Session
Forged Kerberos Tickets: Forensic Detection and Response
This talk explores forged Kerberos tickets — Golden, Silver, Diamond and Sapphire — from a practical forensic angle without diving too deep into protocol details. It outlines what each ticket type represents, why attackers use them and how their presence changes the shape of an investigation. The focus is on the kinds of clues these forgeries leave behind: unusual authentication patterns, inconsistencies in logs, odd ticket lifetimes, and activity that doesn’t match normal account behavior. The session walks through where responders typically find the most useful evidence, which gaps often slow investigations, and how to judge the real scope of an incident once forged tickets are involved. Short case examples show how these attacks appear in practice and how investigators can separate false alarms from genuine compromise. The talk closes with clear steps for containment, recovery and long-term hardening, aimed at helping responders move from detection to confident remediation.