CTI practitioners have threat intelligence databases; what about digital forensics practitioners? How can they organize knowledge and ensure that investigations are carried out in a repeatable manner? In the same way that threat intelligence describes attackers, capabilities, and infrastructure, Digital Forensics Intelligence describes the relationship between systems, questions, and investigation techniques.

Enter DFIQ (Digital Forensics Investigative Questions; https://dfiq.org/): a framework used to model scenarios, questions and approaches in digital forensics investigations. This talk will take a deeper dive into the DFIQ model, and more importantly the different ways it is practically used to facilitate forensic investigators' day-to-day activities, ensure repeatable conclusions of investigations, and knowledge sharing among analysts. We'll discuss how DFIQ is stored in Yeti, used in Timesketch, and can be used to leverage end-to-end collection and analysis workflows to accelerate and structure investigations in large enterprise environments.