Forensic Analysis Services

In today's environment, information security forensic analysis frequently needs to cover complex networked environments, where the investigation must encompass an entire operating environment, including a multitude of servers (e.g. file, print, communications and e-mail), as well as remote access facilities.

  • Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence through forensic analysis should be collected, retained, and presented in support of potential legal action in accordance with the rules for evidence in the relevant jurisdiction(s). 

  • Where identified by prior assessment as required for evidential purposes, de facto in the context of a significant information security incident, information security forensic analysis should also be conducted. 

Our Forensic Analysis Services involve the use of IT-based investigative techniques and tools, supported by documented procedures, to review the designated information security incident(s) in more detail. Our IT-based information security forensic analysis tools comply with standards such that their accuracy cannot be legally challenged, and are always kept up to date in line with technology changes.

  • Activity to ensure that the target system, service and/or network is protected during the information security forensic analysis from being rendered unavailable, altered or otherwise compromised, including by malicious code (including viruses) introduction, and that there are no or minimal effects on normal operations.
  • Activity to prioritize the acquisition and collection of evidence i.e. proceeding from the most volatile to the least volatile (this depends in large measure on the nature of the information security incident).
  • Activity to identify all relevant files on the subject system, service and/or network, including normal files, password or otherwise protected files, and encrypted files.
  • Activity to recover as much as possible of discovered deleted files, and other data.
  • Activity to uncover IP addresses, host names, network routes and web site information.
  • Activity to extract the contents of hidden, temporary and swap files used by both application and operating system software.
  • Activity to access the contents of protected or encrypted files (unless prevented by law).
  • Activity to analyze all possibly relevant data found in special (and typically inaccessible) disc storage areas.
  • Activity to analyze file access, modification and creation times.
  • Activity to analyze system/service/network and application logs.
  • Activity to determine the activity of users and/or applications on a system/service/network.
  • Activity to analyze e-mails for source information and content.
  • Activity to perform file integrity checks to detect Trojan horse files and files not originally on the system.
  • Activity to ensure that extracted potential evidence is handled and stored in such a way that it cannot be damaged or rendered unusable, and that sensitive material cannot be seen by those not authorized. It is emphasized that evidence gathering should always be in accordance with the rules of the court or hearing in which the evidence may be presented.
  • Activity to conclude on the reasons for the information security incident, the actions required and in what timeframe, with evidence including lists of relevant files included in an attachment to the main report.
  • Activity to provide expert support to any disciplinary or legal action as required.