82,847 log lines, one attack chain — a Sysmon intrusion reconstructed

82,847 log lines, one attack chain: a Sysmon intrusion reconstructed

A Windows endpoint compromised by a single malicious HTA — and the whole chain (mshta as a LOLBIN, a fileless PowerShell stager, a COMSPEC persistence trick that never touches the registry, and a self-replicating Python RAT beaconing to C2) reconstructed from an 82,847-line Sysmon export with nothing but jq.

June 23, 2026 · 9 min · Kartik Sankhla
A court-admissible FAT32 investigation, byte by byte

A court-admissible FAT32 investigation, byte by byte

A FAT32 USB image examined the way a court requires — no GUI shortcuts, every claim tied to raw bytes: recovering a deleted JPEG, and catching four files wearing the wrong extension.

May 30, 2026 · 5 min · Kartik Sankhla
The file we couldn't recover — an ext3 deleted-file investigation

The file we couldn't recover: an ext3 deleted-file investigation

A user created five files and deleted some. Recovering them from an ext3 image meant Trash artifacts, orphan inodes full of GNOME metadata — and proving why one file was gone for good.

May 30, 2026 · 6 min · Kartik Sankhla