Texas, USA·By appointment·DPS license #A31200301
Home/Inside the lab
Inside the lab

What a digital-forensics examination actually looks like.

Four windows into the working lab, byte-level evidence inspection, disk-image acquisition, network-anomaly investigation, and Windows host-artifact analysis. The same techniques used by Fortune-500 incident-response teams, applied at human scale across Texas.

Practice area
Digital forensics · Texas
Disciplines
Disk · mobile · network · memory
Tooling
Court-tested, licensed
Reports
Plain English + technical appendix
01 · Byte-level inspection

Reading evidence one byte at a time.

Every file on a disk begins with a fingerprint, the first few bytes that identify it as an executable, image, archive, or document. Forensic examination starts there: at the raw hex, where deleted files, renamed malware, and hidden payloads can't disguise themselves. We render the entire acquired image as scrollable hex and let the tooling surface signatures automatically.

What you're looking at

A live view of the examiner's hex-dump pane during acquisition. Addresses on the left; raw bytes in the middle; ASCII on the right (non-printable bytes shown as a middle dot). As the scan progresses, the tooling matches each row against a library of file-format signatures, magic numbers, and labels every match in real time.

4D 5AWindows PE (.exe, .dll)
FF D8 FFJPEG image
50 4B 03 04ZIP / docx / apk
25 50 44 46PDF document
89 50 4E 47PNG image
52 61 72 21RAR archive

Why it matters to the case

File-extension forensics is unreliable, a malicious executable renamed report.docx still has 4D 5A at offset zero. Reading the underlying bytes is how we identify files an attacker tried to hide, recover fragments after deletion, and authenticate that a photo, document, or installer is what it claims to be.

Carving, recovering files from unallocated disk space, relies on the same technique. The hex view is also where embedded artifacts surface: a JPEG hidden inside a PDF, a script appended to an image, a binary blob smuggled in a backup.

Think a file on your device isn't what it claims to be?
A free 30-minute scoping call, evenings and weekends, obligation-free.
Talk to the examiner
02 · Network forensics

Watching how the boxes talk to each other.

In a ransomware event or suspected intrusion, the most useful evidence isn't on any single device, it's the conversation between devices. We map the network the same way an attacker would: every host, every connection, every unusual port, until the anomalous behaviour reveals itself.

How the discovery unfolds

The visualisation reconstructs an investigation in miniature. First the topology is mapped, every host on the network and the connections between them, drawn from a one-hour packet capture window. Most of it is normal traffic: workstations to the domain controller, a file server to a printer, mail to mail.

Then the anomalies surface. One host is making encrypted connections to an unusual port. A second host downstream of it shows the same pattern, on the same port, within seconds, classic lateral movement. The link between them becomes the evidentiary backbone of the report.

  • Live packet capture · Zeek + Suricata IDS
  • Flow reconstruction across firewall, switch, and host logs
  • Indicator-of-compromise (IOC) matching against threat feeds
  • Lateral-movement timeline reconstructed to the second

What gets delivered

A written report identifying the entry point, the lateral movement path, the data exfiltration channel (if any), and the remediation steps to close the gap. For small businesses recovering from ransomware, this report is also what an insurer and outside counsel will need before they'll release funds or issue a notice.

Network forensics is also how we tell opportunisticattacks (commodity ransomware) from targeted ones (someone who knew what they were after). The distinction changes the recommended response, and sometimes the jurisdiction it has to be reported to.

Recovering from ransomware or a suspected intrusion?
Bring the logs and the timeline, and we'll tell you what the traffic shows.
Talk to the examiner
03 · Windows artifact analysis

Every action a Windows machine takes leaves a trace.

Once an image is acquired, the artifact-analysis phase begins. Windows logs more than most people realise, registry hives, prefetch files, Event Logs, browser history, USB device history, recently-opened files, Master File Table entries. Each is a piece of the timeline.

What the analyst is looking at

The browser above is a forensic artifact viewer parsing an acquired Windows host. The left tree lists the artifact categories pulled from the image. The right pane is the parsed, normalised view of whatever category is selected, here, the Registry, sorted by timestamp.

One row is flagged. A Run key under HKCU points to an executable in a user's Temp directory named to mimic a legitimate Windows service. That's a textbook persistence indicator, and one no antivirus product alerted on, which is why the host went uninspected for weeks.

  • Registry hives (SYSTEM, SOFTWARE, NTUSER, BAM, AmCache)
  • Prefetch and SuperFetch · what ran and when
  • Event Logs (Security, System, Application, PowerShell, Sysmon)
  • Browser history across Edge, Chrome, Firefox, Safari
  • USB device history with first-insertion timestamps
  • Master File Table reconstruction for file timestamps

From artifact to narrative

Artifacts on their own are noise. The work is in the correlation: aligning a registry timestamp with a prefetch entry, a Sysmon event, a network connection, and a file system change to produce a minute-by-minute narrative of what happened, on which account, at what time.

The output is a plain-English written report with a technical appendix. The report tells the story; the appendix shows the evidence, every artifact cited, every timestamp in UTC, every hash verifiable.

Need a Windows machine examined?
Plain-English findings up front, full technical appendix attached.
Talk to the examiner
04 · Disciplines covered

The disciplines the lab supports.

Digital forensics is not one field; it's eight or nine that overlap. The practice covers the ones that apply to individual and small-business matters in Texas. Specialist areas (vehicle telematics, ICS, large-scale e-discovery) are referred to partner firms.

Host & disk forensics

Acquisition and analysis of Windows, macOS, and Linux endpoints. Encrypted-container access (BitLocker, FileVault, VeraCrypt, LUKS). Deleted-file recovery. Timeline reconstruction. Persistence-mechanism identification.

Mobile forensics

iOS and Android extraction, advanced logical and file-system where supported by the same mobile-forensic suites used by federal and state agencies, under appropriate authorization. Potential for full physical extraction when the device class and tooling allow. Stalkerware and Spyware detection. Disguised-app and hidden-vault recovery. Cloud-backup analysis.

Memory & malware analysis

Live and offline RAM acquisition. Volatile-memory process analysis. Reverse engineering of suspect binaries with static and dynamic tooling. Sandbox detonation in an isolated lab environment.

Network forensics & incident response

Packet capture analysis, firewall and IDS log review, lateral-movement reconstruction, exfiltration channel identification. Particularly applicable to ransomware response and suspected business-email compromise.

Cloud & application data

Microsoft 365, Google Workspace, and major SaaS platforms. Audit log acquisition and analysis. Mailbox and OneDrive/Drive forensics. SaaS-to-SaaS data exfiltration tracing.

Recovery & access

GPU-accelerated password recovery on owner-authorised assets. Encrypted-container unlock. Office-document and archive passwords. QuickBooks, Sage, and accounting-database access in estate matters and lawful business contexts.

Engagement intake

Talk to Private-Eye.

Most engagements are quoted within 24 hours.

Request a consultation