0x01 · service brief
Cold-Case Reconstruction
A forensic rebuild of an incident 30 to 365 days after the fact, when first responders have demobilized and systems have been patched or restored. Designed for matters where the original timeline no longer holds up under regulatory or litigation scrutiny and the evidentiary record must be reconstituted from fragmented artifacts.
01what you get
- Recovery and analysis of memory snapshots, partial logs, cloud audit trails, and restored backups
- Reconstructed execution timeline with per-finding confidence intervals
- Hash-verified artifact register tying every conclusion to its source
- Written reconstruction report formatted for regulator and counsel review
- Gap analysis identifying what cannot be determined and why
02how to start
Reply with the artefact identifiers you have in hand (hashes, firmware version, advisory ID, or a description of the evidence bundle). We confirm authorisation and scope before any analysis begins. If a deadline is in play, name it — we scope depth against the deadline, not against an internal pipeline.
03scoping intake
Tell us when the original incident occurred, what artefacts survive (memory captures, log fragments, restored backups, prior IR notes), the regulatory or litigation pressure driving the rebuild, and the date the reconstructed record needs to land.