Tools

DFIR tools built to support practical investigation workflows

Practical DFIR tooling designed to support forensic analysis, investigative reconstruction, incident response, and modern cybersecurity workflows.

V1.0.0

Interactive Sign-In Analyzer

Purpose-built for triage, scoping, and investigative narrative support using Microsoft 365 sign-in telemetry.

  • High-signal detector summaries
  • Timeline and narrative support
  • Designed for investigator usability

View downloads

Coming soon

Non-Interactive Sign-In Analyzer

Analysis of non-interactive authentication activity, including token-based access, application sign-ins, and background authentication events often associated with persistence and post-compromise behavior.

  • Detection of token-based and non-interactive authentication patterns
  • Identification of persistence and stealth access mechanisms
  • Correlation of application, service, and background sign-in activity

View downloads

Coming soon

Unified Audit Log Analyzer

Focused on audit log review with a clean interface for rapid filtering, IOC identification, and artifact-based investigation.

  • Audit telemetry workflow support
  • Investigator-oriented filtering
  • Reporting-friendly outputs

View downloads

Coming soon

Future Research Utilities

This space is reserved for acquisition helpers, triage aids, parsers, forensic workflow accelerators, and experimental releases.

  • Standalone utilities
  • Case support tools
  • Research releases

Read related articles

Development Pipeline

Upcoming Tools

  • Analyzer for staged payload decoding and execution tracing
  • Authentication Kill Chain Correlation across interactive and non-interactive telemetry
  • Domain and infrastructure enrichment for investigator pivoting and attribution support
  • Standalone triage utilities for rapid parsing of common DFIR artifacts

Research

Ongoing Work

Current research focuses on improving the speed and clarity of investigative analysis across modern authentication, audit, and identity telemetry. Emphasis is placed on detection logic aligned to real-world attacker behavior, structured timeline reconstruction, and producing clear, defensible outputs that support investigative decision-making.