Incident Response & Digital Forensics
Tangible Security will provide cybersecurity consulting in the areas of incident response and digital forensics. Depending on the need, Tangible Security may also act as a liaison to law enforcement or other third-party entities regarding any evidence collected during the process.
A list of primary activities to be conducted is below. While this represents the primary work to be conducted, it may be extended upon mutual agreement between the client and Tangible Security.
- If applicable and desired, incident and response and triage. This includes active response to incidents discovered while on site, such as an attempt at remote control or the installation of malware.
- Review of the network environment to identify potential sources of compromise such as rogue wireless access points or taps.
- Acquisition of forensically-sound evidence from electronic devices determined to be in the scope of assessment. This may include computer systems, mobile devices, network equipment, and other electronic systems containing relevant data. Where possible, evidence will be collected in both live-state and full disk image capacities, to ensure both that volatile data is not lost and that as complete of a record as possible is collected.
- Review and analysis of evidence from electronic devices to determine if compromise has occurred. If evidence of compromise is discovered, root cause analysis will be conducted to determine both the nature of the compromise and its source, as completely as possible with the given evidence.
- Generation of a report covering all discovered evidence and statements of the presence or absence of compromise as conclusively as possible with the gathered evidence.
- Recommendations for and implementation of improvements to client security posture to mitigate the risk of future compromise.
- Rapid on-site or remote response to a security incident such as a suspected breach, ransomware attack, etc.
- Covers incident triage, digital forensics, and remediation services.
Discovery and investigation of current or previous cybersecurity incidents will be conducted through a threat hunting approach based upon best practices defined to follow the MITRE ATT&CK Framework and the TaHiTI Framework.
Digital forensics investigations will follow similar best practices, as defined in NIST Special Publication 800-86 and the work of the SANS Institute.
Get In Touch Today