The NE Forensic Environment

Module 0 · Free
Operational Objective
Forensic artifact analysis does not happen in a vacuum. It happens in the context of a specific organization's infrastructure, a specific incident's scope, specific legal requirements, and specific stakeholder expectations. An examiner who understands MFT record structures but does not know the network topology, the endpoint configurations, the logging architecture, and the legal framework of the investigation will produce technically accurate but operationally incomplete findings. This subsection introduces the three Northgate Engineering investigation scenarios that run through every module in this course. Each scenario defines the organizational context, the incident scope, the evidence available, the legal requirements, the stakeholders, and the specific artifact questions the investigation must answer. Understanding these scenarios before diving into artifact-specific modules ensures that every technique you learn has an immediate operational application — you're not learning abstract artifact structures, you're learning the specific analysis that answers specific questions for specific investigations.
Deliverable: Complete understanding of the three NE investigation scenarios including infrastructure context, evidence inventory, legal requirements, stakeholder expectations, and the specific forensic questions each investigation must answer. The mapping between investigation questions and artifact categories that determines analysis priority for each scenario.
Estimated completion: 30 minutes
THREE INVESTIGATION SCENARIOS — NORTHGATE ENGINEERING

INC-NE-2026-0915: Insider Data Exfiltration
  Departing engineer, 6-week window
  USB + cloud storage exfiltration
  Legal hold, HR proceeding pending
  Primary artifacts: ShellBags · LNK · Jump Lists · USN Journal · SRUM · USB history
  Standard: preponderance (HR legal + potential civil)

INC-NE-2026-1022: Ransomware Attack
  72 hours from initial access to encryption
  12 hosts compromised, 3 servers encrypted
  Insurance claim + regulatory notification
  Primary artifacts: Prefetch · Amcache · Event Logs · MFT timeline · Registry persistence
  Standard: insurance + regulatory (GDPR notification assessment)

INC-NE-2026-1130: Unauthorized Access Dispute
  Employee denies accessing restricted share
  HR investigation, administrative leave
  Evidence must prove or disprove access
  Primary artifacts: ShellBags · LNK · Jump Lists · Event Logs (auth) · MFT timestamps
  Standard: preponderance (employment tribunal potential)

Figure WF0.10 — Three investigation scenarios that thread through every module. Each scenario has different primary artifact categories, different legal standards, and different stakeholder expectations. The artifact analysis techniques in each module are applied to these scenarios so that every technique has an immediate operational context.

Northgate Engineering: the environment

Northgate Engineering Ltd is a precision manufacturing company with 810 employees across three UK sites. Their IT infrastructure is typical of a mid-size enterprise: M365 E5 licensing, Entra ID for identity, Defender XDR for security, Sentinel for SIEM, a hybrid Active Directory environment with four domain controllers across three sites, 865 managed endpoints (predominantly Windows 11, some Windows 10), 12 Windows servers, 6 RHEL and 2 Ubuntu servers, Palo Alto Prisma Access SD-WAN, and BlueVoyant as a managed SOC partner.

The endpoint build matters most for this course. The standard workstation configuration is Windows 11 Enterprise 23H2, M365 Apps for Enterprise (Office), Defender for Endpoint P2 (onboarded), BitLocker enabled (recovery keys in Entra ID), 256GB or 512GB NVMe SSD, 16GB RAM. Sysmon is deployed across all endpoints with a standard configuration. PowerShell ScriptBlock logging is enabled via GPO. Advanced audit policies are configured for process creation (including command line), logon events, and object access (on file servers). Prefetch is enabled on all workstations (default) and disabled on servers (default).

The file servers run Windows Server 2022 with NTFS volumes. The restricted Engineering share (\\SRV-NGE-FS01\Engineering\) has file access auditing enabled (Event ID 4663) for the Manufacturing and R&D subdirectories. USB device use is permitted but logged via Defender for Endpoint device control (monitoring mode, not blocking).

This environment determines what artifacts are available for each investigation:

  • Sysmon provides process creation and network connection telemetry.
  • Advanced audit policies provide authentication and object access events.
  • Defender for Endpoint provides endpoint telemetry via Advanced Hunting.
  • BitLocker means disk images from powered-off systems require recovery keys.
  • NVMe SSDs mean deleted file content recovery is unreliable due to TRIM.
  • The file server's object access auditing means authentication and file access events are available for server-side analysis.

Scenario 1: INC-NE-2026-0915 — insider data exfiltration

The situation. David Chen, a senior manufacturing engineer at Northgate Engineering, submitted his resignation on September 1, 2026 with a notice period ending September 30. On September 12, the Engineering Director flagged a concern: Chen had been working unusually late hours and had requested access to several file shares outside his normal role in the weeks before his resignation. DLP alerts in Defender for Cloud Apps show Chen accessed 847 files in the restricted Manufacturing Specifications folder between August 1 and September 12 — a ten-fold increase over his previous baseline of approximately 80 files per month.

The evidence. NE's security team performed a KAPE standard collection from Chen's workstation (DESKTOP-NGE-ENG14) while he was in a meeting. The collection includes: $MFT, $UsnJrnl, all registry hives with transaction logs, Prefetch files, Event Logs (all channels), SRUM database, browser data (Chrome), LNK files, Jump Lists, and $Recycle.Bin. Additionally, file server logs from SRV-NGE-FS01 (Security Event Log with 4663 object access events) and Defender for Endpoint Advanced Hunting data for DESKTOP-NGE-ENG14 are available.

The forensic questions.

  1. Which folders in the restricted Engineering share did Chen access, and when? (ShellBags, Event Logs)
  2. Which specific files did Chen open? (LNK files, Jump Lists, Event Log 4663)
  3. Did Chen copy files to USB storage? If so, which files, when, and to which device? (USN Journal, USB device history, MFT timestamps)
  4. Did Chen copy files to cloud storage or personal email? (SRUM transfer volumes, browser history, cloud sync artifacts)
  5. What tools did Chen use to archive or compress files? (Prefetch, Amcache)
  6. What is the total volume of data potentially exfiltrated? (SRUM bytes sent by application)
  7. Did Chen attempt to cover his tracks? (Anti-forensic indicator checklist)

The legal context. Legal hold has been placed on Chen's workstation and all related evidence. The investigation supports an HR disciplinary proceeding and potential civil action for breach of contract and misappropriation of trade secrets. The evidence standard is preponderance (balance of probabilities) — lower than criminal beyond reasonable doubt, but the methodology must still be defensible. Chen's solicitor may retain a forensic expert to review the findings.

Scenario 2: INC-NE-2026-1022 — ransomware attack

The situation. On October 22, 2026 at 06:14 UTC, Northgate Engineering's BlueVoyant SOC detected mass file encryption activity on three servers: SRV-NGE-FS01 (primary file server), SRV-NGE-APP02 (application server), and SRV-NGE-DB01 (database server). By 06:30, the ransom note was confirmed and containment was initiated — affected servers isolated, VPN connections terminated, all credentials for administrative accounts reset. Initial scoping identified 12 compromised endpoints across two NE sites. The ransomware was deployed via PsExec from a compromised IT administrator account.

The evidence. Forensic images (E01 format) of: patient zero workstation (DESKTOP-NGE-FIN01 — finance department), lateral movement host (DESKTOP-NGE-IT03 — IT department), and the encrypted file server (SRV-NGE-FS01). KAPE triage collections from the remaining 9 compromised endpoints. Defender for Endpoint Advanced Hunting data for all 12 hosts. Entra ID sign-in logs and audit logs for the investigation timeframe. Sentinel incidents and alerts. Volume Shadow Copies were deleted by the ransomware (via vssadmin and WMI) but may have partial copies on some endpoints where the deletion failed.

The forensic questions.

  1. What was the initial access vector? (Patient zero endpoint analysis — email artifacts, browser history, Prefetch, MFT)
  2. When did the attacker gain access and how long were they in the environment before encryption? (Timeline from initial compromise to ransomware deployment)
  3. What credentials were compromised and how? (Credential harvesting tool evidence — Prefetch, Amcache, Event Logs for LSASS access)
  4. How did the attacker move laterally across the network? (Cross-host authentication events, PsExec service creation, RDP connection artifacts)
  5. What persistence mechanisms were installed? (Registry analysis — Services, Run keys, scheduled tasks, COM hijacks)
  6. Was personal data accessed or exfiltrated before encryption? (GDPR Article 33 notification assessment — file access evidence, SRUM transfer volumes, C2 communication evidence)
  7. Can any encrypted data be recovered from shadow copies? (VSS analysis — which snapshots survived the deletion attempt)
  8. What anti-forensic activity did the attacker perform? (Event Log clearing, Prefetch deletion, timestomping, tool cleanup)

The legal context. The investigation supports an insurance claim under NE's cyber insurance policy (the insurer requires a forensic examination report detailing initial access, scope, and remediation). GDPR Article 33 notification assessment is required within 72 hours — the examiner must determine whether personal data was accessed or exfiltrated. NE's legal counsel is coordinating with law enforcement (National Crime Agency) — evidence preservation must meet criminal investigation standards in case of future prosecution.

Scenario 3: INC-NE-2026-1130 — unauthorized access dispute

The situation. Sarah Williams, a marketing coordinator at Northgate Engineering, has been accused of accessing the restricted HR\Compensation folder on SRV-NGE-FS01. The HR Director discovered that compensation data for all Engineering department employees appeared in a document Williams shared with a recruiter at a competing firm. Williams denies ever accessing the HR share and claims the compensation data was provided to her verbally by a colleague. Williams has been placed on administrative leave. Her workstation (DESKTOP-NGE-MKT07) is powered on but logged out and has been physically secured by IT.

The evidence. KAPE standard collection from Williams' workstation (collected after administrative leave was implemented). File server Security Event Log from SRV-NGE-FS01 (4624 authentication, 4663 object access for the HR\Compensation directory). Defender for Endpoint data for DESKTOP-NGE-MKT07. The document shared with the recruiter (recovered from Williams' sent email).

The forensic questions.

  1. Did Williams navigate to the HR\Compensation folder on the file server? (ShellBags in UsrClass.dat)
  2. Did Williams open specific compensation files? (LNK files in Recent folder, Jump Lists for Excel/Word)
  3. Did Williams authenticate to the file server at relevant times? (Event Log 4624 on file server, correlated with workstation logon events)
  4. Did Williams copy compensation files to her local workstation? (MFT for local copies, USN Journal for file creation events)
  5. Is there evidence Williams emailed compensation data to external recipients? (Browser artifacts, email client artifacts, Defender for Cloud Apps DLP data)
  6. Is there evidence consistent with Williams' defense — that she received the data verbally? (Absence of file access artifacts could support her claim, but absence is not proof)
  7. Did Williams attempt to conceal her access? (Anti-forensic indicator checklist — clearing browser history, deleting files, timestomping)
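Question 3 above turns on joining the file server's authentication events to its object-access events. The following is an added example, not course material or NE evidence: it correlates 4624 logon records with 4663 object-access records through their LogonId so that every access to HR\Compensation is tied to the network session that performed it, and any 4663 whose creating 4624 is missing from the collected window is flagged rather than dropped. The records, the account names (swilliams, jpatel), the source IPs and the share's local path on the server (E:\Shares\...) are all constructed assumptions.

```python
"""
Added example (not part of the course material): correlate file-server
logon events (4624) with object-access events (4663) by LogonId so each
access to a restricted folder is attributed to a session, and accesses
with no surviving session record are reported as findings in their own
right. The records below are constructed, not NE evidence.
"""
from collections import defaultdict

# Constructed sample of already-parsed Security Event Log records from the
# file server. A real pipeline would fill these dicts from an EVTX parser;
# only the fields the correlation needs are kept. LogonId links a 4663 to
# the 4624 that created the session. It is unique only within one boot of
# the server, so multi-day windows should also be split at server restarts
# (omitted here for brevity).
EVENTS = [
    {"ts": "2026-11-28T09:02:11", "id": 4624, "user": "swilliams",
     "logon_id": "0x3E7A1", "logon_type": 3, "src_ip": "10.20.7.45"},
    {"ts": "2026-11-28T09:02:40", "id": 4663, "user": "swilliams",
     "logon_id": "0x3E7A1", "access": "ReadData",
     "object": r"E:\Shares\HR\Compensation\Eng_Salaries_2026.xlsx"},
    {"ts": "2026-11-28T09:05:03", "id": 4663, "user": "swilliams",
     "logon_id": "0x3E7A1", "access": "ReadData",
     "object": r"E:\Shares\Marketing\Q4_Plan.docx"},
    {"ts": "2026-11-28T11:40:00", "id": 4624, "user": "jpatel",
     "logon_id": "0x41C02", "logon_type": 3, "src_ip": "10.20.3.12"},
    {"ts": "2026-11-28T11:41:15", "id": 4663, "user": "jpatel",
     "logon_id": "0x41C02", "access": "ReadData",
     "object": r"E:\Shares\HR\Compensation\Eng_Salaries_2026.xlsx"},
    # A 4663 whose session-creating 4624 is not in the collected window
    # (for example the log rolled over): it must be reported, not dropped.
    {"ts": "2026-11-27T08:10:00", "id": 4663, "user": "swilliams",
     "logon_id": "0x2A100", "access": "ReadData",
     "object": r"E:\Shares\HR\Compensation\Bonus_Plan_2026.xlsx"},
]


def correlate(events, path_prefix):
    """Return one record per 4663 under path_prefix, joined to its 4624 session."""
    sessions = {e["logon_id"]: e for e in events if e["id"] == 4624}
    # Trailing separator so "Compensation" does not also match "Compensation_old".
    prefix = path_prefix.rstrip("\\").lower() + "\\"
    hits = []
    for e in events:
        if e["id"] != 4663 or not e["object"].lower().startswith(prefix):
            continue
        s = sessions.get(e["logon_id"])
        hits.append({
            "user": e["user"],
            "object": e["object"],
            "access": e["access"],
            "ts": e["ts"],
            # None means the session record is missing from the evidence,
            # which is itself a coverage finding to document.
            "session_start": s["ts"] if s else None,
            "src_ip": s["src_ip"] if s else None,
            "logon_type": s["logon_type"] if s else None,
        })
    return sorted(hits, key=lambda h: h["ts"])


def summarize(hits):
    """Per-account summary: access count, distinct files, and unmatched sessions."""
    acc = defaultdict(lambda: {"accesses": 0, "files": set(), "unmatched": 0})
    for h in hits:
        o = acc[h["user"]]
        o["accesses"] += 1
        o["files"].add(h["object"])
        if h["session_start"] is None:
            o["unmatched"] += 1
    return {u: {"accesses": v["accesses"], "files": sorted(v["files"]),
                "unmatched": v["unmatched"]} for u, v in acc.items()}


if __name__ == "__main__":
    found = correlate(EVENTS, r"E:\Shares\HR\Compensation")
    for h in found:
        print(h)
    print(summarize(found))
```

The `unmatched` count is the number that goes into the report's coverage section: a 4663 with no 4624 still shows an access occurred, but the source host and logon type for that access cannot be stated from the server log alone and must be corroborated from the workstation side (logon events on DESKTOP-NGE-MKT07, Defender for Endpoint telemetry).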

The legal context. The investigation supports an HR disciplinary proceeding that may escalate to an employment tribunal if Williams contests the decision. The evidence standard is preponderance. The examiner must be objective — the examination must be equally capable of proving Williams accessed the data and of supporting her defense if the evidence is genuinely absent. A forensic examination conducted with a presumption of guilt will be challenged by Williams' representative and may be found unreliable.

Decision point

The three NE investigation scenarios have different legal contexts: INC-NE-2026-0915 (insider threat — HR proceeding, preponderance standard), INC-NE-2026-1022 (ransomware — insurance claim + potential regulatory notification), INC-NE-2026-1130 (access dispute — HR proceeding, preponderance standard). How does the legal context affect your analysis approach?

The legal context determines the documentation standard, not the analysis methodology. The artifact analysis is the same — extract, parse, correlate, conclude. But the reporting differs: the insurance claim requires specific damage quantification (files encrypted, systems affected, recovery cost). The regulatory notification requires personal data impact assessment (was PII involved?). The HR proceedings require clear, defensible findings at the preponderance standard (more likely than not). All three require methodology documentation, but the ransomware scenario demands the most rigorous chain of custody because it may escalate to law enforcement involvement. Plan your documentation from the start — retrofitting legal-grade documentation after analysis is complete is expensive and error-prone.

Try It — Map Artifacts to Investigation Questions

Choose one of the three scenarios and map every investigation question to the specific artifact categories and specific artifact types that could answer it. For each mapping, assess: what confidence level does this artifact provide for this question? What corroborating artifacts would strengthen the finding?

This exercise prepares you for the artifact-specific modules (WF1-WF10) by establishing the operational context: when you learn MFT record analysis in WF1, you already know that MFT timestamps answer question 4 in INC-NE-2026-0915 (did Chen copy files?) and question 1 in INC-NE-2026-1022 (when did the malicious file first appear?). When you learn ShellBag analysis in WF4, you already know it answers question 1 in INC-NE-2026-0915 and question 1 in INC-NE-2026-1130.

Compliance Myth: "A forensic examiner should start with a hypothesis and look for evidence to confirm it"

The myth: Efficient forensic investigation starts with a hypothesis (e.g., "the employee exfiltrated data") and focuses evidence collection and analysis on confirming or denying that hypothesis. This is focused and efficient.

The reality: This is confirmation bias in forensic form. An examiner who starts with "the employee exfiltrated data" will unconsciously favor evidence that supports the hypothesis and discount evidence that contradicts it. INC-NE-2026-1130 illustrates the danger: if the examiner assumes Williams accessed the compensation data, they may interpret ambiguous artifacts as confirming access when they are actually consistent with normal activity. The correct methodology is: collect all relevant artifacts, analyze them systematically, let the evidence lead to conclusions, and document findings that both support and contradict any preliminary hypothesis. The examiner's role is truth-finder, not advocate — particularly in HR investigations where an incorrect finding can end a career.

Troubleshooting

"These scenarios are specific to Northgate Engineering — how do they apply to my environment?" The scenarios are vehicles for teaching artifact analysis in operational context. The specific names, dates, and file paths are fictional. The investigation types — insider threat, ransomware, access dispute — are universal. The artifact analysis techniques, the evidence reliability assessments, the corroboration methods, and the reporting standards apply to any Windows forensic examination regardless of the organization. Replace "Northgate Engineering" with your organization, and the investigation methodology is the same.

"My organization doesn't have Sysmon, advanced audit policies, or Defender for Endpoint." The NE environment is well-configured, which means more artifact sources are available. In environments with less telemetry, the disk artifacts covered in this course become even more important because they may be the only evidence available. If Event Logs don't contain process creation events (no advanced audit policy), Prefetch and Amcache become the primary execution evidence. If there's no EDR, the MFT, USN Journal, and registry become the primary sources for file and activity reconstruction. The artifact analysis skills are more valuable, not less, in under-instrumented environments.

"INC-NE-2026-1130 asks me to prove a negative — how do I prove Williams didn't access something?" You can't prove a negative from artifact evidence alone. What you can do is document: (a) the artifacts you examined and what they showed (or didn't show), (b) the artifacts you expected to find if the access occurred (ShellBags, LNK files, authentication events) and whether they are present or absent, (c) alternative explanations for absence (artifacts don't exist because the access didn't occur, or artifacts were deleted, or artifacts rotated out of retention). The examiner reports what the evidence shows and what conclusions the evidence supports — including the conclusion that the evidence is inconclusive if that is the honest assessment.
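Points (a), (b) and (c) above can be turned into a repeatable assessment. The following is an added example, not the course's own method: for each artifact the examiner would expect if the access had occurred, it records whether the artifact was found, whether the source's retention actually covered the relevant period, and whether anti-forensic indicators were seen on that source, then classifies each absence as meaningful or inconclusive and reduces the set to the strongest statement the evidence supports. The artifact list, coverage dates and period are constructed for the Williams scenario shape and are not NE data.

```python
"""
Added example (not part of the course material): a structured
absence-of-evidence assessment for an access dispute. Each expected
artifact is classified as present, absent (meaningful), absent
(inconclusive) or not examined, and the per-artifact results are reduced
to an overall statement. All inputs below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

PRESENT = "present"
ABSENT_MEANINGFUL = "absent (meaningful)"
ABSENT_INCONCLUSIVE = "absent (inconclusive)"
NOT_EXAMINED = "not examined"


@dataclass
class ExpectedArtifact:
    name: str                    # what we would expect to see if access occurred
    source: str                  # evidence item it would live in
    found: bool
    # Earliest and latest timestamps the source still holds. None means the
    # source was not collected or could not be parsed.
    coverage: Optional[Tuple[datetime, datetime]] = None
    # Anti-forensic indicators observed on this source (empty if none).
    tampering: Tuple[str, ...] = ()


def assess(a: ExpectedArtifact, period: Tuple[datetime, datetime]) -> dict:
    """Classify one expected artifact against the period under investigation."""
    if a.found:
        return {"artifact": a.name, "status": PRESENT,
                "reason": f"located in {a.source}"}
    if a.coverage is None:
        return {"artifact": a.name, "status": NOT_EXAMINED,
                "reason": f"{a.source} not collected or not parsed"}
    start, end = a.coverage
    if a.tampering:
        # Absence after log clearing or deletion says nothing either way.
        return {"artifact": a.name, "status": ABSENT_INCONCLUSIVE,
                "reason": "anti-forensic indicators on source: "
                          + ", ".join(a.tampering)}
    if start > period[0] or end < period[1]:
        # The source rotated out part of the relevant period.
        return {"artifact": a.name, "status": ABSENT_INCONCLUSIVE,
                "reason": (f"{a.source} retention covers {start:%Y-%m-%d} to "
                           f"{end:%Y-%m-%d}, not the whole relevant period")}
    return {"artifact": a.name, "status": ABSENT_MEANINGFUL,
            "reason": f"{a.source} retained data across the relevant period "
                      "and contains no trace"}


def overall(assessments: List[dict]) -> str:
    """Reduce per-artifact findings to the strongest statement the evidence supports."""
    statuses = {x["status"] for x in assessments}
    if PRESENT in statuses:
        return "evidence of access present; assess confidence per artifact"
    if statuses == {ABSENT_MEANINGFUL}:
        return ("no trace in any expected artifact with full retention coverage; "
                "consistent with no access, but not proof")
    return "inconclusive: some expected artifacts could not be evaluated"


# Constructed inputs (assumed dates; not NE evidence).
PERIOD = (datetime(2026, 11, 20), datetime(2026, 11, 28))
EXPECTED = [
    ExpectedArtifact("ShellBags entry for HR\\Compensation on SRV-NGE-FS01",
                     "UsrClass.dat", found=False,
                     coverage=(datetime(2026, 3, 2), datetime(2026, 11, 30))),
    ExpectedArtifact("LNK / Jump List entry for a compensation file",
                     "Recent folder + AutomaticDestinations", found=False,
                     coverage=(datetime(2026, 9, 14), datetime(2026, 11, 30))),
    # Server log only reaches back five days: absence here proves nothing.
    ExpectedArtifact("4624 network logon from DESKTOP-NGE-MKT07",
                     "SRV-NGE-FS01 Security log", found=False,
                     coverage=(datetime(2026, 11, 25), datetime(2026, 11, 30))),
    ExpectedArtifact("4663 ReadData on HR\\Compensation",
                     "SRV-NGE-FS01 Security log", found=False,
                     coverage=(datetime(2026, 11, 25), datetime(2026, 11, 30))),
    ExpectedArtifact("local copy of a compensation spreadsheet",
                     "$MFT / $UsnJrnl", found=False, coverage=None),
]


def run(expected=EXPECTED, period=PERIOD):
    rows = [assess(a, period) for a in expected]
    return rows, overall(rows)


if __name__ == "__main__":
    rows, verdict = run()
    for r in rows:
        print(f"{r['status']:<22} {r['artifact']}: {r['reason']}")
    print("Overall:", verdict)
```

The reduction is deliberately conservative: a single expected artifact that could not be evaluated keeps the overall result at "inconclusive", which is the honest reporting position the paragraph above describes, and the reason strings are written to go straight into the coverage section of the report.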

You are the forensic examiner assigned to INC-NE-2026-1130 (unauthorized access dispute). Sarah Williams' solicitor contacts you and states: "My client denies accessing the HR folder. Your examination must include analysis of whether the artifacts are consistent with her denial — not just whether they confirm the accusation." How should you respond to this request?

  1. Decline the request — as the examiner hired by NE, your role is to find evidence of Williams' access. The defense can hire their own expert to look for exculpatory evidence. Examining both sides would create a conflict of interest.
  2. Acknowledge that this is correct forensic methodology. An objective examination should evaluate the evidence in both directions — looking for artifacts consistent with access (ShellBags, LNK files, authentication events) AND assessing whether the absence of such artifacts is meaningful. If ShellBags don't show the HR folder, that finding should be documented. If authentication logs don't show Williams connecting to the file server during the relevant period, that finding should be documented. The examination report should present what the evidence shows and does not show, with confidence assessments, and let the decision-maker (HR, tribunal) draw conclusions. An examiner who only looks for incriminating evidence is an advocate, not an expert — and their methodology will be challenged.
  3. Accept the request but note that the absence of artifacts does not prove Williams didn't access the folder — artifacts could have been deleted or rotated. The examination should focus on what is present, not what is absent, because absence is always ambiguous.
  4. Refuse to communicate with Williams' solicitor directly — all communication should go through NE's legal counsel. The examination methodology is determined by the examiner's professional judgment, not by either party's requests.

You've built the foundations of artifact-level forensic analysis.

WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.

  • WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
  • INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
  • INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
  • The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
  • Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation