Forensic Analysis Notebooks

These notebooks are the technical appendix to the incident report. They walk through static analysis pathways, evidence ledger classification, artifact metadata validation, PE feature analysis, and deep PE dissection.

They are static HTML exports, not live notebooks. They do not execute attacker-provided code in the browser. The collection uses sanitized fixtures, fake data, public indicators, and derived summaries so readers can inspect the reasoning safely.

Suggested Reading Order

Read in order. The sequence moves from analysis map to artifact validation, static PE features, evidence boundary, and deep dissection.

  1. Analysis Map and Safety Boundary

    Maps the complete incident architecture, public/private evidence boundary, and claim-confidence model.

  2. Artifact Metadata and Checksums

    Validates and displays the ZIP archive and PE hashes and basic file properties.

  3. Static PE Feature Analysis

    Displays the static features (Go runtime version, certificates CN, dynamically loaded dlls, memory protections).

  4. Evidence Boundary and Claims Classification

    Maps the claims using the capability != observed execution != proven transmission ledger.

  5. Deep PE Dissection and Reverse Engineering

    Dissects PE headers, sections entropy, import tables, and certificate directory signatures statically.

Safety Boundary

The collection uses reviewed static metadata fixtures, hashes, and compiler strings. In compliance with strict defensive disclosure guidelines, no execution is performed, no live network traffic is captured, and raw attacker-provided binaries are omitted.