Attack Path Reconstruction
We connected fragmented evidence to help leadership make informed decisions about recovery, rebuilding, and hardware reuse.

Industries
Maritime
Services
Digital Forensics
About the project
After a disruptive encryption incident affected several connected systems, a maritime organization needed to determine where the compromise most likely began, how the attacker progressed through the environment, and whether more analysis could materially change the root-cause conclusion. The answers would shape recovery and decisions about affected hardware.
Some evidence needed to trace movement between systems was no longer available. The investigation had to provide useful direction without treating gaps as facts, while making the remaining uncertainty clear to leadership.
What we did
- We examined forensic artifacts from an internet-facing communications system, Windows servers, and domain infrastructure. We aligned evidence of persistence, credential-capture tooling, remote access, scripted data staging, internal discovery, and disruptive encryption in a single timeline. This established the order of confirmed activity and outlined the best-supported progression of the compromise over several months.
- We compared remote-management and persistence artifacts across separate systems. Shared infrastructure and matching configurations tied the earliest confirmed Windows foothold to an earlier compromise on the communications system. That sequence, combined with the system’s long-standing public exposure, made it the strongest supported starting point for the wider compromise in the available evidence.
- Several high-value sources were already gone, including security logs covering key activity and older backups from affected systems. We separated confirmed events from inferred movement and assessed whether another path was better supported by the evidence that remained. The exact credential, session, or relay method used to move between systems could not be established, and we stated that limit clearly.
- We delivered a concise root-cause position quickly enough to support recovery work, documented the remaining uncertainty, and explained why further investigation was unlikely to materially change the central conclusion. Leadership could then make more confident decisions about wiping, rebuilding, repurposing, and returning affected hardware to service rather than extending an open-ended investigation.
Technologies Used

Microsoft Windows
Powershell
Virus Total

