The NE Forensic Environment and Analysis Methodology
Northgate Engineering: the environment
Figure WF0.10 — Northgate Engineering's forensic evidence sources. Endpoints have Sysmon, advanced audit policies, and Prefetch enabled. File servers have object access auditing on restricted shares. Cloud logs provide authentication and admin activity. NVMe SSDs mean deleted file content recovery is unreliable.
Northgate Engineering Ltd is a precision manufacturing company with 810 employees across three UK sites. The environment determines what artifacts are available and what is missing. Sysmon provides process creation and network connection telemetry on endpoints, but the configuration uses SANS community rules, which may miss specialized attacker techniques. Advanced audit policies provide authentication (Event ID 4624/4625), object access (4663), and process creation (4688 with command line), but only on endpoints and servers where the Group Policy applies. Defender for Endpoint provides endpoint telemetry via Advanced Hunting, including network connections, process trees, and file events across all 865 managed devices.
BitLocker is enabled on all endpoints, which means disk images from powered-off systems require recovery keys from Entra ID. NVMe SSDs mean deleted file content recovery is unreliable due to TRIM — for forensic planning, assume non-resident data from deleted files is unrecoverable on endpoints. Resident data (files under ~700 bytes) remains in MFT records regardless. The file server (SRV-NGE-FS01) uses RAID arrays with HDDs, where deleted file recovery is significantly more reliable.
The file server has object access auditing (Event ID 4663) enabled on the restricted shares (Engineering\Manufacturing, R&D, HR\Compensation). This provides server-side evidence of which accounts accessed which files, independent of workstation artifacts. The 6 RHEL and 2 Ubuntu web servers use ext4, which has its own forensic artifact set covered in later courses.
This is the evidence set you will work with throughout the course. Each module teaches you to analyze one or more of these artifact sources. By the end of the course, you can process every artifact in this collection and integrate the findings into a unified investigation narrative.
Scenario 1: INC-NE-2026-0915 — insider data exfiltration
David Chen, a senior manufacturing engineer, submitted his resignation on September 1 with a notice period ending September 30. DLP alerts show Chen accessed 847 files in the restricted Manufacturing Specifications folder between August 1 and September 12, a ten-fold increase over his baseline. A covert KAPE collection was performed from his workstation (DESKTOP-NGE-ENG14) during a period when Chen was in an off-site meeting.
The forensic questions: Which restricted folders did Chen access and when? (ShellBags, Event Logs). Which files did he open? (LNK, Jump Lists, Event Log 4663). Did he copy to USB? (USN Journal, USBSTOR, MFT copy indicators). Did he copy to cloud storage? (SRUM, browser history, OneDrive sync logs). What tools did he use for archiving? (Prefetch for 7-Zip, WinRAR). What volume was potentially exfiltrated? (SRUM bytes by application). Did he attempt to cover his tracks? (USN Journal deletion, Recycle Bin emptying, browser history clearing, Prefetch deletion).
Legal context: HR disciplinary proceeding, potential civil action for breach of contract and IP theft. Preponderance standard (balance of probabilities in UK courts). Chen's solicitor may retain a forensic expert who will scrutinize every finding. Your documentation must withstand adversarial review.
Scenario 2: INC-NE-2026-1022 — ransomware attack
On October 22 at 06:14 UTC, BlueVoyant detected mass file encryption on three servers. By 06:30, containment was initiated. Initial scoping identified 12 compromised endpoints. The ransomware was deployed via PsExec from a compromised IT administrator account. Forensic images were acquired from patient zero (DESKTOP-NGE-FIN01), the lateral movement host (DESKTOP-NGE-IT03), and the encrypted file server; KAPE triage collections were taken from the remaining 9 endpoints. Volume Shadow Copies were deleted by the ransomware, but partial copies may survive where deletion failed.
Scenario
The ransomware investigation requires GDPR Article 33 notification assessment within 72 hours. The examiner must determine whether personal data was accessed or exfiltrated before encryption. The insurance claim requires a forensic report detailing initial access, scope, and remediation. Law enforcement (National Crime Agency) may request evidence, so preservation must meet criminal investigation standards. Three different stakeholders, three different reporting requirements, from the same evidence set.
The forensic questions: Initial access vector? (Patient zero analysis). Dwell time before encryption? (Timeline reconstruction). Credentials compromised? (Credential tool evidence). Lateral movement path? (Cross-host authentication, PsExec service creation). Persistence mechanisms? (Registry analysis). Personal data accessed or exfiltrated before encryption? (File access evidence, SRUM, C2 communication). Recoverable data from shadow copies? Anti-forensic activity?
Scenario 3: INC-NE-2026-1130 — unauthorized access dispute
Sarah Williams, a marketing coordinator, is accused of accessing the restricted HR\Compensation folder. Compensation data for Engineering employees appeared in a document she shared with a competitor's recruiter. Williams denies ever accessing the HR share and claims the data was provided verbally by a colleague. Her workstation (DESKTOP-NGE-MKT07) is powered on, logged out, and physically secured.
Anti-Pattern
Starting with a hypothesis and looking for confirming evidence
An examiner who starts with "Williams accessed the compensation data" will unconsciously favor supporting evidence and discount contradictions. The correct methodology: collect all relevant artifacts, analyze systematically, let evidence lead to conclusions, and document findings that both support and contradict any preliminary hypothesis. The examiner's role is truth-finder, not advocate. In HR investigations, an incorrect finding can end a career.
The forensic questions: Does the workstation have ShellBag evidence for \\SRV-NGE-FS01\HR\Compensation? Do LNK files or Jump Lists reference compensation files? Do authentication logs show Williams' account accessing the file server? Can the compensation data in the shared document be matched to specific file versions via metadata or hashes? Is the data consistent with direct file access or indirect access (screenshot, verbal)? Was the shared document created with pasted data or from a file copy? Did Williams attempt to conceal access?
Investigation Principle
The legal context determines the documentation standard, not the analysis methodology. The artifact analysis is the same across all three scenarios. But the reporting differs: insurance claims require damage quantification. Regulatory notifications require personal data impact assessment. HR proceedings require clear defensible findings at the preponderance standard. Plan your documentation from the start.
Common analysis issues
"These scenarios are specific to Northgate Engineering: how do they apply to my environment?" The scenarios are vehicles for teaching artifact analysis in operational context. The specific names, dates, and file paths are fictional. The investigation types (insider threat, ransomware, access dispute) are universal. The artifact analysis techniques, the evidence reliability assessments, the corroboration methods, and the reporting standards apply to any Windows forensic examination regardless of the organization. Replace "Northgate Engineering" with your organization, and the investigation methodology is the same.
"My organization doesn't have Sysmon, advanced audit policies, or Defender for Endpoint." The NE environment is well-configured, which means more artifact sources are available. In environments with less telemetry, the disk artifacts covered in this course become even more important because they may be the only evidence available. If Event Logs don't contain process creation events (no advanced audit policy), Prefetch and Amcache become the primary execution evidence. If there's no EDR, the MFT, USN Journal, and registry become the primary sources for file and activity reconstruction. The artifact analysis skills are more valuable, not less, in under-instrumented environments.
"INC-NE-2026-1130 asks me to prove a negative: how do I prove Williams didn't access something?" You can't prove a negative from artifact evidence alone. What you can do is document: (a) the artifacts you examined and what they showed (or didn't show), (b) the artifacts you expected to find if the access occurred (ShellBags, LNK files, authentication events) and whether they are present or absent, (c) alternative explanations for absence (artifacts don't exist because the access didn't occur, or artifacts were deleted, or artifacts rotated out of retention). The examiner reports what the evidence shows and what conclusions the evidence supports, including the conclusion that the evidence is inconclusive if that is the honest assessment.
Scenario
Your MFT analysis shows a file created at 02:13:02. USN Journal confirms FILE_CREATE at 02:13:02. Prefetch shows the creating tool executed at 02:12:55. Three sources are consistent. But the Security log has no 4688 process creation event for the tool around that time, and process creation auditing was enabled. Three sources confirming, one source silent. The absence must be reconciled, not ignored. A Prefetch file is only written when the executable actually started as a process, and 4688 is generated in the kernel for every process creation, so "the tool ran in a way that evades auditing" does not explain it on its own. The explanations worth testing: the Process Creation audit subcategory was not actually in effect on this host at that time (Group Policy scope, or a later change; look for Event ID 4719), the Security log rolled over or was cleared (look for Event ID 1102 and the earliest surviving record), the log was selectively manipulated (check for EventRecordID gaps), you searched too narrow a window (each artifact timestamps its own moment of the activity, so search a minute either side and compare UTC with UTC), or the record is in a different log (Sysmon Event 1 in Microsoft-Windows-Sysmon/Operational). Correlation means reconciling all sources, including absences.
The five-step methodology
Figure WF0.12 — The five-step methodology. Each step has defined inputs, outputs, and a quality gate that must pass before proceeding.
Step 1: Identify. Every analysis begins with a question, not a tool. Map the investigation question to specific artifact categories using the selection matrix from Section 0.2 and the investigation scope from Section 0.10. For "did the subject copy files to USB between March 1 and March 15?" the primary sources are USN Journal (FILE_CREATE on removable media), MFT timestamps, and SYSTEM registry USBSTOR. Corroborating sources: ShellBags, LNK files, SRUM, Event Logs. Quality gate: at least two independent sources identified before analysis proceeds.
Step 2: Extract. Collect the artifacts identified in Step 1. Document what was extracted, from where, when (UTC), the tool and version, and the hash. This documentation is your provenance chain tracing every result to a specific location in the original evidence. Quality gate: every extracted file has a verified hash in the examination log.
Step 3: Parse. Process raw artifacts with forensic tools (MFTECmd, PECmd, SBECmd, EvtxECmd, Registry Explorer, SrumECmd). Identify critical records that answer the investigation question. For each critical record, perform raw validation against the hex data. Quality gate: every critical finding has been raw-validated.
In practice, Step 3 looks like this. You parse the $MFT with MFTECmd to CSV: 412,847 MFT records parsed in 14 seconds, including 28,441 deleted file records still in the MFT. You open mft_parsed.csv in Timeline Explorer, filter by the investigation timeframe and the target directories, and identify the critical records. Those critical records are the ones you raw-validate in a hex editor.
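The same filter applied in code rather than in Timeline Explorer, as an added example that is not part of the course material. The rows are constructed for this example; the column names are the ones MFTECmd writes (ParentPath, FileName, InUse, Created0x10, Created0x30, LastModified0x10), which is an assumption you should check against your own export. The copy and timestomp indicators are computed from the timestamps rather than read from the tool's flag columns, and a record is kept if either its $SI or its $FN created time falls in the window, so an entry whose $SI timestamps were backdated still lands in the result set.

```python
import csv
import io
from datetime import datetime

# Constructed excerpt of an MFTECmd --csv export (invented rows, not from any real case).
# Column names follow MFTECmd's output; only the columns used below are included.
MFT_CSV = r"""EntryNumber,SequenceNumber,InUse,ParentPath,FileName,Extension,FileSize,Created0x10,Created0x30,LastModified0x10
41022,3,True,.\Users\dchen\Documents\Export,spec-pack.7z,.7z,48123904,2026-09-11 21:47:02.1234567,2026-09-11 21:47:02.1234567,2026-09-11 21:49:10.0000000
41023,5,False,.\Users\dchen\Documents\Export,spec-list.txt,.txt,812,2026-09-11 21:40:55.0000000,2026-09-11 21:40:55.0000000,2026-09-11 21:40:55.0000000
9071,2,True,.\Users\dchen\Documents\Export,MS-2211-rev4.pdf,.pdf,2210443,2026-09-11 21:45:31.5000000,2026-09-11 21:45:31.5000000,2026-07-03 09:12:00.0000000
9072,2,True,.\Users\dchen\Documents\Export,MS-1087-rev2.pdf,.pdf,1804211,2026-06-02 10:01:13.0000000,2026-06-02 10:01:13.0000000,2026-06-02 10:01:13.0000000
41050,2,True,.\Users\dchen\Documents\Export,notes.docx,.docx,20480,2024-01-05 08:00:00.0000000,2026-09-10 19:02:44.0000000,2024-01-05 08:00:00.0000000
77910,1,True,.\Windows\Prefetch,7Z.EXE-A3F1B2C4.pf,.pf,31220,2026-09-11 21:46:58.0000000,2026-09-11 21:46:58.0000000,2026-09-11 21:47:40.0000000
"""

# Scenario parameters (hypothetical): the folder of interest and the investigation window.
EXPORT_DIR = r'.\Users\dchen\Documents\Export'
WINDOW_START = datetime(2026, 9, 1)
WINDOW_END = datetime(2026, 9, 12, 23, 59, 59)


def parse_ts(text):
    """MFTECmd writes seven fractional digits; Python's datetime keeps six, so drop the last tick."""
    head, _, frac = text.partition('.')
    return datetime.strptime(f"{head}.{(frac + '000000')[:6]}", '%Y-%m-%d %H:%M:%S.%f')


def filter_records(csv_text, start, end, directories):
    """Keep records under the target directories whose $SI or $FN created time is in the window,
    and annotate each with the indicators an examiner looks at first."""
    dirs = [d.lower().rstrip('\\') for d in directories]
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parent = row['ParentPath'].lower().rstrip('\\')
        if not any(parent == d or parent.startswith(d + '\\') for d in dirs):
            continue
        si_created = parse_ts(row['Created0x10'])
        fn_created = parse_ts(row['Created0x30'])
        si_modified = parse_ts(row['LastModified0x10'])
        if not (start <= si_created <= end or start <= fn_created <= end):
            continue
        hits.append({
            'entry': int(row['EntryNumber']),
            'path': f"{row['ParentPath']}\\{row['FileName']}",
            'deleted': row['InUse'].strip().lower() != 'true',
            # $SI created later than $SI modified: the file was copied in with its original modified time.
            'copy_indicator': si_created > si_modified,
            # $SI created earlier than $FN created: $SI was backdated (timestomping candidate).
            'si_before_fn': si_created < fn_created,
            'fn_created': fn_created,
        })
    hits.sort(key=lambda h: h['fn_created'])
    return hits


def export_folder_hits():
    """Apply the scenario's window and folder to the constructed export."""
    return filter_records(MFT_CSV, WINDOW_START, WINDOW_END, [EXPORT_DIR])


if __name__ == '__main__':
    for h in export_folder_hits():
        flags = [k for k in ('deleted', 'copy_indicator', 'si_before_fn') if h[k]]
        print(f"{h['entry']:>6}  {h['fn_created']}  {h['path']}  {' '.join(flags)}")
```

The rows that survive the filter are the critical records: the archive, the deleted listing, the PDF with a copy indicator, and the document whose $SI created time predates its $FN created time. Each of those is what you open in the hex editor next.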
Anti-Pattern
Treating methodology documentation as bureaucratic overhead
Without documented methodology: another examiner cannot reproduce the analysis (reproducibility failure), the examiner cannot explain their process beyond "I looked and concluded" (defensibility failure), there is no quality assurance mechanism for completeness, and there is no way to determine after the fact whether a specific artifact was analyzed or overlooked. The methodology takes no longer to execute than unstructured analysis. It takes longer to document. That documentation is the deliverable that courts, regulators, and insurance assessors evaluate.
Step 4: Correlate. Cross-reference critical findings across independent sources. Correlation works at temporal (do timestamps agree?), entity (do references point to the same file/user?), and logical levels (do findings tell a consistent narrative?). Conflicts between sources are informative, not problematic. A missing record where one is expected is as informative as a present record where none is expected. Quality gate: every critical finding supported by at least two independent sources, with conflicts investigated and resolved.
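The reconciliation described in this step and in the Scenario above (the 02:13:02 file creation and the 02:12:55 tool execution with no 4688), as an added example rather than course material. The observations, source labels and Security EventRecordIDs are constructed; the Security 4688 record is deliberately missing and the record IDs contain a hole. Timestamps are compared with a tolerance rather than for equality because each artifact stamps its own moment of the same activity, and the quality gate is the one the text states: two or more independent agreeing sources.

```python
from datetime import datetime, timedelta

TS = '%Y-%m-%d %H:%M:%S'

# Constructed observations for the scenario; sources, claims and times are invented.
OBSERVATIONS = [
    {'claim': 'file created',  'source': 'MFT $SI created',           'time': '2026-03-28 02:13:02'},
    {'claim': 'file created',  'source': 'MFT $FN created',           'time': '2026-03-28 02:13:02'},
    {'claim': 'file created',  'source': 'USN FILE_CREATE',           'time': '2026-03-28 02:13:02'},
    {'claim': 'file created',  'source': 'Security 4663 (WriteData)', 'time': '2026-03-28 02:13:41'},
    {'claim': 'tool executed', 'source': 'Prefetch last run',         'time': '2026-03-28 02:12:55'},
    {'claim': 'tool executed', 'source': 'Sysmon Event 1',            'time': '2026-03-28 02:12:55'},
]

# Sources that should carry a record for each claim if the host was logging as configured.
EXPECTED = {
    'file created':  {'MFT $SI created', 'MFT $FN created', 'USN FILE_CREATE'},
    'tool executed': {'Prefetch last run', 'Security 4688', 'Sysmon Event 1'},
}

# Constructed EventRecordIDs of the Security log entries surviving around 02:12.
SECURITY_RECORD_IDS = [118440, 118441, 118442, 118446, 118447, 118448]


def correlate(observations, expected, tolerance=timedelta(seconds=5)):
    """For each claim: sources agreeing within tolerance of the earliest observation, sources
    whose timestamps conflict with it, expected sources with no record at all, and whether the
    quality gate (at least two independent agreeing sources) passes."""
    report = {}
    for claim, must_have in expected.items():
        times = {o['source']: datetime.strptime(o['time'], TS)
                 for o in observations if o['claim'] == claim}
        anchor = min(times.values()) if times else None
        agreeing = sorted(s for s, t in times.items() if t - anchor <= tolerance)
        conflicting = sorted(s for s, t in times.items() if t - anchor > tolerance)
        report[claim] = {
            'anchor': anchor.strftime(TS) if anchor else None,
            'agreeing': agreeing,
            'conflicting': conflicting,          # investigate and resolve before concluding
            'absent': sorted(must_have - times.keys()),  # silence that must be explained
            'corroborated': len(agreeing) >= 2,
        }
    return report


def record_id_gaps(record_ids):
    """EVTX record IDs are contiguous; each hole is returned as (first_missing, last_missing).
    This is the record ID gap check the text names for selective log manipulation."""
    ids = sorted(set(record_ids))
    return [(a + 1, b - 1) for a, b in zip(ids, ids[1:]) if b - a > 1]


if __name__ == '__main__':
    for claim, r in correlate(OBSERVATIONS, EXPECTED).items():
        print(f"{claim}: anchor {r['anchor']}, corroborated={r['corroborated']}")
        print(f"  agreeing   {r['agreeing']}")
        print(f"  conflicting {r['conflicting']}")
        print(f"  absent     {r['absent']}")
    print('Security EventRecordID gaps:', record_id_gaps(SECURITY_RECORD_IDS))
```

The output is a list of things to investigate, not a conclusion: the 4663 at 02:13:41 is a conflict to explain (a later write to the same file is one candidate), the missing 4688 is an absence to explain, and the gap at 118443 to 118445 is where that explanation may lie.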
Step 5: Conclude. State the finding with five components: the claim (what the evidence proves), the confidence level (with rationale), the evidence sources (specific artifacts and records), the limitations (what the evidence does not prove), and the alternative explanations (considered and assessed). Quality gate: alternative explanations documented for every critical finding.
The methodology scales to context. For SOC triage, the five steps take 4 minutes. For a court-facing examination, each step takes hours. The methodology is the same; the depth scales to the consequence of the findings. The methodology is also iterative: discovering unexpected evidence during Step 3 adds new questions and loops back to Step 1.
Investigation Principle
A single-source finding is a data point. A corroborated finding is evidence. The difference between "MFTECmd says the file was created on March 28" and "the file was created on March 28 as confirmed by MFT $FN timestamps, USN Journal FILE_CREATE entry, and Amcache first-execution record" is the difference between tool output and defensible evidence. The correlation step is what transforms data into conclusions that survive scrutiny.
Common analysis issues
"The five-step process seems slow for triage situations." The methodology scales to the context. For SOC triage: Identify (which artifact answers "is this a true positive?": 30 seconds), Extract (the artifact is already in the EDR or SIEM: 0 seconds), Parse (query or tool output: 1 minute), Correlate (check one additional source: 2 minutes), Conclude (true positive/false positive: 30 seconds). Total: 4 minutes. For a court-facing examination: each step takes hours. The methodology is the same; the depth scales to the consequence of the findings.
"What if I find something unexpected during Step 3 that changes the investigation questions?" Good. That's how real investigations work. Document the new finding, add the new question to the investigation scope, and loop back to Step 1 for the new question. The methodology is iterative, not linear. A ransomware investigation may start with "how did the attacker get in?" and, during MFT analysis, discover evidence of data exfiltration that adds "was personal data exfiltrated?" to the scope. Document the scope change and continue.
"How detailed should the examination documentation be?" Detailed enough that a different examiner can reproduce your analysis from your notes. This means: the specific tool commands you ran (or screenshots), the specific filters you applied, the specific records you examined, the raw validation results, and the correlation logic. If the finding is "Prefetch proves 7z.exe executed on March 15 at 14:22:18" your notes should include the PECmd command, the relevant CSV row, the raw validation of the timestamp, and the corroborating USN Journal entry. For non-critical contextual analysis, a summary is sufficient.
Step 1: Identify. Which artifacts answer this question?
Every analysis begins with a question. Not with a tool. The investigation question determines which artifacts are relevant, which are primary, and which provide corroboration. Opening MFTECmd output before defining what you're looking for leads to data browsing. Defining the question first focuses the analysis.
The Identify step maps the investigation question to specific artifact categories using the artifact selection matrix from WF0.2 and the investigation scope from WF0.10. For the question "did the subject copy files to USB between March 1 and March 15?" the artifact mapping is: primary sources are USN Journal (FILE_CREATE events with parent references to removable media), MFT timestamps (files on the USB volume or copied from network to local), and SYSTEM registry USBSTOR (device connection history with timestamps). Corroborating sources are ShellBags (did the user navigate to the USB drive?), LNK files (did the user open files from the USB?), SRUM (data transfer volumes to the removable media device), and Event Logs (USB device connection events 20001/20003).
The quality gate for this step: at least two independent artifact sources must be identified as potentially answering the question before analysis proceeds. If only one source exists, the finding will be limited to single-source confidence, which should be documented in advance, not discovered at the end.
Step 2: Extract. Collect the raw artifacts
The Extract step collects the specific artifacts identified in Step 1 from the evidence source. If the evidence is a KAPE collection, the artifacts may already be extracted. The $MFT, registry hives, Prefetch files, and Event Logs are in the KAPE output directory. If the evidence is a forensic image, mount the image read-only and extract the needed artifacts.
Document the extraction: what was extracted, from where (image name, partition, path), when (UTC), the extraction tool and version, and the hash of the extracted file. This documentation is your provenance chain. It traces every analysis result back to a specific location in the original evidence.
The quality gate: every extracted artifact file has a verified hash recorded in the examination log. If an artifact file is corrupted (bad hash, truncated, zero bytes), document the corruption and note which analysis capabilities are affected.
Step 3: Parse. Process and validate
The Parse step processes raw artifacts into human-readable form using forensic tools, then validates critical findings against the raw data.
Run the appropriate tool: MFTECmd for the $MFT, PECmd for Prefetch files, SBECmd for ShellBags, EvtxECmd for Event Logs, RECmd or Registry Explorer for registry hives, SrumECmd for the SRUM database. Output to the case's output\ directory in CSV format for analysis in Timeline Explorer.
After parsing, identify the records that answer the investigation question. These are the critical records: the specific MFT entries, Prefetch files, ShellBag entries, or Event Log records that will support findings in the report. For each critical record, perform raw validation: open the original artifact in a hex editor, navigate to the record, and confirm the tool's interpretation matches the raw data. Document the validation result.
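Raw validation of an MFT record in code, as an added example that is not course material, covering the Step 3 quality gate in both the summary and this section. The script builds its own 1024-byte FILE record (entry number, file name and timestamps are invented), including the update sequence fixups NTFS applies to every 512-byte sector, because that is the detail that bites when you compare a hex dump to tool output: the last two bytes of each sector in the raw record are not data. The $STANDARD_INFORMATION and $FILE_NAME layouts and the FILETIME epoch are the documented on-disk format; the tool timestamp format assumed is MFTECmd's seven-digit fractional seconds.

```python
import struct
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)
RECORD_SIZE, SECTOR = 1024, 512
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; datetime keeps microseconds, so the last digit is dropped."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_tool_timestamp(text):
    """MFTECmd prints seven fractional digits (2026-03-28 14:22:18.1234560); keep six for comparison."""
    head, _, frac = text.partition('.')
    return datetime.strptime(f"{head}.{(frac + '000000')[:6]}", '%Y-%m-%d %H:%M:%S.%f')


def apply_fixups(raw):
    """On disk the last two bytes of each sector hold the update sequence number and the real bytes
    sit in the update sequence array; put them back, and refuse a torn or non-MFT record."""
    usa_off, usa_count = struct.unpack_from('<HH', raw, 4)
    usn = raw[usa_off:usa_off + 2]
    rec = bytearray(raw)
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError(f'fixup mismatch in sector {i}: torn record or not an MFT record')
        rec[end - 2:end] = raw[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return bytes(rec)


def parse_mft_record(raw):
    """Walk the resident attributes of one FILE record and return its $SI and $FN timestamps."""
    if raw[:4] != b'FILE':
        raise ValueError('missing FILE signature')
    rec = apply_fixups(raw)
    first_attr, flags = struct.unpack_from('<HH', rec, 0x14)
    out = {'entry': struct.unpack_from('<I', rec, 0x2C)[0],
           'in_use': bool(flags & 1), 'is_dir': bool(flags & 2), 'fn': []}
    off = first_attr
    while True:
        atype, alen = struct.unpack_from('<II', rec, off)
        if atype == ATTR_END:
            break
        if alen == 0:
            raise ValueError('zero-length attribute')
        if rec[off + 8] == 0:  # resident attribute: content offset and size sit at +0x14 and +0x10
            size, content_off = struct.unpack_from('<IH', rec, off + 0x10)
            body = rec[off + content_off:off + content_off + size]
            if atype == ATTR_SI:
                c, m, r, a = struct.unpack_from('<4Q', body, 0)
                out['si'] = dict(zip(('created', 'modified', 'mft_modified', 'accessed'),
                                     map(filetime_to_datetime, (c, m, r, a))))
            elif atype == ATTR_FN:
                parent, c, m, r, a = struct.unpack_from('<5Q', body, 0)
                name_len, namespace = body[64], body[65]
                out['fn'].append({'name': body[66:66 + 2 * name_len].decode('utf-16-le'),
                                  'namespace': namespace, 'parent_entry': parent & 0xFFFFFFFFFFFF,
                                  'created': filetime_to_datetime(c), 'modified': filetime_to_datetime(m)})
        off += alen
    return out


def raw_validate(raw, tool_timestamp_text, field='created'):
    """The Step 3 check: does the tool's $SI timestamp match what the raw record says?"""
    raw_value = parse_mft_record(raw)['si'][field]
    return raw_value == parse_tool_timestamp(tool_timestamp_text), raw_value


def _resident(atype, body):
    length = (24 + len(body) + 7) & ~7
    hdr = struct.pack('<IIBBHHH', atype, length, 0, 0, 24, 0, 0) + struct.pack('<IHBB', len(body), 24, 0, 0)
    return (hdr + body).ljust(length, b'\0')


def build_record(entry, name, si_created, fn_created, modified, usn=0x2A):
    """Construct a FILE record with one $SI and one $FN and write fixups the way NTFS does (test data)."""
    ft = datetime_to_filetime
    si = struct.pack('<4Q', ft(si_created), ft(modified), ft(modified), ft(si_created)) + bytes(40)
    fn = struct.pack('<5Q', 5 | (5 << 48), ft(fn_created), ft(modified), ft(modified), ft(fn_created))
    fn += struct.pack('<QQIIBB', 0, 0, 0, 0, len(name), 1) + name.encode('utf-16-le')  # parent: root (entry 5)
    body = _resident(ATTR_SI, si) + _resident(ATTR_FN, fn) + struct.pack('<I', ATTR_END)
    rec = bytearray(RECORD_SIZE)
    struct.pack_into('<4sHHQHHHHIIQHHI', rec, 0, b'FILE', 0x30, 3, 0, 1, 1, 0x38, 1,
                     0x38 + len(body), RECORD_SIZE, 0, 3, 0, entry)
    rec[0x38:0x38 + len(body)] = body
    struct.pack_into('<H', rec, 0x30, usn)
    for i in range(2):  # stash each sector's last two bytes in the USA, then overwrite them with the USN
        end = (i + 1) * SECTOR
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        struct.pack_into('<H', rec, end - 2, usn)
    return bytes(rec)


# Constructed record: invented entry number, name and timestamps.
SAMPLE_RECORD = build_record(41022, 'spec-pack.7z',
                             datetime(2026, 3, 28, 14, 22, 18, 123456),
                             datetime(2026, 3, 28, 14, 22, 18, 123456),
                             datetime(2026, 3, 28, 14, 25, 0))

if __name__ == '__main__':
    ok, value = raw_validate(SAMPLE_RECORD, '2026-03-28 14:22:18.1234560')
    print('raw $SI created =', value, '| matches tool output:', ok)
```

Point the parser at the 1024 bytes starting at the entry's offset in a real $MFT (entry number times 1024) and compare against the CSV row; a fixup mismatch means you are not looking at a valid record, and a timestamp mismatch means the tool output cannot go into the report as-is.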