Investigations

Six investigations across host, network, and application layers.

Each case documents the failure, the pivot, and the verified outcome. Findings were produced in controlled lab environments and through externally graded IR work with IronCircle TDX Arena. Evidence handling, methodology, and command-level detail are preserved in the full reports.

Host Forensics

Volatile memory, process artifacts, and malware identification where conventional tooling failed.

Memory Forensics & Credential Recovery

Standard ASCII string search surfaced nothing useful in the memory dump. Pivoted to UTF-16LE on the hypothesis that Windows process memory preserves command-line strings as wide characters, which surfaced the full 7-Zip command line with credentials inline. Validated extracted artifacts against source files through MD5 hash chain verification before reporting.

Volatility3 UTF-16LE pivot 7-Zip command recovery MD5 hash verification
Outcome Recovered plaintext credentials from volatile memory, reconstructed the attacker's full command sequence, proved evidence integrity through cryptographic hash chain.
View full investigation →

Malware Identification Where AV Failed

Local antivirus returned clean on a file that was producing anomalous behavior. Performed static analysis and file hash generation, then cross-referenced against multi-engine threat intelligence. Identified the sample as a known malicious payload that the local AV had missed. Authored a YARA rule derived from the observed indicators so future detection would not depend on signature updates.

Static analysis VirusTotal YARA rule authoring File hash IOCs
Outcome Confirmed malicious identification where local AV returned clean. Produced durable YARA detection rule for future host monitoring.
View full investigation →
Network & Detection

Traffic analysis, rule authoring, and service configuration under controlled access constraints.

Network Intrusion Detection Engineering

Analyzed live packet capture to isolate anomalous RDP patterns from baseline traffic. Initial hypothesis on port-based signatures was too noisy. Pivoted to TCP header inspection and identified a static TCP Window Size of 1024 as a reliable signature for the malicious traffic. Authored a custom Snort rule targeting that specific header field, validated detection accuracy in Snorby, confirmed low false positive rate against benign traffic.

Wireshark Snort rule authoring TCP header analysis Snorby validation
Outcome Isolated malicious RDP from baseline behavior using a non-obvious header-level signature. Authored and validated a custom detection rule with minimal false positive rate.
View full investigation →

SMB Service Misconfiguration Analysis & Access Recovery

An internal SMB service was failing silently, lecturers could not upload, students could not access. Root-cause analysis surfaced three layered misconfigurations operating against each other, a deprecated authentication mode active alongside a restrictive protocol floor, with user validation silently disabled in the share definition. Ruled out the protocol floor as the cause, the real failure was security = share combined with an orphaned valid users declaration. Restored explicit per-user authentication under least-privilege constraints.

Samba / SMB smb.conf analysis Privilege enumeration Service recovery
Outcome Service restored under explicit per-user authentication. Anonymous and share-level access no longer permitted. Deprecated auth mode eliminated from runtime configuration.
View full investigation →
Application & Data

Credential exposure, protocol-level exploitation, and SIEM-based attacker activity reconstruction.

Credential Exposure & SIEM Pivot Investigation

Recovered administrative credentials from an exposed POP3 service using both a scripted PowerShell approach and a direct Telnet session, validating the finding through two independent methods. Pivoted into Splunk and authored custom SPL queries correlating logs across sources, reducing 3,000+ raw events to 56 targeted IOCs. Base64-decoded payloads captured in transit confirmed active exfiltration, closing the full attack chain from exposure to impact.

Splunk (custom SPL) POP3 protocol exploitation Base64 payload decoding Multi-source log correlation
Outcome Recovered exposed credentials. Reconstructed the attack chain across mail and SIEM from 3,000+ events down to 56 IOCs. Decoded obfuscated payloads to confirm active compromise.
View full investigation →

Credential Leak Analysis & Active Account Detection

A breached credentials dump was reported, but no one knew which accounts were still compromised. OSINT traced the leak to a paste site. Reformatted the raw credential format through a Bash sed pipeline to machine-readable input, then reverse-engineered the login API via browser DevTools to capture the exact POST schema. Built a Python credential-testing tool using only standard library, avoiding any external dependency for operational portability. Identified accounts that remained active and validated the compromise.

OSINT Web API reconnaissance Python (stdlib only) Credential validation tooling
Outcome Traced the leak to a paste site, reverse-engineered the authentication API, built standalone tooling to identify still-active compromised accounts post-leak.
View full investigation →
What's next

The systems I built out of what I learned here. Each one addresses a failure mode I saw firsthand in investigative work.

View systems