Security incident? Call: +48 732 059 711
Digital Forensics

Every bit has a story — we read it

Acquisition, preservation and analysis of digital evidence: EnCase, FTK, Volatility, Linux forensics. Every disk image and memory snapshot is preserved with a hash, a timestamp and an unbroken chain of custody. Evidence that survives court scrutiny.

Who is it for?

  • Organisations in an active incident that need immediate forensics
  • Companies preparing for legal proceedings after a cyberattack
  • In-house teams lacking the expertise for evidence acquisition
  • Insurers and cyber claims teams
  • Entities required to demonstrate chain of custody to regulators
What you get

Outcomes

Forensic image (disk image)

Bit-for-bit disk copy with verified hashes (MD5, SHA-1, SHA-256). Stored in EWF or raw DD format with timestamp metadata and chain-of-custody records.

Memory dump (RAM snapshot)

Full RAM dump: running processes, network connections, environment variables, credentials held in memory. Acquired BEFORE the system is shut down, while the traces are still fresh.

Artefact analysis

Prefetch, NTFS journal ($UsnJrnl), Registry, browser cache, temporary files, bash history, syslog. Every artefact is dated, catalogued and assessed for significance.

Timeline reconstruction

A timeline of all events: which process was launched when, which files were modified when, which network connections were established when. Timestamps from every artefact source are normalised to one clock (UTC) so that events from different systems can be ordered against each other.
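Timeline reconstruction depends on bringing timestamps from different artefacts onto one clock before ordering them. The script below, an added example that is not the service's own tooling, merges three constructed sample records (a syslog line with no year and local time, a Windows-style ISO 8601 event with a timezone offset, and a prefetch-style record with a Unix epoch) into a single UTC-ordered timeline. The year and the local timezone offset for syslog are assumptions supplied by the caller, because syslog lines carry neither.

```python
"""Normalise artefact timestamps to UTC and merge them into one timeline.

Added example, not part of the original page. The three records and the
host, user and IP values in them are constructed sample data; the parsers
are minimal stand-ins for real artefact parsers (plaso, log2timeline, etc.).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample records, each in its source's native timestamp format.
SYSLOG_LINES = [
    "Mar 14 09:12:03 fileserver sshd[1201]: Accepted password for svc_backup from 203.0.113.5 port 51012",
]
WINDOWS_EVENTS = [
    {"time": "2024-03-14T09:05:30+01:00", "id": 4624, "msg": "Successful logon: svc_backup"},
]
PREFETCH_RECORDS = [
    {"last_run_epoch": 1710404400, "exe": "7ZA.EXE", "run_count": 3},
]


def parse_syslog(line: str, assumed_year: int, local_tz: timezone) -> dict:
    """Syslog has no year and no zone: both are supplied as assumptions."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    stamp = stamp.replace(year=assumed_year, tzinfo=local_tz)
    return {"utc": stamp.astimezone(timezone.utc), "source": "syslog", "event": line[16:]}


def parse_windows_event(record: dict) -> dict:
    """ISO 8601 with an explicit offset converts directly to UTC."""
    stamp = datetime.fromisoformat(record["time"])
    return {
        "utc": stamp.astimezone(timezone.utc),
        "source": "windows-eventlog",
        "event": f"EventID {record['id']}: {record['msg']}",
    }


def parse_prefetch(record: dict) -> dict:
    """Epoch seconds are already UTC by definition."""
    stamp = datetime.fromtimestamp(record["last_run_epoch"], tz=timezone.utc)
    return {
        "utc": stamp,
        "source": "prefetch",
        "event": f"{record['exe']} last run (run count {record['run_count']})",
    }


def build_timeline(assumed_year: int = 2024, local_offset_hours: int = 1) -> list:
    """Return all events ordered by UTC time, ties broken by source name.

    local_offset_hours is an assumption about the syslog host's clock
    (here +01:00, i.e. CET), recorded in the output so it can be challenged.
    """
    local_tz = timezone(timedelta(hours=local_offset_hours))
    events = [parse_syslog(l, assumed_year, local_tz) for l in SYSLOG_LINES]
    events += [parse_windows_event(r) for r in WINDOWS_EVENTS]
    events += [parse_prefetch(r) for r in PREFETCH_RECORDS]
    events.sort(key=lambda e: (e["utc"], e["source"]))
    # Serialise the datetime so the rows are ready for a report or a SIEM import.
    return [
        {"utc": e["utc"].isoformat(), "source": e["source"], "event": e["event"]}
        for e in events
    ]


if __name__ == "__main__":
    for row in build_timeline():
        print(f"{row['utc']}  {row['source']:<17}  {row['event']}")
```

The ordering only holds if the assumed offset is right; a wrong offset on the syslog host silently shifts those events by whole hours, which is why the offset is an explicit parameter rather than a hard-coded constant buried in the parser.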

IoC (Indicators of Compromise)

Malware hashes, YARA rules, IP addresses, domains, URLs, exported in a format ready for import into your SOC/SIEM or Wazuh.

Chain of custody (evidence handling)

Documentation of every step: who touched each piece of evidence, when and why. Defensible in court and in audits.
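The forensic image and the chain of custody above rest on one mechanism: hash the evidence at acquisition, log every handling step, and re-hash on every transfer so that any change is detectable. The script below is an added example and not the service's own tooling; it fingerprints a constructed sample image with MD5, SHA-1 and SHA-256, appends timestamped custody entries, and checks a later copy against the acquisition hashes. The evidence ID and analyst names are constructed placeholders.

```python
"""Forensic image hashing and chain-of-custody logging.

Added example, not part of the original page. The image bytes, evidence ID
and analyst names are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone

HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_image(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Return {algorithm: hexdigest} for the image.

    All three digests are computed in one pass over chunks, so a real
    multi-terabyte image is read once and never has to fit in memory.
    """
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        chunk = view[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class ChainOfCustody:
    """Append-only log: one entry per acquisition, transfer or access,
    recording who, when, why, and the hashes observed at that moment."""

    def __init__(self, evidence_id: str, description: str):
        self.evidence_id = evidence_id
        self.description = description
        self.entries = []

    def record(self, actor: str, action: str, reason: str, hashes: dict) -> dict:
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries) + 1,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "reason": reason,
            "hashes": dict(hashes),
        }
        self.entries.append(entry)
        return entry

    def verify(self, current_hashes: dict) -> bool:
        """True only if every algorithm still matches the acquisition hashes
        (entry 1). A mismatch in any one of them means the copy is not the
        evidence that was acquired."""
        baseline = self.entries[0]["hashes"]
        return all(baseline[name] == current_hashes.get(name) for name in HASH_ALGORITHMS)

    def to_json(self) -> str:
        return json.dumps(
            {"evidence_id": self.evidence_id, "description": self.description,
             "entries": self.entries},
            indent=2,
        )


def demo() -> dict:
    """Acquire a constructed 16 KiB 'disk image', log two custody steps, then
    verify an intact copy and a copy with a single flipped bit."""
    image = bytes(range(256)) * 64                      # constructed sample image
    log = ChainOfCustody("EV-SAMPLE-0001", "constructed sample disk image")
    log.record("analyst_a", "acquired", "bit-for-bit image via write blocker", hash_image(image))
    log.record("analyst_b", "received", "transfer to lab for analysis", hash_image(image))

    tampered = bytearray(image)
    tampered[100] ^= 0x01                               # one bit changed
    return {
        "intact": log.verify(hash_image(image)),
        "tampered": log.verify(hash_image(bytes(tampered))),
        "entries": len(log.entries),
        "log": log.to_json(),
    }


if __name__ == "__main__":
    result = demo()
    print(result["log"])
    print("intact copy verifies:", result["intact"])
    print("tampered copy verifies:", result["tampered"])
```

Three algorithms are kept because EnCase and FTK both record MD5 and SHA-1 alongside SHA-256, and a court exhibit is usually matched on whichever digest the opposing expert recomputes; the custody log itself should be stored separately from the image, with its own hash, so that a change to either is visible.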

How we work

Forensics in 5 phases

  1. Preparation and isolation

     Network isolation of the system, preparation of the forensic workstation and of the target storage medium. No contamination of the evidence, no modification of the system clock.

  2. Hot acquisition (RAM)

     Memory dump with the system still running, using Volatility, Belkasoft or DumpIt. Hash computed before and after; timestamps attached (ABS: Always Be Securing).

  3. Cold acquisition (disk)

     System shutdown, disk connected through a write blocker (a hardware device that prevents any write to the evidence disk), bit-for-bit image acquired with EnCase or FTK Imager.

  4. Analysis in a sterile lab

     Offline analysis on a disconnected workstation. EnCase or FTK: file review, MFT analysis, Registry analysis, log analysis. Every action documented.

  5. Report and artefacts

     Full report with timeline, IoCs, identified artefacts, malware analysis (if present) and recommendations for further investigation or for regulators.

FAQ

Frequently asked questions

What happens to personal data found during forensics?
Stored in an in-country data centre, encrypted with AES-256, with all access logged. An NDA is signed before work starts. Data is deleted after 90 days unless the law requires longer retention.
Will forensics destroy my system?
No. A write blocker guarantees that nothing is written to the original disk. Analysis is done on a copy (the image), never on the original. The original system remains unchanged.
What does chain of custody look like for court?
Every piece of evidence has a unique ID, and every transfer is documented. Photographs before acquisition, hashes before and after, and a log of every access to the evidence. Ready for expert examination.
What are the differences between EnCase and FTK?
Both are industry standards. EnCase is stronger for Windows, FTK for breadth of platforms. We use both, choosing the tool by data type and complexity.
How long does full forensics of a large infrastructure take?
Acquisition depends on disk size, but 1–10 TB takes 4–24 h. Analysis takes 5–20 days depending on complexity and the number of systems.

Need forensics right now?

We will be on the system within 2–4 hours. We establish a crisis path and a first assessment of the data.