Cyber
Cyber Forensics
Trace intrusions, recover artifacts, and reconstruct timelines for incidents that span endpoints, networks, and the cloud.
Train. Defend. Investigate.
Digital forensicsdone end-to-end.From the silicon to the cloud.
MAF Labs investigates incidents most teams stop short of: VLSI tamper, IoT firmware, cyber intrusions across enterprise stacks. We also run a hands-on internship for the next generation of forensics engineers.
Court-ready evidenceMulti-surface coverageHands-on training
CASE-MAF-2026-0142.workbench
Recent extractions
- 14:02:11acquireemmc_dump.bin · 4.0 GiB · sha256 9f3c…b71e
- 14:09:44extractbootloader · stage1+stage2 · entropy 7.81
- 14:14:08difffirmware vs golden image · 23 deltas in /sysctrl
- 14:21:30reportchain-of-custody manifest · pdf · 12 pages
Operator: forensics-bench-3UTC 2026-04-25T14:24:00Z
Why teams choose MAF Labs
Court-ready evidence
Chain-of-custody first. Every extraction logged, hashed, and reproducible — for proceedings or post-incident audit.
Multi-surface coverage
From silicon to cloud. We pull artifacts off devices and out of stacks most teams treat as black boxes.
Hands-on training
An internship that puts students on real cases under mentor supervision — not slide decks.
By the numbers
- 5dAvg case turnaroundFrom engagement letter to first findings.
- 100%Chain-of-custody verifiedEvery artifact hashed, logged, reproducible.
- 3Forensics surfacesCyber, VLSI, and IoT under one roof.
- 1:1Mentor ratioInternship students paired with a senior engineer.
What we do
Three forensics surfaces. End-to-end coverage.
VLSI
VLSI Forensics
Hardware-level investigation across silicon, firmware, and side-channel surfaces — the layer most forensic teams stop short of.
IoT
IoT Forensics
Pull evidence off the devices most teams treat as black boxes — sensors, gateways, embedded controllers, and the protocols they speak.
Why MAF Labs
Forensics done the way it should be done.
Bit-perfect acquisition
Disk + memory + storage imaging with hash verification at every stage. No assumptions about what was there.
Full-stack reach
Cyber, VLSI, and IoT under one roof. We diff firmware as comfortably as we trace lateral movement.
Reports for two audiences
Executive summary your board can absorb. Technical appendix that holds up under cross-examination.
Confidential by default
Engagements run under NDA. Findings travel through encrypted channels. Manifests redacted on request.
Tamper-evident workflow
Every operator action audit-logged. Append-only chain-of-custody records survive even our own platform.
Trained on real cases
Internship cohorts work on real (anonymized) artifacts. Graduates ship with portfolio-grade deliverables.
How it works
From first message to court-ready report.
Tell us what you're investigating
Send the surface, the situation, and any constraints. One-business-day reply with a scoping outline — no slide deck.
We scope and acquire
Engagement letter, chain-of-custody plan, artifact acquisition. You see the manifest before any extraction touches your environment.
Findings + court-ready report
Written report with hashes, timeline, and a technical-and-executive summary. We stand by it in proceedings if it comes to that.
Cohort applications open
Real cases. Real mentors. From day one.
Eight weeks on real (anonymized) forensics cases — VLSI, IoT, cyber — paired 1:1 with a senior investigator. Portfolio-grade deliverables. Chain-of-custody from the first hash. No slide decks.