Digital safety starts here for both commercial and personal

Explore our comprehensive Cyber Security Services, featuring Red Team Assessment, Penetration Testing, Digital Forensics, Web Application Testing, and Network Security Audit. Our expert solutions ensure robust protection for your digital assets and infrastructure.

Cyber Forensic Assessment · IR · Court-Admissible Evidence

When it matters most, evidence holds up.

Digital forensics & incident response by certified examiners. From malware outbreaks to insider IP theft to ransomware negotiation support — we collect, preserve, and analyse evidence to forensic standards, maintain chain of custody, and deliver reports that stand up in court or to regulators.

24/7
Emergency Response
ISO 27037
Standard-Aligned
Court-Ready
65B / BSA Certified
insec@lab ~ case-INS-2024-0419 SEALED

◈ Evidence Acquisition · E01 Image

Case: INS-2024-0419 · Data Exfiltration
Exhibit: EXH-001 · ThinkPad X1
Device: Samsung 970 EVO 1TB NVMe
Format: E01 · Expert Witness Format
Blocker: Tableau T35u Write-Block ✓
Size: 931.5 GB · acquired 02:14
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

◈ Chain of Custody

Seized · Exhibit bag sealed · photo log
Transported · tamper-evident courier
Write-blocked imaging · hashed ✓
Working copy created · original sealed
Analysis on verified copy…

287d · avg attacker dwell time before detection
$4.88M · avg cost of data breach (IBM 2024)
68% · of breaches involve non-malicious insider action
Hours · matter for volatile-evidence capture

// What We Do

Forensic depth. Incident-response speed.

Whether you need a rapid containment team at 2 AM or a months-long investigation for an insider case, the same discipline applies: collect properly, analyse rigorously, report clearly.

Incident Investigation

Root-cause investigation after a confirmed or suspected compromise.

  • Ransomware & extortion response
  • Malware outbreak scoping
  • Email compromise (BEC / ATO)
  • Data-theft & exfiltration tracing
  • Attacker attribution & TTP mapping
  • Timeline reconstruction

Disk & Memory Forensics

Bit-for-bit imaging, volatile memory capture, artefact-level analysis.

  • Write-blocked acquisition (E01/AFF4)
  • Live-memory capture (RAM)
  • Registry, MFT, USN journal, $LogFile
  • Browser, shellbags, jump lists
  • Deleted-file recovery & carving
  • Anti-forensic detection

Mobile Forensics

iOS & Android extraction, messaging recovery, location analysis.

  • Logical, file-system & physical extraction
  • Cellebrite UFED / Magnet GrayKey
  • WhatsApp · Signal · Telegram decryption
  • Cloud-backup acquisition (iCloud / Google)
  • Geolocation & call-detail analysis
  • App-data (banking, CRM, meeting apps)

Cloud & SaaS Forensics

AWS / Azure / GCP / Google Workspace / M365 investigation.

  • CloudTrail · Activity · Audit log analysis
  • M365 UAL + Purview + MDO
  • Google Workspace Admin audit
  • SaaS OAuth-grant abuse tracing
  • S3 / Blob / GCS exfil detection
  • Serverless & container evidence

Network Forensics

PCAP, NetFlow, proxy log deep-dive — what left, where it went.

  • Full-packet analysis & reconstruction
  • C2 beacon & covert-channel hunt
  • DNS & NetFlow exfil patterns
  • TLS / JA3 fingerprinting
  • Proxy / firewall log correlation
  • IOC extraction & enrichment

Malware Reverse Engineering

Static & dynamic analysis, behavioural profiling, IOC authoring.

  • Sandboxing (Cuckoo / ANY.RUN / Joe)
  • Static disassembly (IDA / Ghidra / Binary Ninja)
  • Dynamic debugging (x64dbg / WinDbg)
  • Unpacking, de-obfuscation
  • YARA rule authoring
  • MITRE ATT&CK TTP mapping

Insider & IP Theft Cases

Employee misconduct, IP theft, policy violation investigations.

  • Exit-employee artefact review
  • USB / cloud-upload exfil tracing
  • Email & chat forensic review
  • Source-code / document-IP tracing
  • Mobile device artefact review
  • Expert-witness reporting

Fraud & Financial Investigations

Payment fraud, BEC, account takeover, cryptocurrency tracing.

  • Transaction & log reconstruction
  • BEC (CEO-fraud) forensics
  • Banking trojan & stealer analysis
  • Cryptocurrency flow tracing
  • Fraudulent-wire chain analysis
  • Regulatory reporting support

Expert Witness & Legal

Court-admissible reports, depositions, and testimony.

  • IT Act · Indian Evidence Act 65B
  • BSA 2023 · Section 63 certificates
  • Affidavits & deposition support
  • Opposing-counsel evidence review
  • Civil & criminal proceedings
  • Arbitration & HR proceedings

// Methodology

ISO 27037. NIST 800-86. Disciplined from minute one.

Same rigour whether the case goes to court, to a regulator, or stays internal. Cutting corners on one case ruins every future one.

01 · INTAKE

Incident Intake

Emergency triage, scope, legal-hold issuance, engagement letter & authorization.

02 · PRESERVE

Preserve Volatile Evidence

RAM capture, running processes, network state · before anyone touches anything.

03 · ACQUIRE

Forensic Acquisition

Write-blocked imaging, E01/AFF4, MD5+SHA256 hash verification, sealed originals.

04 · CUSTODY

Chain of Custody

Tamper-evident bags, signed logs, photo trails, secure transport & storage.

05 · VERIFY

Hash & Working Copy

Cryptographic-hash verification, working copies for all analysis, original untouched.

06 · ANALYSE

Forensic Analysis

Artefact parsing, timeline, super-timeline (Plaso), IOC authoring, attribution.

07 · CORRELATE

Cross-Source Correlation

Endpoint + network + cloud + mobile tied together into a single narrative.

08 · REPORT

Expert Report

Court-admissible findings, IOCs, screenshots, hash catalogues, 65B / BSA certificates.

09 · TESTIFY

Testify & Debrief

Expert-witness testimony, deposition, debrief to exec / legal / regulator as needed.
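Steps 03 and 05 above turn on one mechanical check: the digests recorded at acquisition must be reproduced by every working copy before analysis starts, and the check itself must leave a custody record. The script below is an added illustration of that check, not the lab's own tooling; the file paths and sample bytes are constructed, and the case and exhibit identifiers are the ones from the mock terminal above.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Digest pair recorded at acquisition (step 03); SHA1 could be added the same way.
ALGORITHMS = ("md5", "sha256")
CHUNK = 1 << 20  # 1 MiB reads keep a 900 GB image out of RAM

def hash_image(path, algorithms=ALGORITHMS):
    """Stream the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_copy(copy_path, record):
    """Check a working copy against the acquisition digests (step 05).
    Returns (ok, mismatches); every recorded algorithm must match."""
    actual = hash_image(copy_path, record["hashes"].keys())
    mismatches = {alg: (expected, actual[alg])
                  for alg, expected in record["hashes"].items()
                  if actual[alg] != expected}
    return (not mismatches), mismatches

def ledger_entry(record, copy_path, ok, examiner):
    """One append-only chain-of-custody line (JSON) for the verification."""
    return json.dumps({
        "case": record["case"], "exhibit": record["exhibit"],
        "action": "verify-working-copy", "copy": str(copy_path),
        "result": "PASS" if ok else "FAIL", "examiner": examiner,
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }, sort_keys=True)

if __name__ == "__main__":
    work = Path(tempfile.mkdtemp())
    original = work / "EXH-001.E01"  # constructed stand-in for the sealed image
    original.write_bytes(b"\x00" * 4096 + b"constructed sample image")
    record = {"case": "INS-2024-0419", "exhibit": "EXH-001",
              "hashes": hash_image(original)}
    copy = work / "EXH-001.working.E01"
    copy.write_bytes(original.read_bytes())
    ok, bad = verify_copy(copy, record)
    print(ledger_entry(record, copy, ok, "examiner-01"), bad)
```

A copy that matches on one digest but not the other is still rejected; in practice the ledger line is appended to the exhibit's custody log rather than printed.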

// Evidence Sources

Wherever the evidence lives.

Workstations & Laptops

Windows · macOS · Linux · BitLocker & FileVault handling

Servers & VMs

Hypervisor-level snapshots · hot RAM · live response

Mobile Devices

iOS · Android · Cellebrite UFED · GrayKey · Oxygen

Cloud & SaaS

AWS · Azure · GCP · M365 · Workspace · Okta · Slack

Email & Messaging

Exchange / M365 · Gmail · Slack · Teams · WhatsApp

Network Captures

PCAP · NetFlow · DNS · proxy · firewall · IDS

Logs & SIEM

Windows Event · Syslog · Splunk · Sentinel · ELK · EDR

Media & Metadata

EXIF · PDF · Office · deepfake indicators · printed docs

// Lab Tool Stack

Industry-standard tooling. Fully licensed.

No pirated software. No unauthorized tools. Every instrument in our lab is licensed, versioned, and validated against known test images.

EnCase Forensic

Full disk · triage · reporting

Exterro FTK

Processing · e-discovery

Magnet AXIOM

Computer · cloud · mobile

X-Ways Forensics

Deep artefact analysis

Autopsy

Open-source core tool

Volatility 3

Memory forensics

Cellebrite UFED

Mobile extraction

GrayKey

iOS lock-bypass · authorised

Oxygen Forensic

Cloud & mobile · IoT artefacts

Tableau Write-Blockers

Hardware write protection

Plaso / log2timeline

Super-timeline generation

IDA / Ghidra / Binary Ninja

Malware reverse engineering

// Cases We Handle

From boardroom to courtroom.

RANSOMWARE

Ransomware IR

Strain identification, encryption scope, exfil validation, negotiation support, decryption feasibility, regulatory-notification evidence.

BEC

Email Compromise

ATO scoping, mailbox-rule abuse, wire-fraud tracing, forwarding rules, OAuth-grant audit, M365 UAL analysis.

IP THEFT

Insider IP Theft

Exit-employee exfil, USB/cloud uploads, source-code theft, customer-list theft, expert-witness report.

DATA BREACH

Data Breach Response

Scope confirmation, regulatory-timeline evidence, affected-data enumeration, DPA/DPDP notification support.

CRYPTO

Cryptocurrency Fraud

Wallet tracing, exchange KYC request, mixer analysis, counterparty identification, asset-recovery support.

FRAUD

Employee & Vendor Fraud

Kickback schemes, payment diversion, duplicate-invoice analysis, vendor-master tampering, internal investigations.

HR

HR & Misconduct

Policy violation, harassment evidence, whistleblower case support · privacy-respecting methodology.

REGULATORY

Regulatory Response

RBI · SEBI · CERT-In · DPDP Board incident requests · structured-evidence pack & timeline.

LITIGATION

Civil & Criminal Litigation

Pre-action investigation, e-discovery, opposing-expert rebuttal, deposition & testimony.

// Court-Admissibility

Evidence that judges accept.

Indian and international courts don't accept what wasn't collected properly. Everything we do is built around admissibility from the first minute.

// Standards We Follow

International standards. Indian law.

ISO/IEC 27037

Identification · collection · acquisition · preservation.

ISO/IEC 27041

Assurance of investigation methods.

ISO/IEC 27042

Analysis & interpretation of digital evidence.

ISO/IEC 27043

Incident-investigation principles & processes.

NIST SP 800-86

Integrating forensic techniques into IR.

NIST SP 800-101

Mobile-device forensics guidelines.

SWGDE · SWGIT

Scientific Working Group best practices.

ACPO (UK)

Principles of digital-evidence handling.

IT Act · 2000

Section 79A · examiner of electronic evidence.

Evidence Act · 65B

Indian Evidence Act certification compliance.

BSA · 2023

Bharatiya Sakshya Adhiniyam §63 alignment.

DPDP Act · 2023

Personal-data handling during investigations.

// Engagement Timeline

Speed when it matters. Depth when you need it.

HOUR 0

Emergency Intake

24/7 hotline. Legal-hold guidance. Containment-vs-forensic trade-off briefing.

HOUR 1-8

Volatile Capture & Triage

RAM, running processes, fast-IOC sweep on candidate endpoints. Preserve before reboot.

DAY 1-3

Acquisition & Chain

Full write-blocked imaging of in-scope devices · hashed · sealed · logged.

DAY 3-10

Deep Analysis

Artefact parsing, timeline reconstruction, correlation across endpoint / network / cloud.

DAY 10-14

Reporting

Executive summary, technical report, IOC catalogue, hash ledger, 65B / BSA certificate.

DAY 14+

Testify / Remediate

Court testimony, depositions, regulator briefings, hardening & IR-playbook updates.

// FAQ

What legal, HR, and security teams ask first.

Something just happened. What do we do in the first hour?

Don't reboot. Don't start AV scans. Don't let IT "clean up." Document what you see, restrict access to the device, and call us. Volatile evidence (RAM, running processes, network state) vanishes on reboot — and so does the ability to prove what happened.

Will the report hold up in Indian court?

Yes. Every exhibit ships with an Indian Evidence Act §65B / BSA 2023 §63 certificate. Our examiners are court-tested, and our methodology aligns with ISO/IEC 27037-27043. We've supported cases in criminal, civil, arbitration, and HR proceedings.

Can you do the investigation remotely?

Partially. Volatile-evidence capture and triage can be done via remote agents. Full-disk acquisition typically needs physical access — either our courier/technician travels to site, or you ship devices under tamper-evident seal to our lab.

What about encrypted devices (BitLocker, FileVault, iOS)?

If credentials or recovery keys are available (your fleet), we handle decryption in the lab. For authorised / legal-hold investigations where no credentials exist, we work with authorised lawful-access tools (e.g. GrayKey for iOS) under explicit legal authorisation only.

Can you support ransomware negotiation?

Yes — we support negotiation posture & evidence collection, though we do not broker or pay ransoms directly. We assess strain, exfil evidence, decryption-tool viability, OFAC-sanctions risk, and brief your executives, counsel, and insurer.

How do you preserve privacy during employee investigations?

Narrow scope, written authorisation, segregated examiner access, and reviewable-on-request audit trails. We treat employee privacy seriously — scope creep into personal data is a fast path to inadmissibility and HR liability.

How much does it cost?

Emergency IR retainers from ₹5L. Standard single-endpoint case from ₹1.5L. Multi-endpoint investigations, insider IP cases, and expert-witness engagements vary widely — quoted per scope. Retainers available for 24/7 standby.

Do you work with cyber-insurance panels?

Yes — we're experienced with insurer-led response, pre-approval processes, and working alongside breach-response counsel. Reports are delivered in formats your insurer and legal team recognise.

// Get Started

The first hour matters. Make the call now.

Whether it's an active incident, a quiet investigation, or proactive readiness — engage us early. Every hour a device runs unexamined is evidence disappearing.

24/7 Emergency IR · +91 9433 93 2620