IT security incident in your company? We collect court-proof and audit-proof evidence on your behalf.
Court-proof and audit-proof preservation of evidence in the form of a forensic computer report.
- Assistance in the recovery, analysis and preservation of data, and in preparing it as digital evidence for use in court
- Securing of all files that are needed as evidence, e.g. for further digital forensic measures
- Recovery of deleted or hidden data from digital devices by means of file carving, provided the data is still physically present on the medium
- Collection of evidence on the basis of Locard's exchange principle for the identification of a suspect and a motive
- Preservation of files in compliance with the chain of custody, so that the integrity of the digital evidence is maintained
The first stage is the identification of the investigation's objectives and the required resources. We first identify the evidence and the type of data we are dealing with, including the devices on which the data is stored. As digital forensics specialists, we work with all types of electronic storage devices: hard drives, cell phones, PCs, tablets, etc.
At this stage, we ensure that the data is isolated and properly stored. This is done according to the Never Touch Original principle, so that evidence is secured and work is done only on images. The secured original devices remain untouched until the end of the investigation.
The analysis phase involves a thorough systematic search for relevant evidence. We work with both system and user files and data objects. Based on the evidence found, we now begin to draw conclusions.
In this phase, all relevant evidence found is documented. A Why-Because analysis is provided, which gives authorities new impetus in their investigation.
At the final stage, all evidence and conclusions are reported in accordance with the forensic protocols, which include the methods and procedures of analysis and their explanations.
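The preservation stage above rests on two checks: the original is never written to, and every working copy is proven identical to it by a cryptographic hash that is recorded in the chain-of-custody log. The following script is an added illustration of that procedure and is not the firm's own tooling; the function names, the JSON-style log records and the "evidence.img" sample file are constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical helper names; the procedure (hash the original, work only on a
# verified copy, log every handling step) follows the preservation stage described above.


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so that multi-gigabyte images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_custody_event(log, handler, action, path, digest):
    """Append one chain-of-custody record: who did what, to which file, with which hash."""
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "path": os.path.basename(path),
        "sha256": digest,
    })


def acquire_working_copy(original_path, copy_path, handler, log):
    """Hash the original, copy it, hash the copy, and refuse to proceed unless both match."""
    original_hash = sha256_file(original_path)
    log_custody_event(log, handler, "hash original", original_path, original_hash)
    with open(original_path, "rb") as src, open(copy_path, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    # The original is only ever opened for reading; mark it read-only as an extra safeguard.
    os.chmod(original_path, 0o444)
    copy_hash = sha256_file(copy_path)
    log_custody_event(log, handler, "create working copy", copy_path, copy_hash)
    if copy_hash != original_hash:
        raise RuntimeError("working copy does not match original; acquisition failed")
    return original_hash


def verify_integrity(path, expected_hash):
    """Re-hash an image at any later point and compare with the recorded value."""
    return sha256_file(path) == expected_hash


def demo():
    """Run the procedure on a constructed 'image'; returns (hash, log, original_ok, tampered_copy_ok)."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "evidence.img")
    copy = os.path.join(workdir, "evidence_working.img")
    with open(original, "wb") as fh:
        fh.write(b"CONSTRUCTED-IMAGE " * 4096)  # constructed sample content, not a real disk image
    log = []
    digest = acquire_working_copy(original, copy, "analyst-1", log)
    original_ok = verify_integrity(original, digest)
    # Alter one byte of the working copy to show that the integrity check catches it.
    with open(copy, "r+b") as fh:
        fh.seek(0)
        fh.write(b"X")
    tampered_copy_ok = verify_integrity(copy, digest)
    os.chmod(original, 0o644)  # restore permissions so the temp directory can be cleaned up
    return digest, log, original_ok, tampered_copy_ok


if __name__ == "__main__":
    digest, log, original_ok, tampered_copy_ok = demo()
    print("image sha256:", digest)
    for entry in log:
        print(entry)
    print("original intact:", original_ok, "| tampered copy passes:", tampered_copy_ok)
```

In practice the log is written to append-only storage and signed, and the recorded hash is what the report later cites so that a court can re-verify the image independently.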
Versatile use: whether to clarify the question of guilt in court, towards your business partners, or to present to your insurer.
We use the following techniques, among others:
– Listing of system events by time to facilitate identification of activities
– With text extraction and index search modules we can find files that contain certain terms or match our regular expression patterns (RegEx)
– We extract web activity from common browsers to identify user activity
– Recently accessed documents and connected USB devices can also be identified
LNK file analysis:
– Identification of links and retrieved documents
– Analysis of messages identified on the system
– Extraction of location and camera information (EXIF metadata) from JPEG files
File system analysis:
– Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2
Unicode String Extraction:
– Extraction of strings from unallocated space and from unknown file types in all common languages
File type detection:
– Based on file signatures, we index the system and detect files whose extension does not match their actual content, as is often the case with malware
Android and iOS system analysis:
– Extraction of data from SMS, call logs, contacts, Tango and other apps
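The file type detection item above (signature-based indexing with extension mismatch detection) can be shown with a short scanner. This is an added example, not the firm's tooling: the signature table is a small illustrative subset of well-known magic bytes, and the sample files it scans are constructed in a temporary directory.

```python
import os
import tempfile

# Magic bytes at the start of a file, mapped to a type label and the extensions that
# legitimately carry that content. Illustrative subset only; a real index uses a far larger table.
SIGNATURES = [
    (b"MZ", "pe", {"exe", "dll", "sys", "scr"}),
    (b"\x7fELF", "elf", {"", "so", "elf"}),
    (b"%PDF", "pdf", {"pdf"}),
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF8", "gif", {"gif"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
]


def detect_type(header):
    """Return (type_label, allowed_extensions) for the first matching signature, else None."""
    for magic, label, exts in SIGNATURES:
        if header.startswith(magic):
            return label, exts
    return None


def classify(name, header):
    """Compare the extension in the file name with the type implied by the header bytes."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    hit = detect_type(header)
    if hit is None:
        return {"file": name, "ext": ext, "type": None, "status": "unknown"}
    label, exts = hit
    status = "match" if ext in exts else "mismatch"
    return {"file": name, "ext": ext, "type": label, "status": status}


def scan_directory(root, header_len=16):
    """Index every file under root by reading only its first header_len bytes."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                header = fh.read(header_len)
            results.append(classify(os.path.relpath(path, root), header))
    return results


def scan_samples():
    """Write constructed sample files to a temp dir, scan them, and return {file: (status, type)}."""
    samples = {
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,     # PE header behind a .pdf name: mismatch
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,  # genuine JPEG header
        "report.docx": b"PK\x03\x04" + b"\x00" * 20,     # OOXML documents are zip containers
        "notes.txt": b"plain text, no signature\n",      # no magic bytes: unknown, not suspicious
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,       # PE header with a matching extension
    }
    root = tempfile.mkdtemp()
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return {r["file"]: (r["status"], r["type"]) for r in scan_directory(root)}


if __name__ == "__main__":
    for name, (status, label) in scan_samples().items():
        print(f"{name:14} {status:9} {label}")
```

Only the "mismatch" rows are escalated; "unknown" files are text or rare formats that the table does not cover, and a larger signature set reduces that bucket.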
Concrete use cases
By interpreting strings, examining imported Windows API calls, identifying packed malware and detecting host-based signatures, we get an initial overview. We then detonate the malware in a controlled environment to collect network signatures and identify malicious domains and second-stage payloads.
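The static part of that first overview (strings, API names and packing indicators) can be automated as a triage pass. The script below is an added example and not the firm's tooling: the sample blob is constructed in the script (the `example.invalid` URL uses a reserved test domain), the API watchlist is a small illustrative selection of commonly reviewed Windows API names, and the entropy threshold is a heuristic, not a fixed rule.

```python
import math
import re

# Constructed byte blob standing in for a binary section; not a real sample. The
# strings are embedded so that the triage pass has something to find.
SAMPLE = (
    b"\x00\x01MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    + b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"http://example.invalid/update\x00"   # constructed URL on a reserved test domain
    + b"UPX0\x00UPX1\x00"                    # section names left behind by the UPX packer
    + bytes(range(256)) * 2                 # high-entropy region, as a packed section would be
)

# Each API is benign on its own; a category lights up only when the names appear together.
API_WATCHLIST = {
    "process injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
    "network download": {"URLDownloadToFileA", "InternetOpenA", "WinHttpOpenRequest"},
}
PACKER_MARKERS = {"UPX0", "UPX1", "UPX!"}


def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, decoded to str."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_window_entropy(data, window=256, step=64):
    """Highest entropy of any sliding window, so a packed region is not diluted by plain text."""
    if len(data) <= window:
        return shannon_entropy(data)
    return max(shannon_entropy(data[i:i + window])
               for i in range(0, len(data) - window + 1, step))


def triage(data):
    """Summarise strings, watched API names, URLs, packer markers and entropy for one blob."""
    strings = extract_strings(data)
    found = set(strings)
    api_hits = {cat: sorted(found & names)
                for cat, names in API_WATCHLIST.items() if found & names}
    urls = [s for s in strings if re.match(r"https?://", s)]
    peak = max_window_entropy(data)
    return {
        "string_count": len(strings),
        "api_hits": api_hits,
        "urls": urls,
        "packer_markers": sorted(found & PACKER_MARKERS),
        "entropy": round(shannon_entropy(data), 3),
        "max_window_entropy": round(peak, 3),
        "likely_packed": peak > 7.2,   # heuristic threshold for this example
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The output is a starting point for the manual review that follows, not a verdict: API hits point the analyst at the imports and call sites to inspect first, URLs feed the network-indicator list for the later detonation, and a high-entropy window says which region has to be unpacked before the x86 analysis can begin.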
Analysis of malware in x86 assembly language
With x86 assembly, we can perform advanced analysis. To do this, we use tools like Cutter and x32dbg to gain insight into the malware at the lowest possible level. By controlling the malware's execution flow and stepping through its low-level instructions in a debugger, we open up the full range of advanced analysis options.
Malicious documents and document-supplied malware are also analyzed by our experts, including malicious macros and remote template injections.
Embedded shellcode can also be identified and extracted by us. We also identify scripted or obfuscated malware delivery techniques.
Other fields of activity:
- Decompiling and reverse engineering C# assemblies and .NET framework code, and analyzing malware written in Go
- Reverse engineering of encrypted malware C2 droppers
- Reverse engineering of malicious Android and iOS apps
- Writing YARA rules to support the detection of malware samples
You can always reach us personally, because a loyal partnership matters far more to us than short-term success.
+49 40 285 301 257