What we do

Services

Specialized digital forensics and incident response across the full spectrum of cyber threats and corporate investigations. Senior-led. Immediate. Confidential.

[Illustration: mock forensic examiner view of an E01 evidence image opened read-only. Panels: evidence tree (an NTFS volume with Windows\Prefetch, Users\admin\AppData and Desktop holding toolkit.exe, plus unallocated space); hex dump of the file's PE/MZ header and DOS stub ("This program cannot be run in DOS mode"); anomaly flag on the header with entropy 7.82, a multi-engine detection count and an MD5 value; 3 of 47 extracted strings (a DLL path under C:\Windows\Temp, a redacted HTTP URL to a gate.php endpoint, and "cmd.exe /c net group /domain"); PE timestamps with compile and modified dates and "Signed: NO". Status bar: 847 files, 3 anomalies, 100% verified, read-only mode.]

Investigation

Digital Forensics

When a digital incident occurs, the instinct to act quickly can destroy the evidence needed to understand what happened: rebooting a host discards its memory, logging in to "check" overwrites timestamps and creates new artifacts, and a well-meant cleanup deletes the files that explain the intrusion. We conduct end-to-end forensic investigations across endpoints, mobile devices, cloud platforms, and enterprise systems, with evidence collected, preserved, and analyzed under documented methodology and an unbroken chain of custody from first contact to final report.

  • Endpoint and mobile device forensics
  • Cloud and Microsoft 365 forensics
  • Network packet capture and traffic analysis
  • Static and dynamic malware analysis
  • Memory forensics and volatile data analysis
  • Log analysis and event timeline reconstruction
  • Forensic acquisition and analysis across any operating system, hardware platform, or IoT device
  • Large-scale media examination and perceptual hashing
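Exact hashes such as MD5 and SHA-256 are what forensic tooling uses to verify an acquired image and to deduplicate identical files, but they cannot recognise a resized, recompressed or lightly edited copy of a picture; a perceptual hash can, which is why it matters for large-scale media examination. The following is an added example written for this page, not SIFT's own tooling: a pure-Python difference hash (dHash) over constructed grayscale images, set beside a SHA-256 of the same pixels. The images, the 64x64 size, the +5 brightness shift and the ±3 noise are all made up for the demonstration; a real pipeline would decode JPEG/PNG (for example with Pillow) into the same row-of-pixels format before hashing.

```python
"""Perceptual (difference) hashing vs. cryptographic hashing for media triage.

Added illustration for this page, not SIFT's tooling. Standard library only:
images are constructed in code as lists of 8-bit grayscale rows so it runs
offline; decode real files into the same row format before calling dhash().
"""
import hashlib
import random
from typing import List, Tuple

Image = List[List[int]]  # rows of 8-bit grayscale pixels


def downscale(img: Image, width: int, height: int) -> Image:
    """Box-filter downscale: each output pixel is the integer mean of the
    source block it covers. Coarse on purpose: fine detail such as noise and
    recompression artefacts is averaged away before the hash is taken."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for y in range(height):
        y0 = y * src_h // height
        y1 = max((y + 1) * src_h // height, y0 + 1)  # guard: at least one row
        row = []
        for x in range(width):
            x0 = x * src_w // width
            x1 = max((x + 1) * src_w // width, x0 + 1)  # guard: at least one column
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def dhash(img: Image) -> int:
    """64-bit difference hash: shrink to 9x8, emit a 1 bit where a pixel is
    brighter than its right-hand neighbour. Only the gradient structure is
    kept, so a uniform brightness change or mild noise leaves it unchanged."""
    small = downscale(img, 9, 8)
    bits = 0
    for row in small:
        for x in range(8):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits; about 10 of 64 is a common near-duplicate cutoff."""
    return bin(a ^ b).count("1")


def sha256_hex(img: Image) -> str:
    """Exact content hash of the raw pixel bytes, the kind of hash used for
    deduplication. A single changed byte yields an unrelated digest."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def sample_images(size: int = 64) -> Tuple[Image, Image, Image]:
    """Constructed test data: (a) a horizontal gradient with a bright square,
    (b) the same picture brightened by 5 with +-3 pseudo-random noise, as a
    re-encoded copy might look, (c) the photographic negative of (a)."""
    def base(x: int, y: int) -> int:
        return x * 3 + (40 if 20 <= x < 44 and 20 <= y < 44 else 0)

    rng = random.Random(1)  # fixed seed so the result is reproducible
    a = [[base(x, y) for x in range(size)] for y in range(size)]
    b = [[min(255, max(0, base(x, y) + 5 + rng.randint(-3, 3))) for x in range(size)]
         for y in range(size)]
    c = [[255 - p for p in row] for row in a]
    return a, b, c


def compare(original: Image, candidate: Image) -> dict:
    """Both checks a triage pipeline would run: exact match via SHA-256,
    visual similarity via dHash Hamming distance."""
    return {
        "sha256_match": sha256_hex(original) == sha256_hex(candidate),
        "dhash_distance": hamming(dhash(original), dhash(candidate)),
    }


if __name__ == "__main__":
    a, b, c = sample_images()
    print("re-encoded copy:", compare(a, b))  # SHA-256 differs, dHash distance small
    print("negative image: ", compare(a, c))  # SHA-256 differs, dHash distance large
```

The re-encoded copy fails the exact-hash comparison yet lands within a few bits of the original's dHash, while the negative, which shares no visual structure, is far away; that gap is what lets a reviewer cluster near-duplicates that hash-based deduplication would treat as unrelated files. The cutoff is a tuning decision: too low misses edited copies, too high merges unrelated images with similar gradients, so treat a perceptual match as a lead to verify, not as proof of identity.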
[Illustration: mock incident response network topology for case IR-2024-0847. Attack path: Internet, firewall (bypassed), VPN gateway (credentials stolen), core switch, domain controller (domain admin credentials dumped), file server (2.3 GB exfiltrated), mail server (isolated), 376 affected workstations; threat actor connecting via TOR and VPN. Legend: compromised, isolated, clean. Status bar: 376 hosts affected, 2.3 GB exfiltrated, domain admin compromised, elapsed time 4h 22m.]

Response

Incident Response

A security incident in progress puts your organization in a race it did not start. We provide senior-led response from initial triage through containment, scope determination, evidence preservation, and recovery planning, across the full range of attack scenarios your teams will face.

  • Insider threat and data exfiltration
  • Cloud account compromise and unauthorized access
  • Web application intrusion and defacement
  • Business email compromise and wire fraud
  • Corporate espionage and intellectual property theft
  • Third-party and supply chain breach investigation
  • Credential theft and account takeover
  • Destructive attack and data destruction incidents
[Illustration: mock ransomware scope dashboard for a LockBit 3.0 incident, 78% encrypted. File system view of encryption propagation: 78% encrypted, 22% clean, remainder in progress. Variant: LockBit 3.0, extension .lockbit3, C2 over a TOR hidden service, first hit 02:47 UTC. Scope: 47,284 of 60,622 files encrypted. Status: memory captured, volume shadow copies intact, encryption not yet stopped, negotiation pending. Warning banner: DO NOT REBOOT.]

Ransomware

Ransomware Response

Ransomware stops operations and forces decisions that cannot wait. We provide structured response from initial triage through threat actor identification, attribution, and full scope determination. Evidence is preserved throughout: affected hosts are isolated from the network but not powered off or rebooted, because volatile memory may still hold encryption keys, credentials, and attacker tooling that cannot be recovered afterwards. Negotiation support, recovery planning, post-incident hardening, and regulatory advisory proceed in parallel with your legal team.

  • Threat actor identification and attribution
  • Full scope and impact determination
  • Forensic evidence preservation
  • Negotiation support and ransom decision advisory
  • Recovery and restoration planning
  • Post-incident hardening and re-entry prevention
  • Regulatory disclosure support
[Illustration: mock OSINT and dark web intelligence monitor, live. Sources include .onion forums, markets and leak dump sites; tracked groups include state actors and criminal organizations; the client network shows 7 critical active alerts and 14 alerts in the past 72 hours. Status bar: 847 dark web sources, 7 critical threats, last scan 4 minutes ago.]

Intelligence

OSINT & Dark Web Intelligence

Threats often surface on the open Internet and the dark web before they reach your environment. Using dedicated OSINT tradecraft and a purpose-built platform that crawls known and newly emerging dark web sites, we conduct retroactive and proactive intelligence hunts to identify exposed credentials, leaked data, threat actor chatter, and mentions of your organization before they escalate.

  • Dark web monitoring for leaked credentials and stolen data
  • Proactive and retroactive dark web threat hunting
  • Threat actor profiling and attribution intelligence
  • Compromised credential identification and alerting
  • Brand and domain protection monitoring
  • Open source intelligence (OSINT) investigations
[Illustration: mock security posture assessment against NIST CSF 2.0, marked confidential. Function scores: Govern 89%, Identify 61%, Protect 47%, Detect 22%, Respond 34%, Recover 58%. Critical findings: detection is a critical gap; IR playbooks untested for 18 months; EDR deployed on 67% of endpoints; log retention 30 days where 90 are needed; SIEM covers under 25% of relevant threats; no threat hunting program. Priorities: P1 deploy detection coverage, P2 IR tabletop exercise within 60 days, P3 expand EDR to 100%. Overall risk: high. 108 controls assessed, 34 gaps, next review in 90 days.]

Advisory

Cybersecurity Advisory

Most organizations invest in security tools without knowing whether those tools actually detect the threats they face. Drawing on experience designing national security testing frameworks and delivering security programs across telecoms, media, financial services, and government, we provide security architecture review, threat hunting, detection improvement, and incident response readiness that builds real organizational resilience.

  • Security program architecture and strategic advisory
  • Threat hunting and detection improvement
  • Purple team exercises and adversary simulation
  • Incident response planning and tabletop exercises
  • Security architecture review and hardening
  • Security policy development and review
[Illustration: mock eDiscovery platform view for a sample matter (Smith v. Acme Corp, CV-2024-0847, Ontario Superior Court). Document pipeline with counts: collect from all custodians, 2,400,000 documents; deduplicate by MD5/SHA hash, 1,247,000; process (index and normalize), 891,247; review for privilege and relevance, 547,382; produce court-ready, 18,443. Matter stats: 2.4M items / 847 GB of ESI, review 61% complete, 2,847 privileged items logged, 18,443 responsive, 8,247 produced. Production: set 1 produced, set 2 and privilege log in review; 30-day deadline at a review rate of 2,400 documents per day.]

Litigation

eDiscovery

Civil litigation and regulatory matters increasingly turn on the quality and handling of electronic evidence. We work directly with legal counsel to collect, process, and analyze electronically stored information, producing findings that direct litigation strategy and withstand judicial scrutiny.

  • Legal hold advisory and implementation
  • Cross-platform data collection across email, cloud, and enterprise systems
  • Processing, deduplication, and data volume reduction
  • Email threading and near-duplicate grouping for efficient review
  • Keyword search, concept analytics, and early case assessment
  • Production in required formats with metadata integrity intact
  • Regulatory disclosure and privilege log support
[Illustration: mock expert forensic opinion from SIFT Solutions Inc., headed STRICTLY CONFIDENTIAL / SOLICITOR-CLIENT PRIVILEGE, with the case caption, dates, account name and USB serial number left blank. Sample findings: an account accessed a restricted directory on 14 occasions, exclusively outside business hours; 847 files (2.3 GB) were transferred to a USB device; browser history and the Recycle Bin were deliberately purged nine minutes after the transfer. Signed "[Expert Witness]"; stamped Official, Certified, Confidential, Privileged.]

Expert

Expert Opinion

Civil proceedings and regulatory matters often require a clear, independent technical opinion on digital evidence. Our investigators are qualified as digital forensics experts in civil matters and provide written opinions on forensic methodology and findings, drafted in language that counsel, insurers, and decision-makers can act on.

  • Written expert opinions for civil and regulatory matters
  • Technical findings explained clearly for legal and non-technical audiences
  • Forensic methodology documentation for legal review
  • Litigation support on IP, fraud, employment, and data breach matters
  • Legal counsel briefing and case strategy support

In crisis right now?

Call now. Every inquiry goes directly to a senior investigator who takes your matter seriously and responds as quickly as possible. All inquiries are strictly confidential.