0
Q1046 Are there any unknown role bindings created? 0
Q1047 Are there any suspicious modifications to the cloud project firewall rules/policies? 0
Q1048 Are there any suspicious modifications to the cloud project logging configuration? 0
Q1049 Is there an unusual increase of traffic between resource in the cloud project? 0
Q1050 Are there any GCS buckets within the cloud project shared externally? 0
Q1051 Are there any signs of data within the cloud project being transferred externally? 0
Q1052 What browser extensions (non-Chrome) are installed? Web Browser 0
Q1053 What Launch Agents are configured? T1543.001 macOS 0
Q1054 What Launch Daemons are configured? T1543.004 macOS 0
Q1055 What Windows logon scripts are configured? T1037.001 Windows 0
Q1056 What login hooks are configured? T1037.002 macOS 0
Q1057 What network logon scripts are configured? T1037.003 Windows 0
Q1058 What domain accounts have been created? T1136.002 Windows 0
Q1059 What local accounts have been created? T1136.001 Linux Windows macOS 0
Q1060 What AT jobs are configured? Linux T1053.002 macOS 0
Q1061 What Scheduled Tasks are configured? T1053.005 Windows 0
Q1062 What cron jobs are configured? T1053.003 Linux macOS 0
Q1063 What periodic scripts are configured? macOS 0
Q1064 What systemd timers are configured? Linux T1053.006 0
Q1065 What files are referenced in Registry "Run" keys? Windows T1547.001 0
Q1066 What items are in startup folders? Windows T1547.001 0
Q1067 What system services are installed? Linux Windows macOS 0
Q1068 When were system services last modified? Linux Windows macOS 0
Q1069 Are there any indications of dylib hijacking? T1574.004 macOS 0
Q1070 Are there any indications of dylib proxying? macOS 0
Q1071 Are there any indications of dynamic linker hijacking? T1574.006 Linux macOS 0
Q1072 Did Chrome's DNS Prefetching cause a DNS query? Web Browser DNS 0
Q1073 Have there been any modifications to the "hosts" file? 0
Q1074 Were any system event logs cleared? T1070.001 CrowdStrike T1070.002 macOS Linux Windows Event Logs 2
Q1075 Is the recipient account controlled by the sender? 0
Q1076 Were the files screenshots? 0
Q1077 Were there bulk downloads from Google Drive? 0
Q1078 Were the files copies? 0
Q1079 Is there a history of communication with the recipients? 0
Q1080 How many external recipients does the email have? 0
Q1081 Does the user have a recently provisioned host? 0
Q1082 Were any files sent via AirDrop? 0
Q1083 Were any files sent via Bluetooth? T1011.001 0
Q1084 What data was uploaded to a website via a web browser? 0
Q1085 What DNS requests have been made from a system? 0
Q1086 What web-based email messages were viewed in a web browser? 0
Q1087 Did the user access any common PaaS/SaaS services? 0
Q1088 Did the user connect to any non-Company systems using the command line? 0
Q1089 Did the user download any Citrix configuration (.ica) files? 0
Q1090 Did the user interact with any git repositories? 0