Where every investigation begins
"Did an attacker use a legitimate Windows tool to move from one computer to another?"

Without a question, evidence is just noise.

What would we expect to find?
Prefetch — activity log
Shimcache — execution history
MFT — file records
Netstat — live connections
Running processes — what is running now

What did we actually find?
Prefetch — activity log: found. Attacker's tool on source.
Shimcache — execution history: found. Attacker's tool on source.
MFT — file records: found. Service file on target.
Netstat — live connections: not found. No active connection (snapshot — may have closed).
Running processes — what is running now: found. Service running on target.

This evidence fits more than one explanation.


Attacker used legitimate tool
Attacker's tool on source: PSEXEC.EXE
Service file on target: PSEXESVC.EXE
Connection — not observed
Remote service created
Service file on target: PSEXESVC.EXE
Connection — not observed
Admin tool run locally
Service file on target: PSEXESVC.EXE
Connection — not observed
What if the attacker's tool wasn't found on the source?
Without this, all three explanations fit equally. Nothing distinguishes them.
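To make the consistency check above concrete, here is an added illustration that is not part of the Evidenx page: each observation is tagged with the explanations that predict it, absence in a permanent record counts against those explanations, absence in a live snapshot does not, and dropping the source-side artifact shows why nothing then separates the three theories. All names, and the assumption that only the two remote theories require a live connection, are mine.

```python
from dataclasses import dataclass

# The three explanations the page weighs for the PsExec scenario.
H_TOOL = "Attacker used legitimate tool"
H_SERVICE = "Remote service created"
H_LOCAL = "Admin tool run locally"
ALL = frozenset({H_TOOL, H_SERVICE, H_LOCAL})


@dataclass(frozen=True)
class Evidence:
    name: str
    permanent: bool          # permanent record (Prefetch/Shimcache/MFT) vs live snapshot
    found: bool
    predicted_by: frozenset  # hypotheses under which this artifact should exist

    def consistent(self) -> frozenset:
        """Hypotheses this single observation leaves standing."""
        if self.found:
            return self.predicted_by
        # Absence in a permanent record counts against the hypotheses that predicted
        # the artifact; absence in a snapshot is uninformative (it may have closed).
        return ALL - self.predicted_by if self.permanent else ALL

# Observations as listed on the page (constructed from its text). Assumption:
# only the two remote theories require a live network connection.
OBSERVED = [
    Evidence("PSEXEC.EXE on source (Prefetch)", True, True, frozenset({H_TOOL})),
    Evidence("PSEXEC.EXE on source (Shimcache)", True, True, frozenset({H_TOOL})),
    Evidence("PSEXESVC.EXE on target (MFT)", True, True, ALL),
    Evidence("PSEXESVC running on target (process list)", False, True, ALL),
    Evidence("Active connection to target (Netstat)", False, False,
             frozenset({H_TOOL, H_SERVICE})),
]

def surviving(evidence) -> frozenset:
    """Hypotheses consistent with every observation in the set."""
    out = ALL
    for e in evidence:
        out &= e.consistent()
    return out

def discriminating(evidence) -> list:
    """Observations that actually narrow the field of explanations."""
    return [e.name for e in evidence if e.consistent() != ALL]

def without(evidence, substring) -> list:
    """Counterfactual: drop every observation whose name contains substring."""
    return [e for e in evidence if substring not in e.name]
```

`surviving(OBSERVED)` leaves only the first explanation, while `surviving(without(OBSERVED, "on source"))` leaves all three; nothing here computes a confidence score, only which theories the evidence still permits.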
Build the case.
Maliciousness has not been established.


Permanent records
Attacker's tool found on source. Service file found on target. Three independent logs agree.
Strong — permanent record
Snapshot — absent
No active connection observed. This is a live snapshot. The connection may have already closed.
Weak — snapshot only
Alternative explanations
The service file fits other explanations too. Only the attacker's tool on the source is unique to this theory.
Limits confidence — alternatives exist
What would make us change our mind?
We have medium confidence. But every conclusion has a way to be wrong.

Which of these would most change what we believe?
We find the attacker's tool was a legitimate IT admin tool used routinely on this network.
We find a log showing the connection existed but closed 30 seconds before collection.
We find no evidence of the attacker's tool anywhere else in the environment.
Investigators call this counterfactual reasoning: identifying what evidence would overturn a conclusion. It is not a sign of weakness. It is how you know your conclusion is honest.
The reasoning never changes.
Question
Prediction
Evidence
Absence
What changes this?
Confidence
You didn't find an answer in the data. You built the best explanation the evidence could support. That is the only kind of understanding that exists.

The steps you just took have names.

The question you started with: Hypothesis
What you expected to find: Prediction
What you tested evidence against: Observation
What you built piece by piece: Claim
What would change your mind: Counterfactual
The evidence changed.
The reasoning didn't.
This is how understanding works. In every domain. Every time.
Evidenx
Knowledge Construction.™ Not Telemetry.
The Key to Understanding.™
Evidenx
Every investigation begins with a question.

Without a question, evidence is just noise.

Prediction
If this explanation were true...

What evidence should exist?

Activity log
Execution history
File records
Live connections
Running processes
Observation
What did we actually find?
Attacker's tool on source
Service file on target
Three independent logs agree
No active connection observed
Alternatives
Multiple explanations fit the evidence.

Attacker used tool

Unique source evidence distinguishes this explanation.

Remote service

Some evidence fits, but not all.

Local admin action

Some evidence is shared.

Confidence
Confidence is not calculated.

It is constructed from support, limits, alternatives and absence.

Counterfactual
What would make us change our mind?

Every honest conclusion has a way to be wrong.

Same structure
The reasoning never changes.
Question
Prediction
Evidence
Absence
What changes this?
Confidence
Realization
The evidence changed.
The reasoning didn't.

This is how understanding works. In every domain. Every time.



evidenx.net/experience