Cyber Incident Investigation & Forensics


This service investigates in depth, and produces a detailed report on, how a cyber incident unfolded, based on evidence collected after the compromise.

Timing of investigation

The investigation must begin as soon as possible after the compromise is discovered. Logs on network devices and hosts are usually retained for a limited time, and since breaches are typically discovered long after the initial intrusion, the relevant entries may already be close to rolling out of retention. No time should be wasted.

Handling Volatile Data

Critical evidence (running processes, open network connections, logged-on sessions, injected code and keys held only in memory) is stored in volatile storage such as RAM. This evidence is destroyed the moment a computer or server is restarted or powered off. Please refrain from using, restarting or powering off computers and other devices that may be affected. If an affected system must be contained before the investigators arrive, disconnect it from the network rather than shutting it down, so that the memory contents survive.

Investigation Outcome

There is no guarantee that the investigation will produce results that meet specific expectations, since the outcome depends heavily on the timing and evidence-handling aspects stated above.

Ransomware Negotiation

Our engineers can, at the customer's request and on the customer's own liability, attempt to negotiate with extortion actors. This does not imply that this course of action is recommended or encouraged, and under no circumstances is there any guarantee that it will produce satisfactory results.

Key Service Stages:

1. Readiness Evaluation

This stage identifies every entity, mechanism and resource that may hold artefacts for the investigation. For example, the affected network and resources are enumerated for network devices that may log traffic, auditing and other security mechanisms, storage, hosts, volatile memory, etc. The retention period of each log source is recorded at this point, so that sources about to expire are collected first.

2. Investigation Planning & Vulnerability Scanning

After mapping all resources that need further examination for evidence, engineers map the attack surface and the technical, procedural or human vulnerabilities that may have played a role in the compromise.

3. Data Collection

In this stage the evidence is collected. This may include disk images, memory (RAM) dumps, firewall logs and even interviews with staff. Collection follows the order of volatility: memory and live system state are captured first, then disks and logs. Each item is hashed on acquisition and its chain of custody is documented.

4. Data Analysis

All collected data is analysed, and artefacts from different sources are correlated to produce a detailed timeline of the events that led to the compromise. Because sources rarely share a clock or a time zone, timestamps are normalised to a single reference (typically UTC) and known clock skew is corrected before events from different systems are placed in sequence.

5. Reporting

A report is produced that includes all evidence and a timeline of events, together with high-level recommendations on how to secure the infrastructure against similar threats in the future.
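As an added example for the data-analysis stage (this is not the service's own tooling), the script below merges log lines from three different sources into one UTC timeline and lets the examiner pivot on an indicator across all of them. Every log line, host name, address and clock offset is constructed for illustration. It assumes the examiner has already established each source's time zone and clock skew; without that step the workstation logon would sort before the firewall allowed the connection, which is impossible.

```python
"""Build a single UTC timeline from logs of different sources and formats.

Added example for the Data Analysis stage; not the service's own tooling.
Every log line, host name, address and clock offset below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import re

# --- Constructed sample inputs (not real logs) ----------------------------
# Edge firewall: ISO-8601 stamps in UTC, clock disciplined by NTP.
FIREWALL_LOG = """\
2024-03-04T02:14:07Z src=203.0.113.5 dst=10.0.0.12 dport=3389 action=allow
2024-03-04T02:31:55Z src=10.0.0.12 dst=198.51.100.7 dport=443 action=allow
"""
# Windows Security export from WS-FILE01 (10.0.0.12): stamps in local time
# (assumed UTC+2) and the workstation clock was found to run 90 s behind.
WINDOWS_LOG = """\
2024-03-04 04:14:00,4624,WS-FILE01,LogonType=10 User=admin Source=203.0.113.5
2024-03-04 04:27:12,4688,WS-FILE01,NewProcess=C:\\Windows\\Temp\\svc.exe
"""
# Linux auth.log from srv-db: syslog stamps carry neither year nor zone.
LINUX_AUTH_LOG = """\
Mar  4 04:21:03 srv-db sshd[2211]: Accepted password for root from 10.0.0.12 port 50122 ssh2
"""


@dataclass(frozen=True)
class SourceProfile:
    """What the examiner established about one log source's clock."""
    tz: timezone                  # zone the source writes its stamps in
    skew: timedelta               # source clock minus true time (negative = behind)
    year: Optional[int] = None    # supplied for syslog lines that omit the year


@dataclass(frozen=True)
class Event:
    ts_utc: datetime
    source: str
    host: str
    detail: str


def to_utc(naive: datetime, profile: SourceProfile) -> datetime:
    """Attach the source zone, remove its clock skew, express the result in UTC."""
    return (naive.replace(tzinfo=profile.tz) - profile.skew).astimezone(timezone.utc)


FW_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (.*)$")
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_firewall(text: str, profile: SourceProfile) -> List[Event]:
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        naive = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        out.append(Event(to_utc(naive, profile), "firewall", "fw-edge", m.group(2)))
    return out


def parse_windows_csv(text: str, profile: SourceProfile) -> List[Event]:
    out = []
    for line in text.splitlines():
        parts = line.split(",", 3)
        if len(parts) != 4:
            continue
        stamp, event_id, host, detail = parts
        naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        out.append(Event(to_utc(naive, profile), "windows-security", host,
                         f"EventID={event_id} {detail}"))
    return out


def parse_syslog(text: str, profile: SourceProfile) -> List[Event]:
    if profile.year is None:
        raise ValueError("syslog stamps omit the year; the profile must supply it")
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        naive = datetime.strptime(f"{profile.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        out.append(Event(to_utc(naive, profile), "auth.log", m.group(2), m.group(3)))
    return out


def build_timeline() -> List[Event]:
    """Parse every source with its own profile and sort by corrected UTC time."""
    utc = timezone.utc
    site_tz = timezone(timedelta(hours=2))  # assumed local zone of the site
    events = (
        parse_firewall(FIREWALL_LOG, SourceProfile(utc, timedelta(0)))
        + parse_windows_csv(WINDOWS_LOG, SourceProfile(site_tz, timedelta(seconds=-90)))
        + parse_syslog(LINUX_AUTH_LOG, SourceProfile(site_tz, timedelta(0), year=2024))
    )
    return sorted(events, key=lambda e: e.ts_utc)


def pivot(timeline: List[Event], indicator: str) -> List[Event]:
    """Every event, from any source, whose detail mentions the indicator."""
    return [e for e in timeline if indicator in e.detail]


def render(timeline: List[Event]) -> str:
    return "\n".join(f"{e.ts_utc:%Y-%m-%dT%H:%M:%SZ} [{e.source}] {e.host}: {e.detail}"
                     for e in timeline)


if __name__ == "__main__":
    tl = build_timeline()
    print(render(tl))
    print("--- pivot on 203.0.113.5 ---")
    print(render(pivot(tl, "203.0.113.5")))
```

The corrected sequence reads: external address allowed to RDP on the workstation, interactive logon on the workstation 83 seconds later, SSH from the workstation to the database server as root, a suspicious process launched on the workstation, then an outbound HTTPS connection from the workstation. Uncorrected, the Windows logon at 04:14:00 local would have sorted seven seconds before the firewall event, which is why establishing each clock's offset is part of the analysis, not an afterthought.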