CASE FILE 001

Network Intrusion Analysis

An in-progress simulated case study used to build a network forensics workflow: evidence handling, traffic analysis, timeline reconstruction, and disciplined documentation. Details will be populated as analysis is completed.

Scenario Summary

This case file is an academic, simulated investigation built as a structured learning exercise in network forensics and incident reconstruction. The objective is to practice methodical evidence handling, analytic restraint, and repeatable documentation.

The scenario involves anomalous outbound network activity from a workstation during non-business hours. The investigation is designed to answer three questions: what happened, when it happened, and what evidence supports those conclusions.

Status: In Progress. As analysis is completed, this page will be updated with validated observations, supporting artifacts, and a final redacted report suitable for portfolio review.

Evidence Examined

Evidence types below reflect the dataset used for this simulated case. Specific artifacts and validated excerpts will be added as analysis progresses.

Packet Captures (PCAP)

Used to triage sessions, identify anomalies, and validate indicators with repeatable filters.

Firewall / Proxy Logs

Used to correlate connection attempts, policy interactions, and timing consistency.

Network Flow Data

Used to quantify volumes and timing patterns to support timeline drafting.

Timestamps & Metadata

Used to reconcile ordering and identify gaps or conflicts across artifacts.

Case Details

Case ID: CASE-001
Opened: Spring 2026
Current Phase: Evidence review & traffic triage
Status: In Progress (Academic)
Investigator: Dontavious Ellis

Planned Tooling (Subject to Change)

Wireshark (or equivalent) — Packet review
Zeek / Suricata logs (if available) — Event context
SIEM-style log search (tool TBD) — Correlation

Tools are listed as targets for this case workflow. Only tools actually used will be reflected in the final report.

Investigation Phases (In Progress)

Phase 1 — Scope & Evidence Inventory

  • Confirm dataset sources (PCAP, logs, flow data)
  • Establish baseline traffic expectations
  • Create an evidence register and working notebook

Phase 2 — Traffic Triage & Indicators

  • Identify unusual destinations, volumes, and timing
  • Extract candidate IOCs (IPs, domains, TLS fingerprints if available)
  • Record alternative explanations to test

Phase 3 — Timeline Draft & Validation

  • Construct event sequence with timestamps and sources
  • Flag gaps and conflicting evidence
  • Re-run analysis to verify repeatability

Phase 4 — Reporting (Redacted)

  • Summarize validated observations
  • Document methodology and tooling decisions
  • Provide limitations and next steps
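As an added example (not part of this case file or its planned tooling), the Python below sketches the Phase 2 and Phase 3 steps: it merges constructed flow records and firewall log lines into one source-tagged timeline, flags events outside an assumed 08:00 to 18:00 UTC business window, and reports where the two artifacts disagree on a connection's timestamp by more than an assumed 60-second clock tolerance. The record layout, log format, addresses and byte counts are all constructed for illustration.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample evidence (not real case data): one workstation's
# outbound connections as seen by flow export and by the firewall log.
FLOW_RECORDS = [
    {"ts": "2026-03-14T09:02:11Z", "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443, "bytes": 4120},
    {"ts": "2026-03-14T02:15:07Z", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "bytes": 7340211},
    {"ts": "2026-03-14T02:16:40Z", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 8443, "bytes": 512},
]
FIREWALL_LOG = """\
2026-03-14T09:02:12Z ALLOW 10.0.0.5 -> 198.51.100.7:443
2026-03-14T02:22:07Z ALLOW 10.0.0.5 -> 203.0.113.10:443
2026-03-14T02:16:41Z DENY 10.0.0.5 -> 203.0.113.10:8443
"""
BUSINESS_HOURS = (8, 18)                 # assumed 08:00-18:00; all timestamps already UTC
CLOCK_TOLERANCE = timedelta(seconds=60)  # assumed acceptable skew between evidence sources

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_timeline():
    """Merge both artifacts into one time-ordered list of events, each tagged with its source."""
    events = []
    for r in FLOW_RECORDS:
        events.append({"ts": parse_ts(r["ts"]), "source": "flow", "src": r["src"],
                       "dst": r["dst"], "dport": r["dport"], "note": f"{r['bytes']} bytes"})
    for line in FIREWALL_LOG.splitlines():
        ts, action, src, _, dst_port = line.split()   # constructed "<ts> <action> <src> -> <dst>:<port>" layout
        dst, port = dst_port.rsplit(":", 1)
        events.append({"ts": parse_ts(ts), "source": "firewall", "src": src,
                       "dst": dst, "dport": int(port), "note": action})
    return sorted(events, key=lambda e: e["ts"])

def off_hours_events(events):
    """Events outside business hours: the anomaly class this case is built around."""
    start, end = BUSINESS_HOURS
    return [e for e in events if not (start <= e["ts"].hour < end)]

def timestamp_conflicts(events):
    """Connection tuples seen by both sources whose timestamps differ by more than the tolerance."""
    by_key = {}
    for e in events:
        by_key.setdefault((e["src"], e["dst"], e["dport"]), {})[e["source"]] = e["ts"]
    conflicts = []
    for key, seen in by_key.items():
        if "flow" in seen and "firewall" in seen and abs(seen["flow"] - seen["firewall"]) > CLOCK_TOLERANCE:
            conflicts.append((key, abs(seen["flow"] - seen["firewall"])))
    return conflicts
```

A conflict such as the seven-minute gap on the 443 connection is exactly the kind of entry the Phase 3 "flag gaps and conflicting evidence" step records for follow-up rather than silently resolving.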

Working Hypotheses (To Be Tested)

H1: Outbound traffic patterns indicate potential unauthorized access or misuse.

Evidence needed: consistent indicators across multiple artifacts, reproducible filters/queries, and timeline coherence.

H2: Observed traffic could be explained by benign scheduled activity or normal system behavior.

Evidence needed: baseline comparison, corroborating logs, and elimination of expected services/updates.

Confidence will be assessed after cross-validation of artifacts and timeline consistency.

Case Documentation

A redacted report will be published after this academic case is completed and validated.

* This page represents in-progress simulated work; no professional case details are included.