Remote Access Evidence Review
We separated a confirmed support scam from unresolved compromise concerns and gave a professional services business clear, practical next steps.

Industries
Professional Services
Services
Vulnerability Assessment,
Digital Forensics
About the project
A professional services business needed clarity after years of suspected malicious activity involving its workplace computer, local network, and other connected devices. Several system behaviors looked alarming, but prior repairs, incomplete logs, and a removed software sample made it difficult to determine what had happened.
The goal was to separate verified events from misunderstood system behavior, check for current exposure, and identify the safest next steps without overstating what the remaining evidence could prove.
What we did
- We reconstructed the incident history using client interviews, available technical records, and corroborating information from other parties. The evidence supported one contained tech-support scam in which remote access was used to simulate an attack. A separate remote-access event remained uncertain, so we documented the plausible explanations rather than forcing an unsupported conclusion.
- We examined the Windows desktop for event history, active connections, services, startup items, altered network settings, and earlier antivirus results. We also analyzed the behavior of legitimate remote-support software in a sandbox. That comparison showed that command windows, self-removal, and registry changes could arise from support tooling and were not, by themselves, proof of malware.
- We assessed the local network with vulnerability and service-discovery scans, reviewed connected devices and router settings, and checked additional workplace technology for signs of compromise. The review found no current malicious devices or cybersecurity problems on the desktop. It also isolated a router setting that warranted verification, depending on how the network was configured.
- We made the limits of the evidence part of the outcome. Because the suspected file was no longer available and system logging was incomplete, continued access could not be ruled out with confidence. We recommended a clean operating system installation and delivered a clear distinction between confirmed facts, plausible explanations, and unresolved risk.
Technologies Used
Tenable IO

Joe Sandbox
N map
Malwarebytes

Microsoft Windows

