Digital Forensics Services

Introduction

Mossé Security has delivered hundreds of Digital Forensics engagements (some as part of our incident response services). Our capabilities include:

  • Disk and filesystem forensics
  • Windows forensics
  • Memory forensics
  • Application forensics
  • Network forensics
  • Malware analysis
  • Out-of-band forensics

Benefits

Here are examples of benefits that our Certified Consultants can achieve:

  • Restore incident logic and reconstruct a complete timeline
  • Identify the data accessed by the adversary
  • Recover deleted files
  • Recover and analyse exploit payloads
  • Establish the likelihood of data having left the network, and in what quantity
  • Identify the employees, customers and/or suppliers that were targeted

Key Achievements

  • In 2016, Mossé Security was engaged to investigate the compromise of cloud accounts by an insider threat. We discovered that a disgruntled employee had created multiple backdoor administrator accounts across Google Cloud, AWS and G Suite, and used them to sabotage the company after they had been removed from their position. The person was a senior IT director who had significant internal system knowledge and knew exactly which systems to target, how and when, for maximum effect. Our team performed forensics in the cloud to remove all of his access, produced a report for the client’s legal team and then acted as expert witnesses to support legal action.
  • In 2018, Mossé Security was engaged by a top Australian organisation to investigate defamatory emails sent from an anonymous email service to multiple board members and the press. Our team performed digital forensics across Active Directory records, Microsoft Exchange records, email records, and access logs on file shares. We assisted the client in identifying the disgruntled employee, which they then confirmed with the help of a private investigator. In the end, the client’s legal team used our findings to resolve the matter out of court.
  • In 2020, an ASX200 organisation engaged our team to investigate mission-critical systems that had alerted its internal Security Operations Centre to malicious activity. Their Level 3 analysts performed digital forensics on the systems but failed to identify the adversary’s persistence mechanisms. Our team performed out-of-band forensics and discovered that the attacker was employing Windows kernel drivers to hide their presence on the systems, defeat the SOC’s enterprise forensics product and prevent the acquisition of memory dumps. We were able to devise a safe way to remove the implants from the compromised machines, as well as to develop network detection capabilities to identify further systems affected by this massive cyber breach.

Our Certifications

Our team undertakes 2,000+ hours of pre-deployment training per year. Here are some of the certifications we hold and maintain:

Free Project Consultation, Scoping and Quote

Call us on 1300 730 035 or submit the form below