On-Demand Digital Forensics: Investigate an Incident, Verify a Cleanup
Two new one-off services: an owner-installed agent collects internal evidence — IOCs, file integrity, persistence, logs — and an AI-guided, read-only investigation returns a verifiable compromise verdict with an ISO/IEC 27037-aligned chain of custody. Cleanup Verification proves a remediation worked.
Until now, everything TCSR did looked at your site from the outside — the view an attacker gets before they're in. That's the right place to start, but it can't answer the question you actually have the morning you find something wrong: has this server been compromised, and if so, what did they touch? From today there's an answer. TCSR now offers two one-off services — Digital Forensics and Cleanup Verification — that collect evidence from inside your own server and turn it into a clear, verifiable report. No subscription required; buy one when you need it.
How it works
You don't hand us a password or open a port. Instead you download a small agent for your stack — a Bash script, a PHP drop-in, or a WordPress file — and run it on your own server. It reads internal state the external scan can never see and sends its findings to TCSR over HTTPS. It only ever reads; it never changes a thing on your system, and you delete it when you're done.
What it gathers is the material a first-responder looks for:
- Indicators of compromise — webshell and backdoor signatures, obfuscated PHP, executable code hiding in your uploads folder.
- File integrity — which files changed inside the incident window you specify, and a timeline of when.
- Persistence — the mechanisms an intruder uses to stay: unexpected admin accounts, new SSH keys, suspicious cron jobs and services.
- Log analysis — exploitation signatures in your web and auth logs, successful logins from unfamiliar places.
An investigation that thinks
The first sweep is only the beginning. Once the evidence arrives, the AI reads it and decides what to look at next — hash these suspicious files, read the head of that one, tail this log around the incident. The agent runs those follow-ups and reports back, and the loop tightens until the picture is clear.
This is powerful, so it's deliberately caged. The agent will only ever perform a fixed set of read-only actions — hash a file, list a directory, tail a log — and only on paths under your web root or a short allow-list, size-capped, never with a .. in sight. It re-validates every instruction itself. Even a fully compromised server on the other end could not make the agent run a command or write a byte.
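As an added illustration of that cage (written in Python here, not the Bash/PHP agents the post describes), the following re-validates every incoming instruction against a fixed action set and allow-list before reading anything; the action names, size cap, tail length and sandbox contents are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Assumed policy: three read-only actions, a per-file size cap, a fixed tail length.
ACTIONS = ("hash", "list", "tail")
MAX_BYTES = 1_000_000
TAIL_LINES = 50

def validate_path(raw, roots):
    """Return the canonical path if it lies inside one of `roots`, else raise ValueError."""
    if ".." in raw.split(os.sep):                      # refuse before touching the filesystem
        raise ValueError("'..' component rejected")
    real = os.path.realpath(raw)                       # resolve symlinks, then compare
    for root in roots:
        root_real = os.path.realpath(root)
        if os.path.commonpath([root_real, real]) == root_real:
            return real                                # whole-component match: /srv/site2 != /srv/site
    raise ValueError("path outside allow-list")

def run_instruction(instr, roots):
    """Re-validate a server-sent instruction locally, then perform only a fixed read-only action."""
    try:
        action = instr.get("action")
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action!r}")
        path = validate_path(str(instr.get("path", "")), roots)
        if action == "list":
            return {"action": action, "path": path, "entries": sorted(os.listdir(path))}
        if os.path.getsize(path) > MAX_BYTES:
            raise ValueError("file exceeds size cap")
        with open(path, "rb") as fh:                   # read only; nothing is ever written
            data = fh.read()
        if action == "hash":
            return {"action": action, "path": path, "sha256": hashlib.sha256(data).hexdigest()}
        lines = data.decode("utf-8", "replace").splitlines()
        return {"action": action, "path": path, "tail": lines[-TAIL_LINES:]}
    except (ValueError, OSError) as err:
        return {"rejected": str(err), "instruction": instr}   # reported back, never executed

# Constructed sandbox standing in for a web root so the example runs offline.
SANDBOX = tempfile.mkdtemp()
os.makedirs(os.path.join(SANDBOX, "uploads"))
with open(os.path.join(SANDBOX, "uploads", "photo.php"), "w") as fh:
    fh.write("<?php /* constructed sample */\n")
ROOTS = [SANDBOX]
```

Anything outside the allow-list, any `..` component, any unknown action, or any oversize file comes back as a rejection record rather than being acted on.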
A verdict, not a grade
An external scan earns an A–F grade. A forensic examination answers a different question, so it gives a different answer: a single verdict — Compromise Detected, Suspicious Indicators, No Compromise Found, or Inconclusive — backed by the evidence and a plain-language assessment of affected assets, likely root cause, and the containment and recovery steps to take next.
Evidence you can prove
Forensic evidence is only as good as its integrity. Every report carries a chain-of-custody manifest: each collected item is hashed with SHA-256, and those hashes are bound into a single manifest digest that is printed into the report. The report itself is then sealed with its own SHA-256 and registered at /verify — so a third party can confirm, from the reference alone, that the document is authentic and unaltered, and that its evidence set hasn't changed. Collection and preservation follow the recognised digital-evidence standards — ISO/IEC 27037, NIST SP 800-86 and NIST SP 800-61.
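The three layers described above (per-item hashes, one manifest digest, a seal over the whole report) as an added Python illustration that is not TCSR's own code; the field names, serialisation and the evidence items are constructed assumptions.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(obj) -> bytes:
    # One fixed serialisation so identical content always yields an identical digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(items):
    # items maps an evidence name to its bytes; each gets its own SHA-256,
    # and the sorted list of entries is bound into a single manifest digest.
    entries = [{"item": name, "sha256": sha256_hex(blob), "bytes": len(blob)}
               for name, blob in sorted(items.items())]
    return {"items": entries, "manifest_digest": sha256_hex(canonical(entries))}

def seal_report(verdict, manifest):
    # Returns the report bytes and the seal that would be registered at /verify.
    body = canonical({"verdict": verdict, "manifest": manifest})
    return body, sha256_hex(body)

def verify(body, registered_seal, items=None):
    """Document against its seal, manifest against its digest, then each item against the manifest."""
    if sha256_hex(body) != registered_seal:
        return "report altered"
    manifest = json.loads(body)["manifest"]
    if sha256_hex(canonical(manifest["items"])) != manifest["manifest_digest"]:
        return "manifest digest mismatch"
    if items is not None:                              # evidence set supplied: check it too
        expected = {e["item"]: e["sha256"] for e in manifest["items"]}
        if set(items) != set(expected):
            return "evidence set changed"
        for name, blob in items.items():
            if sha256_hex(blob) != expected[name]:
                return "evidence item altered: " + name
    return "authentic"

# Constructed evidence items standing in for what the agent collected.
EVIDENCE = {
    "uploads/photo.php": b"<?php /* constructed sample flagged by signature */\n",
    "var/log/auth.log": b"Jan 10 03:12:44 web sshd[2211]: Accepted publickey for deploy from 203.0.113.9\n",
    "etc/cron.d/backup": b"*/5 * * * * root /usr/local/bin/backup.sh\n",
}
```

Editing a single byte of the report, altering one evidence item, or dropping an item from the set each produces a distinct, non-"authentic" result.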
After you clean up — prove it
Finding the problem is half the job; knowing you actually fixed it is the other half. Cleanup Verification re-runs the same agent after a remediation and compares it to your previous investigation: which indicator categories are now gone, which persist, whether anything new appeared. Instead of hoping the site is clean, you get a dated, verifiable document that says so — or tells you plainly that the cleanup was incomplete.
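The before/after comparison described above as an added Python illustration, not TCSR's own code; the category names, the indicator strings and the rule that anything persisting or new makes the cleanup incomplete are constructed assumptions.

```python
# Constructed findings from the original investigation, keyed by indicator category.
BEFORE = {
    "ioc": {"uploads/photo.php: webshell signature", "wp-includes/x.php: obfuscated php"},
    "persistence": {"cron: /etc/cron.d/backup", "ssh-key: deploy: constructed-key-1"},
}
# Constructed findings from the re-run after remediation.
AFTER = {
    "ioc": set(),
    "persistence": {"cron: /etc/cron.d/backup"},
    "accounts": {"admin user: support2"},
}

def compare(before, after):
    """Per category: what is gone, what persists, what is new; plus an overall outcome."""
    result = {}
    for cat in sorted(set(before) | set(after)):
        b, a = before.get(cat, set()), after.get(cat, set())
        result[cat] = {"gone": sorted(b - a), "persisting": sorted(b & a), "new": sorted(a - b)}
    # Assumed rule: any persisting or newly appeared indicator means the cleanup is not complete.
    unresolved = any(r["persisting"] or r["new"] for r in result.values())
    return {"categories": result,
            "outcome": "cleanup incomplete" if unresolved else "no prior indicators remain"}
```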
The honest boundaries
The same candour that governs the rest of TCSR applies here, and it matters more when the stakes are legal:
- This is not an accredited forensic audit. The evidence is collected by an agent you installed on your own system, with your authorization. That makes it a genuinely useful, standards-aligned examination — but alignment is not certification, and self-collected evidence is not the same as an examiner-preserved chain of custody. If litigation is likely, engage a certified examiner; our report is a strong starting point, not a substitute.
- Authorization is required. You confirm you're entitled to investigate the system before anything runs, and the service is available only for a property whose ownership you've already verified.
- Bounded by what was collected. A "No Compromise Found" verdict means no indicators appeared in the evidence gathered within your incident window — not a guarantee of a clean bill of health.
Getting one
Both services are one-off — a single payment, no subscription. Audit-plan subscribers get one investigation included each month; everyone else buys as needed. You can start from any verified property, or read the details first on the services page.
An external scan tells you what the world can see. A forensic investigation tells you what happened inside. When you need the second kind of answer, it's now one download away.