Digital Forensics
IT security incident in your company? We collect court-admissible, audit-proof evidence on your behalf.
Court-admissible, audit-proof preservation of evidence in the form of a forensic expert report.
- Assistance with the recovery, analysis and preservation of data, and with preparing it as digital evidence for use in court
- Preservation of all files required as evidence, e.g. for further digital forensic measures
- Recovery of deleted or hidden data from digital devices by means of file carving, provided the data still physically exists on the medium (carving cannot bring back overwritten clusters)
- Collection of evidence on the basis of Locard's exchange principle (every contact leaves a trace) to identify a suspect and a motive
- Preservation of files in compliance with the chain of custody, so that the integrity of the digital evidence can be demonstrated at every step
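The file carving mentioned above, shown as an added example (this is illustrative code, not the firm's tooling): a scan over raw bytes, such as unallocated space, for known header/footer signatures, with a constructed blob containing an intact JPEG, an intact PNG and a JPEG whose tail has been overwritten. The file types, the size limit and the sample data are assumptions for the example.

```python
"""Signature-based file carving over raw bytes such as unallocated space.

Added example, not the firm's own tooling. Carving works only while the
clusters still hold the old data: a header without a footer marks a file
whose remainder has already been reused by the file system.
"""
import zlib

# Header and footer signatures (magic bytes) of the file types we carve.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(blob: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, type, data, truncated) for every file found.

    The scan jumps past each carved file, so bytes inside a recovered
    file are not carved a second time. A header with no footer within
    max_size is reported as truncated (data cut at max_size).
    """
    results = []
    pos = 0
    while pos < len(blob):
        # Nearest header of any supported type at or after pos.
        best = None
        for ftype, (header, _) in SIGNATURES.items():
            idx = blob.find(header, pos)
            if idx != -1 and (best is None or idx < best[0]):
                best = (idx, ftype)
        if best is None:
            break
        start, ftype = best
        header, footer = SIGNATURES[ftype]
        end = blob.find(footer, start + len(header), start + max_size)
        if end == -1:
            results.append((start, ftype, blob[start:start + max_size], True))
            pos = start + len(header)
        else:
            end += len(footer)
            results.append((start, ftype, blob[start:end], False))
            pos = end
    return results


def _png_chunk(tag: bytes, payload: bytes) -> bytes:
    # PNG chunk layout: length, tag, payload, CRC32 over tag + payload.
    return (len(payload).to_bytes(4, "big") + tag + payload
            + zlib.crc32(tag + payload).to_bytes(4, "big"))


def make_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG (valid per the PNG specification)."""
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + bytes([8, 2, 0, 0, 0])
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one red pixel
    return (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def make_sample_jpeg() -> bytes:
    """Constructed JPEG stand-in: SOI + APP0 header, payload, EOI marker."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(32)) + b"\xff\xd9"


def make_sample_blob() -> bytes:
    """Constructed 'unallocated space': two intact files, one overwritten."""
    return (b"\x00" * 64 + make_sample_jpeg() + b"\xaa" * 17 + make_sample_png()
            + b"\x00" * 32 + b"\xff\xd8\xff\x01\x02")


if __name__ == "__main__":
    for offset, ftype, data, truncated in carve(make_sample_blob()):
        state = "truncated" if truncated else "intact"
        print(f"offset {offset:6d}  {ftype}  {len(data):5d} bytes  {state}")
```

Footer-based carving is the simplest form; production tools also validate the internal structure (JPEG segment lengths, PNG chunk CRCs) to reject false positives and to reassemble fragmented files, which this example does not attempt.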
Procedure
1. The first stage is the identification of the investigation objectives and the required resources. We identify the evidence and the type of data involved, including the devices on which it is stored. As digital forensics specialists, we work with all types of electronic storage devices: hard drives, cell phones, PCs, tablets, etc.
2. At this stage we ensure that the data is isolated and properly stored. This is done according to the Never Touch Original principle: the original media are preserved and all analysis is performed on forensic images. The secured original devices remain untouched until the end of the investigation.
3. The analysis phase is a thorough, systematic search for relevant evidence. We examine both system and user files and data objects. Based on the evidence found, we then begin to draw conclusions.
4. In this phase, all relevant evidence found is documented. A Why-Because analysis is provided, which gives the authorities new impetus for their investigation.
5. At the final stage, all evidence and conclusions are reported in accordance with forensic protocols, which include the methods and procedures of analysis and their explanations.
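The integrity side of steps 2 and 5 (Never Touch Original, work on images, chain of custody), as an added example that is not the firm's own procedure: the source is hashed before and after imaging, the image hash must match both, every handover re-verifies the hash, and any change to a working copy is detected. The file names, case identifier and examiner names are assumptions; the "device" is a constructed file. A hardware write blocker on the real device is still required, since a hash only proves that nothing changed, it does not prevent writes.

```python
"""Forensic acquisition with hash verification and a chain-of-custody record.

Added example, not the firm's own tooling. Demonstrates: hash source before
and after imaging, verify the image against both, log every transfer with a
fresh verification, and detect any modification of a working copy.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB chunks so multi-GB images do not load into RAM


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image: str, examiner: str, case_id: str) -> dict:
    """Image the source byte for byte and return a custody record."""
    before = sha256_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    after = sha256_file(source)      # the original must read back unchanged
    image_hash = sha256_file(image)  # and the image must equal the original
    if not (before == after == image_hash):
        raise RuntimeError("acquisition hash mismatch: evidence not verified")
    return {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "sha256": image_hash,
        "custody": [],
    }


def verify(path: str, record: dict) -> bool:
    """True if the file still matches the hash taken at acquisition."""
    return sha256_file(path) == record["sha256"]


def handover(record: dict, image: str, from_person: str, to_person: str) -> dict:
    """Append a custody entry; the hash is re-verified at every transfer."""
    entry = {"from": from_person, "to": to_person,
             "at": datetime.now(timezone.utc).isoformat(),
             "verified": verify(image, record)}
    record["custody"].append(entry)
    return entry


def demo() -> dict:
    """Run the whole flow on a constructed 'device' in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "device.bin")  # constructed stand-in for seized media
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 4096)
        image = os.path.join(tmp, "CASE-0001.raw")
        record = acquire(source, image, "examiner-1", "CASE-0001")
        os.chmod(image, 0o444)  # master image is read-only; analysis uses copies
        transfer = handover(record, image, "examiner-1", "examiner-2")
        working = os.path.join(tmp, "working-copy.raw")
        shutil.copyfile(image, working)
        ok_before = verify(working, record)
        with open(working, "r+b") as f:  # simulate an accidental write on the copy
            f.seek(100)
            f.write(b"\x00")
        ok_after = verify(working, record)
        os.chmod(image, 0o644)  # allow temp-dir cleanup
        return {"image_verified": verify(image, record),
                "transfer_verified": transfer["verified"],
                "working_ok_before": ok_before,
                "working_ok_after_edit": ok_after,
                "sha256": record["sha256"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The record is what ends up in the report: who acquired what, when, under which hash, and every transfer since. Re-hashing at each handover is what makes the chain of custody checkable rather than merely asserted.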
Versatile use: whether to clarify the question of liability in court, toward your business partners, or to present to your insurer.
We use the following techniques, among others:
Timeline Analysis:
– Listing of system events by time to facilitate identification of activities
Keyword search:
– Using text extraction and index search modules, we find files that contain specific terms or match regular expression (regex) patterns
Web artifacts:
– We extract web activity from common browsers to identify user activity
Registry analysis:
– Windows Registry hives reveal recently accessed documents and connected USB devices, among other artifacts
LNK file analysis:
– Windows shortcut (.lnk) files identify which documents were opened and from where
Email Analysis:
– Analysis of messages identified on the system
EXIF data:
– Extraction of location (GPS) and camera information embedded in JPEG files
File system analysis:
– Support for common file systems, including NTFS, FAT12/FAT16/FAT32/exFAT, HFS+, ISO 9660 (CD-ROM), ext2/ext3/ext4 and YAFFS2
Unicode String Extraction:
– Extraction of strings from unallocated space and from unknown file types in all common languages
File type detection:
– Based on file signatures (magic bytes), we index the system and detect extension mismatches, a common trick used by malware to disguise executables as harmless files
Android and iOS system analysis:
– Extraction of SMS, call logs, contacts, data from messaging apps such as Tango, and more
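The Unicode string extraction and keyword search items above, combined into one added example (not the firm's tooling): printable ASCII and UTF-16LE runs are pulled out of a constructed chunk of "unallocated space", then matched against regex patterns for URLs, e-mail addresses and a few Windows API names of the kind looked for during basic malware triage. The minimum length, the patterns and the sample bytes are assumptions for the example.

```python
"""Extract ASCII and UTF-16LE strings from raw bytes and keyword-search them.

Added example, not the firm's own tooling. UTF-16LE matters because Windows
stores paths, registry values and many artifacts that way; a plain ASCII
strings pass misses them entirely.
"""
import re

MIN_LEN = 6  # shorter runs are mostly noise (assumption for this example)
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Keyword patterns a practitioner might start with (assumed for the example).
KEYWORDS = {
    "url": re.compile(r'https?://[^\s"\'<>]+', re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "win_api": re.compile(
        r"\b(?:CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|WinExec)\b"),
}


def extract_strings(data: bytes) -> list:
    """Return (offset, encoding, text) tuples sorted by offset."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def keyword_search(data: bytes, patterns: dict = KEYWORDS) -> list:
    """Run every pattern over every extracted string; return hits with offsets."""
    hits = []
    for offset, enc, text in extract_strings(data):
        for label, pat in patterns.items():
            for m in pat.finditer(text):
                hits.append({"offset": offset, "encoding": enc,
                             "label": label, "match": m.group()})
    return hits


def make_sample_blob() -> bytes:
    """Constructed stand-in for a chunk of unallocated space."""
    return (b"\x00" * 40
            + b"Contact finance@example.com for the invoice\x00"
            + bytes(range(0x80, 0xc0))                      # binary noise
            + "C:\\Users\\alice\\Downloads\\invoice.docm".encode("utf-16-le")
            + b"\x00\x00" + b"\xff" * 20
            + "http://example.com/update.php".encode("utf-16-le") + b"\x00\x00"
            + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00"
            + b"CreateRemoteThread\x00" + b"\x00" * 16)


if __name__ == "__main__":
    blob = make_sample_blob()
    for offset, enc, text in extract_strings(blob):
        print(f"{offset:6d} {enc:8s} {text}")
    print("--- keyword hits ---")
    for h in keyword_search(blob):
        print(f"{h['offset']:6d} {h['label']:7s} {h['match']}")
```

Real indexers add UTF-8 and UTF-16BE passes and other code pages; the offsets are kept because they are what links a hit back to a cluster, a file or a carved object in the report.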
Concrete use cases
Basic analysis
By interpreting strings, examining Windows API calls, identifying packed malware and detecting host-based signatures, we get an initial overview. We then detonate the malware in a controlled environment to collect network signatures and to identify malicious domains and second-stage payloads.
Analysis of malware in x86 assembly language
Advanced analysis takes place at the x86 assembly level. Here we use tools such as Cutter and x32dbg to gain insight into the malware at the lowest possible level. By controlling the malware's execution flow in a debugger and stepping through its low-level instructions, we obtain the full range of options for advanced analysis.
Documents
Malicious documents and document-delivered malware are also analyzed by our experts, including malicious macros and remote template injection.
Embedded shellcode can be identified and extracted, as can scripted or obfuscated malware delivery techniques.
Other fields of activity:
- Decompiling and reverse engineering C# and other .NET assemblies, and analyzing malware written in Go.
- Reverse engineering of encrypted malware C2 droppers
- Reverse engineer malicious Android and iOS apps
- Writing YARA rules to support malware sample detection.
Book your appointment
Your contact persons
You can always reach us personally. Because loyalty based on partnership is far more important to us than short-term success.
Philipp Kalweit
Managing Partner
+49 40 285 301 257
Philipp Kalweit is an experienced IT security consultant on the topics of security awareness and offensive IT auditing. As Director Strategy & Consulting, he is responsible for corporate strategy as well as the advisory and consulting area. For the past six years, he has been advising and auditing clients from the SME and group environment, in particular ECB- and BaFin-regulated organizations as well as groups in the retail sector. His consulting focus is on holistic IT security. He was honored for his work in 2019 by DIE ZEIT as "Hamburger of the Month" and in the same year was included in the Forbes "30 under 30 DACH" list.
Günther Paprocki
Managing Partner
+49 40 285 301 258
Since May 2024, industrial engineer Günther Paprocki has been a managing partner at KALWEIT ITS. As Director HR & Operations, he is responsible for the operational business and the HR department. From his positions at Sharp, Philips and Cisco, he brings a breath of fresh air to our consulting firm. Whether in the field of photovoltaics, e-mobility or the first mobile network in Germany, Günther Paprocki has always been active in forward-looking sectors. His current mission: to strengthen cybersecurity in Germany.