About This Workshop
Modern threat investigations require analysts to move beyond isolated artifact analysis and toward reconstructing causality across multiple evidence sources. While timeline construction provides temporal ordering, it often fails to explain how activities across memory, disk, and network are related. This workshop, a continuation of Chain of Infection Detection, introduces a practical methodology for correlating forensic artifacts across heterogeneous sources – specifically volatile memory, persistent storage, and network captures. Participants will build a lightweight Python-based pipeline that parses, normalizes, and links artifacts into unified event structures, enabling cross-domain correlation. The session will leverage and extend an open-source tool to demonstrate how investigators can build their own correlation engines and adapt them to evolving threats.
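As an added illustration of the parse-normalize-link pipeline described above (example code written for this page, not the workshop's own tool), the block below maps constructed memory, disk and network records onto one event schema and chains them by a shared process id within a time window; all field names, timestamps and the pid-on-disk-artifact attribution are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Event:
    ts: datetime           # timestamp normalized to UTC
    source: str            # "memory", "disk" or "network"
    pid: Optional[int]     # linking key shared across sources
    summary: str

def _utc(value):
    """Normalize ISO-8601 strings and epoch numbers to aware UTC datetimes."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

# Constructed sample artifacts (hypothetical values, for illustration only)
MEMORY_PROCS = [{"pid": 4120, "name": "updater.exe", "create_time": "2024-05-01T10:00:05Z"}]
DISK_EVENTS = [{"pid": 4120, "path": "C:\\Users\\Public\\updater.exe", "mtime": 1714557600}]
NET_FLOWS = [{"pid": 4120, "dst": "198.51.100.7:443", "start": 1714557612.0}]

def normalize(memory, disk, net):
    """Map each source's native fields onto the shared Event schema, time-ordered."""
    events = [Event(_utc(p["create_time"]), "memory", p["pid"], f"process {p['name']}") for p in memory]
    events += [Event(_utc(d["mtime"]), "disk", d["pid"], f"file {d['path']}") for d in disk]
    events += [Event(_utc(n["start"]), "network", n["pid"], f"flow to {n['dst']}") for n in net]
    return sorted(events, key=lambda e: e.ts)

def correlate(events, window_s=60):
    """Link events sharing a pid that fall within window_s of the chain's first event."""
    chains = {}
    for e in events:
        if e.pid is None:
            continue  # no linking key: cannot be placed in a chain
        chain = chains.setdefault(e.pid, [])
        if chain and (e.ts - chain[0].ts).total_seconds() > window_s:
            continue  # outside the window: treated as unrelated activity
        chain.append(e)
    return chains

if __name__ == "__main__":
    for pid, chain in correlate(normalize(MEMORY_PROCS, DISK_EVENTS, NET_FLOWS)).items():
        print(pid, " -> ".join(f"{e.source}:{e.summary}" for e in chain))
```

Replacing the constructed lists with parser output from real memory, filesystem and capture tools is the adaptation step the workshop describes; the schema and window logic stay the same.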