SECURITYSQUAD
Back to the blog

IT Forensics: securing traces, investigating incidents

2026-07-18 · by SECURITYSQUAD

After a serious security incident, every minute counts – and so does every decision made in that minute. Rebuilding systems too hastily often destroys exactly the traces that later determine investigation, insurance payout and liability. IT forensics turns an incident into solid facts rather than guesswork.

What is IT forensics?

IT forensics – also called digital forensics – is the methodical securing, examination and analysis of digital traces with the aim of reconstructing an incident in a traceable way. Unlike simply cleaning up after an attack, the point is to answer reliably what happened: how did attackers get in? Which systems and data were affected? Was data exfiltrated? And since when?

The decisive difference lies in the demand placed on the result. Forensics works so that its findings hold up outside your own IT department – towards insurers, supervisory authorities and, where necessary, in court. In Germany, the BSI IT-Forensics guide has become a reference for a methodically sound approach.

When do you need IT forensics?

Forensics is not a standard part of every IT ticket, but indispensable in certain situations:

  • After a ransomware attack – to clarify the point of entry, the path of spread and possible data exfiltration before systems are restored.
  • On suspicion of data leakage – for example when internal documents surface or unusual data movements are noticed.
  • In insider cases – misuse of privileges, sabotage or data theft by your own staff.
  • For any reportable incident – when you have to demonstrate reliably to regulators, a critical-infrastructure regime or under the GDPR what happened.

Especially for critical-infrastructure operators and healthcare organisations, clean investigation is not only self-protection but part of the regulatory duty of evidence.

The forensic process

A forensic approach follows a fixed, documented sequence – not as bureaucracy, but because each step carries the evidential value of the result.

1. Identification

First, it is determined which systems are affected and where relevant traces might reside: servers, endpoints, log data, network telemetry, cloud services. This is also where the critical decision is made whether to disconnect a system or leave it running to capture volatile evidence such as memory.

2. Legally sound acquisition (imaging)

Before any analysis, the storage media are copied bit-for-bit – a forensic image. All work is done on the copy; the original remains untouched. Cryptographic checksums (hash values) make it possible to prove at any time that the copy is identical to the original and has not been altered since. This integrity protection is the foundation of any legally sound analysis.

3. Analysis

On the secured copy, the traces are correlated and evaluated: timelines of access, malware, altered or deleted files, logon events, data movements. The goal is a robust reconstruction of the incident – from first access to impact.

4. Documentation and reporting

Every step is logged – who did what, when, with which tools. The result is a traceable report that cleanly separates findings from conclusions and stays understandable for non-technical readers too.

Chain of custody and evidential value

The evidential value of digital traces stands or falls with the chain of custody – the seamless documentation of who found, secured, transported, stored and examined which piece of evidence, and when. If this chain cannot be demonstrated end to end, findings lose their force, no matter how clean the technical analysis was.

German law contains no explicit provision on the chain of custody, yet courts place great emphasis on its observance. It counts just as much towards cyber insurers, who tie payouts to a traceable account of how the damage occurred, and towards supervisory authorities. Preserve the chain from the outset and you keep every path open – including the one to criminal prosecution.

Interplay with incident response and SOC

Forensics and incident response are two sides of the same coin. Incident response stops the attack, limits the damage and restores operations – often under severe time pressure. Forensics then investigates, afterwards or in parallel, what actually happened. The two must not get in each other's way: a hasty clean-up can destroy evidence, while overly slow acquisition can paralyse the business. The skill lies in weighing them against each other.

A Security Operations Center does valuable groundwork. A managed SIEM like our GUARDIANVIEW continuously collects and retains telemetry – logs, logins, network events. In an emergency, this data is the first source of traces. Look for it only after the incident, and you often find nothing left.

Common mistakes in an emergency

The most severe damage to later investigation happens in the first hours:

  • Rebuilding or resetting affected systems before they have been secured.
  • Continuing to work on the original instead of a forensic copy.
  • Letting logs be overwritten because retention periods are set too short.
  • Acting without a record – without noting who did what, and when.

The most important immediate measure is often the simplest: stay calm, change nothing, and bring in the right experts early.

What SECURITYSQUAD provides

SECURITYSQUAD offers IT forensics as a service – closely coupled with incident response. We secure traces methodically and in a legally sound way, reconstruct the incident and document it traceably for insurers, regulators and, where needed, prosecution. Because we also run managed SIEM and SOC with GUARDIANVIEW, detection, response and investigation mesh seamlessly. As a company working to ISO 27001 and IT-Grundschutz (BSI) since 2022 and a member of the Alliance for Cyber Security, we value a clean, standards-oriented approach.

Read more: GUARDIANVIEW – Managed SIEM · Ransomware Protection · Cyber Risk Check · Expertise & Services