Forensic investigation, root cause analysis and cleanups

Require a forensic investigation or cleanup? When you order an Advanced or Enterprise plan for one year, we will run a forensic investigation and - if explicitly requested - perform a cleanup for you. Our forensic experts will do the following:

1. Run an extended examination of your system, covering all aspects of your code base, including database records, embedded assets, system processes, scheduled tasks and any other relevant attack surface. Refer to the section below for a detailed list of relevant components.

2. This scan typically reveals indicators for a live or past breach (NB. 50% of all eCommerce sites have been breached in the past 5 years!). Pending sufficient log retention, we will investigate any vulnerabilities that may have been exploited in the past 6 months and present a root cause analysis to you.

3. We will conduct a manual analysis of any potential vulnerabilities or weaknesses of your store, and present you with tailored recommendations. They may include advice on how to harden your configuration, code and procedures, so your store will be among the top-most secure stores of the global Internet.

4. Finally, we will make sure that eComscan is properly installed in monitoring mode, set up to alert your tech team on your preferred channels, and optimized for your specific hosting architecture.

To get us started ASAP, order an Enterprise plan and grant us temporary access (follow these instructions). We are happy to sign an MNDA for the duration of our investigation. We will report back to you within seven days of having received access (but typically, our investigations are completed much faster).

Important

Do not remove or modify any suspicious code, without consulting us. The creation and modification timestamps may be lost, which are vital in a root cause analysis.

Our reporting and root cause analysis is aimed to help you quickly obtain full visibility into the scope of an incident, during the first phase of incident response. Our reporting to you is confidential and may not be disclosed to third parties, such as insurers and payment providers. If you already have full visibility and require reporting for legal purposes, we recommend to engage a PFI consultancy instead.

Previously we offered one-off investigations at 450 EUR per hour, however we now offer investigations as part of a minimum scanning commitment only. The reason is that having full visibility after an incident is vital, should the manual analysis miss an entry vector. Typically, criminals tend to try to get back in after they have been evicted, so monitoring irregular activity in the months after an incident is especially important.

Sansec is the only forensic investigator who is specialized in Adobe Commerce & Magento security. We have investigated over 10,000 compromised stores since 2015.

Forensic investigation process overview

For a compromised Magento store, we typically examine the following components and behavior.

1. Full scan of PHP and JS code files, for known malware and suspect code behavior
2. Full scan of revelevant database tables, notably core_config_data, cms_blocks, cms_pages, sales_order, quote_*, admin_users
3. Analysis of stored executable code in the database, such as triggers and functions
4. Detection of executable code blocks hidden in media or styles assets
5. Analysis of system (background) processes
6. Analysis of periodic tasks
7. Analysis of disk I/O activity during a transaction
8. Analysis of network I/O during a transaction
9. Analysis of shell activity and initialization code
10. Simulation of a customer-initiated transaction via the regular checkout flow
11. Analysis of third party hosted Javascript sources
12. Scan for obfuscated code blocks
13. Semi-automated analysis of web server access logs, covering the suspected attack period
14. Historical cross-referencing of HTTP activity and disk I/O
15. Cross-referencing network activity with our private database of attacker infrastructure
16. Analysis of staff account password strength and 2fa implementation
17. Examination of Magento system and error log
18. Examination of Magento audit log, if available
19. Check for unauthorized backend activity based on trusted IP sets

Beyond these lines of investigation, we conduct a number of proprietary checks.

To get us started ASAP, order an Enterprise plan and grant us temporary access (follow these instructions). We are happy to sign an MNDA for the duration of our investigation. We will report back to you within seven days of having received access (but typically, our investigations are completed much faster).

Terms & conditions

Our general terms & conditions apply to our forensic investigations. In addition, the following specific terms apply:

1. Investigation Report: Sansec provides a detailed PDF report upon request (included with Enterprise plan). Customer may request one revision of the report.
2. Data Privacy: Sansec does not access or process customer personal data (PII). While we can estimate infection periods, customers are responsible for identifying affected users in case of skimming incidents.
3. Scope: Each investigation covers one security incident. We will not investigate potential breaches that occurred more than 3 months before the reported incident date.
4. Communication: Sansec communicates directly and exclusively with the customer. We do not participate in discussions with third parties, your own customers or external consultants.
5. An Enterprise investigation includes one initial consultation call to discuss scope, timeline and requirements. All subsequent communication will be conducted via email for clear documentation and efficient follow-up.
6. Timeline: While we typically complete investigations within 7 days, this timeline begins only after receiving all required materials (case details, production environment access, and relevant logs). Delays in providing these materials may affect completion time, and investigation will proceed on a best-effort basis.