Updated: 2026-01-26

What to prepare

  • Short incident description
  • Affected systems/accounts (if known)
  • Current actions taken
  • Access to logs/SIEM (if available)
  • Decision maker contact

Incident Response

Forensics – Digital Forensics for Security Incidents

Forensics reconstructs what actually happened — technically defensible, clearly documented, and suitable for incident decisions, management, and data protection.

Digital forensics answers the core questions after a security incident:

  • How did attackers gain access?
  • How did they move?
  • Which systems were affected?
  • Was data exfiltrated?
  • Since when has the environment been compromised?


  • Attack path: entry point, movement, persistence
  • Evidence: forensically sound artifacts
  • Impact: affected systems & data


Why forensics matters

In real-world incidents, the situation is rarely clear:

  • logs are missing or fragmented
  • systems have already been rebooted
  • passwords were reset
  • attacker activity may date back days or weeks

Without structured forensics, decisions remain assumptions.

Forensics provides defensible facts.


Objectives of forensics

Technical

  • identify the entry point
  • reconstruct lateral movement
  • detect persistence mechanisms

Operational

  • determine scope
  • identify affected assets
  • provide foundation for recovery

Compliance

  • assess data exposure
  • document timelines
  • support GDPR / NIS2

Typical technical scope

Telemetry & Logs

  • EDR (Defender, CrowdStrike, SentinelOne)
  • M365 / Entra ID sign-ins & Unified Audit Log
  • Active Directory security events
  • Firewall / VPN / proxy logs
  • Azure Activity Logs / AWS CloudTrail
  • Kubernetes audit logs (if applicable)

Endpoints & Servers

  • volatile artifacts (processes, network connections)
  • event logs, Prefetch, registry
  • scheduled tasks, services, autoruns
  • user profiles & browser artifacts

Cloud & Identity

  • service principals
  • API token usage
  • conditional access changes
  • privileged roles

When is forensics required?

Typical triggers

  • unclear root cause
  • suspected data exfiltration
  • compromised admin accounts
  • ransomware / malware
  • regulatory requirements

Real-world situations

  • partial visibility
  • systems already modified
  • management pressure
  • missing timeline

Our forensic process

1) Acquisition – collect artifacts
2) Analysis – correlate data
3) Timeline – reconstruct events
4) Findings – derive conclusions
5) Reporting – document results
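As an added illustration of the Analysis and Timeline steps (example code, not the provider's own tooling and not part of the original page), the script below takes constructed sample records from three of the telemetry families listed above, one Entra ID sign-in, two Windows 4624 logon events and one EDR process event, each in its own timestamp format and time zone, normalizes them to one UTC clock and reads the first event, the affected hosts and the account's movement between hosts off the sorted list. All hostnames, account names and addresses are constructed.

```python
from datetime import datetime, timezone, timedelta
import json

# Constructed sample records (not real incident data), one per telemetry family
# named above; each source uses its own timestamp format and time zone.
ENTRA_SIGNINS = ['{"createdDateTime":"2026-01-20T06:12:44Z","userPrincipalName":'
                 '"j.doe@example.test","ipAddress":"203.0.113.7","appDisplayName":"Exchange Online"}']
AD_EVENTS = ["2026-01-20 08:40:10|DC01|4624|EXAMPLE\\j.doe|10|10.0.0.55",   # local time, UTC+1
             "2026-01-21 09:05:31|FS02|4624|EXAMPLE\\j.doe|10|10.0.0.55"]   # logon type 10 = RDP
EDR_EVENTS = [(1768894210000, "WS17", "j.doe", "powershell.exe", "outlook.exe")]  # epoch ms
AD_TZ = timezone(timedelta(hours=1))  # assumed time zone of the domain controllers

def normalize():
    """Convert every source into one shape: UTC timestamp, source, host, account, detail."""
    out = []
    for raw in ENTRA_SIGNINS:
        r = json.loads(raw)
        out.append({"ts": datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")),
                    "source": "entra", "host": "cloud", "account": r["userPrincipalName"].split("@")[0],
                    "detail": f'sign-in to {r["appDisplayName"]} from {r["ipAddress"]}'})
    for raw in AD_EVENTS:
        when, host, eid, account, ltype, src = raw.split("|")
        local = datetime.strptime(when, "%Y-%m-%d %H:%M:%S").replace(tzinfo=AD_TZ)
        out.append({"ts": local.astimezone(timezone.utc), "source": "ad", "host": host,
                    "account": account.split("\\")[-1],
                    "detail": f"event {eid} logon type {ltype} from {src}"})
    for ms, host, account, proc, parent in EDR_EVENTS:
        out.append({"ts": datetime.fromtimestamp(ms / 1000, tz=timezone.utc), "source": "edr",
                    "host": host, "account": account, "detail": f"{parent} spawned {proc}"})
    return out

def build_timeline(events):
    """Order all sources on one UTC clock; every later conclusion is read off this list."""
    return sorted(events, key=lambda e: e["ts"])

def summarize(timeline):
    """Answer the core questions: since when, which hosts, where the account moved."""
    hosts = sorted({e["host"] for e in timeline if e["host"] != "cloud"})
    rdp = {e["host"] for e in timeline if e["source"] == "ad" and "logon type 10" in e["detail"]}
    return {"first_seen": timeline[0]["ts"].isoformat(),
            "entry": f'{timeline[0]["source"]}: {timeline[0]["detail"]}',
            "affected_hosts": hosts,
            "lateral_movement": sorted(rdp) if len(rdp) > 1 else [],  # same account, >1 host via RDP
            "span_hours": round((timeline[-1]["ts"] - timeline[0]["ts"]).total_seconds() / 3600, 1)}

if __name__ == "__main__":
    print(summarize(build_timeline(normalize())))
```

Note that the two 4624 events only line up with the cloud sign-in and the EDR event after the UTC+1 offset is applied; unnormalized local timestamps would place them out of order.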


Common mistakes

  • rebuilding systems before analysis
  • uncoordinated password changes
  • deleting or overwriting logs
  • no clear evidence handling
  • missing documentation

What you should prepare

  • alerts / screenshots
  • known affected systems
  • actions already taken
  • SIEM / EDR / cloud access
  • decision maker

Outcomes (Deliverables)

  • Executive summary
  • Technical timeline
  • Attack path & IOC list
  • Recovery recommendations


GDPR / NIS2 context

Forensics provides the technical foundation for:

  • personal data impact assessment
  • notification decisions
  • proof of due diligence

(no legal advice)


FAQ

How long does forensic analysis take?

From hours to several days — depending on scope and log quality.

Should systems be powered off?

No — isolate instead.

Will we receive a final report?

Yes — including executive summary and technical details.


Request forensics

If it is urgent, reach out as early as possible.

Report incident