Forensic Analysis Notebooks
These notebooks are the technical appendix to the incident report. They walk through static analysis pathways, evidence ledger classification, artifact metadata validation, PE feature analysis, and deep PE dissection.
They are static HTML exports, not live notebooks. They do not execute attacker-provided code in the browser. The collection uses sanitized fixtures, fake data, public indicators, and derived summaries so readers can inspect the reasoning safely.
Suggested Reading Order
Read in order. The sequence moves from analysis map to artifact validation, static PE features, evidence boundary, and deep dissection.
- Analysis Map and Safety Boundary
Maps the complete incident architecture, public/private evidence boundary, and claim-confidence model.
- Artifact Metadata and Checksums
Validates and displays the ZIP archive and PE hashes and basic file properties.
- Static PE Feature Analysis
Displays the static features (Go runtime version, certificates CN, dynamically loaded dlls, memory protections).
- Evidence Boundary and Claims Classification
Maps the claims using the capability != observed execution != proven transmission ledger.
- Deep PE Dissection and Reverse Engineering
Dissects PE headers, sections entropy, import tables, and certificate directory signatures statically.
Safety Boundary
The collection uses reviewed static metadata fixtures, hashes, and compiler strings. In compliance with strict defensive disclosure guidelines, no execution is performed, no live network traffic is captured, and raw attacker-provided binaries are omitted.