Court-admissible DFIR. Daubert-ready.
Digital incidents become legal proceedings. Our forensic methodology is engineered to produce evidence that survives expert challenge in court — ISO/IEC 27037 acquisition, unbroken chain of custody, scientifically validated techniques, and analyst testimony where required.
ISO/IEC 27037 · ISO/IEC 27035 · ISO/IEC 27041 · NIST SP 800-86 · Daubert principles · GDPR Art. 33/34 · NIS2 / DORA · SEC Cyber
ACTIVE INCIDENT?
Do not power off systems or delete files. Our emergency response team is available 24/7/365 — contact us immediately to preserve evidence and limit adversary dwell time.
STANDARDS, LAW & REGULATION
Documentation that survives a courtroom.
International Standards
- ISO/IEC 27037:2012 — identification, collection, acquisition, and preservation of digital evidence
- ISO/IEC 27035-1:2023 — incident management principles and structured response process
- ISO/IEC 27041:2015 — assurance for digital evidence investigation methods and tools
- NIST SP 800-86 — integration of forensic techniques into incident response
- RFC 3227 — guidelines for evidence collection, archiving, and order of volatility
- SWGDE Standards — Scientific Working Group for Digital Evidence best practices
Court & Legal Admissibility
- Reproducible methodology — peer-reviewed, scientifically validated techniques aligned to the Daubert factors (testability, peer review, known error rate, general acceptance); defensible under expert challenge in US and other common-law jurisdictions and before EU courts
- Expert witness capability — qualified to provide testimony in civil, criminal, and regulatory proceedings across jurisdictions
- Legal hold & preservation notices — drafting support, litigation hold procedures, and e-discovery coordination
- International tribunal readiness — documentation suitable for ICC, ICSID, and cross-border arbitration proceedings
- Attorney-client privilege — engagement under privilege where directed by counsel, shielding findings from compelled disclosure
Regulatory Notification
- GDPR Art. 33 / 34 — 72-hour supervisory authority notification and data subject communication support
- SEC cyber disclosure — material incident determination and factual summary preparation for Form 8-K Item 1.05 (due four business days after the materiality determination) and annual Form 10-K disclosures
- NIS2 / DORA — significant incident reporting to competent authorities under NIS2 (24-hour early warning, 72-hour notification, final report within one month) and major ICT-related incident reporting to financial regulators under DORA
- HIPAA Breach Notification Rule — notification preparation within the 60-day deadline following discovery, and documentation of the four-factor breach risk assessment
- US state notification laws — multi-jurisdiction compliance mapping for incidents with cross-state impact
- Direct liaison with internal and external legal counsel throughout all notification timelines and regulator correspondence
EVIDENCE INTEGRITY
Chain of custody, end to end.
Every item of evidence is handled under a documented, auditable protocol from first contact to certified disposal. Designed to withstand adversarial scrutiny by opposing counsel in any jurisdiction.
Acquisition
- Hardware write-blockers on all physical media — forensic acquisition never modifies the source evidence
- Bit-for-bit forensic imaging using validated, court-accepted tools
- Dual cryptographic hash verification — SHA-256 (authoritative) and MD5 (retained only for legacy-tool interoperability) computed and recorded at acquisition and at every subsequent transfer
- Volatile memory acquired before any shutdown using platform-appropriate acquisition tooling
- Full acquisition metadata logged: analyst identity, UTC timestamp, hardware identifiers, tool name and version
Custody & Storage
- Tamper-evident seals and unique evidence reference numbers applied to all physical media immediately upon acquisition
- AES-256 encrypted evidence containers — with access restricted to named analysts — no shared credentials
- Network-isolated analysis workstations — investigation infrastructure is never connected to client production networks
- Immutable audit trail — every access, transfer, and analysis action logged with analyst identity and UTC timestamp
- Physical evidence stored in access-controlled, environmentally monitored secure storage for the duration of the engagement
Verification & Disposition
- Hash re-verification at each analysis phase confirms the evidence has not been altered since acquisition
- Working copies used for all analysis — originals are never directly examined
- Formal evidence receipt and transfer documentation signed by all parties at each handoff
- Retention schedule defined per engagement agreement or court order; no open-ended storage
- Certified secure destruction of evidence copies at end of retention, with a witnessed destruction certificate provided to the client
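The acquisition bullets (dual SHA-256/MD5 hashing recorded at acquisition and at every transfer, full acquisition metadata) and the verification bullets (re-hashing at each phase, signed handoffs, an immutable audit trail) describe one procedure. The following is an added example written for this page, not tooling from the firm or from any product it names: a minimal evidence register that streams an image through both hash functions, records analyst, UTC timestamp, hardware identifier and tool version, re-verifies at each custody handoff, and chains every log entry to the previous one by hash so that editing or deleting an entry is detectable. Evidence identifiers, analyst names, tool name and the 4 KiB "image" are constructed for the walk-through.

```python
"""Evidence register: dual-hash verification at acquisition and at every
handoff, plus a hash-chained audit trail. Added example; all names hypothetical."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream images 1 MiB at a time; never load a whole image into memory


def hash_file(path: str) -> dict:
    """SHA-256 (authoritative) and MD5 (legacy tool interoperability only) of a file."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            sha256.update(block)
            md5.update(block)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


class EvidenceRegister:
    """Append-only register. Each log entry carries the SHA-256 of the previous
    entry, so editing or deleting any entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.items: dict = {}   # evidence_id -> acquisition record
        self.log: list = []     # ordered audit events

    def _append(self, event: dict) -> dict:
        prev = self.log[-1]["entry_hash"] if self.log else self.GENESIS
        event = {**event,
                 "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 "prev": prev}
        canonical = json.dumps(event, sort_keys=True).encode()
        event["entry_hash"] = hashlib.sha256(canonical).hexdigest()
        self.log.append(event)
        return event

    def acquire(self, evidence_id, path, analyst, tool, tool_version, hardware_id) -> dict:
        """Record acquisition hashes together with the metadata a court will ask for."""
        record = {"evidence_id": evidence_id, "analyst": analyst,
                  "tool": f"{tool} {tool_version}", "hardware_id": hardware_id,
                  "hashes": hash_file(path)}
        self.items[evidence_id] = record
        self._append({"action": "acquire", **record})
        return record["hashes"]

    def verify(self, evidence_id, path, analyst, action="verify") -> bool:
        """Re-hash and compare with the acquisition record. SHA-256 decides;
        MD5 is recorded so older reports can be cross-checked."""
        expected = self.items[evidence_id]["hashes"]
        current = hash_file(path)
        ok = current["sha256"] == expected["sha256"]
        self._append({"action": action, "evidence_id": evidence_id, "analyst": analyst,
                      **current, "result": "PASS" if ok else "FAIL"})
        return ok

    def transfer(self, evidence_id, path, from_party, to_party) -> bool:
        """Custody handoff: re-verify at the boundary and name both parties."""
        ok = self.verify(evidence_id, path, analyst=to_party, action="transfer")
        self._append({"action": "custody", "evidence_id": evidence_id,
                      "from": from_party, "to": to_party, "verified": ok})
        return ok

    def audit_chain_intact(self) -> bool:
        """Recompute every entry hash and link; False on any edit or deletion."""
        prev = self.GENESIS
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body.get("prev") != prev or recomputed != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Constructed walk-through on a fake 4 KiB 'image' in a temp directory."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "SAMPLE-001.dd")      # hypothetical evidence file
        with open(original, "wb") as fh:
            fh.write(bytes(range(256)) * 16)                    # constructed content, not a real image
        reg = EvidenceRegister()
        reg.acquire("SAMPLE-001", original, analyst="A. Analyst",
                    tool="example-imager", tool_version="1.0", hardware_id="WB-0001")
        working = os.path.join(workdir, "SAMPLE-001.working.dd")
        shutil.copyfile(original, working)                      # analysis runs on a copy
        handoff_ok = reg.transfer("SAMPLE-001", working, "A. Analyst", "B. Examiner")
        with open(working, "r+b") as fh:                        # simulate a one-byte change
            fh.seek(100)
            fh.write(b"\x00")
        copy_ok_after_edit = reg.verify("SAMPLE-001", working, "B. Examiner")
        original_ok = reg.verify("SAMPLE-001", original, "B. Examiner")
        chain_ok = reg.audit_chain_intact()
        reg.log[1]["analyst"] = "Mallory"                       # tamper with the trail
        chain_ok_after_tamper = reg.audit_chain_intact()
    return {"handoff_ok": handoff_ok, "copy_ok_after_edit": copy_ok_after_edit,
            "original_ok": original_ok, "chain_ok": chain_ok,
            "chain_ok_after_tamper": chain_ok_after_tamper}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the SHA-256 comparison decides PASS or FAIL; MD5 is computed over the same bytes and written into the record purely so that a report produced by older tooling can be matched against it. The hash chain is a cheap tamper-evidence measure for the log itself; in a real engagement the log would additionally be written to append-only storage or signed at each handoff.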
WHAT WE INVESTIGATE
Every incident type, every evidence source.
Incident Types
- Ransomware & extortion — including double-extortion, ransomware-as-a-service operators, and data leak site negotiation
- APT / nation-state intrusion — long-dwell, living-off-the-land, supply chain implant, and espionage campaigns
- Business Email Compromise (BEC) — account takeover, wire fraud redirection, and executive impersonation
- Insider threat & data exfiltration — privileged abuse, intellectual property theft, and sabotage investigations
- Data breach & unauthorised access — lateral movement mapping and complete scope determination for notification purposes
- Financial & cryptocurrency fraud — blockchain tracing, transaction forensics, and asset recovery support
- Industrial & OT incidents — ICS/SCADA impact assessment and evidence preservation in operational technology environments
Forensic Capabilities
- Memory forensics — live acquisition, malware detection, identification of process and code injection, and rootkit detection
- Disk & file system forensics — deleted artefact recovery, anti-forensic detection, and deep multi-source timeline reconstruction
- Cloud forensics — cloud provider audit logs, SaaS platform event analysis, and control-plane investigation
- Network forensics — full-packet capture analysis, C2 beacon identification, and lateral movement reconstruction from flow and PCAP data
- Mobile forensics — iOS and Android acquisition (physical, logical, file-system) using validated mobile forensics tooling
- Malware analysis — static disassembly, dynamic sandbox execution, C2 infrastructure mapping, and detection rule development
- Threat actor attribution — TTP analysis mapped to MITRE ATT&CK, adversary infrastructure pivoting, and threat intelligence correlation
DELIVERABLES
Reports for engineers, lawyers, and regulators.
Technical Report
- Complete attack timeline with UTC-anchored events across all evidence sources
- Confirmed and assessed initial access vector(s)
- Full lateral movement, privilege escalation, and persistence path reconstruction
- Scope determination: confirmed affected vs. ruled-out systems and data
- Structured IOC package — hashes, IPs, domains, TTPs in STIX 2.1 / MISP format
- Custom YARA and Sigma detection rules for identified malware families and TTPs
- MITRE ATT&CK navigator layer with full TTP mapping and threat actor profile
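The IOC package bullet above names STIX 2.1 as a delivery format. As an added example, not a deliverable or script from the firm, here is how raw indicators (a file hash, an IP, a domain) are expressed as STIX 2.1 Indicator objects in a Bundle, using only the Python standard library rather than the OASIS `stix2` library so it runs offline. The sample hash, IP and domain are constructed placeholders (the IP is from the TEST-NET-3 documentation range) and are not indicators of anything.

```python
"""Build and sanity-check a STIX 2.1 Indicator bundle from raw IOCs.
Added example using only the standard library; sample values are constructed."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample IOCs (documentation ranges / reserved names), not real findings.
SAMPLE_IOCS = [
    ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "loader hash"),
    ("ipv4", "203.0.113.10", "C2 beacon destination"),
    ("domain", "c2.example.net", "C2 domain"),
]

# STIX Patterning comparison expressions for the observable types this example supports.
_PATTERNS = {
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
}


def stix_pattern(kind: str, value: str) -> str:
    """One-observable pattern; backslashes and single quotes are escaped per the spec."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return _PATTERNS[kind].format(v=escaped)


def _ts(dt: datetime) -> str:
    """STIX 2.1 timestamp: UTC, millisecond precision, 'Z' suffix."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(kind: str, value: str, name: str, created: datetime) -> dict:
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",   # SDOs use a random UUIDv4
        "created": _ts(created),
        "modified": _ts(created),
        "name": name,
        "indicator_types": ["malicious-activity"],  # value from indicator-type-ov
        "pattern": stix_pattern(kind, value),
        "pattern_type": "stix",
        "valid_from": _ts(created),
    }


def make_bundle(iocs, created: datetime = None) -> dict:
    created = created or datetime.now(timezone.utc)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(k, v, n, created) for k, v, n in iocs]}


_ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_REQUIRED = ("type", "spec_version", "id", "created", "modified",
             "pattern", "pattern_type", "valid_from")


def validate_bundle(bundle: dict) -> list:
    """Structural checks before handing the package over; returns a list of problems."""
    problems = []
    if bundle.get("type") != "bundle" or not _ID_RE.match(bundle.get("id", "")):
        problems.append("bad bundle header")
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "")
        missing = [f for f in _REQUIRED if f not in obj]
        if missing:
            problems.append(f"{oid or '<no id>'}: missing {missing}")
        if not _ID_RE.match(oid) or oid.split("--")[0] != obj.get("type"):
            problems.append(f"{oid or '<no id>'}: id does not match type")
        if obj.get("pattern_type") == "stix" and not str(obj.get("pattern", "")).startswith("["):
            problems.append(f"{oid}: pattern is not a STIX pattern")
    return problems


if __name__ == "__main__":
    bundle = make_bundle(SAMPLE_IOCS)
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

The validator only checks structure (required fields, id/type agreement, pattern shape); it is not a replacement for a full schema validator, but it catches the mistakes that most often make a hand-assembled bundle unloadable in a recipient's platform.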
Legal & Regulatory
- Court-ready evidentiary report — with documented methodology, tool validation records, and signed analyst declaration
- Complete chain of custody log and evidence register for all acquired items
- Expert witness brief and supporting affidavit prepared upon instruction of counsel
- Breach scope determination and data subject impact assessment for notification obligations
- Regulatory notification factual summary (GDPR, SEC, NIS2, HIPAA) suitable for direct submission
- Forensic examination certificate with cryptographic hash verification record
Executive & Remediation
- Executive summary — non-technical narrative suitable for board, regulator, and insurer communication
- Root cause analysis and contributing security control failures
- Prioritised containment and eradication checklist
- Strategic remediation roadmap with risk-ranked recommendations to prevent recurrence
- Post-incident lessons-learned facilitation session with technical and leadership teams
- Cyber insurance claim support documentation where applicable
HOW WE ENGAGE
Emergency or retainer.
Emergency Engagement
- Immediate triage — severity assessment and routing to a senior responder within 15 minutes; stakeholder identification and emergency NDA executed within the first hour
- Out-of-band comms established — encrypted communication channel activated immediately; no incident-related information transmitted via client infrastructure
- Volatile evidence preservation — immediate guidance on preservation actions; remote or on-site acquisition initiated to capture memory and live state before it degrades
- Parallel containment guidance — containment recommendations issued concurrently with evidence collection to limit adversary dwell and blast radius without destroying evidence
- Encrypted status cadence — secure briefings at agreed intervals throughout the incident; no gaps in communication during active crisis
- Final delivery & handover — complete technical and legal deliverable package with structured remediation handover and debrief
Retainer Engagement
- Contractual SLAs — defined acknowledgement, analyst assignment, and on-site response times guaranteed in writing
- Pre-executed documentation — NDA, engagement letter, and evidence handling agreements signed before any incident occurs
- Environment familiarisation — asset inventory, crown jewels register, and network architecture reviewed and held in readiness prior to any incident
- Annual tabletop exercise — IR simulation included; validates playbooks and stakeholder readiness against realistic threat scenarios
- Priority queuing — retainer clients are always mobilised ahead of ad-hoc engagements during surge conditions
- Unused hours credit — unconsumed retainer hours roll over or credit future engagements per contract terms
Get a written proposal
Send scope + timeline. Detailed SoW within 1 business day.
Open the form →
Email a senior practitioner
Direct line for scoping questions. NDA available on request before you share details.
hello@grillisecurity.com →
Active incident?
24/7 incident line. Triage call + retainer set-up inside the hour for new engagements.
+372 5610 1641 →
