Lethal News

CYBER INVESTIGATIONS, FORENSICS & RESPONSE

At Lethal Forensics, we specialise exclusively in cybersecurity and digital investigations. We combine digital investigative services with incident response expertise to empower organisations to respond effectively to the growing complexity of modern cybersecurity incidents.

Lethal Forensics: Your Weapon Of Choice


No sales pitch, just unmatched results.


About Lethal Forensics

   


Lethal Forensics is a highly specialized forensic company that unites a passion for conducting the most advanced independent investigation and response services with enhanced customer satisfaction.

In addition, Lethal Forensics has a strong focus on automation and on building its own tools to level up traditional DFIR with faster cyber investigations (e.g. Remote Evidence Collection, Memory Analysis, Cloud Incident Response, Business Email Compromise).

“After serving more than ten years as a Law Enforcement Officer (including combatting cybercrime), and covering digital forensic investigations, threat hunting and cyber breach response in the private sector for more than ten years, I wanted to be my own entrepreneurial spirit and founded Lethal Forensics.”

Martin Willing (Founder & Owner)

We are ready to provide high-end digital forensics and incident response services in your matter!

Our Services

Mac Forensics

The increasing popularity of Apple devices can be seen everywhere, from coffee shops to corporate boardrooms. As the Mac footprint grows across organizations of all sizes, macOS has become a prime target for cybercriminals.


M365 Investigations

We specialize in conducting forensic and compliance investigations in Microsoft 365 (M365) cloud environments, with a strong focus on investigating and responding to phishing attacks and Business Email Compromise (BEC), one of the most common and costly threats to organizations of all sizes.


M365 Compromise Assessments

Nearly 99% of cloud breaches result from misconfigurations or human error (excluding insider threats), leaving organizations exposed to ransomware, phishing attacks, and data breaches. Our exclusive package combines a security assessment with advanced Threat Hunting. We call it the M365 Compromise Assessment: we’ll identify misconfigurations and vulnerabilities, enhance resilience, and provide actionable insights to your organization.


Mobile Forensics

Mobile devices such as smartphones, tablets and wearables are becoming increasingly important and are playing an ever-greater role in our private and professional lives. As a result, the forensic examination and analysis of mobile devices is also becoming more and more relevant, especially in the context of breach investigations and corporate investigations.


Corporate Investigations

We provide forensic investigative services for all types of organizations with alleged or suspected fraud, misconduct, or other improprieties. Whether you need support for litigation in progress or need to avoid costly lawsuits altogether, having all the facts will only strengthen your position.


Digital Forensics and Incident Response (DFIR)

Digital Forensics and Incident Response (DFIR) is an emerging cybersecurity discipline that focuses on identifying, remediating, and investigating cyber security incidents. When a cyber-attack occurs, the first priority is recovering from the incident: stopping the bleeding and ensuring business continuity.


Training

We provide customizable training courses and consulting that adapt to your needs and experience level (remote or onsite).

To meet your individualized needs, we offer a wide range of custom-tailored Cybersecurity and DFIR training to equip you with the necessary skills, knowledge and especially tools to respond to real-world scenarios.


Our Products

Microsoft-Analyzer-Suite: Community Edition – Free Tool (GitHub)

MemProcFS-Analyzer: Community Edition – Free Tool (GitHub)

Collect-MemoryDump: Community Edition – Free Tool (GitHub)

Microsoft-Analyzer-Suite: Professional Edition – Premium Tool (coming soon)

Recent Articles


Lethal Archive

Explore our blog for the latest news, research, and other cyber topics from our team of experts.


Frequently asked questions

Below you’ll find answers to common questions about our digital investigative services. If you have additional questions not addressed throughout our site, please contact us, and we will be happy to provide the answers you need.


What Services Does Your Company Offer?

Lethal Forensics delivers proven expertise in digital forensics and cyber investigations to lawyers, law firms and organizations of all sizes. Our services include Digital Forensics, Incident Response, Threat Hunting, Cyber Security, Business Email Compromise (BEC) Response and Investigation, Microsoft 365 Incident Response, Microsoft 365 Compromise Assessments, Cloud Security Assessments, Corporate Investigations, Mobile Forensics, Mac Forensics, Training, and much more.

We support your individual case with forensic consulting, innovative technical solutions, and efficient investigation methods. Learn how your organization can benefit from our digital forensics services.


What is Digital Forensics?

Digital Forensics is the process through which forensic investigators identify, preserve, analyze, document, and present electronic evidence gathered from a variety of sources, including computers, mobile devices, remote storage devices, internet of things (IoT) devices, and virtually any other computerized system.

Originally, the term was used as a synonym for computer forensics and primarily applied to criminal investigations, focusing on the identification and use of electronic evidence in the prosecution of crimes. However, in recent years, the term has been expanded to include many other types of investigations and now encompasses the examination of any system on which digital data is stored.

The goal of digital forensics is to preserve the existing evidence as it is (or to minimize any alterations during the preservation process) while identifying useful information that helps the forensic investigator reconstruct past events. This includes, in particular, the ability to derive valuable, coherent information from data and understand how and why certain traces were created in a particular way.

What is DFIR?

Digital Forensics and Incident Response (DFIR) is an emerging cybersecurity discipline that focuses on identifying, remediating, and investigating cyber security incidents. When a cyber-attack occurs, the first priority is recovering from the incident: stopping the bleeding and ensuring business continuity. But recovery is not enough: to fully eradicate the threat and prevent it from recurring, organizations need to understand the who, what, when, where, and how of a cyber security incident (Root Cause Analysis).

DFIR is the perfect combination of two highly specialized sub-fields of cybersecurity:

Digital Forensics: This investigative branch of forensic science collects, analyzes and presents digital evidence such as user activity and system data. Digital Forensics is used to uncover the facts about what happened on a computer system, network devices, smartphones or tablets and is often employed in litigations, regulatory investigations, internal company investigations, criminal activity and other types of digital investigations.

Incident Response: It is the structured approach to handling and managing the aftermath of a security breach or cyberattack. The goal of incident response is to minimize the impact of the incident, recover from it, and prevent future occurrences. It involves detecting incidents, containing the threat, eradicating the root cause, and recovering affected systems.

What is Business Email Compromise (BEC)?

Business Email Compromise (BEC) is the unauthorized access to one or more mailboxes by a threat actor. Threat actors usually perform BEC attacks against organizations via spear-phishing attacks targeting relevant executives (mostly CEOs and CFOs) or their sales staff in order to commit financial fraud, such as misdirecting payments or wire transfers to an actor-controlled bank account («Payment Diversion Fraud», also known as «Payment Redirection Fraud»).

In modern cloud environments, like Microsoft 365 (M365), financial fraud is still a primary goal, but actors are increasingly evolving BEC attacks (including outbound spam to business partners) to gain greater access. Threat actors explore connected services like SharePoint, OneDrive and Teams to pivot to network environments where they can exfiltrate and sometimes encrypt (ransom) sensitive data.

In addition, attackers combine spear-phishing with a so-called adversary-in-the-middle (AiTM) attack to circumvent multi-factor authentication (MFA), and with a Microsoft 365 design flaw that allows them to establish persistent access with MFA.

BEC attacks can cause significant financial losses and undermine trust in business relationships, so it is crucial to be aware of this risk and take appropriate protective measures. Account Takeovers (ATO) can go undetected for weeks or months, especially if the threat actors simply monitor payment flows and validations to help craft a successful attack.

What is an M365 Compromise Assessment?

Nearly 99% of Microsoft 365 cloud breaches result from misconfigurations or human error (excluding insider threats), leaving organizations exposed to ransomware, phishing attacks, and data breaches. The technology’s novelty and complexity mean that best practices are still forming, leading to a higher chance of misconfigurations.

We offer a combined security assessment of your Microsoft 365 environment (Microsoft Cloud Security Review) with advanced Threat Hunting. We call it the M365 Compromise Assessment: we’ll identify misconfigurations and weaknesses, enhance resilience, and provide actionable insights to your organization. Where other teams stop, we dig deeper to identify ongoing and past attacker activity and help you spot security breaches that have gone undetected.

What is (Forensic) Triage?

The term “Triage” is derived from the French word “trier” (to separate out). It originally comes from military medicine and describes a situation in which, due to limited resources, patients are classified. The purpose of classification is to ensure that, given limited resources, care can be provided with minimal harm to each individual patient (e.g. sorting casualties to rationally allocate limited resources on the battlefield).

Forensic Triage is the initial phase of a digital investigation, providing rapid assessment and prioritization of digital evidence. It is the process by which forensic investigators and/or incident responders will quickly identify and categorize potential evidence and relevant artifacts in order to determine the scope and direction of a forensic investigation. Filtering what is critical to the case and what isn’t is the difference between the success and failure of an investigation. This process involves a combination of automated tools and human expertise (Efficiency, Accuracy, Resource Management, and Rapid Response).

In short, it is the action of sorting items according to quality (combined with investigative knowledge and skills).
