Advanced Forensics
Armor as a trusted partner is always on standby to guide you in handling full-scale cyber events and forensics triage as a part of the incident response process. Depending on the XDR+SOC subscription, Armor provides a team of experts for Digital Forensics and Incident Response (DFIR) to work with you to deliver findings, recommendations, and a Root Cause Analysis (RCA) as a part of the Digital Forensics Engagement report.
Digital Forensics and Incident Response (DFIR) Services
Digital Forensics Engagement services include:
Investigation of on-premises, cloud, and containerized systems while ensuring secure protection of forensics data.
Diagnostics including detailed log analysis and correlation with threat sources (i,e. Threat Intelligence) and past experience.
Extract insights from digital evidence by combining intensive analysis of the threat (i,e. Malware strain, suspicious events, attack vectors, personal identifiable information risk).
Guiding evidence preservation, including hosts, network, mobile, cloud, or any other form of digital data.
Compile a report that explains what happened during the security event, and if possible, identifies the root cause along with digital evidence. The report may contain recommendations for remediating future attacks.
Communication Plan
Armor collaborates with you primarily via a ticketing platform for communication, responding to incidents, and periodic updates. Depending on the type and severity of the incident, Armor may require collaborating with your team and SMEs via chat/video/voice platforms. Armor recommends real-time collaboration tools such as Slack or Microsoft Teams.
In the event of a Critical Incident, the SOC team will create a war room and conference bridge to assign roles and initial briefing. The SOC team will share bridge details via a ticket or an agreed-secured method.
Process flow
| Stages | Description |
|---|---|
| Preparation | 1. Objective of investigation environment context and resources required. 2. Plan Acquisition of digital evidence. 3. Preparation of secure assessment environment, storage, tools and techniques. |
| Collection | 1. Collect detailed information on infected systems and type of attacks. |
| Preservation | 1. Collected evidence is isolated, secured and preserved for the period of assessment & reporting. |
| Analysis | 1. Comprehensive Forensics Analysis to identify the root cause of incident, attack vector and impact. 2. Process data and Interpret Analysis results, Gather facts. 3. Initial findings and mitigation guidance. |
| Report | 1. Documentation of the findings and recovery recommendation. 2. Process of summarization and explanation of conclusions. |
| Post Assessment | 1. Secure deletion of evidence collected for Forensics Analysis. 2. Ongoing guidance on remediation and recovery. |