Digital Forensics: What happened, how it happened, and what the evidence shows.

Digital forensics investigations for regulated enterprises across APAC. Evidence collected and preserved to legal standard. Root cause identified. Findings documented for regulators, insurers, and legal proceedings.

Forensic depth integrated with incident response. The same team. Full evidence continuity throughout.

OVERVIEW

What is digital forensics?

Digital forensics is the methodical collection, preservation, analysis, and reporting of digital evidence following a cybersecurity incident. Where incident response prioritises rapid containment and recovery, digital forensics provides the deeper, structured investigation required to establish exactly what happened, how it happened, and what the evidence shows.

The distinction matters. Forensic rigour determines whether evidence holds up in legal proceedings and satisfies regulatory scrutiny. A root cause declared without forensic depth may leave the actual initial access vector in place. Digital forensics provides the evidentiary foundation that incident response alone cannot.

  • Forensically sound acquisition of endpoint, network, cloud, and email data
  • Documented evidence handling from collection through analysis and storage
  • Full attacker activity mapped from initial access to discovery
  • Initial entry point identified, exploited vulnerabilities and misconfigurations documented
  • Every affected system and dataset identified
  • Findings documented to the standard required for proceedings and regulatory inquiry

You know exactly what happened, in what sequence, and what was affected. Root cause is confirmed. Evidence is preserved to legal standard. Your regulator, insurer, and legal team have the documentation they need. Your security programme has the intelligence to prevent recurrence.

THE CHALLENGE

An investigation without forensic rigour produces assumptions. Answers require evidence.

When an incident occurs, the window to preserve critical evidence is short. Evidence preserved in the first hours is available for the investigation. What is collected correctly from the first moment of engagement is what the investigation stands on.

When an incident occurs, the instinct is to move fast: contain, remediate, restore. That instinct is correct. But moving fast without forensic discipline produces investigations that are incomplete, evidence that is inadmissible, and root causes that are assumed rather than confirmed.

Systems are rebuilt before disk images are taken. Logs are overwritten before they are collected. The attacker’s persistence mechanism is missed because the investigation stopped at visible indicators. The environment is declared clean and the same threat re-enters within weeks.

Regulatory inquiries require evidence to a standard that a rapid internal investigation rarely produces. Insurers require documentation that supports the claim. Legal proceedings require chain of custody that most organisations cannot demonstrate. Digital forensics, conducted by specialists from the first moment of engagement, is the only way to ensure the investigation produces answers that hold.

What forensic rigour provides that rapid internal investigations cannot:

  • Evidence preserved before remediation alters the environment
  • Root cause confirmed through analysis, not assumed from visible indicators
  • Attacker persistence mechanisms identified and confirmed removed
  • Chain of custody maintained to legal admissibility standard
  • Scope confirmed through investigation, not estimation
  • Regulatory documentation produced to the standard notification timelines require

THEOS APPROACH

Forensic discipline from the first moment of engagement.

Theos delivers cyber forensics across APAC with rigour applied from the moment an engagement begins. Evidence collection is structured to preserve admissibility. Chain of custody is documented continuously. Analysis is conducted systematically, not reactively. The investigation does not stop at visible indicators. It runs until root cause is confirmed and scope is fully established.

Forensically Sound Evidence Collection

Theos collects digital evidence using forensically sound acquisition methods across endpoint, network, cloud, and email environments. Every acquisition is documented, hashed, and stored securely. Evidence is preserved in a manner that maintains admissibility for legal proceedings and satisfies regulatory standards across APAC jurisdictions.

Chain of Custody

Every step of evidence handling is documented from collection through analysis and storage. Chain of custody logs are maintained throughout the engagement and produced as part of the final report. For organisations facing legal proceedings or regulatory inquiry, this documentation is the foundation that the investigation stands on.
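The two sections above describe hashing every acquisition and logging every handling step. As an added illustration (example code written for this page, not Theos tooling; the image bytes, handler names, host name and timestamps are constructed), the block below hashes an artefact at collection and keeps a custody log in which each entry commits to the previous entry's hash, so a later handler can re-verify both the artefact and the integrity of the log itself:

```python
"""Evidence hashing and chain-of-custody log (added illustration, not Theos tooling)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed stand-in for an acquired artefact; in practice this is a disk or memory image file.
SAMPLE_IMAGE = b"\x00" * 512 + b"EXAMPLE-DISK-IMAGE-CONTENT" + b"\xff" * 512

def sha256_hex(data: bytes) -> str:
    """Hash the artefact at acquisition so every later handler can prove it is unchanged."""
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only custody record. Each entry includes the hash of the previous entry,
    so editing, removing or reordering an entry later is detectable."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, action: str, handler: str, evidence_hash: str,
               note: str = "", when: Optional[str] = None) -> Dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "evidence_sha256": evidence_hash,
            "note": note,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _entry_hash(entry: Dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        """Walk the chain: sequence numbers, back-links and per-entry hashes must all agree."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_entry_hash"] != prev:
                return False
            if self._entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def verify_evidence(data: bytes, log: CustodyLog) -> bool:
    """True only if the log is intact, every entry refers to the same artefact hash,
    and the artefact still matches the hash recorded at acquisition."""
    if not log.entries or not log.verify():
        return False
    acquisition_hash = log.entries[0]["evidence_sha256"]
    same_artefact = all(e["evidence_sha256"] == acquisition_hash for e in log.entries)
    return same_artefact and sha256_hex(data) == acquisition_hash

def build_sample_log() -> CustodyLog:
    """Constructed custody history: acquisition, transfer to storage, analysis."""
    h = sha256_hex(SAMPLE_IMAGE)
    log = CustodyLog()
    log.record("acquired", "analyst-1 (hypothetical)", h,
               "imaged from host WS-01 (constructed)", "2024-01-01T00:00:00+00:00")
    log.record("transferred", "evidence-locker (hypothetical)", h,
               "sealed and stored", "2024-01-01T02:00:00+00:00")
    log.record("analysed", "analyst-2 (hypothetical)", h,
               "working copy examined; original untouched", "2024-01-02T09:00:00+00:00")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("log intact:", log.verify())
    print("evidence matches acquisition hash:", verify_evidence(SAMPLE_IMAGE, log))
```

The design point is that the artefact hash alone proves the image is unchanged, but not who handled it or when; chaining the log entries makes the handling record itself tamper-evident, which is what a court or regulator asks for when custody is challenged.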

Timeline Reconstruction

Theos reconstructs the full attacker timeline from initial access through to discovery. Every action taken by the attacker is mapped in sequence: how entry was gained, how the environment was navigated, what was accessed, what was exfiltrated, and when each event occurred. That timeline is the core of the investigation report and the basis for regulatory notification.
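Reconstructing that timeline from evidence that arrives with different timestamp conventions is where sequencing errors creep in: a Windows event logged in local time, a CloudTrail record in UTC, and a proxy line in epoch seconds cannot be ordered by wall clock. The block below is an added example (written for this page, not Theos tooling; the log lines, host, user and addresses are constructed, with IPs from documentation ranges) that normalises each source to UTC before merging, so the sequence reflects real time rather than the order the strings sort in:

```python
"""Multi-source attack timeline normalisation (added illustration, not Theos tooling)."""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample evidence from three sources, each with its own timestamp convention.
WINDOWS_EVENTS = [
    # local time with an explicit UTC offset (Singapore, +08:00)
    "2024-03-05 09:15:22 +08:00 EventID=4624 LogonType=10 User=svc_backup Src=203.0.113.10",
    "2024-03-05 09:20:41 +08:00 EventID=4698 TaskName=Updater User=svc_backup",
]
CLOUDTRAIL_EVENTS = [
    '{"eventTime": "2024-03-05T00:58:12Z", "eventName": "ConsoleLogin", '
    '"userIdentity": {"userName": "svc_backup"}, "sourceIPAddress": "203.0.113.10"}',
    '{"eventTime": "2024-03-05T08:30:00Z", "eventName": "GetObject", '
    '"userIdentity": {"userName": "svc_backup"}, "sourceIPAddress": "203.0.113.10"}',
]
PROXY_EVENTS = [
    # epoch seconds, UTC by definition
    "1709601000 198.51.100.7 GET http://203.0.113.10/update.bin 200",
]

WIN_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-]\d{2}:\d{2}) (.*)$")

def parse_windows(line: str) -> Dict:
    """Local timestamp plus offset -> aware datetime -> UTC."""
    m = WIN_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised Windows line: {line!r}")
    ts = datetime.fromisoformat(f"{m.group(1)}{m.group(2)}")
    return {"ts": ts.astimezone(timezone.utc), "source": "windows-eventlog", "detail": m.group(3)}

def parse_cloudtrail(line: str) -> Dict:
    """CloudTrail eventTime is ISO 8601 with a trailing Z; fromisoformat needs +00:00."""
    ev = json.loads(line)
    ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
    detail = f'{ev["eventName"]} user={ev["userIdentity"]["userName"]} src={ev["sourceIPAddress"]}'
    return {"ts": ts.astimezone(timezone.utc), "source": "aws-cloudtrail", "detail": detail}

def parse_proxy(line: str) -> Dict:
    """Epoch seconds are already UTC; attach the zone explicitly so comparisons are valid."""
    epoch, client, method, url, status = line.split()
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {"ts": ts, "source": "proxy", "detail": f"{client} {method} {url} {status}"}

def build_timeline() -> List[Dict]:
    """Parse every source, then order by the normalised UTC instant (source name breaks ties)."""
    events = [parse_windows(l) for l in WINDOWS_EVENTS]
    events += [parse_cloudtrail(l) for l in CLOUDTRAIL_EVENTS]
    events += [parse_proxy(l) for l in PROXY_EVENTS]
    return sorted(events, key=lambda e: (e["ts"], e["source"]))

def timeline_lines(events: List[Dict]) -> List[str]:
    """Render the merged timeline in one consistent UTC format for the report."""
    return [f'{e["ts"].isoformat()} [{e["source"]}] {e["detail"]}' for e in events]

def earliest_activity_by_source(events: List[Dict]) -> Dict[str, str]:
    """First observed activity per evidence source; a starting point for the initial-access question."""
    first: Dict[str, str] = {}
    for e in events:
        first.setdefault(e["source"], e["ts"].isoformat())
    return first

if __name__ == "__main__":
    for line in timeline_lines(build_timeline()):
        print(line)
```

In the constructed data the CloudTrail GetObject at 08:30Z reads earlier than the Windows logon at 09:15 local, yet it happened over seven hours later; sorting on the raw strings would invert that order and misplace the exfiltration step in the report.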

Root Cause Analysis

Identifying root cause is not optional. Theos confirms root cause before an engagement closes. Theos identifies the initial access vector, the vulnerabilities or misconfigurations exploited, and the persistence mechanisms established. Those findings drive the remediation actions and the security programme improvements that follow.

Cloud and Multi-Environment Forensics

Modern environments are not single-site. Theos conducts forensic investigations across AWS, Azure, Microsoft 365, and hybrid environments, analysing audit logs, user activity, configurations, and cloud-native telemetry alongside on-premise evidence. Attacker activity does not respect environment boundaries. Neither does the investigation.

BENEFITS

What Theos Digital Forensics delivers for your organisation.

Confirmed root cause

The initial access vector identified and documented through forensic analysis

Full scope

Every affected system and dataset established through investigation

Legal-standard evidence

Chain of custody maintained, admissibility preserved

Regulatory documentation

Findings produced to the standard required for APAC regulatory inquiry

Re-infection prevention

Persistence mechanisms confirmed removed before recovery is declared

Programme intelligence

Root cause findings feed directly into MDR detection tuning, VAPT scope, and IR preparedness improvements

HOW IT WORKS

How a Theos Digital Forensics engagement works.

1

Engagement and Evidence Preservation

Theos is engaged and immediately issues preservation guidance to prevent evidence destruction. Live systems are imaged where appropriate. Log retention is confirmed. Actions that would overwrite forensic evidence are paused until collection is complete.

2

Evidence Collection

Forensically sound acquisition across the agreed scope: disk images, memory captures, system logs, network traffic, cloud audit logs, and email data. Every acquisition is hashed and documented. Chain of custody begins from first collection.

3

Analysis

Theos analysts examine collected evidence to reconstruct attacker activity. Artefacts are analysed across every environment in scope. The investigation is not limited to known indicators of compromise. It looks for attacker behaviour across the full timeline.

4

Timeline and Scope Determination

A full attack timeline is constructed from the evidence. The scope of affected systems and data is established through analysis, not assumption. Every system reached by the attacker is identified. Every dataset accessed or exfiltrated is documented. 

5

Root Cause Confirmation

The initial access vector is identified and confirmed. Exploited vulnerabilities and misconfigurations are documented. Persistence mechanisms are identified and flagged for eradication. Root cause is not declared confirmed until the evidence supports it.

6

Reporting and Debrief

Theos delivers a full forensic investigation report covering the attack timeline, scope, root cause, and remediation recommendations. Chain of custody documentation is included. An executive summary is produced for board and regulatory audiences. A debrief is conducted with your technical and legal teams. 

EVIDENCE TYPES

What Theos collects and analyses.

  • Endpoint

    disk images, memory captures, system logs, registry artefacts, and process activity

  • Network

    traffic captures, firewall logs, proxy logs, and DNS records

  • Cloud

    AWS CloudTrail, Azure Activity Logs, GCP audit logs, and cloud-native telemetry

  • Microsoft 365

    mailbox data, audit logs, SharePoint activity, and Teams communications

  • Email systems

    headers, content, routing, and server logs

  • Third-party and SaaS platforms

    where audit logs and access records are available

SCOPE COVERAGE

Where Theos Digital Forensics operates.

  • On-premise environments

    Windows, Linux, and macOS endpoints and servers

  • Cloud environments

    AWS, Azure, GCP, and hybrid configurations

  • Microsoft 365 and Google Workspace

    cloud productivity and email forensics

  • Network infrastructure

    logs and traffic across internal and perimeter environments

  • APAC jurisdictions

    Singapore, Hong Kong, Malaysia, and the Philippines, with broader APAC coverage on coordination. Theos conducts forensic investigations in Singapore and across APAC.

  • Cross-border investigations

    multi-jurisdiction evidence collection and regulatory coordination

PROOF

What the work produces.

5,000+

Incidents Managed Across the Practice

Legal

Standard Evidence Collection, Every Engagement

8.9

Client Satisfaction Score

APAC

Multi-Jurisdiction Regulatory Experience

Hear it from our clients

What outcome accountability looks like in practice.

THEOS operates across Singapore, Hong Kong, Malaysia, and the Philippines, serving regulated enterprises where the cost of a breach is highest. What our clients describe is not a vendor relationship. It is a security partnership. 

Theos built the engagement around the threat actors targeting our sector in Hong Kong. The findings were structured for HKMA submission and the gaps have since been closed.

Head of Information Security

Financial Services Institution Hong Kong Service: Red Team | HKMA iCAST

The engagement identified gaps our existing programme had not surfaced. The findings went directly into our regulatory submission and the gaps have since been remediated.

Head of Information Security

Financial Services Institution Singapore Service: Red Team

Theos engaged credibly at board level and at SOC level in the same programme. The ability to do both simultaneously, and produce documentation that holds up to BNM examination, is what made the difference.

Head of Information Security

Joint Venture Insurance Group Malaysia Service: Tabletop Exercise Security

We called Theos during an active ransomware incident. Two weeks later the threat was contained. We have not used another security provider since.

Head of IT

Major Commercial and Real Estate Group Philippines Service: Incident Response | MDR

DIGITAL FORENSICS vs INCIDENT RESPONSE

Digital forensics and incident response: how they work together.

  • Primary focus
    Digital Forensics: Evidence collection, preservation, and analysis.
    Incident Response: Containment, recovery, and restoration.

  • Pace
    Digital Forensics: Methodical and deliberate.
    Incident Response: Rapid and action-oriented.

  • Evidence standard
    Digital Forensics: Legal and regulatory admissibility.
    Incident Response: Operational sufficiency.

  • Root cause
    Digital Forensics: Confirmed through forensic analysis.
    Incident Response: Identified where operationally possible.

  • Output
    Digital Forensics: Forensic report with chain of custody documentation.
    Incident Response: Incident report with remediation actions.

  • When engaged
    Digital Forensics: Post-incident or alongside IR for legal and regulatory purposes.
    Incident Response: During an active incident.

USE CASES

Who Theos Digital Forensics is built for.

Organisations facing regulatory inquiry following a breach

MAS, HKMA, BNM, and BSP all carry incident investigation and notification requirements. Theos produces forensic findings documentation to the standard required for regulatory submission, covering timeline, scope, root cause, and remediation actions.

Organisations involved in or anticipating legal proceedings

Evidence that does not meet admissibility standards cannot be used. Theos forensic processes are designed from the outset to maintain chain of custody and produce evidence documentation that stands up in court and in arbitration.

Organisations that need to confirm root cause before rebuilding

Returning systems to production without confirmed root cause is a path to recurrence. Theos confirms the initial access vector, removes all persistence mechanisms, and validates the environment is clean before recovery is declared complete.

Organisations managing an insider threat investigation

Insider threat investigations require forensic discipline and legal sensitivity. Theos conducts structured investigations that preserve evidence, maintain chain of custody, and produce findings that support HR, legal, and regulatory processes.

Organisations that experienced an incident and want a retrospective investigation

If a previous incident was closed without a complete forensic investigation, residual risk remains. Theos can conduct a retrospective investigation using available evidence to establish what occurred, confirm scope, and determine whether the threat was fully eliminated.

WHY THEOS

Why Theos Digital Forensics

Integrated DFIR: no handoff, no gap

At Theos, digital forensics and incident response are delivered by the same practice. The practitioners who contain the incident are the practitioners who investigate it. There is no handoff between an IR team and a forensics team, and no gap in evidence continuity that a handoff creates. 

Evidence to legal standard from the first moment

Forensic collection begins from the moment of engagement, ensuring everything the investigation produces is usable, admissible, and defensible in legal proceedings and regulatory inquiries.

Root cause, confirmed

Theos confirms root cause before closing every forensic investigation. The initial access vector is confirmed through evidence. Persistence mechanisms are identified and documented. The investigation is complete when the evidence says it is complete, not when the timeline says it should be.

Regulatory and legal experience across APAC jurisdictions

Forensic findings documentation produced by Theos satisfies the regulatory and legal requirements of each APAC jurisdiction we operate in. Our practitioners have managed investigations coordinated with MAS, HKMA, BNM, and BSP, and understand what each regulator expects from evidence documentation. Findings are structured to support regulatory notification requirements under MAS TRM, HKMA iCAST, BNM RMiT, and PDPA obligations across Singapore and Malaysia.

Trusted by enterprises and insurers

Cyber insurers require forensic evidence to support claims following a breach. Theos produces findings documentation structured to the standard insurers require: timeline of events, scope of data affected, root cause confirmed, and remediation actions documented. For organisations navigating a claim, that documentation is the difference between a supported claim and a protracted dispute.

Intelligence that feeds the programme

Every forensic investigation produces findings that improve the security programme it serves. Root cause becomes a VAPT scope input. Attacker tradecraft observed in the investigation becomes a detection rule in MDR. The breach your organisation experienced becomes the intelligence that prevents the next one.

GET PROTECTED TODAY

Security is not a product you buy. It is an outcome you earn.

If an investigation is underway and you need forensic depth, or if an incident has closed and the root cause was never confirmed, Theos Digital Forensics provides the analysis your organisation needs to move forward with confidence.

We deliver outcomes.

Talk to Theos

FAQ

Frequently Asked Questions

The questions regulated enterprises ask most often before commissioning a digital forensics engagement.

How does digital forensics help after a cyber attack?

Digital forensics establishes the facts an organisation needs to move forward after an incident. Theos traces the origin of the attack and maps every action the adversary took inside the environment. Compromised data is identified and documented. Evidence is preserved to the standard required for legal proceedings, regulatory submission, and insurance claims. Findings are translated into specific recommendations to prevent recurrence — root cause addressed, persistence mechanisms removed, detection gaps closed.

What is digital forensics and how is it different from incident response?

Digital forensics and incident response rely on many of the same core skills and investigative techniques. A digital forensics engagement is typically more methodical and deliberate, with a strong focus on the collection, preservation, analysis, and reporting of evidence, often to a standard suitable for legal or regulatory proceedings. Incident response is fast-paced and action-oriented, prioritising rapid investigation, containment, and recovery to minimise business disruption. Digital forensics provides the deeper, structured analysis required for evidentiary and legal purposes, building on the investigation that incident response initiates.

When should we involve DFIR in an investigation?

DFIR should be engaged at the first sign of suspicious activity or a confirmed incident. Early involvement preserves critical evidence, maintains the integrity of systems, and ensures a more accurate understanding of the scope and impact of the incident.

What types of evidence can you collect and analyse?

Theos collects and analyses a wide range of digital evidence, including endpoint data such as disk images, memory captures, and system logs, network traffic and logs, cloud environments across AWS, Azure, and Microsoft 365, and email systems. Together these build a comprehensive view of attacker activity across your entire environment.

Can DFIR findings be used in legal proceedings?

Yes. Theos forensic processes are designed to meet legal and regulatory standards, ensuring evidence is collected, preserved, and documented in a manner suitable for legal proceedings, regulatory inquiries, and internal investigations.

How do you ensure chain of custody during a forensic investigation?

Theos documents every step of evidence handling from collection through analysis and storage. This includes maintaining detailed logs, using forensically sound acquisition methods, and ensuring secure storage to preserve the integrity and admissibility of evidence.

Do you handle cloud forensics (AWS, Azure, M365)?

Yes. Theos has extensive experience conducting forensic investigations across AWS, Azure, and Microsoft 365. We analyse audit logs, user activity, configurations, and cloud-native telemetry to identify suspicious behaviour and determine the scope of incidents.

Can you identify the root cause of a breach?

Yes. Identifying root cause is a core objective of every forensic investigation. Theos reconstructs attacker activity, identifies the initial entry point, and analyses exploited vulnerabilities or misconfigurations to provide a clear understanding of how the breach occurred.

LET US HELP YOU!

LET US HELP YOU!