Forensic: post intrusion analysis


If you have been the victim of a malicious act, fraud or IT attack, there is a type of information system (IS) audit designed for this situation: a Forensic investigation. Also called post-penetration analysis or post-mortem search, this IT security audit consists of collecting and analysing proof of compromise and determining as precisely as possible the operating methods used by the hacker. This service’s goal is to retrace the hacker’s actions or changes (placing malicious files, altering existing files, etc.).

Ultimately, determining the compromise’s cause and gathering proof of fraud will allow you to identify what to change to correct the vulnerability.

Forensic analysis: why implement it?

In case of suspected spying, fraudulent access, hacking or a dispute with a third party (such as an employee, client, competitor, or service provider), forensic analysis can provide many answers.

The main objective of this IT security service is to provide the proof and precisely retrace the attacker’s operating method, the source of the compromise and the damage it caused.

This way, you will see your system’s weak point, identify the risks it causes and identify the necessary actions: accept the risk or remove it by correcting the vulnerability that led to the penetration.

Our Forensic service will also allow you to produce the digital proof of fraud of which you were a victim in a civil or criminal case.


 NBS System’s expertise in IT security

21 years of experience

penetration test

+ 250 clients in IT security

Creator of CerberHost

Creator of Naxsi

Forensic: Two methods for two objectives



This after-the-fact analysis consists in retrieving digital traces (journals, logs, disks) to find the cause of a possible compromise of your system or application, such as a vulnerability a hacker exploited, in-house data theft, or human error. Here, the approach serves the private objective of correction, often as part of a continuous improvement approach. The results of the search are formalised and written with this in mind.


The goal of this analysis of digital traces is to reveal facts and proof to build a case and provide fact-based arguments to a legal representative (jurist, legist, or lawyer). Post-penetration analysis is generally followed by a legal action such as filing a report, a trial, etc.

Concretely, the forensic analysis is very similar in both methods. The real difference lies in the presentation and type of information included in the report.

How is a Forensic conducted?

After identifying the audit’s scope and formalising the service, a Forensic can be broken down into four major steps:

Rule out any errors

What? Our forensic experts will analyse your logs, software features, and recently used accesses.

The goal? To rule out with certainty hardware or software malfunctions and/or human error.

Evaluate the system

What? In this step, our consultants will determine the “health” of your system. This entails an audit of your hardware, storage media, protocols, etc.

The goal? To refute the theory of technical malfunction and find possible vulnerabilities or flaws in your IS that could have been exploited.

Copy of digital data

What? Our IT security experts will copy as much data as they can, such as emails, computing logs, and storage present on any media such as hard drives or memory cards.

The goal? To retrieve anything that can provide information, no matter how small, that will help our experts conduct their search.

Inspection of digital data

What? This is an iterative process made up of the following four steps:

  • Identify a list of “suspicious keywords” in relation to the compromised element
  • Search for items that contain these keywords in your logs and files
  • Analyse the risk related to the items found
  • Search for new suspicious keywords coherent with the latest findings
  • (Re)define a (new) list of “suspicious keywords”


All of this makes up a timeline that traces the chronology of events.

The goal? Detect sensitive elements with a (direct or indirect) relationship to the penetration or desired object to follow the trail or find the origin of the compromise.
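The keyword loop described above can be sketched in a few lines of Python. This is an added example, not NBS System's tooling: the log lines, the seed keyword `img_cache.php` and the helper names are constructed for illustration, and the automatic extraction of IP addresses and account names stands in for the analyst's risk review of each item found.

```python
import re
from datetime import datetime

# Constructed sample evidence as (source, line) pairs; not real log data.
SAMPLE_LOGS = [
    ("access.log", "2024-03-02T10:15:07 203.0.113.50 POST /upload/img_cache.php 200"),
    ("access.log", "2024-03-02T09:58:41 203.0.113.50 POST /admin/login 302"),
    ("access.log", "2024-03-02T09:40:12 198.51.100.7 GET /index.php 200"),
    ("auth.log", "2024-03-02T10:21:33 sshd: Accepted password for deploy from 203.0.113.50"),
    ("auth.log", "2024-03-02T10:25:02 sudo: deploy : COMMAND=/usr/bin/crontab -e"),
    ("auth.log", "2024-03-02T08:02:10 sshd: Accepted publickey for backup from 192.0.2.10"),
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\bfor (\w+) from\b")

def extract_pivots(line):
    """Candidate new keywords in a hit: source IPs and account names."""
    return set(IP_RE.findall(line)) | set(USER_RE.findall(line))

def build_timeline(logs, seed_keywords, max_rounds=10):
    """Search, collect new keywords from the hits, and repeat until stable."""
    keywords = set(seed_keywords)
    hits = {}  # (source, line) -> keyword that first matched it
    for _ in range(max_rounds):
        new_keywords = set()
        for source, line in logs:
            if (source, line) in hits:
                continue
            matched = next((k for k in sorted(keywords) if k in line), None)
            if matched:
                hits[(source, line)] = matched
                # In a real case an analyst vets each pivot before reuse.
                new_keywords |= extract_pivots(line) - keywords
        if not new_keywords:
            break  # no new suspicious keywords: the list is stable
        keywords |= new_keywords
    # Order every hit by its leading ISO timestamp to get the chronology.
    timeline = sorted(
        (datetime.fromisoformat(line.split()[0]), source, line, kw)
        for (source, line), kw in hits.items()
    )
    return timeline, keywords

if __name__ == "__main__":
    for when, source, line, kw in build_timeline(SAMPLE_LOGS, {"img_cache.php"})[0]:
        print(when.isoformat(), source, f"[{kw}]", line)
```

Starting from one altered file name, the loop pulls in the source address and then the account used from that address, while unrelated traffic stays out of the timeline.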

Delivery of the report

The report’s composition will depend on the type of forensic analysis you need (technical or legal). In both cases, the report will include the expected proof (if the compromise has been confirmed).

When to conduct a forensic analysis?

Were you or do you suspect you were a victim of a malicious act, fraud or IT attack? That is when we can intervene.

Who conducts the forensic analysis?

The NBS System security team that works on your forensic services is specialised in audits and security tests. Its members also regularly, randomly and for a limited period, take over the role of SecOps within NBS System, which helps them stay close to production and your everyday issues.

The security unit also includes a team dedicated to research and innovation that creates open source projects so that our in-house expertise can serve society and the ecosystem. This is how NAXSI, PHP malware finder, and Snuffleupagus, renowned security tools, were born. This also allows our experts to stay up-to-date on offensive and defensive changes in IT security.

Of course, these two teams (10 experts) work together, so you get the best security expertise and protection possible, even against emerging threats.

Where is the Forensic conducted?

Generally, the first three Forensic steps are conducted in your offices close to your teams and hardware.

However, the fourth step consisting of inspecting data can be done remotely (in our facilities) or in your offices. The choice is yours.

Deontology & ethics at NBS System

Our IT security experts are the only ones with access to the audit report given to you, and they deliver to you all information gathered in or about your system during the web security audit. This information is not saved at NBS System and is never shared with third parties.

Do you think you’ve been compromised?

Contact our teams now!