Digital forensics is the collection, preservation, analysis and presentation of digital evidence in a form that can be used in legal proceedings. It is a critical part of any incident investigation and can help you determine the source of the attack, the extent of the damage, and the steps you need to take to prevent similar incidents in the future.

When you hire Endorsec to perform digital forensics, we follow a predefined procedure:

  1. Evidence acquisition: This involves the creation of a forensic image (imaging) of the evidence. This should be done to avoid tampering with the original evidence.
  2. Verification: Verify the authenticity of the collected evidence. Create file hashes and ensure that the collected evidence is a 1:1 copy of the original evidence.
  3. Evidence preservation: Ensure that the collected evidence is stored securely and in a tamper-proof manner. Ensure that only authorized personnel can access the evidence and that it cannot be altered.
  4. Analysis: This is the actual investigation step. Find and extract the relevant artifacts from the evidence. Find the needle in the haystack: how did the infection occur, which system served as a beachhead for the attackers, where is Patient Zero, and how might the attackers have moved around your environment? Try to find answers to the who, when, what, where, and why of an attack.
  5. Validation: Validate and replicate the analysis. Have it peer reviewed, and also make sure that the analysis performed is sound and reasonable. Make sure all artifacts are covered so that the analysis is repeatable and does not raise questions.
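
The verification and preservation steps above can be illustrated with a short script. This is an added example, not Endorsec's tooling: the function names, the choice of SHA-256, and the sample files are assumptions, and the "disk" is constructed test data.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large images never sit in memory

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def first_difference(path_a, path_b):
    """Byte offset where two files first differ, or None if identical."""
    offset = 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            x, y = a.read(CHUNK), b.read(CHUNK)
            if x != y:
                n = min(len(x), len(y))  # if no byte differs, one file is shorter
                return offset + next((i for i in range(n) if x[i] != y[i]), n)
            if not x:
                return None
            offset += len(x)

def verify_image(source, image):
    """Step 2: record both hashes and confirm the image is a 1:1 copy."""
    src_hash, img_hash = sha256_file(source), sha256_file(image)
    return {"source_sha256": src_hash, "image_sha256": img_hash,
            "image_size": Path(image).stat().st_size, "match": src_hash == img_hash}

def still_intact(image, record):
    """Step 3: later re-check of the stored image against the recorded hash."""
    return sha256_file(image) == record["image_sha256"]

def demo():
    """Constructed sample: a 3 MiB 'disk', a good copy, then one flipped byte."""
    with tempfile.TemporaryDirectory() as d:
        src, img = Path(d, "source.bin"), Path(d, "image.dd")
        data = bytes(range(256)) * (3 * CHUNK // 256)
        src.write_bytes(data)
        img.write_bytes(data)
        good = verify_image(src, img)       # taken right after acquisition
        altered = bytearray(data)
        altered[CHUNK + 5] ^= 0xFF          # simulate alteration while in storage
        img.write_bytes(altered)
        return good, still_intact(img, good), first_difference(src, img)
```

The record returned by `verify_image` is what would be stored alongside the evidence, so any later re-check compares against the hash taken at acquisition time rather than against the image itself.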

Digital forensics is a complex process and requires dedicated specialists to ensure that no data is altered and no valuable evidence is lost during a recovery process. Endorsec can provide you with exactly these specialists and has the necessary knowledge to support and solve your investigation.