Our Process

How Digital Forensics Investigation Works

A four-phase forensic methodology built around Identify, Preserve, Analyze, and Report. Petronella Technology Group handles cybercrime investigations for Raleigh, Durham, Chapel Hill, and businesses across North Carolina and the Southeast.

NC DFE #604180 | CMMC-AB RPO #1449 | BBB A+ Since 2003 | Founded 2002

Why Methodology Matters

Why Is Process the Product in Digital Forensics?

When your business is staring down a breach, a suspected insider threat, a wire-fraud loss, or a crypto theft, the value of a digital forensics engagement is not the tools we open on day one. It is the discipline of the process we follow from the first phone call through the final report. Petronella Technology Group has been doing this work in North Carolina since 2002, and every investigation we take on moves through the same four phases in the same order. The phases exist because digital evidence is fragile. A single careless reboot, a well-meaning IT administrator running malware cleanup before artifacts are preserved, or an endpoint detection tool auto-quarantining a binary can turn a recoverable case into a lost one.

Our methodology aligns with the NIST SP 800-86 guide for integrating forensic techniques into incident response and with the ISO/IEC 27037 standard for identification, collection, acquisition, and preservation of digital evidence. We do not need exotic tools to do good work. Most of what we use is built on battle-tested open-source tooling that has been cited in court filings for years, paired with the written procedures that let another examiner reproduce our findings step for step. That reproducibility is what makes our work defensible in front of your counsel, your insurance carrier, your regulator, or a judge.

We also write every engagement so it can be handed off. If our work product becomes evidence in a civil suit, our report should give your attorney everything they need to bring in a second expert for review. If the case moves to criminal referral, our timeline should fit cleanly into a search warrant affidavit. If your cyber insurance carrier needs proof of a covered event and reasonable remediation effort, our chain-of-custody documentation should satisfy them without follow-up calls. Good process removes friction later.

Specialty Scope

What Cases Does Petronella Technology Group Actually Investigate?

Our team has a specific focus. We stay in lanes where we can do defensible work, and we refer cases that fall outside that scope to a trusted partner network so you still get the right help.

Core Specialties

Petronella Technology Group focuses on the incident types that hit small and mid-sized businesses in North Carolina most often and where we have the deepest bench of experience.

  • SIM-swap account takeover
  • Cryptocurrency theft and scam tracing
  • Business email compromise (BEC) and wire fraud
  • Ransomware incident reconstruction
  • Network forensics
  • Cloud-artifact forensics (Microsoft 365, Google Workspace)

Referred to Partners

Some forensics work requires tool licenses or licensure we do not hold. We will say so on the first call, and we will connect you with a trusted partner who can handle it end to end.

  • Physical surveillance or process service
  • Mobile device physical extraction
  • Large-firm review-platform e-discovery
  • Family-law and custody device imaging
  • Vehicle-infotainment and IoT device forensics

Real Engagements

How the Process Looks in Practice

Anonymized summaries of engagement patterns we see most often. No client identifiers, no fabricated detail. These are the kinds of cases our four-phase process is built around.

The Friday-Night BEC That Everyone Called a Typo

A North Carolina manufacturer wires mid-six figures on a Friday afternoon to a supplier they have worked with for years. The wire instructions came in by email, reviewed by the controller, matched the supplier's stationery, and referenced a live purchase order. The wire hits the receiving bank and is gone by Monday. The controller is embarrassed, the CFO is furious, and the IT team is digging through mail logs with no clear answer. We get the call Tuesday morning.

In Phase 1 we scope the incident around the controller's mailbox, the CFO's mailbox, the shared accounts-payable mailbox, the supplier-facing relationship manager's mailbox, the M365 tenant audit log, and the endpoint used by the controller. Phase 2 preserves mailbox exports, unified audit logs, sign-in logs, and a memory plus disk image of the controller's workstation before anything else is touched. Phase 3 finds a mail-forwarding rule created through an OAuth-consented third-party app three weeks earlier, a typo-squatted sender domain registered two weeks before the wire, and a TeamViewer session that ran for seven minutes on the night the fraudulent purchase order was edited. Phase 4 ties it together in a report the client hands to their insurance carrier, which triggers payout under the social engineering fraud rider. Counsel uses the same report to support a recovery demand against the receiving bank. None of this was possible without preservation on day one.

The Ransomware Negotiation That Never Happened

A dental practice is hit with ransomware on a Sunday night. Their MSP runs a well-meaning malware cleanup Monday morning before calling us. By the time we are engaged, the primary infected workstation has been reimaged, the server has been rolled back from a three-day-old VM snapshot, and three of the encryption binaries are gone. What is still intact is the firewall, the RMM tool logs, and a memory capture of the infected endpoint taken by a third-party EDR agent that happened to be running. Phase 2 preserves those sources. Phase 3 identifies the initial access as a phished MSP technician credential, names the ransomware family, finds no evidence of data exfiltration in the firewall NetFlow for the window it covers, and documents that the file-server impact was bounded to a known set of shares. Phase 4 gives the practice written evidence of non-exfiltration, which matters enormously for their HIPAA breach determination under the four-factor risk assessment. They file a low-probability determination with documentation, their insurance reimburses the MSP's emergency work, and they do not pay the ransom. A measured forensic approach beat an impulse to pay.

The Crypto Theft Where We Followed the Money

A retail investor in Raleigh loses low-seven figures to a pig-butchering romance-investment scheme routed through a fake trading platform. By the time we are engaged, the funds have already moved through a first mixer. Phase 1 scopes around the original wallet addresses, the bridge transactions, and the communication channels. Phase 2 preserves browser history, Telegram and WhatsApp exports, email correspondence, and the victim's wallet transaction records with cryptographic signatures attached. Phase 3 traces the funds across chains using public on-chain analysis techniques, identifies a deposit address on a centralized exchange that is within US legal reach, and documents the transaction graph with block heights and transaction IDs preserved for court. Phase 4 delivers a report the victim's attorney uses to secure a subpoena on the exchange and initiate a civil freeze. Not every case ends in recovery, but defensible evidence makes recovery possible.

First 24 Hours

What Do You Need to Provide on Day One?

A short briefing call, a few decisions, and a handful of pieces of context are enough to get a case moving in the right direction.

01

Confidential briefing call

Thirty to sixty minutes with the person or people who know the incident best. No tools touched yet.

02

Counsel of record

If you have outside counsel, we work under privilege from the first call. If not, we flag where you might want them.

03

Evidence freeze instructions

We tell your team what to stop doing immediately. Rebooting, re-imaging, and malware cleanup can destroy the case.

04

Device and data inventory

Short list of every endpoint, cloud tenant, mailbox, and log source that may hold evidence. We help you build it.

05

Written engagement scope

Scoped in writing before any acquisition. Fixed boundaries on what we image, analyze, and report on.

06

Preservation hold notice

Where counsel is involved, we help draft the preservation hold language for internal custodians and cloud providers.

Common Mistakes

Which Well-Meaning Actions Hurt a Forensic Case the Most?

Most of the evidence loss in a cybercrime investigation happens in the first 24 hours, and it happens because good people are trying to help. If you are reading this during an incident, here is the short list of things to stop doing right now.

  • Do not reboot affected systems. Volatile memory contains running processes, network connections, decryption keys, and injected code that will be gone forever the moment you power-cycle. If you can leave the machine running and disconnect its network cable instead, do that.
  • Do not reimage yet. Reimaging in the first 48 hours trades a recoverable forensic case for a clean laptop. Spin up a replacement device for the user if they need to work, and let our team image the original first.
  • Do not let anti-malware clean. Quarantine and auto-remediation silently destroy the malicious binaries and persistence mechanisms we need to identify for attribution, insurance claims, and forward protection. Disable automatic cleanup on the affected hosts until evidence is collected.
  • Do not delete the suspicious email. Whether it is a phish that started the BEC or a negotiation message from a ransomware operator, that message is evidence. Preserve it with full headers intact: leave the original in the mailbox and give your forensic team a copy exported as an .eml or .msg file or forwarded as an attachment, because an inline forward rewrites the headers and loses the original Received chain.
  • Do not restore from backup before triage. Rolling a server back to a pre-incident snapshot before forensic collection means we may never establish how the attacker got in. You will patch the symptom and live with the root cause.
  • Do not talk to the attacker alone. If a threat actor is in active communication with someone at your company, loop in your forensic team and counsel before the next message goes out. Casual replies have reshaped entire legal strategies in the wrong direction.

None of these mistakes are career-ending. We have recovered cases where every one of them happened. But every mistake narrows the investigation and raises the cost, and avoiding them is free.

Tools and Techniques

The Open-Source Forensic Stack We Run

We lean on a small, well-understood open-source toolkit and document every command we run. Nothing exotic, nothing proprietary that would lock a client into us for future work.

Acquisition

Write-blocked imaging is done with dd, dc3dd, and ewfacquire from the libewf project. We prefer the Expert Witness (E01) format, which libewf implements, for its compression and inline hash verification, with a raw dd image as the fallback when the case calls for a format-neutral image. Every acquisition is paired with an MD5 and a SHA-256 hash recorded at collection, embedded in the image file where the format supports it, and written into the chain-of-custody log; verification means recomputing both hashes over the stored image and comparing them to that record before analysis starts. Memory acquisition uses LiME on Linux hosts, WinPmem on Windows hosts, and OSXPmem on macOS, with the caveat that recent macOS releases restrict kernel-extension loading, so a full physical memory capture is not always possible and the engagement record states what was and was not acquired. For cloud artifact collection we use vendor-native export APIs where available, documented so our steps are reproducible by a second examiner.
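Here is what the hash-at-collection step looks like in code, as an added example rather than the firm's own tooling: a streaming copy that hashes bytes as they are read, writes a chain-of-custody sidecar, and a verify step a second examiner runs before analysis. The source path, sidecar name, and case identifiers are illustrative, and the sample source is a constructed file standing in for a write-blocked device.

```python
"""Streaming acquisition with inline MD5/SHA-256 hashing, a chain-of-custody
sidecar, and independent re-verification of the stored image.

Added example, not the firm's tooling. Assumes the source is any readable path
(a write-blocked block device such as /dev/sdb, or a file); the custody record
is a JSON sidecar next to the image; all names are illustrative.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory flat on multi-terabyte sources


def acquire(source: str, image_path: str, examiner: str, case_id: str) -> dict:
    """Copy source to image_path byte for byte, hashing the bytes as they are read.

    Hashing inline means the recorded digests describe exactly what was read
    from the evidence, not a second pass over the already-written image.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size = 0
    started = datetime.now(timezone.utc).isoformat()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # the digests only mean something once bytes are on disk
    record = {
        "case_id": case_id, "examiner": examiner, "source": source,
        "image": image_path, "bytes": size,
        "md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
        "acquired_utc": started,
        "completed_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(image_path + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def hash_file(path: str) -> tuple:
    """Recompute MD5 and SHA-256 over a stored image (the second examiner's step)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def verify(image_path: str) -> dict:
    """Compare the image on disk against its custody record.

    Every value must be True before the image is used for analysis; any
    mismatch is itself a finding that goes in the report.
    """
    with open(image_path + ".custody.json") as f:
        record = json.load(f)
    md5_now, sha256_now = hash_file(image_path)
    return {
        "md5_ok": md5_now == record["md5"],
        "sha256_ok": sha256_now == record["sha256"],
        "size_ok": os.path.getsize(image_path) == record["bytes"],
    }


def demo_acquisition() -> dict:
    """End-to-end run on a constructed source in a temp directory.

    Stands in for a write-blocked device with ~10 MiB of patterned bytes, then
    simulates a stray write to the image (e.g. it was mounted read-write).
    """
    workdir = tempfile.mkdtemp(prefix="forensic-demo-")
    source = os.path.join(workdir, "evidence_src.bin")
    image = os.path.join(workdir, "evidence.dd")
    data = bytes(range(256)) * 40000  # constructed sample, spans several CHUNK reads
    with open(source, "wb") as f:
        f.write(data)
    record = acquire(source, image, "examiner-1", "CASE-0001")
    clean = verify(image)
    with open(image, "ab") as f:
        f.write(b"\x00")
    return {
        "record": record,
        "reference_md5": hashlib.md5(data).hexdigest(),
        "reference_sha256": hashlib.sha256(data).hexdigest(),
        "verify_clean": clean,
        "verify_tampered": verify(image),
    }


if __name__ == "__main__":
    print(json.dumps(demo_acquisition(), indent=2))
```

dc3dd and ewfacquire do this hashing inline on real devices; the point of the script is that verification recomputes both digests over the stored image and compares them to the record taken at collection, and that a size or digest mismatch is reported, never silently corrected.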

Analysis

The Sleuth Kit and Autopsy carry the load for disk-image analysis. They give us timeline construction, deleted-file recovery, NTFS and ext4 metadata extraction, and signature-based file identification. Volatility 3 handles memory forensics: process listing, injected code detection, handle analysis, and registry extraction from page-cached hives. For network evidence we use Wireshark for interactive packet work and Zeek for corpus-scale analysis that produces conn, dns, http, ssl, files, and weird logs. Suricata gets pointed at packet captures to replay traffic against updated signature rules. Yara rules let us hunt for known indicator patterns across images and memory. Everything gets glued together with Python scripts that write to versioned Jupyter notebooks so the analysis steps stay auditable.
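The exfiltration check behind the dental-practice summary above, as an added example (not the firm's code): it parses a Zeek conn.log, totals the bytes each internal host sent to each external peer, flags anything above a threshold, and checks whether the log actually covers the suspected dwell window. The internal ranges, the threshold, and the log lines are constructed.

```python
"""Outbound-volume check over a Zeek conn.log, the kind of evidence behind a
"no exfiltration observed" statement, plus the coverage check that has to
accompany it.

Added example, not the firm's tooling. It assumes a standard conn.log with a
#fields header; the internal ranges and the log lines below are constructed
(RFC 1918 hosts, documentation-range externals).
"""
import ipaddress
from datetime import datetime, timezone

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample. Zeek writes tab-separated fields and '-' for unset values;
# spaces are converted to tabs below so the sample stays readable here.
_RAW = """
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state
#types time string addr port addr port enum string interval count count string
1741566000.0 CsAmp1 10.0.5.21 51022 203.0.113.10 443 tcp ssl 12.4 2100 48000 SF
1741570000.0 CsAmp2 10.0.5.21 51030 10.0.5.5 445 tcp smb 300.1 1500000 300000 SF
1741588000.0 CsAmp3 10.0.5.40 44210 198.51.100.23 443 tcp ssl 5400.0 9800000000 120000 SF
1741592000.0 CsAmp4 10.0.5.40 44218 198.51.100.23 443 tcp ssl 2300.0 4100000000 90000 SF
1741595000.0 CsAmp5 10.0.5.21 51100 203.0.113.55 22 tcp ssh 40.0 1200 8000 SF
1741598000.0 CsAmp6 10.0.5.77 50001 203.0.113.88 443 tcp - - - - S0
1741600000.0 CsAmp7 10.0.5.9 39000 192.0.2.200 443 tcp ssl 900.0 520000000 40000 SF
"""
SAMPLE_CONN_LOG = "\n".join("\t".join(line.split()) for line in _RAW.strip().splitlines())


def parse_conn_log(text: str) -> list:
    """Parse conn.log rows into dicts; '-' becomes None, byte counts become ints."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rec = dict(zip(fields, line.split("\t")))
            for k in ("orig_bytes", "resp_bytes"):
                rec[k] = None if rec[k] == "-" else int(rec[k])
            rec["ts"] = float(rec["ts"])
            rows.append(rec)
    return rows


def is_internal(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_summary(rows) -> dict:
    """Bytes sent by each internal host to each external peer (internal-to-internal is skipped)."""
    summary = {}
    for r in rows:
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if not is_internal(src) or is_internal(dst):
            continue
        s = summary.setdefault((src, dst), {"bytes_out": 0, "bytes_in": 0, "flows": 0})
        s["bytes_out"] += r["orig_bytes"] or 0
        s["bytes_in"] += r["resp_bytes"] or 0
        s["flows"] += 1
    return summary


def flag_exfil(rows, threshold_bytes: int = 1_000_000_000) -> list:
    """Internal hosts that pushed more than threshold_bytes to a single external peer."""
    hits = []
    for (src, dst), s in outbound_summary(rows).items():
        if s["bytes_out"] >= threshold_bytes:
            hits.append({"orig_h": src, "resp_h": dst, **s})
    return sorted(hits, key=lambda h: h["bytes_out"], reverse=True)


def covers(rows, start_iso: str, end_iso: str) -> bool:
    """True only if the log spans the whole suspected dwell window (UTC).

    Without this, 'no exfiltration seen' only means 'none seen in the hours we
    happen to have', which is not what a breach determination needs.
    """
    def epoch(s):
        return datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp()
    ts = [r["ts"] for r in rows]
    return bool(ts) and min(ts) <= epoch(start_iso) and max(ts) >= epoch(end_iso)


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    for h in flag_exfil(rows):
        print(f"{h['orig_h']} -> {h['resp_h']}: {h['bytes_out']:,} bytes out over {h['flows']} flows")
    print("covers suspected dwell window:", covers(rows, "2025-03-01T00:00:00", "2025-03-10T09:00:00"))
```

The threshold is a scoping decision, not a constant: for a practice whose entire patient database fits in a few hundred megabytes, the default of one gigabyte is far too high, which is why the function takes it as a parameter. The coverage check is what turns "nothing in NetFlow" into a statement the report can defend.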

Crypto Tracing

For crypto cases we work the public blockchain directly. We use open-source clients and block explorers, pair them with graph-visualization tooling, and preserve the raw transaction records with block heights and timestamps before we build any narrative. Where a case reaches a centralized exchange that has US legal exposure, our report preserves the specific deposit-address-to-wallet trail your counsel needs for a subpoena. We do not replicate the full capability of commercial chain-analysis platforms, but we match them well enough for the tracing work that matters in most theft, scam, and recovery cases we see.
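Tracing as a graph walk, as an added example that is not the firm's tooling and that also serves the crypto-theft summary earlier on this page: the ledger rows, addresses, and block heights are constructed, and the known-exchange deposit set stands in for whatever attribution the case has. The walk refuses to follow an output that left an address before the victim's funds arrived there, which is the mistake that over-attributes a trace.

```python
"""Following funds through a transaction graph from a victim wallet to a
deposit address at an identifiable exchange, honouring block order so the
trace never follows money that moved before it arrived.

Added example, not the firm's tooling. The transactions, addresses and block
heights below are constructed; on a real case the records come from a node or
explorer export and are preserved (txid, block height, timestamp) before any
graph is drawn.
"""
from collections import defaultdict

# Constructed ledger: one row per transfer, already filtered to the addresses of interest.
SAMPLE_TXS = [
    {"txid": "tx-001", "block": 100, "from": "VICTIM-WALLET",  "to": "PLATFORM-HOT-1",  "value": 50.0},
    {"txid": "tx-002", "block": 130, "from": "PLATFORM-HOT-1", "to": "MIXER-IN-1",      "value": 49.9},
    {"txid": "tx-003", "block": 160, "from": "MIXER-IN-1",     "to": "MIXER-OUT-A",     "value": 25.0},
    {"txid": "tx-004", "block": 161, "from": "MIXER-IN-1",     "to": "MIXER-OUT-B",     "value": 24.8},
    {"txid": "tx-005", "block": 200, "from": "MIXER-OUT-A",    "to": "EXCH-DEPOSIT-07", "value": 25.0},
    # tx-006 left MIXER-OUT-B at block 90, before the victim's funds reached it
    # at block 161: it is someone else's money and must not be attributed.
    {"txid": "tx-006", "block": 90,  "from": "MIXER-OUT-B",    "to": "EXCH-DEPOSIT-03", "value": 10.0},
    {"txid": "tx-007", "block": 250, "from": "MIXER-OUT-B",    "to": "PRIVATE-X-1",     "value": 24.8},
]
EXCHANGE_DEPOSITS = {"EXCH-DEPOSIT-07", "EXCH-DEPOSIT-03"}  # constructed: known deposit addresses


def trace(txs, start, targets, start_block=0, enforce_ordering=True, max_hops=8):
    """Return every hop path from start to an address in targets.

    A path stops at the first target address reached: that counterparty is the
    subpoena target, and what happens inside the exchange is not on-chain.
    """
    by_from = defaultdict(list)
    for t in txs:
        by_from[t["from"]].append(t)
    paths = []

    def walk(addr, min_block, path, seen):
        if len(path) >= max_hops:
            return
        for t in sorted(by_from[addr], key=lambda t: t["block"]):
            if enforce_ordering and t["block"] < min_block:
                continue  # spent before our funds arrived: not our money
            if t["to"] in seen:
                continue  # avoid cycles (peel chains looping back)
            step = path + [t]
            if t["to"] in targets:
                paths.append(step)
            else:
                walk(t["to"], t["block"], step, seen | {t["to"]})

    walk(start, start_block, [], {start})
    return paths


def subpoena_targets(paths) -> set:
    """The exchange-side addresses counsel names in the subpoena."""
    return {p[-1]["to"] for p in paths}


def describe(path) -> str:
    """Evidence-appendix rendering: each hop with its txid and block height."""
    lines = []
    for t in path:
        lines.append(f"{t['from']} -> {t['to']}  {t['value']}  ({t['txid']} @ block {t['block']})")
    return "\n".join(lines)


if __name__ == "__main__":
    paths = trace(SAMPLE_TXS, "VICTIM-WALLET", EXCHANGE_DEPOSITS, start_block=100)
    for p in paths:
        print(describe(p), end="\n\n")
    print("subpoena targets:", subpoena_targets(paths))
    naive = trace(SAMPLE_TXS, "VICTIM-WALLET", EXCHANGE_DEPOSITS, start_block=100, enforce_ordering=False)
    print("paths without block ordering (over-attributes):", len(naive))
```

With ordering enforced the walk reaches one deposit address; with it switched off it also attributes an unrelated earlier transfer to the victim, which is exactly the kind of over-claim opposing counsel will find. Real mixers split into many outputs, so the same walk is run per output with a value-matching heuristic, and every hop in the result is preserved with its raw transaction record.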

Log Correlation

Business-email-compromise and cloud-tenant cases are log-heavy. Microsoft 365 Unified Audit Logs, Microsoft Entra ID (formerly Azure AD) sign-in logs, Exchange message trace, OAuth app consent grants, and per-mailbox MAPI connection records are the usual core set. Google Workspace cases add Admin audit logs, Drive audit logs, and Gmail log search. We normalize these into a common event schema, reconstruct the attacker session timeline, and identify first-compromise indicators, which often sit weeks before the financial event.
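The log-correlation step for the BEC case summarized earlier, as an added example rather than the firm's tooling: it triages Unified Audit Log records for sign-ins from unknown addresses, OAuth consent grants, and inbox rules that forward or redirect mail, then reports the first-compromise time per user and the lead time before the wire. The record layout follows the Search-UnifiedAuditLog JSON, but every record, address, and application name here is constructed, and the known-office IP set is an assumption.

```python
"""Triage of a Microsoft 365 Unified Audit Log export for BEC indicators:
sign-ins from unknown addresses, OAuth consent grants, and inbox rules that
forward or redirect mail.

Added example, not the firm's tooling. It assumes records shaped like the
JSON returned by Search-UnifiedAuditLog (CreationTime, Operation, Workload,
UserId, ClientIP, Parameters); the records and IPs below are constructed.
"""
import json
from datetime import datetime

FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_OPS = ("New-InboxRule", "Set-InboxRule")
CONSENT_OPS = ("Consent to application.", "Add OAuth2PermissionGrant.")

KNOWN_OFFICE_IPS = {"198.51.100.7"}  # constructed: the client's egress address

SAMPLE_RECORDS = json.loads("""[
 {"CreationTime": "2025-03-03T02:14:55", "Operation": "UserLoggedIn",
  "Workload": "AzureActiveDirectory", "UserId": "controller@example.com",
  "ClientIP": "203.0.113.45", "ResultStatus": "Success"},
 {"CreationTime": "2025-03-03T02:16:10", "Operation": "Consent to application.",
  "Workload": "AzureActiveDirectory", "UserId": "controller@example.com",
  "ClientIP": "203.0.113.45", "ObjectId": "Mail Sync Helper"},
 {"CreationTime": "2025-03-03T02:18:40", "Operation": "New-InboxRule",
  "Workload": "Exchange", "UserId": "controller@example.com",
  "ClientIP": "203.0.113.45:51342",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "ForwardTo", "Value": "ap@contoso-invoice.example"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"CreationTime": "2025-03-04T08:01:12", "Operation": "UserLoggedIn",
  "Workload": "AzureActiveDirectory", "UserId": "controller@example.com",
  "ClientIP": "198.51.100.7", "ResultStatus": "Success"},
 {"CreationTime": "2025-03-05T09:30:00", "Operation": "New-InboxRule",
  "Workload": "Exchange", "UserId": "cfo@example.com",
  "ClientIP": "198.51.100.7",
  "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                 {"Name": "MoveToFolder", "Value": "Archive"}]},
 {"CreationTime": "2025-03-21T18:44:09", "Operation": "UserLoggedIn",
  "Workload": "AzureActiveDirectory", "UserId": "controller@example.com",
  "ClientIP": "[2001:db8:1::20]:443", "ResultStatus": "Success"}
]""")


def _norm_ip(raw: str) -> str:
    """ClientIP may carry a port: '203.0.113.45:51342' or '[2001:db8::1]:443'."""
    if raw.startswith("["):
        return raw[1:raw.index("]")]
    if raw.count(":") == 1:
        return raw.split(":", 1)[0]
    return raw


def _params(rec: dict) -> dict:
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def triage(records, known_ips) -> list:
    """Return findings in time order; each carries the raw fields the report needs."""
    findings = []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        op, user = rec["Operation"], rec["UserId"]
        ip = _norm_ip(rec.get("ClientIP", ""))
        base = {"time": rec["CreationTime"], "user": user, "ip": ip}
        if op == "UserLoggedIn":
            if rec.get("ResultStatus") == "Success" and ip and ip not in known_ips:
                findings.append({**base, "kind": "signin_unknown_ip",
                                 "detail": f"successful sign-in from {ip}"})
        elif op in CONSENT_OPS:
            findings.append({**base, "kind": "oauth_consent",
                             "detail": f"consent granted to app {rec.get('ObjectId', '?')}"})
        elif op in RULE_OPS:
            p = _params(rec)
            targets = [p[k] for k in FORWARD_PARAMS if k in p]
            if targets:  # a rule that only files mail into a folder is not flagged
                detail = "rule '%s' forwards mail to %s" % (p.get("Name", ""), ", ".join(targets))
                if p.get("DeleteMessage", "").lower() == "true":
                    detail += " and deletes the original"
                findings.append({**base, "kind": "forwarding_rule", "detail": detail})
    return findings


def first_compromise(findings) -> dict:
    """Earliest finding per user: the point the timeline has to start from."""
    first = {}
    for f in findings:
        first.setdefault(f["user"], f["time"])  # findings are already time-ordered
    return first


def attacker_ips(findings) -> set:
    """Addresses to pivot on across sign-in logs, message trace, and firewall logs."""
    return {f["ip"] for f in findings if f["ip"]}


def lead_time_days(findings, event_time: str) -> int:
    """Days between the earliest finding and the financial event (the wire)."""
    earliest = min(datetime.fromisoformat(t) for t in first_compromise(findings).values())
    return (datetime.fromisoformat(event_time) - earliest).days


if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS, KNOWN_OFFICE_IPS)
    for f in found:
        print(f["time"], f["user"], f["ip"], f["kind"], "-", f["detail"])
    print("first compromise:", first_compromise(found))
    print("lead time before the wire:", lead_time_days(found, "2025-03-21T15:30:00"), "days")
```

Two details matter in practice: the rule named "." with DeleteMessage set is the classic BEC pattern, since it hides the supplier thread from the victim while the attacker reads the forwarded copy, and the ClientIP normalization is needed because the audit log writes IPv6 sign-ins in bracketed host:port form, which silently breaks naive string matching against a known-IP list.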

Standards Alignment

Regulatory and Framework Fit

Our process is built to satisfy the frameworks our clients answer to, so forensic work becomes an asset during audits, breach notifications, and insurance claims rather than another pile of open questions.

Framework

NIST SP 800-86

Guide to integrating forensic techniques into incident response. Our Identify, Preserve, Analyze, and Report phases map onto the NIST collection, examination, analysis, and reporting model.

Framework

ISO/IEC 27037

Guidelines for identification, collection, acquisition, and preservation of digital evidence. Our chain-of-custody and preservation procedures are built to this standard.

Regulation

HIPAA Breach Risk Assessment

The four-factor risk assessment under 45 CFR 164.402 lives or dies on preserved evidence. Our Phase 2 preserves the log sources and endpoint state that let covered entities document a low-probability determination.

Framework

CMMC and NIST SP 800-171

The Incident Response family in NIST SP 800-171 (requirements 3.6.1 and 3.6.2, derived from the SP 800-53 IR-4, IR-5, and IR-6 controls) requires an operational incident-handling capability and incidents that are tracked, documented, and reported. Our reports serve as the IR evidence a CMMC assessor looks for in a live-incident scenario.

Insurance

Cyber Insurance Claims

Carriers require documented proof of loss, documented investigation, and reasonable remediation effort. Our chain-of-custody and methodology sections are written so claim adjusters can verify coverage without chasing our team for follow-up.

Legal

Federal and NC State Court Standards

Our reports are structured to support Daubert reliability challenges and FRE 702 qualification standards. Methodology is documented, peer-reviewed internally, and reproducible.

FAQ

Frequently Asked Questions

How fast can Petronella Technology Group start an investigation?

For an active incident, we aim to have a scoping call on the phone within business hours the same day and onsite or remote collection moving within 24 hours. For lower-urgency matters like a civil dispute or an internal investigation, we schedule the kickoff call within two business days.

Do you work with our outside counsel so findings stay under privilege?

Yes. When counsel engages us directly or when you ask us to work through counsel, we structure the engagement letter, communications, and deliverables to stay within the attorney work-product and attorney-client privilege framework. We will not discuss findings outside the protected channel unless you and counsel direct us to.

What forensic tools do you use?

Our core toolkit is open-source and validated against known test images. For acquisition we use dd, ewfacquire from libewf, and dc3dd. For analysis we use The Sleuth Kit, Autopsy, Volatility for memory, Zeek and Wireshark for packet and log analysis, Yara for indicator matching, and custom Python tooling for crypto tracing and log correlation. Every tool we run gets documented in the methodology section of the report so another examiner can reproduce our findings.

Are your reports admissible in court?

Our reports are written to the standard that courts expect from technical expert work: documented methodology, reproducible analysis, evidence appendix with hash verification, and a clearly stated scope. Admissibility is ultimately the judge's call and depends on the case, but our reports are structured to support your counsel's motion-in-limine and Daubert-style challenges. We support your counsel as expert consultants and can testify where warranted.

What does a digital forensics investigation cost?

Cost depends entirely on scope: how many custodians, how many devices, how much data, and how urgent. A targeted BEC investigation with one or two custodians is meaningfully less than a multi-endpoint ransomware timeline reconstruction. We quote fixed-scope engagements where we can, and we always give you a written estimate before acquisition begins. There is no charge for the initial scoping call.

What if the case needs mobile-device imaging or specialty tools you do not have?

We will tell you on the first call. Our specialty scope covers SIM swap, crypto, BEC, ransomware, network forensics, and cloud-artifact forensics. For physical mobile-device extraction, traditional large-firm e-discovery review-platform work, or licensed private-investigator services, we refer to trusted partners we have vetted. You get the right team on the right piece of the case, and we stay in our lane.

Who We Work With

Engagement Patterns by Client Type

The four-phase process is the same for every case, but the shape of the engagement changes based on who is calling us and why. Knowing where you fit on the spectrum helps you know what to expect from the first 48 hours.

Small and Mid-Sized Businesses

The majority of our forensic engagements come from North Carolina SMBs in the middle of a live incident. The call usually comes from the owner, the CFO, or an outside IT provider who does not have forensic depth. Our role is triage first, evidence preservation second, and investigation third. We tell you what to stop doing, we image what needs imaging, and we write a report that does triple duty: insurance, legal, and operational lessons learned. The engagement typically runs two to six weeks depending on scope.

Law Firms Engaging Us for Clients

When counsel engages us directly, the engagement letter, communications, and deliverables are structured to fall within attorney work-product protection. The law firm is our client. The underlying party is the subject of the investigation. We support the lawyer's strategy and stay out of strategic decisions that belong to counsel. Typical engagements here include insider threat investigations, partner disputes with suspected data theft, and civil discovery where the opposing side has handled evidence in ways that need forensic examination.

Cyber Insurance and Breach Counsel Panel Work

For insurance-driven incidents we work within the carrier's incident-response panel structure. The breach coach leads, forensic work fits into the claims workflow, and our reports are written so the adjuster can close the file without iterative questions. We coordinate with outside PR, ransom-negotiation specialists, and notification vendors where the incident calls for them.

Compliance-Driven Investigations

Regulated clients, especially healthcare practices under HIPAA and defense-industrial-base contractors under CMMC, sometimes need forensic investigation to satisfy a specific control or breach determination requirement. These engagements are often smaller in scope but tighter on documentation. Our report becomes an audit artifact, which means the methodology section needs to stand on its own without a verbal briefing.

Get Started

Start Your Investigation Today

If you are in the middle of an incident, the sooner we are on the phone the more evidence we can save. If you are planning ahead, a scoping call now means we are already cleared when something breaks.