IT Sicherheit – frischer Wind
IT security – a breath of fresh air
Sécurité informatique – un vent de fraîcheur
Seguridad informática – un soplo de aire fresco
Hacker sind kreativ und finden immer neue Wege in Unternehmen einzudringen. Um Angreifern weiterhin einen Schritt voraus zu sein, braucht es immer wieder neue Ideen.

KALWEIT ITS – Wir bringen frischen Wind.
Hackers are creative and always find new ways to penetrate companies. To stay one step ahead of attackers, new ideas are always needed.

KALWEIT ITS – We bring a breath of fresh air.
Les pirates informatiques sont créatifs et trouvent toujours de nouveaux moyens de s'introduire dans les entreprises. Pour garder une longueur d'avance sur les attaquants, il faut sans cesse de nouvelles idées.

KALWEIT ITS – Nous apportons un vent de fraîcheur.
Los hackers son creativos y siempre encuentran nuevas formas de penetrar en las empresas. Para estar un paso por delante de los atacantes, siempre se necesitan nuevas ideas.

KALWEIT ITS – Traemos un soplo de aire fresco.

Digital Forensics

IT security incident in your company? We collect court-proof and audit-proof evidence on your behalf.

Court-proof and audit-proof preservation of evidence in the form of a forensic computer report.


  • Assist in the recovery, analysis, and preservation of data, and in preparing it as digital evidence for use in court


  • Securing of all necessary files, which are needed as evidence e.g. for further digital forensic measures


  • Recovery of deleted or hidden data from digital devices, if these data are basically present by means of file carving


  • Collection of evidence on the basis of Locard’s principle for the identification of a suspect and a motive


  • File backup in compliance with the chain of custody for the integrity of the digital evidence



The first stage implies the identification of study objectives and required resources. We first identify the evidence and the type of data we are dealing with, including the devices on which the data is stored. As digital forensics specialists, we work with all types of electronic storage devices: Hard drives, cell phones, PCs, tablets, etc.


At this stage, we ensure that the data is isolated and properly stored. This is done according to the Never Touch Original principle, so that evidence is secured and work is done only on images. The secured original devices remain untouched until the end of the investigation.



The analysis phase involves a thorough systematic search for relevant evidence. We work with both system and user files and data objects. Based on the evidence found, we now begin to draw conclusions.



In this phase, all relevant evidence found is documented. A Why-Because analysis is provided, which gives authorities new impetus in their investigation.



At the final stage, all evidence and conclusions are reported in accordance with the forensic protocols, which include the methods and procedures of analysis and their explanations.


Versatile use: Whether to clarify the question of guilt in court, vis-à-vis your business partners or to present to your insurer.

We use the following techniques, among others:

Timeline Analysis:

– Listing of system events by time to facilitate identification of activities

Keyword Search:

– With text extraction and index search modules we can find files that contain certain terms or match our regular expression patterns (RegEx)

Web artifacts:

– We extract web activity from common browsers to identify user activity

Registration Analysis:

– Recently accessed documents and USB devices can be identified this way

LNK file analysis:

– Identification of links and retrieved documents

Email Analysis:

– Analysis of messages identified on the system

EXIF data:

– Extracts location and camera information from JPEG files

File system analysis:

– Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2

Unicode String Extraction:

– Extraction of strings from unallocated space and from unknown file types in all common languages

File type detection:

– Based on signatures, we index the system and detect mismatched extensions, such as is the case with malware

Android and iOS system analysis:

– Extract data from SMS, call logs, contacts, Tango and more, among others


Concrete use cases

Basic analysis


By interpreting strings, examining Windows API calls or identifying packaged malware, and detecting host-based signatures, we get an initial overview. We then detonate the malware in a controlled environment to collect network signatures and identify malicious domains and second-stage payloads.


Analysis of malware in x86 assembly language


With x86 assembly, we can now perform advanced analysis. To do this, we use tools like Cutter and x32dbg to gain important insights into the malware at the lowest possible level. By controlling the malware’s execution flow and processing its low-level instructions in a debugger, we now get all the possibilities for advanced analysis.



Malicious documents and document-supplied malware are also analyzed by our experts, including malicious macros and remote template injections.

Embedded shellcode can also be identified and extracted by us. Identification also for scripted or obfuscated malware delivery techniques.


Other fields of activity:


  • Decompile and reverse engineer C# assemblies and reverse engineer the .NET framework and analyze malware written in Go.
  • Reverse engineering of encrypted malware C2 droppers
  • Reverse engineer malicious Android and iOS apps
  • Writing YARA rules to support malware sample detection.

Your contact persons

You can always reach us personally. Because loyalty based on partnership is far more important to us than short-term success.

Philipp Kalweit

Philipp Kalweit

Managing Partner


+49 40 285 301 257

Philipp Kalweit is an experienced IT security consultant on the topics of security awareness and offensive IT auditing. As Director Strategy & Consulting, he is responsible for corporate strategy as well as the advisory and consulting area. For the past six years, he has been advising and auditing clients from the SME and group environment, in particular ECB and BaFin-regulated organizations as well as groups in the retail sector. His consulting focus is on holistic IT security. He was honored for his work in 2019 by DIE ZEIT as “Hamburger of the Month” and in the same year was included in the Forbes “30 under 30 DACH” list.


Günther Paprocki

Günther Paprocki

Managing Partner


+49 40 285 301 258

Since May 2024 industrial engineer Günther Paprocki has been a managing partner at KALWEIT ITS. As Director HR & Operations, he is responsible for the operational business and the HR department. From his positions at Sharp, Philips and Cisco, he brings a breath of fresh air to our consulting firm. Whether in the field of photovoltaics, e-mobility or the first mobile network in Germany – Günther Paprocki has always been active in forward-looking sectors in the past. His current mission: to strengthen cybersecurity in Germany.