Cyber Incident Investigation & Forensics
This service investigates a cyber incident in depth and produces a detailed report on how it unfolded, based on evidence collected after the compromise.
Timing of investigation
The investigation must start as soon as possible after the compromise is discovered. Logs on network devices and hosts are typically retained for only a short period, and because a breach is usually discovered long after the initial intrusion, part of the evidence may already have been overwritten; no further time should be lost.
Handling Volatile Data
Critical evidence is often held only in volatile data such as RAM (running processes, open network connections, injected code) and is destroyed the moment a computer or server is restarted or powered off. Please refrain from using, restarting or powering off computers and other devices that may be affected, and do not run clean-up tools or antivirus scans on them. If a device must be contained, isolate it from the network rather than shutting it down.
Investigation Outcome
There is no guarantee that the investigation will produce results that meet specific expectations, since the outcome depends heavily on the timing and evidence-handling aspects stated above.
Ransomware Negotiation
Our engineers can attempt, upon the customer's request and at the customer's liability, to negotiate with extortion actors. This does not imply that this course of action is recommended or encouraged, and under no circumstances is there any guarantee that it will produce satisfactory results.
Key Service Stages:
1. Readiness Evaluation
This stage identifies every entity, mechanism and resource that may hold artefacts for the investigation. For example, the affected network and resources are enumerated for network devices that may log traffic, auditing and other security mechanisms, storage systems, hosts, volatile memory and so on.
2. Investigation Planning & Vulnerability Scanning
After mapping all resources that need further examination for evidence, engineers map the attack surface as well as the technical, procedural or human vulnerabilities that may have played a role in the compromise.
3. Data Collection
In this stage data is collected. This may include disk images, memory (RAM) dumps, firewall and other logs, and interviews with staff. Each item is recorded with its origin, collection time and a cryptographic hash so that it can later be shown to be unaltered.
4. Data Analysis
All data is analysed and artefacts from different resources are correlated, after normalising their timestamps to a common time zone, to produce a detailed timeline of the events that led to the compromise.
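The correlation step described in this stage, shown as an added Python example that is not part of this page's service description and not a tool used by the provider. The three log excerpts are constructed for the example, and the local time zone and year assumed for the syslog source are exactly the kind of facts an investigator must record at collection time, because a timeline built from unnormalised timestamps puts events in the wrong order:

```python
import re
from datetime import datetime, timedelta, timezone

# --- constructed sample evidence (not real customer data) --------------------
# Three sources, three timestamp conventions: explicit UTC offset, UTC with a
# trailing 'Z', and syslog local time with no year and no offset at all.
FIREWALL_LOG = """\
2024-03-04 02:14:07 +0200 fw01 ALLOW TCP 203.0.113.45:51234 -> 10.0.0.12:3389
2024-03-04 02:15:30 +0200 fw01 ALLOW TCP 10.0.0.12:49876 -> 198.51.100.7:443
"""
WINDOWS_EVENTS = """\
2024-03-04T00:14:09Z EventID=4624 Host=SRV-DC01 LogonType=10 User=svc_backup Src=203.0.113.45
2024-03-04T00:14:40Z EventID=4720 Host=SRV-DC01 NewAccount=helpdesk2
"""
LINUX_AUTH = """\
Mar  4 03:16:02 web01 sshd[2210]: Accepted password for root from 10.0.0.12 port 41022 ssh2
"""
# Assumed host settings, recorded during collection: syslog on web01 is written
# in local time (UTC+03:00) and carries no year.
LINUX_TZ = timezone(timedelta(hours=3))
LINUX_YEAR = 2024


def _event(ts, source, host, detail):
    """Every event is stored in UTC so that sources can be compared directly."""
    return {"ts": ts.astimezone(timezone.utc), "source": source, "host": host, "detail": detail}


def parse_firewall(text):
    """Firewall lines carry an explicit UTC offset, so %z does the conversion."""
    events = []
    for line in text.splitlines():
        date, clock, offset, host, detail = line.split(" ", 4)
        local = datetime.strptime(f"{date} {clock} {offset}", "%Y-%m-%d %H:%M:%S %z")
        events.append(_event(local, "firewall", host, detail))
    return events


def parse_windows(text):
    """Event-log export already in UTC (trailing 'Z')."""
    events = []
    for line in text.splitlines():
        stamp, detail = line.split(" ", 1)
        utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        host = re.search(r"Host=(\S+)", detail).group(1)
        events.append(_event(utc, "windows", host, detail))
    return events


SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")


def parse_linux_auth(text, year=LINUX_YEAR, tz=LINUX_TZ):
    """Classic syslog: the year and the time zone must be supplied from the host."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a syslog record
        mon, day, clock, host, detail = m.groups()
        local = datetime.strptime(f"{year} {mon} {int(day):02d} {clock}", "%Y %b %d %H:%M:%S")
        events.append(_event(local.replace(tzinfo=tz), "linux-auth", host, detail))
    return events


def build_timeline(*event_lists):
    """Merge all sources and order strictly by normalised UTC timestamp."""
    merged = [e for lst in event_lists for e in lst]
    return sorted(merged, key=lambda e: (e["ts"], e["source"]))


def render(timeline):
    """One line per event, suitable for pasting into the report's timeline."""
    return [
        f"{e['ts'].strftime('%Y-%m-%dT%H:%M:%SZ')} {e['source']:<10} {e['host']:<9} {e['detail']}"
        for e in timeline
    ]


def demo_timeline():
    return build_timeline(
        parse_firewall(FIREWALL_LOG),
        parse_windows(WINDOWS_EVENTS),
        parse_linux_auth(LINUX_AUTH),
    )


if __name__ == "__main__":
    print("\n".join(render(demo_timeline())))
```

Once normalised, the five records read as one story: an inbound RDP connection from an external address, a remote-interactive logon on the domain controller two seconds later, a new account created, an outbound HTTPS connection from the same server, and finally an SSH root login on a web host originating from that server. Read in their raw local times, the syslog entry would have appeared to happen an hour after everything else.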
5. Reporting
A report is produced that includes all evidence as well as the timeline of events, together with high-level recommendations on how to secure the infrastructure against similar threats in the future.