Forensic Incident Response
Preservation of digital evidence after a cyber attack. Evidence collection for law enforcement reports, insurance claims and post-incident analysis with chain of custody.
At a glance
Have you suffered a cyber attack and need to file a report with law enforcement? We collect and preserve the traces of the attack using forensic methodology, before they are lost, so they can be used as evidence.
Want to know more?
After a cyber attack, the first instinct is to restore systems as quickly as possible. But if the traces of the attack are not preserved before the restoration, the evidence is lost forever. Our forensic incident response intervention focuses on collecting and preserving evidence with chain of custody, so it can be used for reports to law enforcement, insurance claims and internal root cause analysis.
Why choose this service
Evidence disappears quickly
Logs that rotate, RAM that clears, systems that get restored: every hour that passes after an attack is an hour of lost evidence. Timely intervention is decisive.
A report with substance
A generic report gets filed away. A report with logs, hashes, timeline and indicators of compromise gives law enforcement concrete elements to work with.
Insurance and compliance
Cyber insurance policies and GDPR require technical documentation of the incident. Our case file satisfies both requirements.
Why forensics comes before recovery
After a cyber attack - ransomware, intrusion, data exfiltration - the natural reaction is to get everything back up and running as quickly as possible. But there is a problem: restoring systems means destroying the evidence.
Logs get overwritten. RAM clears. The attacker’s files are wiped by the restoration. If you do not collect the evidence first, it is lost forever.
Our intervention sits between the incident and the recovery: we preserve everything needed to understand what happened, who did it and how. Then your IT team can proceed with recovery.
What we do
Containment
We isolate the compromised systems to stop the attack from spreading, without shutting down machines and without losing volatile evidence.
RAM acquisition
We capture the volatile memory of compromised systems: active processes, network connections, credentials in use, malware resident in memory.
Disk imaging
Forensic copy of the disks from the involved systems. The original remains intact for any subsequent verification.
Log collection
Firewall, proxy, Active Directory, email server, VPN, application logs. We preserve them before automatic rotation deletes them.
Analysis and timeline
We reconstruct the sequence of the attack: entry point, lateral movement, persistence, exfiltration. A clear timeline of events.
Documentation
We produce the complete case file: evidence, hashes, chain of custody, timeline, indicators of compromise. Ready for law enforcement reports, insurance claims and compliance.
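The hashes and chain of custody mentioned above are what let a third party check later that the evidence was not altered. As an added illustration (example code, not the firm's own tooling), the block below hashes an item at acquisition, re-hashes it at every hand-over and refuses a transfer whose hash no longer matches; the evidence bytes, item identifiers and examiner names are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Constructed sample "evidence": in practice this is a memory dump, disk image
# or log export read from disk; here it is an inline byte string.
SAMPLE_EVIDENCE = b"constructed sample: firewall log export, 2024-01-01\n" * 4


def sha256_hex(data: bytes, chunk: int = 1 << 20) -> str:
    """Hash in fixed-size chunks so multi-GB images need not fit in memory."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    source_host: str
    acquired_by: str
    sha256: str
    acquired_at: str
    custody_log: list = field(default_factory=list)


def acquire(item_id, description, source_host, examiner, data: bytes, now=None) -> EvidenceItem:
    """Record the item and its hash at acquisition; the first custody entry is the acquisition."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    item = EvidenceItem(item_id, description, source_host, examiner, sha256_hex(data), ts)
    item.custody_log.append({"time": ts, "actor": examiner, "action": "acquired", "sha256": item.sha256})
    return item


def transfer(item: EvidenceItem, from_actor, to_actor, data: bytes, now=None) -> bool:
    """Every hand-over re-hashes the item; a mismatch is logged and the transfer refused."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    current = sha256_hex(data)
    ok = current == item.sha256
    item.custody_log.append({"time": ts, "from": from_actor, "to": to_actor,
                             "action": "transfer" if ok else "INTEGRITY FAILURE",
                             "sha256": current})
    return ok


def manifest_json(item: EvidenceItem) -> str:
    """Serialise the item and its custody log for inclusion in the case file."""
    return json.dumps(asdict(item), indent=2, sort_keys=True)
```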
What the evidence is used for
Law enforcement report: A report accompanied by logs, indicators of compromise and a timeline gives law enforcement concrete elements to investigate. A generic report (“we were hacked”) ends up in a drawer.
Insurance claim: Cyber insurance policies require technical documentation of the incident to process the claim: what happened, when, what damage was caused, what measures were in place.
GDPR data breach notification: Articles 33 and 34 of the GDPR require data breaches to be notified to the supervisory authority within 72 hours and, in certain cases, to the data subjects. The notification must include the nature of the breach, the data involved and the measures adopted. Our case file contains everything required.
Internal analysis: Understanding how the attack occurred is essential to prevent it from happening again. Our analysis identifies the entry vector and the exploited vulnerabilities.
Types of incidents
- Ransomware: encrypted systems, ransom demand, potential pre-emptive data exfiltration
- Business Email Compromise (BEC): unauthorised access to email accounts, fraudulent emails sent to clients/suppliers
- Data exfiltration: unauthorised copying of sensitive data to external destinations
- Server intrusion: unauthorised access to exposed systems, installation of backdoors
- Insider threat: attack from within, an employee who sabotages or steals data
Timelines
Forensic intervention is urgent by nature. Every hour that passes reduces the available evidence.
- Initial contact: we respond within a few hours, including outside business hours
- Volatile evidence acquisition (RAM, logs): within the first 24 hours
- Disk imaging: within 48-72 hours of the incident
- Preliminary case file: within 5 business days
- Complete report: within 15 business days
Other services: Legal & Digital Forensics
Discover our other legal & digital forensics services.
Digital Forensics & Forensic Acquisition
Preservation of digital evidence with chain of custody, certified timestamp and evidentiary value. Expert witness reports for civil and criminal litigation.
Forensic Web & Social Media Acquisition
Preservation of web pages, videos, posts and social media content with chain of custody and certified timestamp enforceable against third parties. Digital evidence that holds up in court.
Forensic Device Acquisition
Bit-for-bit forensic copy of computers, smartphones, hard drives and digital media with full chain of custody. Digital evidence admissible in court.
Expert Witness (CTP): Party-Appointed Technical Consultant
IT expert witness for civil and criminal cases. Technical opinions, analysis of opposing party's acquisitions and courtroom assistance.
Corporate Digital Investigations
Internal investigations into disloyal employees, data leaks and misuse of company resources. Forensic evidence collection for disciplinary or legal action.
Ready to get started?
Contact us for a free consultation. We will help you find the best solution for your business.