{"id":11754,"date":"2021-05-21T10:52:00","date_gmt":"2021-05-21T08:52:00","guid":{"rendered":"https:\/\/usd.formwandler.rocks\/security-analysis-pentests\/digitale-forensik\/"},"modified":"2021-08-03T15:04:39","modified_gmt":"2021-08-03T13:04:39","slug":"digital-forensics","status":"publish","type":"page","link":"https:\/\/www.usd.de\/en\/security-analysis-pentests\/digital-forensics\/","title":{"rendered":"Digital Forensics"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" width=\"100%\" custom_padding=\"0px||70px||false|false\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" width=\"100%\" custom_padding=\"0px||||false|false\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\" text_text_color=\"#FFFFFF\" text_font_size=\"30px\" text_line_height=\"1.2em\" header_font=\"Roboto||||||||\" header_text_color=\"#F07F1D\" header_font_size=\"50px\" background_image=\"https:\/\/www.usd.de\/wp-content\/uploads\/usd-analysis-header-forensik.jpg\" custom_margin=\"-31px||0px||false|false\" custom_padding=\"166px|60px|62px|60px|false|true\"]<\/p>\n<h1 style=\"text-align: center;\">Digital Forensics<\/h1>\n<p style=\"text-align: center;\">The analysis following an incident<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"RGBA(0,0,0,0)\" custom_margin=\"0px|0px|28px|0px|false|true\"]<\/p>\n<p><span>Have you been hit by a cyber-attack and need help clearing things up? Our team of experienced computer forensics experts can help with identifying the cause, scope and perpetrator of the attack for you. 
Furthermore, we advise you on communication issues and create regulatory or compliance-specific reports for you, if required.<\/span><\/p>\n<p>[\/et_pb_text][et_pb_button button_url=\"\/en\/security-analysis-pentests\/contact-form\/\" button_text=\"Contact us\" _builder_version=\"4.9.4\" _module_preset=\"7d5eca5e-7ccf-4359-a023-e8404a31180a\"][\/et_pb_button][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\"]<\/p>\n<h2>Key questions about incident investigation<\/h2>\n<p>Our technical incident investigation focuses on answering the following questions:<\/p>\n<ul>\n<li>How did the attack happen? Which vulnerabilities were exploited?<\/li>\n<li>Which systems have been affected by the attack?<\/li>\n<li>What damage was caused and which data has been stolen?<\/li>\n<li>Who was the perpetrator?<\/li>\n<li>How can future attacks be prevented?<\/li>\n<\/ul>\n<h2>Our approach<\/h2>\n<p>Our forensic investigation comprises six phases. This procedure is based on international standards and best practices such as SANS, NIST and the BSI standards [BSI \u2013 Bundesamt f\u00fcr Sicherheit in der Informationstechnik \u2013 in English: German Federal Office for Information Security]. All the phases and their results are documented accordingly. After the incident analysis has been completed, you will receive an extensive forensic report with recommendations on how to prevent attacks in the future. 
Furthermore, we issue you with any regulatory notifications that might be required.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_accordion open_toggle_background_color=\"#FFFFFF\" closed_toggle_background_color=\"#FFFFFF\" icon_color=\"#F07F1D\" use_icon_font_size=\"on\" icon_font_size=\"23px\" _builder_version=\"4.9.4\" _module_preset=\"default\" body_font=\"|300|||||||\" body_font_size=\"16px\" custom_margin=\"4px|0px|-1px|0px|false|true\" border_radii=\"on|5px|5px|5px|5px\" border_color_all=\"#F6F6F6\" box_shadow_style=\"preset1\" box_shadow_spread=\"-11px\" box_shadow_color=\"rgba(0,0,0,0.22)\"][et_pb_accordion_item title=\"Preparation\" closed_toggle_text_color=\"#3C3C3C\" _builder_version=\"4.9.4\" _module_preset=\"default\" border_radii=\"on|5px|5px|5px|5px\" closed_toggle_font=\"|300|||||||\" closed_toggle_font_size=\"16px\" toggle_text_color__hover_enabled=\"on|hover\" toggle_text_color__hover=\"#F07F1D\" open_toggle_text_color__hover_enabled=\"on|hover\" open_toggle_text_color__hover=\"#F07F1D\" open=\"off\"]<\/p>\n<p><span>In the preparation phase, we discuss the current situation with you and explain our course of action. 
Depending on the incident, we identify suitable forensic tools and make them available.<\/span><\/p>\n<p>[\/et_pb_accordion_item][et_pb_accordion_item title=\"Data Collection\" closed_toggle_text_color=\"#3C3C3C\" _builder_version=\"4.9.4\" _module_preset=\"default\" border_radii=\"on|5px|5px|5px|5px\" closed_toggle_font=\"|300|||||||\" closed_toggle_font_size=\"16px\" toggle_text_color__hover_enabled=\"on|hover\" toggle_text_color__hover=\"#F07F1D\" open_toggle_text_color__hover_enabled=\"on|hover\" open_toggle_text_color__hover=\"#F07F1D\" open=\"off\"]<\/p>\n<p><span>In this step, we collect all the relevant data from potentially affected components. For this purpose, we record the current system time and date, all the processes currently running on the system (system status), the open network connections (sockets), the users logged on to the system, etc.<\/span><\/p>\n<p>[\/et_pb_accordion_item][et_pb_accordion_item title=\"Examination\" closed_toggle_text_color=\"#3C3C3C\" _builder_version=\"4.9.4\" _module_preset=\"default\" border_radii=\"on|5px|5px|5px|5px\" closed_toggle_font=\"|300|||||||\" closed_toggle_font_size=\"16px\" toggle_text_color__hover_enabled=\"on|hover\" toggle_text_color__hover=\"#F07F1D\" open_toggle_text_color__hover_enabled=\"on|hover\" open_toggle_text_color__hover=\"#F07F1D\" open=\"off\"]<\/p>\n<p><span>Once data collection is finished, we start examining the collected data. In this process, we extract all the data relating to the incident. The volume of data is reduced by excluding certain data from further analysis (e.g. by checking it against known checksums). 
However, it might also be necessary to extend the analysis to further components of the IT infrastructure.<\/span><\/p>\n<p>[\/et_pb_accordion_item][et_pb_accordion_item title=\"Data Analysis\" closed_toggle_text_color=\"#3C3C3C\" _builder_version=\"4.9.4\" _module_preset=\"default\" border_radii=\"on|5px|5px|5px|5px\" closed_toggle_font=\"|300|||||||\" closed_toggle_font_size=\"16px\" toggle_text_color__hover_enabled=\"on|hover\" toggle_text_color__hover=\"#F07F1D\" open_toggle_text_color__hover_enabled=\"on|hover\" open_toggle_text_color__hover=\"#F07F1D\" open=\"off\"]<\/p>\n<p><span>Very often, several subcomponents are affected by an incident, each of which has to be examined individually. Combining the results of these examinations into a coherent timeline and establishing the logical connections between them is the subject of the data analysis phase.<\/span><\/p>\n<p>[\/et_pb_accordion_item][et_pb_accordion_item title=\"Documentation\" closed_toggle_text_color=\"#3C3C3C\" _builder_version=\"4.9.4\" _module_preset=\"default\" border_radii=\"on|5px|5px|5px|5px\" closed_toggle_font=\"|300|||||||\" closed_toggle_font_size=\"16px\" toggle_text_color__hover_enabled=\"on|hover\" toggle_text_color__hover=\"#F07F1D\" open_toggle_text_color__hover_enabled=\"on|hover\" open_toggle_text_color__hover=\"#F07F1D\" open=\"off\"]<\/p>\n<p><span>Formal reporting of the investigation results takes place after data analysis. Our computer forensic experts combine the individual steps recorded in the course of the investigation into one or more reports. We prepare target-group-specific reports, which means that the technical details in the report for the management differ from those in the report for the system administrator, for example. 
In this phase, we also assist you in preparing regulatory notifications, if required.<\/span><\/p>\n<p>[\/et_pb_accordion_item][et_pb_accordion_item title=\"Post-processing\" closed_toggle_text_color=\"#3C3C3C\" _builder_version=\"4.9.4\" _module_preset=\"default\" border_radii=\"on|5px|5px|5px|5px\" closed_toggle_font=\"|300|||||||\" closed_toggle_font_size=\"16px\" toggle_text_color__hover_enabled=\"on|hover\" toggle_text_color__hover=\"#F07F1D\" open_toggle_text_color__hover_enabled=\"on|hover\" open_toggle_text_color__hover=\"#F07F1D\" open=\"off\"]<\/p>\n<p><span>Within the scope of post-processing, we optionally identify processes that need improvement. We recommend and provide technical action plans to help prevent future attacks, and we develop specific proposals with you for improving the corporate response strategy, i.e. the process of handling incidents within the company.<\/span><\/p>\n<p>[\/et_pb_accordion_item][\/et_pb_accordion][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#F07F1D\" custom_margin=\"40px|auto||auto||\" custom_padding=\"20px|20px|20px|20px|true|true\" border_radii=\"on|5px|5px|5px|5px\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\" text_text_color=\"#FFFFFF\" header_text_color=\"#FFFFFF\" header_2_text_color=\"#FFFFFF\" header_3_text_color=\"#FFFFFF\"]<\/p>\n<h2>What to do in case of an emergency<\/h2>\n<h3>Leave everything unchanged<\/h3>\n<p><span>Of course, the primary concern in most cases is to reduce the damage and to re-establish normal operation as soon as possible after a security incident. 
However, from a security point of view, the affected system should not simply be reinstalled after every incident, because this often means that the cause of the incident remains unknown and the system remains vulnerable to new attacks. Changes to the system should therefore be avoided so as not to jeopardize the investigation of the cause.<\/span><\/p>\n<h3>Record everything that has happened<\/h3>\n<p><span>Document what happened when, and what you did. This information is extremely valuable for the work of our computer forensic team.<\/span><\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Digital Forensics The analysis following an incidentHave you been hit by a cyber-attack and need help clearing things up? 
Our team of experienced computer forensics experts can help with identifying the cause, scope and perpetrator of the attack for you. Furthermore, we advise you on communication issues and create regulatory or compliance-specific reports for you, [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":15265,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-11754","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/pages\/11754","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/comments?post=11754"}],"version-history":[{"count":0,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/pages\/11754\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/pages\/15265"}],"wp:attachment":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/media?parent=11754"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}