eBPF rootkits & forensics: from blinding telemetry to memory detection
How an eBPF rootkit bypasses kernel lockdown to blind Linux telemetry, and a memory detection method with Volatility 3 linking processes, maps and eBPF programs.

How an eBPF rootkit bypasses kernel lockdown to blind Linux telemetry, and a memory detection method with Volatility 3 linking processes, maps and eBPF programs.
Why modelling security data as graphs improves DFIR and threat hunting, with examples based on Zeek, Neo4j, BloodHound and JACG.
How to scale forensic investigations with Dissect, Logstash and ELK to extract, centralise and search artefacts across multiple machines.