Digital Forensics Investigation - Caelus Engineering Case
Conducted a digital forensic investigation of a simulated insider data exfiltration incident. The case study correlates disk, memory, registry, browser, email, USB, and network artefacts into a concise incident narrative.

Summary
Project context
A course-based simulated case study focused on reconstructing a suspected insider data exfiltration event at Caelus Engineering without exposing sensitive evidence files.
Problem / goal
The goal was to determine whether data had been accessed, staged, concealed, or exfiltrated, then translate technical evidence into remediation actions that a security team could act on.
My role
Digital forensic investigator for a course-based simulated case.
What I personally contributed
- Correlated disk, memory, registry, browser, email, USB, and packet-capture artefacts into a single investigation timeline.
- Used hashing, artefact cross-checking, and timeline analysis to separate stronger indicators from system noise.
- Translated technical findings into remediation recommendations for account, endpoint, logging, DLP, and legal follow-up.
Technical approach
- Correlated Windows SAM and SOFTWARE hives with Chrome credentials, cookies, browser traces, LNK files, pagefile strings, email artefacts, USBSTOR, SetupAPI, and packet captures.
- Used hashing, timeline analysis, memory review, and artefact cross-checking to reduce false positives and separate user activity from system noise.
- Documented findings as a safe case study that discusses indicators and remediation without publishing evidence files.
Key features
- Host, memory, browser, email, USB, and network artefact review.
- Incident timeline reconstruction across multiple evidence sources.
- Evidence integrity checks using MD5 and SHA256 hashing.
- Remediation plan for account, endpoint, logging, DLP, and legal follow-up.
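An added example (not code from the course case, and using no case evidence) of two techniques named in the technical approach and key features above: normalising artefacts from several sources into one timeline, flagging activity after the loss was reported, checking how many independent sources corroborate an anchor event, and recording MD5/SHA256 integrity hashes for evidence. All sources, timestamps, descriptions and the loss-report time are constructed and hypothetical.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample artefacts (hypothetical, not the case evidence):
# (source, UTC timestamp, description)
ARTEFACTS = [
    ("Email",    "2024-03-10T08:15:00Z", "outbound mail with archive attachment"),
    ("Browser",  "2024-03-11T17:05:00Z", "bulk cloud-drive download"),
    ("USBSTOR",  "2024-03-12T09:41:00Z", "removable disk first connected"),
    ("SetupAPI", "2024-03-12T09:41:20Z", "driver installed for removable disk"),
    ("LNK",      "2024-03-12T09:52:00Z", "project archive opened from removable drive"),
    ("MFT",      "2024-03-13T07:30:00Z", "project archive deleted"),
]
LOSS_REPORTED = "2024-03-12T08:00:00Z"  # hypothetical time the loss was reported

def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_timeline(records):
    """Normalise heterogeneous artefact records into one list ordered by time."""
    events = [{"source": src, "ts": parse_ts(ts), "desc": d} for src, ts, d in records]
    return sorted(events, key=lambda e: e["ts"])

def post_loss_activity(records, loss_reported):
    """Events after the loss was reported: candidate 'post-loss access' indicators."""
    cutoff = parse_ts(loss_reported)
    return [e for e in build_timeline(records) if e["ts"] > cutoff]

def corroborating_sources(records, anchor_ts, window_minutes=15):
    """Distinct artefact sources within +/- window of an anchor time. More
    independent sources make a finding stronger; one alone may be system noise."""
    anchor = parse_ts(anchor_ts)
    delta = timedelta(minutes=window_minutes)
    return sorted({e["source"] for e in build_timeline(records)
                   if abs(e["ts"] - anchor) <= delta})

def evidence_hashes(data):
    """MD5 and SHA256 of an evidence file, as recorded in the chain of custody."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def verify_evidence(data, expected):
    """True only if every recorded hash matches; any mismatch means the copy is untrusted."""
    actual = evidence_hashes(data)
    return all(actual.get(alg) == digest for alg, digest in expected.items())

if __name__ == "__main__":
    for e in build_timeline(ARTEFACTS):
        print(e["ts"].isoformat(), e["source"].ljust(8), e["desc"])
    print("post-loss:", [e["source"] for e in post_loss_activity(ARTEFACTS, LOSS_REPORTED)])
```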
Impact / results
- Identified indicators of internal data exfiltration and concealment, including post-loss file access, bulk Google Drive downloads, SanDisk USB activity, missing Prefetch files, deleted archives, and SpyAgent traces.
- Produced remediation recommendations covering MFA, endpoint USB monitoring, DLP controls, Google Workspace log preservation, forensic imaging, hash comparison, and HR/legal follow-up.
What I learned
- Forensic conclusions are stronger when timeline, registry, browser, network, email, and removable media artefacts support the same story.
- Security reporting needs both technical precision and careful wording, especially when evidence cannot be shared publicly.