M.Tech Cyber Security at NFSU, on an ISEA research fellowship. I work on digital forensics, memory & filesystem forensics, malware analysis, and Linux internals. I write here about what I’m investigating and building.

Smoke on the water plant: a 2/5 attacker and a city's chlorine levels
In March 2016, attackers rated 2 out of 5 in sophistication reached the chemical-dosing controls of a US water utility — through a SQL-injected payment portal, a password left in a plaintext config file, and a physical Ethernet cable that bypassed every logical safeguard standing between them. A case study in why the least-skilled attacker in the building is still dangerous once the architecture has already done the work for them.

82,847 log lines, one attack chain: a Sysmon intrusion reconstructed
A Windows endpoint compromised by a single malicious HTA — and the whole chain (mshta as a LOLBIN, a fileless PowerShell stager, a COMSPEC persistence trick that never touches the registry, and a self-replicating Python RAT beaconing to C2) reconstructed from an 82,847-line Sysmon export with nothing but jq.

Fully certified, completely vulnerable: three chinks in the compliance armour
Capital One, SolarWinds, and Schrems II were all fully certified when they were completely breached. Three case studies in the gap between passing an audit and actually being secure — and why that gap is structural, not accidental.

The same app, now a contact-wiper: an APK repackaging attack on Apple Silicon
Take a trusted Android app, inject a payload, and re-sign it so it still installs as legitimate — then do the whole thing on an M-series Mac instead of the prescribed Ubuntu VM, where four things break that no tutorial warns you about.

A court-admissible FAT32 investigation, byte by byte
A FAT32 USB image examined the way a court requires — no GUI shortcuts, every claim tied to raw bytes: recovering a deleted JPEG, and catching four files wearing the wrong extension.

The file we couldn't recover: an ext3 deleted-file investigation
A user created five files and deleted some. Recovering them from an ext3 image meant Trash artifacts, orphan inodes full of GNOME metadata — and proving why one file was gone for good.

Hello, and what this site is
A short note on what I’ll be writing about here.