Four windows into the working lab, byte-level evidence inspection, disk-image acquisition, network-anomaly investigation, and Windows host-artifact analysis. The same techniques used by Fortune-500 incident-response teams, applied at human scale across Texas.
Every file on a disk begins with a fingerprint, the first few bytes that identify it as an executable, image, archive, or document. Forensic examination starts there: at the raw hex, where deleted files, renamed malware, and hidden payloads can't disguise themselves. We render the entire acquired image as scrollable hex and let the tooling surface signatures automatically.
A live view of the examiner's hex-dump pane during acquisition. Addresses on the left; raw bytes in the middle; ASCII on the right (non-printable bytes shown as a middle dot). As the scan progresses, the tooling matches each row against a library of file-format signatures, magic numbers, and labels every match in real time.
File-extension forensics is unreliable, a malicious executable renamed report.docx still has 4D 5A at offset zero. Reading the underlying bytes is how we identify files an attacker tried to hide, recover fragments after deletion, and authenticate that a photo, document, or installer is what it claims to be.
Carving, recovering files from unallocated disk space, relies on the same technique. The hex view is also where embedded artifacts surface: a JPEG hidden inside a PDF, a script appended to an image, a binary blob smuggled in a backup.
In a ransomware event or suspected intrusion, the most useful evidence isn't on any single device, it's the conversation between devices. We map the network the same way an attacker would: every host, every connection, every unusual port, until the anomalous behaviour reveals itself.
The visualisation reconstructs an investigation in miniature. First the topology is mapped, every host on the network and the connections between them, drawn from a one-hour packet capture window. Most of it is normal traffic: workstations to the domain controller, a file server to a printer, mail to mail.
Then the anomalies surface. One host is making encrypted connections to an unusual port. A second host downstream of it shows the same pattern, on the same port, within seconds, classic lateral movement. The link between them becomes the evidentiary backbone of the report.
A written report identifying the entry point, the lateral movement path, the data exfiltration channel (if any), and the remediation steps to close the gap. For small businesses recovering from ransomware, this report is also what an insurer and outside counsel will need before they'll release funds or issue a notice.
Network forensics is also how we tell opportunisticattacks (commodity ransomware) from targeted ones (someone who knew what they were after). The distinction changes the recommended response, and sometimes the jurisdiction it has to be reported to.
Once an image is acquired, the artifact-analysis phase begins. Windows logs more than most people realise, registry hives, prefetch files, Event Logs, browser history, USB device history, recently-opened files, Master File Table entries. Each is a piece of the timeline.
The browser above is a forensic artifact viewer parsing an acquired Windows host. The left tree lists the artifact categories pulled from the image. The right pane is the parsed, normalised view of whatever category is selected, here, the Registry, sorted by timestamp.
One row is flagged. A Run key under HKCU points to an executable in a user's Temp directory named to mimic a legitimate Windows service. That's a textbook persistence indicator, and one no antivirus product alerted on, which is why the host went uninspected for weeks.
Artifacts on their own are noise. The work is in the correlation: aligning a registry timestamp with a prefetch entry, a Sysmon event, a network connection, and a file system change to produce a minute-by-minute narrative of what happened, on which account, at what time.
The output is a plain-English written report with a technical appendix. The report tells the story; the appendix shows the evidence, every artifact cited, every timestamp in UTC, every hash verifiable.
Digital forensics is not one field; it's eight or nine that overlap. The practice covers the ones that apply to individual and small-business matters in Texas. Specialist areas (vehicle telematics, ICS, large-scale e-discovery) are referred to partner firms.
Acquisition and analysis of Windows, macOS, and Linux endpoints. Encrypted-container access (BitLocker, FileVault, VeraCrypt, LUKS). Deleted-file recovery. Timeline reconstruction. Persistence-mechanism identification.
iOS and Android extraction, advanced logical and file-system where supported by the same mobile-forensic suites used by federal and state agencies, under appropriate authorization. Potential for full physical extraction when the device class and tooling allow. Stalkerware and Spyware detection. Disguised-app and hidden-vault recovery. Cloud-backup analysis.
Live and offline RAM acquisition. Volatile-memory process analysis. Reverse engineering of suspect binaries with static and dynamic tooling. Sandbox detonation in an isolated lab environment.
Packet capture analysis, firewall and IDS log review, lateral-movement reconstruction, exfiltration channel identification. Particularly applicable to ransomware response and suspected business-email compromise.
Microsoft 365, Google Workspace, and major SaaS platforms. Audit log acquisition and analysis. Mailbox and OneDrive/Drive forensics. SaaS-to-SaaS data exfiltration tracing.
GPU-accelerated password recovery on owner-authorised assets. Encrypted-container unlock. Office-document and archive passwords. QuickBooks, Sage, and accounting-database access in estate matters and lawful business contexts.