The scenario below is a composite of typical cases we encounter in practice. It shows what a forensic audit after an incident looks like and why the first hours matter so much.

The starting situation

An employee in the accounting department received a message posing as an invoice from a regular contractor. The attachment launched malware that, after a few days, began encrypting files on network shares. The company only noticed the problem when some documents became inaccessible.

Step 1: securing the traces

Instead of immediately “cleaning” the machines, we secured the evidentiary material: disk images, volatile memory and logs. Any rash action at this stage can irreversibly destroy evidence and make it harder to establish the scope of the breach.

The integrity of digital evidence determines its value — both in proceedings and when assessing the scale of a leak.
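A concrete way to make that integrity checkable is to hash every evidence item at acquisition time and record the digests in a manifest that is verified whenever the material is handled. The script below is an added illustration, not the audited company's tooling: the evidence items are constructed byte strings standing in for disk images, memory dumps and log exports, and the examiner name is a placeholder.

```python
"""Acquisition-time hashing and later verification of evidence items.

Added illustration, not the audited company's tooling. Evidence contents
are constructed byte strings standing in for disk images, memory dumps
and log exports; in practice the hashes would be computed over files
streamed from write-blocked media.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: name -> bytes (files in practice)
EVIDENCE = {
    "ws-acct-07.disk.E01": b"<constructed disk image bytes>",
    "ws-acct-07.mem.raw": b"<constructed memory dump bytes>",
    "mail-gw.log": b"<constructed mail gateway log export>",
}


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(items: dict, examiner: str) -> dict:
    """Record a hash for every item at acquisition time, plus who and when."""
    return {
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "items": {name: sha256_hex(data) for name, data in items.items()},
    }


def verify_manifest(items: dict, manifest: dict) -> list:
    """Re-hash every item listed in the manifest and return the names that
    no longer match or are missing. An empty list means integrity is intact."""
    problems = []
    for name, recorded in manifest["items"].items():
        if name not in items:
            problems.append(f"{name}: missing")
        elif sha256_hex(items[name]) != recorded:
            problems.append(f"{name}: hash mismatch")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, examiner="analyst-1 (placeholder)")
    print(json.dumps(manifest, indent=2))
    print("verify:", verify_manifest(EVIDENCE, manifest) or "OK")
    # Simulate the "rash cleaning" the text warns about: one export is edited
    tampered = dict(EVIDENCE)
    tampered["mail-gw.log"] = b"<edited after acquisition>"
    print("after tampering:", verify_manifest(tampered, manifest))
```

The manifest itself should be stored separately from the evidence (and ideally signed), otherwise whoever can alter an image can also alter its recorded hash.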

Step 2: log analysis and timeline

From e-mail, workstation and server logs we reconstructed the timeline: the moment the attachment was opened, the first connections to the command-and-control (C2) server, attempts to spread across the network and the start of encryption. Such a reconstruction answers the key questions: when, how and how far the attack reached.
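The mechanical part of that reconstruction is normalising logs from different systems to one clock and sorting them. The script below is an added example, not code from the audit described above: the mail, endpoint, firewall and file-server lines are constructed in simplified formats (not real product formats), and all hosts, users and addresses are placeholders. It also handles the usual snag that syslog-style firewall lines carry no year, which must be supplied from the acquisition context.

```python
"""Merge constructed mail, endpoint, firewall and file-server log lines
into one UTC timeline. Added illustration, not the audited company's
tooling; log formats are simplified constructs, not real product formats,
and hosts, users and addresses are placeholders."""
import re
from datetime import datetime, timezone

# Constructed sample logs. Mail/endpoint/file-server lines carry full ISO
# timestamps in UTC; the firewall lines are syslog-style and omit the year.
MAIL_LOG = [
    "2024-03-04T09:12:05Z mailgw delivered to=j.kowalski@example.invalid "
    "from=billing@contractor.invalid subject=\"Invoice 2024/117\" attach=invoice_117.zip",
]
ENDPOINT_LOG = [
    "2024-03-04T09:14:30Z ws-acct-07 ProcessCreate image=invoice_117.exe parent=outlook.exe",
    "2024-03-05T11:40:12Z ws-acct-07 ProcessCreate image=psexec.exe target=fs01",
]
FIREWALL_LOG = [
    "Mar  4 09:15:02 fw01 ALLOW src=10.0.5.23 dst=203.0.113.45 dpt=443",
    "Mar  4 09:15:09 fw01 ALLOW src=10.0.5.23 dst=203.0.113.45 dpt=443",
]
FILESERVER_LOG = [
    "2024-03-07T02:10:44Z fs01 rename finance/report.xlsx -> finance/report.xlsx.locked",
]

ISO_RE = re.compile(r"^(\S+Z) (\S+) (.*)$")
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_iso_line(line: str, source: str):
    """Parse '<ISO-8601 UTC> <host> <message>' into (ts, source, host, msg)."""
    m = ISO_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return (ts, source, m.group(2), m.group(3))


def parse_syslog_line(line: str, source: str, year: int, tz=timezone.utc):
    """Parse a year-less syslog timestamp; year and zone come from the
    acquisition context because the line itself does not carry them."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return (ts, source, m.group(4), m.group(5))


def build_timeline(year_for_syslog: int = 2024):
    """Normalise every source and return events sorted by UTC time."""
    events = []
    events += [parse_iso_line(l, "mail") for l in MAIL_LOG]
    events += [parse_iso_line(l, "endpoint") for l in ENDPOINT_LOG]
    events += [parse_syslog_line(l, "firewall", year_for_syslog) for l in FIREWALL_LOG]
    events += [parse_iso_line(l, "fileserver") for l in FILESERVER_LOG]
    return sorted(e for e in events if e is not None)


def dwell_time_hours(events):
    """Hours between the first recorded event and the first encryption artefact."""
    first = events[0][0]
    locked = next(e[0] for e in events if ".locked" in e[3])
    return (locked - first).total_seconds() / 3600


if __name__ == "__main__":
    tl = build_timeline()
    for ts, src, host, msg in tl:
        print(f"{ts.isoformat()}  {src:<10} {host:<10} {msg}")
    print(f"dwell time: {dwell_time_hours(tl):.1f} h")
```

Sorting only works once every source is in the same zone; workstation logs recorded in local time (common on Windows) must be converted before the merge, or the C2 connection can appear to precede the attachment being opened.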

Step 3: assessing the data scope

We established which data the attacker may have accessed and whether it was leaked. This information is essential, among other things, for assessing obligations towards authorities and data subjects.

Step 4: a report for management and legal

We presented the findings in two layers: technical (for the IT team) and managerial (for leadership and lawyers). The report covered the course of events, the scope of the breach, a root-cause assessment and remediation recommendations.

Conclusions

  • The lack of MFA and network segmentation let the attack spread wider than was necessary.
  • Backups existed but weren't tested regularly — restoration took longer than expected.
  • The fastest security improvement came from deploying MFA, segmentation and an incident-reporting procedure.

An incident is always costly — but a well-conducted forensic audit turns it into concrete knowledge that genuinely raises the organisation's resilience.