Forensic investigation, root cause analysis and cleanups
by Sansec
Published in Guides
Need a forensic investigation or cleanup from the world’s leading Magento security experts? Sansec provides the gold standard in ecommerce forensics. We offer fast and effective investigations and (optionally) complete cleanups when you subscribe to our annual Advanced or Enterprise plan. Our team of forensic specialists will provide the following services:
Run a deep examination of your system, covering your code base and everything around it: database records, embedded assets, system processes, scheduled tasks and any other relevant attack surface. Refer to the section below for a detailed list of the components we examine.
This deep scan typically reveals indicators of a live or past breach. Provided logs have been retained for long enough, we investigate any vulnerabilities that may have been exploited in the past 3 months and present a root cause analysis to you.
We conduct a manual analysis of any potential vulnerabilities or weaknesses of your store and present you with tailored recommendations, including advice on how to harden your configuration, code and procedures, so that your store ends up among the most secure stores on the Internet.
Finally, we will make sure that eComscan and Sansec Shield are properly installed in monitoring and active protection mode, set up to alert your tech team on your preferred channels, and optimized for your specific hosting architecture.
To get us started ASAP, order an annual Advanced or Enterprise plan and grant us temporary access (follow these instructions). We are happy to sign an MNDA for the duration of our investigation. We will report back to you within seven days of having received access (but typically, our investigations are completed much faster).
Important
Do not remove or modify any suspicious code without consulting us first. Editing or deleting a file, or even changing its permissions, alters or destroys its modification and change timestamps (mtime and ctime), which are vital evidence in a root cause analysis.
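To show why the note above matters, here is an added example (not part of the original guide and not Sansec's tooling): it records each code file's mtime, ctime, inode and SHA-256 read-only, so the evidence survives whatever happens next, and it flags the classic timestomping pattern, an mtime backdated long before the ctime, which cannot be set from user space. The directory layout, file contents and the 60-second threshold are constructed for the demo.

```python
"""Preserve and inspect file timestamps before touching a suspect code base.

Added example for this guide (not Sansec's own tooling). The sample tree it
builds, the file contents and the 60-second threshold are constructed for
illustration. Everything it does to the tree is read-only: stat() and
reading contents never change mtime or ctime.
"""
import hashlib
import os
import tempfile
import time

CODE_EXTENSIONS = {".php", ".phtml", ".js", ".html"}
SPECIAL_NAMES = {".htaccess"}


def snapshot(root):
    """Walk `root` and record stat() data plus a SHA-256 for every code file."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in CODE_EXTENSIONS and name not in SPECIAL_NAMES:
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                      # do not follow symlinks out of the tree
            st = os.lstat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mtime": st.st_mtime,         # content modification time; attackers can forge it
                "ctime": st.st_ctime,         # inode change time; not settable from user space
                "inode": st.st_ino,
                "sha256": digest,
            }
    return manifest


def timestomped(manifest, min_gap=60):
    """Paths whose ctime is more than `min_gap` seconds newer than their mtime.

    `touch -r` or utime() rewinds mtime but not ctime, so a backdoor planted
    today and "aged" to match the release shows a gap of months. Caveat: files
    unpacked from a tarball keep their archive mtime and get a fresh ctime as
    well, so a whole tree sharing one gap is a deploy; an isolated file with a
    gap its siblings lack is the lead.
    """
    return sorted(p for p, e in manifest.items() if e["ctime"] - e["mtime"] > min_gap)


def changed_since(baseline, current):
    """Paths added or altered relative to an earlier snapshot (or a clean release)."""
    return sorted(p for p, e in current.items()
                  if p not in baseline or baseline[p]["sha256"] != e["sha256"])


def build_demo_tree(root):
    """Constructed sample: a clean entry point plus a planted file with forged mtime."""
    os.makedirs(os.path.join(root, "pub"), exist_ok=True)
    with open(os.path.join(root, "pub", "index.php"), "w") as fh:
        fh.write("<?php require __DIR__ . '/../app/bootstrap.php';\n")
    planted = os.path.join(root, "pub", "health_check.php")
    with open(planted, "w") as fh:
        fh.write("<?php /* constructed stand-in for injected code */\n")
    two_years_ago = time.time() - 2 * 365 * 86400
    os.utime(planted, (two_years_ago, two_years_ago))  # forges atime/mtime; ctime stays "now"


def demo():
    """Run the workflow on the constructed tree and return the two lead lists."""
    root = tempfile.mkdtemp(prefix="forensics-demo-")
    build_demo_tree(root)
    before = snapshot(root)                          # evidence manifest, taken first
    with open(os.path.join(root, "pub", "index.php"), "a") as fh:
        fh.write("// constructed later modification\n")  # what an edit during cleanup does
    after = snapshot(root)
    return {
        "timestomped": timestomped(before),               # ['pub/health_check.php']
        "changed_since_snapshot": changed_since(before, after),  # ['pub/index.php']
    }


if __name__ == "__main__":
    print(demo())
```

Take the snapshot before anyone opens a file in an editor, runs a cleanup or re-deploys: once the tree has been touched, the gaps that point at the planted file are gone and only a manifest taken earlier can still tell which files changed.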
Our reporting and root cause analysis are aimed at helping you quickly obtain full visibility into the scope of an incident during the first phase of incident response. Our reporting to you is confidential and may not be disclosed to third parties such as insurers and payment providers. If you already have full visibility and require reporting for legal purposes, we recommend engaging a PFI (PCI Forensic Investigator) consultancy instead.
Previously we offered one-off investigations at 450 EUR per hour; we now offer investigations only as part of a minimum scanning commitment. The reason is that having full visibility after an incident is vital, should the manual analysis miss an entry vector. Criminals typically try to get back in after they have been evicted, so monitoring for irregular activity in the months after an incident is especially important.
Sansec is the only forensic investigator specialized in Adobe Commerce & Magento security. We have investigated over 10,000 compromised stores since 2015 and have a 100% success rate in finding the root cause of incidents.
Forensic investigation process overview
For a compromised Magento store, we typically examine the following components and behavior.
- Full scan of PHP and JS code files for known malware and suspicious code behavior
- Full scan of relevant database tables, notably core_config_data, cms_block, cms_page, sales_order, quote_* and admin_user
- Analysis of executable code stored in the database, such as MySQL triggers, stored procedures and functions
- Detection of executable code hidden in media or stylesheet assets
- Analysis of system (background) processes
- Analysis of periodic tasks
- Analysis of disk I/O activity during a transaction
- Analysis of network I/O during a transaction
- Analysis of shell activity and initialization code
- Simulation of a customer-initiated transaction via the regular checkout flow
- Analysis of third-party hosted JavaScript sources
- Scan for obfuscated code blocks
- Semi-automated analysis of web server access logs, covering the suspected attack period
- Historical cross-referencing of HTTP activity and disk I/O
- Cross-referencing network activity with our private database of attacker infrastructure
- Analysis of staff account password strength and 2FA implementation
- Examination of Magento system and error logs
- Examination of Magento audit log, if available
- Check for unauthorized backend activity against a set of trusted staff IP addresses
Beyond these lines of investigation, we conduct a number of proprietary checks.
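The two cross-referencing steps in the list above (semi-automated access log analysis, and matching HTTP activity against disk I/O) can be illustrated with the following Python. It is an added example for this guide, not Sansec's own tooling: the log lines, file paths, timestamps and IP addresses are constructed, and the 120-second window and scoring weights are assumptions to tune per case. Given the mtime of each changed file, it lists the requests that arrived just before the change, ranks them by how plausibly they could have written a file, pivots to the source IP and reconstructs that IP's full timeline.

```python
"""Cross-reference web server access logs with file modification times.

Added example for this guide, not Sansec's own tooling. Log lines, paths,
timestamps and IP addresses are constructed; the 120-second window and the
scoring weights are assumptions to tune per case.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Requests that can plausibly write files: scripts executed from upload/static
# directories, or the admin, REST and setup front names.
SUSPICIOUS_PATH = re.compile(r"^/(media|static|var)/.*\.ph(p|tml)|^/(admin|rest|setup)/", re.I)

# Constructed sample log: one shopper (198.51.100.23) and one attacker (203.0.113.7).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2024:03:12:55 +0000] "GET /customer/account/login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Mar/2024:03:13:40 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2024:03:14:02 +0000] "POST /admin/cms/wysiwyg_images/upload/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2024:03:14:25 +0000] "POST /media/wysiwyg/h.php HTTP/1.1" 200 17 "-" "python-requests/2.31"
198.51.100.23 - - [02/Mar/2024:03:14:30 +0000] "GET /checkout/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Constructed file changes (path relative to the Magento root, mtime), as
# you would get them from `find <root> -type f -newermt <date>` on a real host.
UTC = timezone.utc
FILE_CHANGES = [
    ("pub/media/wysiwyg/h.php", datetime(2024, 3, 2, 3, 14, 9, tzinfo=UTC)),
    ("app/etc/env.php", datetime(2024, 3, 2, 3, 14, 31, tzinfo=UTC)),
]


def parse_line(line):
    """Parse one combined-format line into a dict with an aware datetime, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def score(rec):
    """Heuristic weight for 'could this request have written a file?' (assumed weights)."""
    s = 0
    if rec["method"] in ("POST", "PUT", "PATCH"):
        s += 2                                   # file writes come from state-changing methods
    if SUSPICIOUS_PATH.search(rec["path"]):
        s += 2
    if rec["status"] < 400:
        s += 1                                   # the request actually succeeded
    if not rec["ua"].startswith("Mozilla/"):
        s += 1                                   # scripted client rather than a browser
    return s


def correlate(records, file_changes, window=timedelta(seconds=120)):
    """For each changed file, the requests in the window before its mtime, best candidate first."""
    result = {}
    for path, mtime in file_changes:
        cands = [r for r in records if mtime - window <= r["ts"] <= mtime]
        cands.sort(key=lambda r: (score(r), r["ts"]), reverse=True)
        result[path] = cands
    return result


def pivot_ips(correlated, min_score=4):
    """Source IPs behind high-scoring candidates, counted across all file changes."""
    counts = Counter()
    for cands in correlated.values():
        for r in cands:
            if score(r) >= min_score:
                counts[r["ip"]] += 1
    return counts


def timeline(records, ip):
    """Every request from one IP in time order; the first one dates the intrusion."""
    return sorted((r for r in records if r["ip"] == ip), key=lambda r: r["ts"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hits = correlate(recs, FILE_CHANGES)
    for path, cands in hits.items():
        print(path, "<-", cands[0]["method"], cands[0]["path"], "from", cands[0]["ip"])
    attacker = pivot_ips(hits).most_common(1)[0][0]
    for r in timeline(recs, attacker):
        print(r["ts"].isoformat(), r["method"], r["path"], r["status"])
```

On a real case the log side should cover the full retention window rather than the day the breach was noticed, because the earliest request from the pivot IP is the date the root cause analysis has to explain. Logs on the compromised host can themselves have been edited, so corroborate against copies held by the hosting provider, CDN or WAF before drawing conclusions.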
Terms & conditions
Our general terms & conditions apply to our forensic investigations. In addition, the following specific terms apply:
Investigation Report: Sansec provides a detailed PDF report upon request (included with Enterprise plan). Customer may request one revision of the report within 7 days of initial delivery. The report is provided for the customer's internal use and incident response purposes only.
Data Privacy: Sansec does not access or process customer personal data (PII) unless explicitly required for the investigation and with customer consent. While we can estimate infection periods, customers are responsible for identifying affected users in case of skimming incidents. Sansec will maintain confidentiality of all information accessed during the investigation.
Scope: Each investigation covers one security incident. We will not investigate potential breaches that occurred more than 3 months before the reported incident date. If evidence suggests multiple unrelated incidents, each will be treated as a separate investigation. The investigation scope is limited to the production environment and systems explicitly granted access to.
Cleanup Services: If cleanup is explicitly requested, Sansec will remove identified malicious code or processes. Customer is responsible for maintaining adequate backups prior to cleanup. Sansec is not liable for data loss or service interruption resulting from cleanup activities. Customer must approve cleanup activities before execution.
Access Requirements: Customer must provide timely access to production environments, relevant logs, and case details. Investigation timeline begins only after receiving all required materials. Delays in providing access or materials may extend completion time. Sansec requires secure access credentials and will not store credentials beyond the investigation period.
Communication: Sansec communicates directly and exclusively with the customer's designated point of contact. We do not participate in discussions with third parties, your customers, external consultants, insurers, or legal representatives. Enterprise investigation includes one initial consultation call to discuss scope, timeline and requirements. All subsequent communication will be conducted via email for clear documentation and efficient follow-up.
Timeline: While we typically complete investigations within 7 days, this timeline begins only after receiving all required materials (case details, production environment access, and relevant logs). Delays in providing these materials may affect completion time, and investigation will proceed on a best-effort basis. Complex incidents or incomplete information may require additional time.
Limitations: Sansec's investigation is based on available evidence, logs, and system state at the time of investigation. We cannot guarantee detection of all malicious activity, especially if evidence has been destroyed or if access is limited. Historical investigations are limited by log retention periods and system state preservation.
Root Cause Analysis: Root cause analysis is based on available evidence and our expertise. While we strive for accuracy, we cannot guarantee absolute certainty of identified root causes, especially if critical evidence (logs, backups, system snapshots) is unavailable or incomplete.
Customer Responsibilities: Customer is responsible for: (a) maintaining adequate system backups, (b) preserving system state and logs upon discovery of an incident, (c) providing accurate and complete case information, (d) implementing recommended security measures, and (e) coordinating with their hosting provider if needed.
Intellectual Property: Investigation reports and methodologies remain the intellectual property of Sansec. Customer may use reports for internal purposes and incident response. Reports may not be shared with third parties without prior written consent from Sansec.
Liability: Sansec's liability is limited to the cost of the investigation service. We are not liable for: (a) business interruption, (b) lost revenue, (c) damages to third parties, (d) costs of remediation beyond the scope of explicitly requested cleanup services, or (e) inability to identify all aspects of an incident due to missing evidence.
Force Majeure: Sansec is not liable for delays or inability to complete investigations due to circumstances beyond our reasonable control, including but not limited to: hosting provider outages, network failures, customer system unavailability, or acts of third parties affecting customer systems.
Payment Terms: Forensic investigations are included as part of annual Advanced or Enterprise plan subscriptions. If an investigation is requested during an active subscription period, no additional fees apply. Cancellation of subscription prior to completion of investigation may result in forfeiture of investigation services.
Post-Investigation Support: Included monitoring services (eComscan and Sansec Shield) will be configured and activated as part of the investigation. Ongoing support for these services follows standard support terms. Additional investigation requests after completion of initial investigation may require separate engagement.