Looking for software development? We've movedGrassFed.dev

Remote Access Evidence Review

We separated a confirmed support scam from unresolved compromise concerns and gave a professional services business clear, practical next steps.

Remote Access Evidence Review

Industries

Professional Services

Services

Vulnerability Assessment,
Digital Forensics

About the project

A professional services business needed clarity after years of suspected malicious activity involving its workplace computer, local network, and other connected devices. Several system behaviors looked alarming, but prior repairs, incomplete logs, and a removed software sample made it difficult to determine what had happened.

The goal was to separate verified events from misunderstood system behavior, check for current exposure, and identify the safest next steps without overstating what the remaining evidence could prove.

What we did

  • We reconstructed the incident history using client interviews, available technical records, and corroborating information from other parties. The evidence supported one contained tech-support scam in which remote access was used to simulate an attack. A separate remote-access event remained uncertain, so we documented the plausible explanations rather than forcing an unsupported conclusion.
  • We examined the Windows desktop for event history, active connections, services, startup items, altered network settings, and earlier antivirus results. We also analyzed the behavior of legitimate remote-support software in a sandbox. That comparison showed that command windows, self-removal, and registry changes could arise from support tooling and were not, by themselves, proof of malware.
  • We assessed the local network with vulnerability and service-discovery scans, reviewed connected devices and router settings, and checked additional workplace technology for signs of compromise. The review found no current malicious devices or cybersecurity problems on the desktop. It also isolated a router setting that warranted verification, depending on how the network was configured.
  • We made the limits of the evidence part of the outcome. Because the suspected file was no longer available and system logging was incomplete, continued access could not be ruled out with confidence. We recommended a clean operating system installation and delivered a clear distinction between confirmed facts, plausible explanations, and unresolved risk.

Technologies Used

Tenable IO

Tenable IO

Joe Sandbox logo

Joe Sandbox

N map logo

N map

Malwarebytes logo

Malwarebytes

Microsoft Windows logo

Microsoft Windows

Browse more projects

Connected Vessel Risk Review

Connected Vessel Risk Review

Account-to-Server Takeover Test

Account-to-Server Takeover Test

Contact Us