Dead disks tell stories. Some read them for a living.

I’m a practitioner in incident response and digital forensics with a focus on ransomware recovery, threat hunting, and security engineering. My work sits at the intersection of hands-on IR, malware triage, and building tools that make investigations faster and more reliable. I publish here under the moniker deaddisk to keep the focus on methodology—not identity.

What you’ll find here

  • Deep-dives & field notes: Windows internals, event logs, Sysmon, DFIR timelines, acquisition pitfalls, and post-intrusion tradecraft.
  • Tooling & code: Practical utilities in Rust and PowerShell (with some Python/C when it helps), especially around log parsing, artifact extraction, and repeatable analysis.
  • Playbooks & SOPs: Reproducible procedures for triage, decryptor validation, case documentation, and defensible reporting.
  • Threat intel sketches: Concise breakdowns of TTPs, detection ideas, and countermeasures—biasing toward things you can actually implement.

Principles

  • Evidence first. Claims should be testable, artifacts preserved, and steps reproducible.
  • Operational realism. Prefer solutions that work on Tuesday at 3 a.m. during an outage over clever but fragile tricks.
  • Least drama, most signal. Clear language, minimal hype, and citations when they matter.
  • Respect for privacy. Client data is never shared. Any samples, paths, or screenshots are sanitized or intentionally synthetic.

Tech I reach for

  • Languages: Rust, PowerShell, Python.
  • Forensics: Velociraptor, Plaso/Timesketch, Sysmon, Windows Event Logs.
  • Focus areas: Ransomware response, log/telemetry pipelines, Windows & AD artifacts, purple-team style validation.

OpSec & anonymity

This page intentionally avoids personal identifiers (name, employer, location, dates). Case studies are generalized and de-identified. If you believe something here exposes sensitive information, please reach out so I can investigate and correct it.

Contact

If you’d like to collaborate, request a write-up, or suggest improvements to a tool, use the site’s contact method. PGP available on request.