CASE FILE 002

Endpoint Malware Detection

A planned simulated endpoint investigation designed to build a repeatable forensic workflow: artifact discovery, persistence hunting, and disciplined documentation. Details will be populated as work is completed.

Scenario Summary

This case file is a planned, academic simulation focused on endpoint artifact analysis and basic malware triage workflows. The objective is to practice repeatable procedures: evidence handling, artifact discovery, persistence checks, and clear documentation.

The scenario involves an endpoint exhibiting suspicious behavior (e.g., unusual startup entries, unexpected processes, or anomalous file activity). The investigation is designed to answer: what changed, what indicates compromise vs. benign behavior, and what evidence supports the conclusion.

Status: Planned. This page will be updated as the investigation is executed and validated, culminating in a redacted academic report.

Evidence Examined

Evidence types below reflect the intended dataset for this simulated case. Specific validated artifacts will be added after analysis is completed.

Disk Image / File System Artifacts

Used to examine file creation/modification patterns, suspicious binaries, and persistence-related files.

Registry / Startup Persistence

Used to identify common persistence mechanisms (Run keys, scheduled tasks, services) and correlate changes over time.
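The persistence triage described above, as an added example that is not part of the case file or its planned report: it enumerates the three persistence locations named (Run/RunOnce keys, scheduled tasks, services), resolves each launch command to the binary on disk, and records SHA-256, Authenticode status and file timestamps so every row can go straight into the evidence register. It assumes an elevated Windows PowerShell 5.1+ session on the suspect host or a lab VM; the output and baseline file names are illustrative, and the baseline comparison at the end is one way to test H2 (known-good validation) if an inventory from a clean reference build exists.

```powershell
# Added example for CASE-002, not the case file's own tooling. Assumes an elevated
# Windows PowerShell 5.1+ session on the suspect endpoint or lab VM. File names are
# illustrative assumptions.

function Resolve-LaunchBinary {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $exe = $null
    if ($cmd -match '^"([^"]+)"') {
        $exe = $Matches[1]
    } else {
        # Unquoted command lines may contain spaces ("C:\Program Files\x\y.exe -k"):
        # grow the prefix token by token until it names an existing file.
        $tokens = $cmd -split '\s+'
        for ($i = 1; $i -le $tokens.Count; $i++) {
            $candidate = $tokens[0..($i - 1)] -join ' '
            if (Test-Path -LiteralPath $candidate -PathType Leaf) { $exe = $candidate; break }
        }
    }
    # Bare image names without a path (e.g. "svchost.exe -k x") stay unresolved on purpose.
    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { return $null }
    $f = Get-Item -LiteralPath $exe
    [pscustomobject]@{
        Path     = $f.FullName
        Sha256   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Signed   = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
        Created  = $f.CreationTimeUtc
        Modified = $f.LastWriteTimeUtc
    }
}

function Get-RunKeyEntries {
    # HKCU only covers the user running this session; other users' NTUSER.DAT hives
    # must be loaded or parsed offline.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'  # provider noise
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $k).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            [pscustomobject]@{ Source = 'RunKey'; Location = $k; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-TaskEntries {
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions carry no Execute path
            [pscustomobject]@{ Source = 'ScheduledTask'; Location = "$($t.TaskPath)$($t.TaskName)"
                               Name = $t.TaskName; Command = ("$($a.Execute) $($a.Arguments)").Trim() }
        }
    }
}

function Get-ServiceEntries {
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        [pscustomobject]@{ Source = 'Service'; Location = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)"
                           Name = $s.Name; Command = [string]$s.PathName }
    }
}

function Get-PersistenceInventory {
    foreach ($e in @(Get-RunKeyEntries) + @(Get-TaskEntries) + @(Get-ServiceEntries)) {
        $bin = Resolve-LaunchBinary -Command $e.Command
        [pscustomobject]@{
            Source = $e.Source; Location = $e.Location; Name = $e.Name; Command = $e.Command
            Binary            = if ($bin) { $bin.Path } else { '<unresolved>' }
            Sha256            = if ($bin) { $bin.Sha256 } else { $null }
            Signed            = if ($bin) { $bin.Signed } else { $null }
            BinaryCreatedUtc  = if ($bin) { $bin.Created } else { $null }
            BinaryModifiedUtc = if ($bin) { $bin.Modified } else { $null }
        }
    }
}

# H2 check: anything not present (same location, name and hash) in a JSON export of this
# inventory taken from a clean reference build is what still needs explaining.
function Compare-PersistenceBaseline {
    param([object[]]$Current, [string]$BaselinePath)
    $known = @{}
    foreach ($b in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
        $known["$($b.Location)|$($b.Name)|$($b.Sha256)"] = $true
    }
    $Current | Where-Object { -not $known.ContainsKey("$($_.Location)|$($_.Name)|$($_.Sha256)") }
}

$inventory = Get-PersistenceInventory
$inventory | Export-Csv -NoTypeInformation -Path .\CASE-002_persistence_inventory.csv
$inventory | Where-Object { $_.Signed -ne 'Valid' } |
    Format-Table Source, Name, Binary, Signed, BinaryCreatedUtc -AutoSize
if (Test-Path .\baseline_inventory.json) {   # produced earlier with: $inventory | ConvertTo-Json -Depth 3
    Compare-PersistenceBaseline -Current $inventory -BaselinePath .\baseline_inventory.json |
        Format-Table Source, Location, Name, Binary -AutoSize
}
```

Two caveats worth recording in the notebook when this is used: the registry key last-write time, which is what lets a Run entry be placed on the timeline, is not exposed by Get-ItemProperty and has to come from Autoruns, a hive parser, or the image; and an unsigned or unresolved row is a lead, not a finding, until Phase 3 has corroborated it against event logs and file system timestamps.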

Event Logs / Execution Traces

Used to correlate process launches, installation events, and security-relevant activities.

Optional: Volatile Artifacts

If a memory image is available in the dataset, it can support process and network context validation.

Case Details

Case ID: CASE-002
Target Window: Spring 2026
Current Phase: Scoping & dataset selection
Status: Planned (Academic)
Investigator: Dontavious Ellis

Planned Tooling (Subject to Change)

Autopsy / similar — File system & artifact review
Sysinternals suite (where applicable) — Persistence triage
Windows event log tooling (TBD) — Correlation
YARA / basic hashing — Indicator checks (optional)

Tools are listed as targets for the workflow. Only tools actually used will be reflected in the final report.

Investigation Phases (Planned)

Phase 1 — Scope & Evidence Inventory

  • Define dataset scope (image type, logs, host context)
  • Establish “expected normal” vs. suspicious signals
  • Create an evidence register and working notebook

Phase 2 — Artifact Discovery

  • Identify suspicious files, directories, and execution traces
  • Triage obvious persistence indicators
  • Capture initial observations + alternative hypotheses

Phase 3 — Persistence & Behavior Validation

  • Validate persistence claims against multiple sources
  • Correlate event logs, registry, and file system changes
  • Identify what can be proven vs. what is speculative
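The Phase 3 cross-validation step, as an added example that is not part of the case file: given the timestamp of a suspect persistence artifact (say, the creation time of the binary a Run key or service points at), it pulls the event log records that should exist if the artifact was really installed and launched, namely 7045 in the System log (service installed), 4698 in Security (scheduled task created) and 4688 in Security (process creation), inside a window around that anchor, and reports each hit with its offset from the anchor. It runs against the live logs or against .evtx files exported from the image. The function and parameter names, the 60-minute window, the search string 'updater' and the sample timestamp are illustrative assumptions.

```powershell
# Added example for CASE-002, not the case file's own tooling. Parameter names and the
# sample values at the bottom are illustrative assumptions.

function ConvertTo-EventRecord {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Flatten <EventData><Data Name="...">...</Data> into a name -> value table so the
    # same code can read 7045, 4698 and 4688 despite their different field sets.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = [string]$d.'#text' }
    }
    [pscustomobject]@{ TimeUtc = $Event.TimeCreated.ToUniversalTime(); Id = $Event.Id; Data = $data }
}

function Join-Present {
    # Join only the parts that are actually populated (missing fields come back as $null or '').
    param([string[]]$Parts, [string]$Sep = ' ')
    ($Parts | Where-Object { $_ }) -join $Sep
}

function Get-PersistenceCorroboration {
    param(
        [Parameter(Mandatory)][datetime]$Anchor,   # e.g. creation time of the suspect binary
        [int]$WindowMinutes = 30,
        [string]$Needle,                            # service/task name or path fragment to match
        [string]$EvtxDirectory                      # offline: folder holding System.evtx / Security.evtx
    )
    $anchorUtc = $Anchor.ToUniversalTime()
    $start = $anchorUtc.AddMinutes(-$WindowMinutes)
    $end   = $anchorUtc.AddMinutes($WindowMinutes)
    # Which log, which ID, and what that ID proves if it is present.
    $probes = @(
        @{ Log = 'System';   Id = 7045; Means = 'service installed (SCM)' },
        @{ Log = 'Security'; Id = 4698; Means = 'scheduled task created' },
        @{ Log = 'Security'; Id = 4688; Means = 'process created' }
    )
    foreach ($p in $probes) {
        $filter = @{ Id = $p.Id; StartTime = $start; EndTime = $end }
        if ($EvtxDirectory) { $filter.Path = Join-Path $EvtxDirectory "$($p.Log).evtx" }
        else                { $filter.LogName = $p.Log }
        # 4688/4698 exist only if process-creation / object-access auditing was enabled, and
        # 4688 carries CommandLine only if that policy was on too; absence is a documented
        # limitation, not evidence. SilentlyContinue turns "no events found" into an empty set.
        foreach ($ev in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
            $r = ConvertTo-EventRecord -Event $ev
            $haystack = ($r.Data.Values -join ' ')   # 4698's TaskContent XML is included here
            if ($Needle -and ($haystack -notlike "*$Needle*")) { continue }
            [pscustomobject]@{
                TimeUtc   = $r.TimeUtc
                OffsetMin = [math]::Round(($r.TimeUtc - $anchorUtc).TotalMinutes, 1)
                Log       = $p.Log
                Id        = $p.Id
                Means     = $p.Means
                Actor     = if ($r.Data['SubjectUserName']) { $r.Data['SubjectUserName'] } else { $r.Data['AccountName'] }
                Object    = Join-Present -Parts @($r.Data['ServiceName'], $r.Data['TaskName'], $r.Data['NewProcessName'])
                Detail    = Join-Present -Parts @($r.Data['ImagePath'], $r.Data['CommandLine'], $r.Data['ParentProcessName']) -Sep ' | '
            }
        }
    }
}

# Usage (illustrative values): anchor on the suspect binary's creation time from the
# inventory step and look for the install/launch evidence that should surround it.
$hits = Get-PersistenceCorroboration -Anchor ([datetime]'2026-03-10T14:02:11Z') -WindowMinutes 60 -Needle 'updater'
$hits | Sort-Object TimeUtc | Format-Table TimeUtc, OffsetMin, Id, Means, Actor, Object, Detail -AutoSize
# Offline variant against logs exported from the image (path is an assumption):
# Get-PersistenceCorroboration -Anchor $t -EvtxDirectory 'E:\CASE-002\winevt\Logs' -Needle 'updater'
```

Reading the result is the Phase 3 judgement call: a 7045 or 4698 whose ImagePath or TaskContent names the suspect binary, a few minutes after that binary's creation time and under an unexpected account, is corroboration for H1; a clean window with no matching records is consistent with H2 only if the audit policy that would have produced those records was actually enabled, which should be checked and recorded rather than assumed.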

Phase 4 — Reporting (Redacted)

  • Summarize validated observations and limitations
  • Document methodology, tooling decisions, and repeatability
  • Provide next steps for containment/remediation (academic)

Working Hypotheses (To Be Tested)

H1: Observed artifacts indicate malicious persistence on the endpoint.

Evidence needed: corroboration across registry/startup locations, timestamps, execution traces, and event logs.

H2: Observed artifacts may be benign software behavior or administrative tooling.

Evidence needed: baseline comparisons, known-good validation, and elimination of expected application behavior.

Confidence will be assessed after cross-validation of artifacts and timeline consistency.

Case Documentation

Redacted report will be published after this academic case is executed and validated.

* This page represents planned simulated work; no professional case details are included.