

Forensic Analysis

What is Forensic Analysis?

If you saw an episode of “CSI” and are looking for the latest information on crime scene forensics, try this article: “How Crime Scene Investigation Works.”

If you suspect that you’re the victim of a data breach, call us now for guidance; if you just want to learn more about forensic analysis, keep reading.

Related: 7 Steps of a Data Breach Investigation

Forensic Analysis is the use of controlled and documented analytical and investigative techniques to identify, collect, examine and preserve digital information. Recognizing the fragile nature of digital data, and the legal and regulatory requirements to properly preserve electronically stored information (ESI) during forensic investigations, SecureState maintains standards relating to protecting ESI against manipulation or destruction.

The 'Why & How' of a Forensic Investigation

When an incident occurs, a forensic investigation may be needed based upon legal, financial or regulatory requirements. The purpose of forensics is to determine actions, motives, vectors, effects and evidence for incidents of misuse, theft, or fraudulent activities.

During the course of an investigation, forensic analysis focuses on three primary areas: Evidence Acquisition, Evidence Analysis, and Evidence Reporting. For details about this process, view our Approach and Methodology.

Related: Data Breaches Continue Unabated


SecureState’s Incident Response Team is comprised of industry experts with experience in Military Intelligence, Law Enforcement, and Big X Consulting. Members of our Team have been involved in the acquisition and forensic analysis of data in high profile events including the Space Shuttle Columbia Disaster. They have coordinated Incident Response teams that included FEMA, AFCERT, and DHS against inclement weather, terrorist activities, and world-wide threat events. Several members of the Team have high-level government security clearances and are trusted with the nation’s most classified secrets. Our strategic partnerships with the FBI, DHS, US-CERT and InfraGard permit SecureState to obtain the latest cutting-edge and persistent attacker techniques and exploits, which gives us the information necessary to identify those attacks, contain and eradicate them.



Our Approach and Methodology

Forensic analysis is the use of controlled and documented analytical and investigative techniques to identify, collect, examine and preserve digital information. SecureState provides a thorough approach to the forensic methodology, and ensures all tools, methodologies and processes are forensically sound and unaltered. SecureState works as an extension of the corporation’s response team to help ensure relevant and efficient analysis for three primary areas of forensics: Evidence Acquisition, Evidence Analysis, and Evidence Reporting.

Forensic Acquisition: Computer Forensics Acquisition is the process of acquiring electronic evidence in a manner that preserves the data and maintains chain of custody. SecureState establishes tested and proven acquisition methodologies, information gathering and structured reporting of security related events. Electronic evidence contains the information needed to understand how the events happened, resources or data that may have been affected, and mitigation strategies. It is essential that electronic evidence is acquired in a methodical, safe, and secure manner.

Evidence Collection: All evidence collection procedures are reviewed by SecureState’s Incident Response Team before acquisition begins. As deemed appropriate, SecureState is the custodian of data and the handler for response, evidence collection and retention, and data or device analysis. All imaging, data collection and documentation will be observed and supervised by a SecureState Lead Investigator.

Forensic Analysis: The primary scope of forensic analysis is to identify unauthorized or anomalous indicators that exist (past or present), how they were deployed, and what capabilities they might have had on the system. After identifying whether a successful compromise or malicious software exists, SecureState’s primary focus would be directed at determining applicable next steps relating to regulatory or legal compliance, as well as business impact and risk. Applicable next steps would involve additional forensic acquisition and documentation, collecting and identifying the initial intent of the compromise, remediation, and determining if any private, regulatory or sensitive data was captured or modified.

Documenting and Recording: All details, facts and processes will be documented as soon as the Response Team begins analysis on a potential incident or forensic investigation. SecureState will incorporate appropriate media for logging the incident process such as host records, tagging and labeling systems. Every step taken from the time the incident was detected and recorded to its resolution will be documented, time stamped, reviewed, and signed by the incident handler. Since documentation is an ongoing process throughout the examination, it is vital to be complete, accurate, and comprehensive during the reporting process. SecureState will safeguard data related to incidents since it will contain sensitive system or personnel information, data on exploited vulnerabilities, or information that may be needed for law enforcement. To reduce the risk of sensitive information being disclosed, SecureState ensures that access to incident data is restricted and properly stored. In accordance with applicable policies, rules, regulations, or other governing requirements, SecureState is responsible for the secure and timely delivery of its investigation reports, final incident reports, and all other reports required in accordance with the Incident Response Policies.

What Makes Us Different

With top industry certifications and clearances, SecureState’s Incident Response experts can assist in the forensics of computer investigations, email, intellectual property theft/corporate espionage, and deleted file recovery. SecureState approaches computer forensics by exceeding the methodologies set forth by industry standards and regulatory requirements. In fact, SecureState develops its own policies and investigation protocols through a well-integrated mix of best practices, case law, and subject matter experts in the areas of audit and compliance, risk, and ethical hacking.

SecureState has helped develop, implement, and sustain organizational policies and government regulations that require computer forensic investigations, and has been the case lead and primary technical point of contact for investigating system intrusions, fraud, system abuse, intellectual property theft, harassment, regulatory compliance, and many other Internet and insider-based crimes. SecureState professionals are well trained on incident response, but also are well versed in all aspects of security; we use this integration to help provide in-depth investigations into the origin of an incident, what data may be affected, the impact to the organization, and if the analysis should dictate a regulatory or legal response:

  • SecureState only employs experts with prior military experience, background checks, security clearances, and some of the toughest security and regulatory certifications around.
  • SecureState relies on many CME’s from all supporting fields and practices to ensure the data, information, and analysis are accurate and thorough.
  • SecureState offers many digital forensic services, including computer forensics, network forensics, mobile device forensics, media forensics, and forensic data analysis.
  • SecureState’s Computer Forensics Team works closely with the other teams at SecureState by integrating services, expertise, industry-approved policies and methodologies, and regulatory or government regulations.
  • SecureState has developed forensic methodologies that are required or driven by regulatory guidelines such as PCI, PHI and privacy laws.
  • SecureState ensures lessons-learned meetings integrate forensic acquisition, tracking, management and validation within the organization’s Incident Response program.
  • SecureState maintains a facility that is designed to the specifications required by Director of Central Intelligence Directive 6/9 Physical Security Standards for Sensitive Compartmented Information Facilities (SCIF).
