03 · Forensics

Network Forensics

Reading the traffic for what it meant to hide.

Overview

Analysis of network traffic and infrastructure to identify anomalies, unauthorized access patterns, and data movement across systems — connecting what moved on the wire with what happened on the host.

Capabilities

What engagements deliver.

Each engagement is scoped to the incident. The capabilities below define the outer envelope of what we bring to the work.

C.01

Packet capture & traffic analysis

Deep inspection of captured traffic, flow records, and metadata to reconstruct sessions and protocols.

C.02

Lateral movement detection

Identify persistence mechanisms, credential reuse, and east-west patterns typical of advanced intrusions.

C.03

Data exfiltration patterns

Recognize staged, chunked, and covert transfer behaviors against a baseline of expected activity.

C.04

Network–endpoint correlation

Fuse network telemetry with host artifacts to produce a single, time-aligned picture of the event.

Lateral Movement Map

Reading intent in the spaces between hosts.

A representative lateral-movement path, reconstructed from flow, authentication, and endpoint telemetry.

[Figure: lateral-movement map. Stages, left to right: Perimeter, Distribution, Core, Lateral, Egress. Nodes: edge/fw, dc/01, dc/02, file-srv, jump-host, db-cluster, egress. Segments: SEG-01 (Trusted), DMZ, Egress. Paths are coloured by state: trust or alert.]

Live telemetry (east-west capture #041), 5 events:
  • 14:02:11  auth     Kerberos TGT requested from WS-14
  • 14:02:40  smb      SMB access to file-srv \\shares\finance
  • 14:05:02  lateral  PsExec session → jump-host
  • 14:09:18  stage    Staging archive written to /tmp/a.7z
  • 14:14:51  exfil    Outbound TLS → 185.220.* (egress)
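The map above is the product of capability C.04: three telemetry sources with three different schemas, fused into one time-ordered chain. The script below is an added example of that correlation, written for this page and not ISRM tooling. It normalises constructed authentication, flow and endpoint records into one timeline, then walks it for the sequence the map shows (authentication on a workstation, an SMB hop, a remote service appearing on the hop's target, an archive staged there, and a large outbound flow from the same host). Every record, hostname, IP address, field name and threshold in it is constructed for illustration; the external address is from the documentation range, not the egress seen on the map.

```python
"""Time-aligned correlation of auth, flow and endpoint telemetry.

Walks a merged timeline for the chain the map above shows:
auth on A -> SMB from A to B -> remote service installed on B ->
archive staged on B -> large outbound flow from B to an external address.
Every record, host name, address and threshold here is constructed for
illustration; nothing is taken from a real capture."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# --- constructed sample telemetry, one schema per source -------------------
AUTH_LOG = [  # (utc timestamp, source host, event, detail)
    ("2024-05-01T14:02:11Z", "WS-14", "kerberos_tgt_request", {"user": "j.doe"}),
]
FLOW_RECORDS = [  # (utc timestamp, src ip, dst ip, dst port, bytes out)
    ("2024-05-01T14:02:40Z", "10.10.20.14", "10.10.30.5", 445, 120_000),     # share read
    ("2024-05-01T14:05:02Z", "10.10.20.14", "10.10.40.9", 445, 4_000),       # ADMIN$ push
    ("2024-05-01T14:14:51Z", "10.10.40.9", "203.0.113.7", 443, 48_000_000),  # egress
]
ENDPOINT_EVENTS = [  # (utc timestamp, host, event, detail)
    ("2024-05-01T14:05:03Z", "jump-host", "service_installed", {"name": "PSEXESVC"}),
    ("2024-05-01T14:09:18Z", "jump-host", "file_created", {"path": "/tmp/a.7z"}),
]
HOST_BY_IP = {"10.10.20.14": "WS-14", "10.10.30.5": "file-srv", "10.10.40.9": "jump-host"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space
ARCHIVE_SUFFIXES = (".7z", ".zip", ".rar")


@dataclass
class Event:
    ts: datetime
    host: str      # host the event is attributed to (for a flow: the source)
    source: str    # "auth" | "flow" | "endpoint"
    kind: str
    detail: dict = field(default_factory=dict)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def normalise(auth, flows, endpoint) -> list[Event]:
    """Map each source's schema onto Event and return one timeline sorted by time."""
    events = [Event(parse_ts(ts), host, "auth", kind, dict(d)) for ts, host, kind, d in auth]
    for ts, src, dst, dport, nbytes in flows:
        if dport == 445:
            kind = "smb_flow"
        elif not is_internal(dst):
            kind = "external_flow"
        else:
            kind = "flow"
        events.append(Event(parse_ts(ts), HOST_BY_IP.get(src, src), "flow", kind,
                            {"dst": HOST_BY_IP.get(dst, dst), "dport": dport, "bytes": nbytes}))
    events += [Event(parse_ts(ts), host, "endpoint", kind, dict(d)) for ts, host, kind, d in endpoint]
    return sorted(events, key=lambda e: e.ts)


def _first(events, pred, after: datetime, within: timedelta):
    """First event satisfying pred in the window [after, after + within]."""
    return next((e for e in events if after <= e.ts <= after + within and pred(e)), None)


def reconstruct_chain(events, window=timedelta(minutes=15),
                      exec_lag=timedelta(seconds=30), exfil_bytes=10_000_000) -> list[Event]:
    """Return the five-event chain [auth, smb, service, staging, exfil], or [] if
    the timeline holds no complete chain.  The SMB hop must be followed by a
    service install on the *target* within exec_lag; an SMB flow with no host
    artifact behind it (ordinary share access) is skipped, not flagged."""
    for auth in (e for e in events if e.source == "auth"):
        src = auth.host
        for smb in (e for e in events if e.kind == "smb_flow" and e.host == src
                    and auth.ts <= e.ts <= auth.ts + window):
            tgt = smb.detail["dst"]
            svc = _first(events, lambda e: e.host == tgt and e.kind == "service_installed",
                         smb.ts, exec_lag)
            if svc is None:
                continue
            stage = _first(events, lambda e: e.host == tgt and e.kind == "file_created"
                           and e.detail.get("path", "").endswith(ARCHIVE_SUFFIXES), svc.ts, window)
            if stage is None:
                continue
            exfil = _first(events, lambda e: e.host == tgt and e.kind == "external_flow"
                           and e.detail["bytes"] >= exfil_bytes, stage.ts, window)
            if exfil is None:
                continue
            return [auth, smb, svc, stage, exfil]
    return []


def render(chain) -> list[str]:
    """One line per event, in the map's timestamp / source / host form."""
    return [f"{e.ts:%H:%M:%S}  {e.source:<8} {e.host:<10} {e.kind}" for e in chain]


if __name__ == "__main__":
    timeline = normalise(AUTH_LOG, FLOW_RECORDS, ENDPOINT_EVENTS)
    print("\n".join(render(reconstruct_chain(timeline))))
```

Two design points carry over to real engagements. First, the share read to file-srv at 14:02:40 is a legitimate-looking SMB flow with no host artifact behind it; the walker skips it rather than flagging every port-445 connection, which is what keeps east-west correlation from drowning in noise. Second, the exfil step is anchored on the hop's target rather than on the original workstation, because the staging archive and the outbound flow both belong to jump-host; an attacker who moves before exfiltrating breaks any rule that only watches the first compromised host. The byte threshold stands in for the per-host baseline a real deployment would compute.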

When the incident starts,
the clock already has.

Reach an ISRM investigator directly. From first call to an engaged team in under an hour.