Evidence acquisition
Disk and memory images, collection of logs and artefacts on endpoints and infrastructure, with preservation and chain of custody. The evidence before it degrades.
After an incident you need factual answers: how they got in, what they touched, what they took out. Fortgale digital forensics is the analytical phase of incident response: evidence, chain reconstruction, IOCs. Not court expert reports, but technical analysis that drives containment and notifications.
Fortgale forensics lives within incident response: the analysts who contain are the same who reconstruct the attack.
Initial vector, persistence, lateral movement, escalation. The attack timeline mapped to MITRE ATT&CK, from first compromise to objective.
Distinguishing what was accessed, encrypted or copied out: the basis for notifications and for the insurance claim. Plus the IOCs to block re-entry.
Fortgale delivers forensics as part of incident response. The evidence and reconstruction support notifications, insurance and internal decisions. Sworn reports and technical expert opinions in a judicial context are a different profession, which Fortgale does not provide: we say so clearly.
Forensics feeds containment and eradication. See the Incident Response service and the MDR that operates it 24·7·365.
The evidence makes the data breach notification and the NIS2 notification to the CSIRT accurate. The legal act stays with the controller or the DPO.
The analysis of malware and actors (e.g. CTI, 287 tools and actors profiled) accelerates reconstruction: we already know how they move.
In Operation Storming Tide the Fortgale team reconstructed a multi-stage chain (Mora_001: Matanbuchus 3.0 → Astarion RAT → SystemBC, RClone exfiltration), MITRE-mapped, with IOCs published. Exfiltration and ransomware prevented.
On Nebula Broker the team analysed the proprietary BrokerLoader malware and attributed the actor; Mandiant (Google) later confirmed it as UNC4990. Forensic analysis of the code, not just the alerts.
No. We deliver digital forensics as a phase of incident response (DFIR): attack analysis, evidence, reconstruction. We do not offer sworn reports or technical expert opinions in a judicial context: that is a forensic profession dedicated to the legal setting, distinct from ours.
Acquisition and preservation of evidence (disk, memory, logs), analysis of artefacts, reconstruction of vector and lateral movement, identification of what was exfiltrated, IOCs mapped to MITRE ATT&CK.
During and after an incident, within incident response. It answers three questions: how they got in, what they touched, what they took out. The answers drive containment, restore and notifications.
Yes: it supports the data breach notification, the cyber insurance claim and internal documentation. The legal assessment and formal acts remain with the controller, the DPO or legal counsel.
IR is the full process (detection, containment, eradication, restore); forensics is the analytical component that reconstructs the facts. At Fortgale they are the same team: those who contain are those who reconstruct.
Talk to the Fortgale IR team: we acquire the evidence, reconstruct the attack chain and identify what was exfiltrated, within an incident response service with a European SOC 24·7·365.
No nurturing sequences, no auto-replies. One of our analysts calls you back within one business day.
Response in 30 minutes, containment in 1–4 hours. Even if you are not a Fortgale customer.