When Cyber Incidents Hit Indian Organisations:
Real-World Digital Forensics & Incident Response

Digital Forensics Incident Response (DFIR) combines two disciplines: digital forensics - the scientific investigation of what happened, how, and by whom during a cyber incident - and incident response - the structured process of containing, eradicating, and recovering from a cyber attack.

In India, DFIR matters critically because:

• CERT-In mandates incident reporting within 6 hours of detection under its 2022 directions.
• The DPDP Act 2023 requires mandatory breach notification with penalties reaching ₹250 crore.
• Cyber insurance claims require forensically documented evidence to be valid.
• Criminal prosecution of attackers and insider threat actors requires court-admissible digital evidence.
• Board and regulatory accountability demands a documented, defensible account of the incident and the organisation's response.

Without qualified DFIR, organisations pay more, recover slower, face regulatory penalties and cannot effectively pursue legal remedies against attackers.

ISECURION's full-spectrum DFIR engagement covers:

ISECURION is a CERT-In empanelled cybersecurity auditing organisation, giving our incident reports additional regulatory standing.

ISECURION operates 24 hours a day, 7 days a week. Remote triage and containment guidance can begin within hours of initial contact. On-site deployment is available across Bangalore, Mumbai, Delhi NCR, Hyderabad, Chennai, Pune, Kolkata, Ahmedabad and other major Indian cities.

For organisations with an ISECURION DFIR retainer, guaranteed SLA response times are agreed contractually in advance - removing any ambiguity during an active crisis.

Critical reminder: Every hour of delay expands incident scope. In the Mumbai logistics case study, 36 hours lost before engaging a specialist team significantly increased recovery complexity and total cost.

Under CERT-In's 2022 directions (effective April 2022), all Indian organisations - service providers, intermediaries, data centres, corporates and government entities - must report cybersecurity incidents to CERT-In within 6 hours of detecting the incident or being made aware of it.

Reportable incident categories include: data breaches, ransomware attacks, unauthorised access, identity theft, phishing, DDoS attacks, website defacement, malicious code, and several others.

Additional requirements under the 2022 directions include: maintaining logs for 180 days in India, synchronising system clocks with NTP servers, and providing CERT-In with information, logs and assistance when required.

ISECURION manages CERT-In notification preparation and submission as part of every DFIR engagement, ensuring compliance even under the intense pressure of an active incident.

The Digital Personal Data Protection Act 2023 (DPDP Act) requires data fiduciaries - organisations that collect and process personal data - to notify the Data Protection Board of India and affected data principals (individuals) in the event of a personal data breach, without undue delay. Penalties for non-compliance can reach ₹250 crore.

Key DPDP breach obligations:

• Notify the Data Protection Board of every personal data breach
• Notify affected data principals whose data was compromised
• Maintain a record of breaches and actions taken

The Bangalore FinTech case study - involving 2.4 million Aadhaar-linked customer records - triggered DPDP Act notification obligations alongside RBI mandatory reporting. ISECURION helps organisations understand their specific obligations, prepare notifications, and document incidents in a manner demonstrating regulatory good faith.

Note: Special categories of data - including health data and financial data - attract the most stringent DPDP Act obligations.

ISECURION's position - consistent with CERT-In, Interpol, NCSC UK and international law enforcement guidance - is that paying ransoms is not recommended. Key reasons:

• No guarantee of decryption: Threat actors frequently fail to provide working decryption keys, or the decryption process is slow and incomplete.
• Data still sold: Exfiltrated data is typically sold on dark web markets regardless of ransom payment. Payment does not prevent this.
• Funds criminal operations: Ransom payments directly fund the same threat actor infrastructure used for further attacks.
• Sanctions risk: If the ransomware group is on a sanctioned entity list (OFAC, EU), payment may constitute a sanctions violation.
• Increases recurrence risk: Organisations known to have paid ransoms become repeat targets.

In the Mumbai logistics case study, the ransom was not paid. Recovery was achieved through cold backups, vendor-supported rebuilds and manual data reconciliation. A well-prepared organisation with immutable backups, tested recovery plans and a DFIR retainer substantially reduces both the pressure to pay and the cost of recovery.

During a DFIR investigation, ISECURION forensic analysts preserve:

• Forensic disk images - bit-for-bit captures including deleted files and unallocated space, created using write-blocking hardware
• Memory dumps - volatile RAM captures from live systems containing running processes, network connections and encryption keys
• Network and firewall logs - traffic metadata, DNS query logs, proxy logs and IDS/IPS alerts
• Windows event logs - Security, System, Application, PowerShell, Task Scheduler logs
• Active Directory logs - authentication events, group membership changes, GPO modifications
• Cloud audit logs - AWS CloudTrail, Azure Monitor, GCP Audit Logs, M365 Unified Audit Log
• Email headers and server logs - for BEC and phishing investigations
• EDR telemetry - process trees, file creation events, network connections

Chain of custody - a documented record of who collected each piece of evidence, when, how and where it has been stored - is essential for admissibility in Indian courts, regulatory proceedings (CERT-In, RBI, Data Protection Board), and law enforcement submissions. ISECURION maintains rigorous chain-of-custody documentation on every engagement.

Business Email Compromise (BEC) is a financially motivated attack where threat actors compromise or impersonate legitimate email accounts - typically senior executives, legal intermediaries or financial officers - to redirect high-value wire transfers or extract sensitive information. It requires no malware: only patience, research and the exploitation of human trust.

Typical BEC attack stages: OSINT target identification → phishing or credential stuffing to compromise an executive email account → weeks of silent surveillance reading emails → lookalike domain registration → interception of payment-related communications → fraudulent wire transfer instruction.

Protection measures for Indian organisations:

• Enforce MFA on all email accounts (M365, Google Workspace) - this single control prevents the majority of account compromise
• Configure DMARC, DKIM and SPF email authentication to prevent domain spoofing
• Establish a mandatory out-of-band (telephone) verification protocol for all wire transfer instructions, regardless of apparent sender or urgency
• Monitor M365 Unified Audit Logs for impossible travel, new inbox forwarding rules and suspicious OAuth app grants
• Implement conditional access policies restricting email login to managed, compliant devices from approved geographies
• Conduct regular phishing simulation training for all staff, particularly those in finance, legal and executive support roles

The Delhi NCR law firm case study in this article illustrates how a 4-week silent reconnaissance preceded a ₹2.3 crore fraudulent transfer - all without a single piece of malware being deployed.

Dwell time is the period between a threat actor's initial access to a network and the detection of their presence. Research consistently shows that longer dwell times correlate directly with higher incident costs - because attackers use undetected time to steal data, destroy backups, escalate privileges and maximise the blast radius of their eventual payload.

In the Mumbai ransomware case study, dwell time was 23 days. During this period, the attacker: mapped Active Directory, escalated to domain admin, deleted all backup snapshots and exfiltrated 120 GB of data - before deploying the ransomware payload at 03:17 IST on a Sunday morning.

Reducing dwell time requires:

• MFA to prevent credential-based initial access
• Universal EDR deployment across all endpoints and servers
• SIEM-based log correlation and anomaly detection
• Network segmentation to limit lateral movement
• 24/7 SOC monitoring or a managed detection and response (MDR) service
• Proactive threat hunting - actively searching for attacker presence rather than waiting for alerts

ISECURION's DFIR retainer includes proactive threat hunting engagements specifically designed to reduce dwell time between incidents.

An insider threat originates from within the organisation - a current or former employee, contractor or partner who misuses legitimate access to cause harm. Insider threats are among the hardest to detect because the actor uses authorised credentials and their activities initially appear legitimate.

The Bangalore FinTech case study illustrates a malicious insider: a senior data analyst who systematically exfiltrated 2.4 million customer records over 31 days through their legitimate database access - exporting through a personal mobile hotspot to evade corporate DLP monitoring entirely.

Forensic investigation techniques for insider threats:

• Database query log analysis - reconstructing who queried what, when and how much
• User Behaviour Analytics (UBA) - identifying anomalous patterns against historical baselines
• Endpoint activity correlation - USB usage, print logs, cloud upload activity, application usage timelines
• Cloud storage access logs - personal cloud service upload/download records
• Network traffic metadata - volume anomalies, unusual destination analysis
• Device forensics - recovering artefacts from corporate laptops (browser history, recently accessed files, connected devices)
• Communication forensics - messaging app and email analysis where legally permissible on corporate devices

ISECURION prepares admissible forensic evidence packages for submission to Cyber Crime Police Stations and civil courts under the IT Act 2000, IPC provisions and DPDP Act 2023.

Cyber insurance claims in India require detailed forensic documentation of the incident, its root cause, scope, business impact and remediation actions. Insurers frequently dispute claims lacking adequate technical documentation - or where the organisation cannot demonstrate reasonable security controls were in place pre-incident.

ISECURION produces insurer-grade forensic investigation reports specifically structured to meet the evidentiary requirements of cyber insurers. Our documentation covers:

• Complete attack timeline and root cause analysis
• Full inventory of affected systems and compromised data
• Containment and recovery actions taken with timestamps
• Regulatory notifications made (CERT-In, DPDP, RBI/SEBI)
• Evidence of pre-incident security controls
• Quantified business impact assessment
• Remediation roadmap demonstrating future risk reduction

In the Mumbai logistics case study, ISECURION's forensic report supported the cyber insurance claim, recovering a significant portion of the ₹9.2 crore total incident cost. We recommend notifying your insurer immediately upon detecting a potential incident and engaging ISECURION before taking any recovery actions that could compromise the forensic record.

A DFIR retainer is a pre-negotiated agreement with a specialist incident response firm - like ISECURION - that guarantees defined response time SLAs, pre-agreed commercial rates, and access to proactive pre-incident readiness services.

Retainer benefits for Indian organisations:

• Guaranteed response SLAs - critical given CERT-In's 6-hour notification window and the time-sensitivity of ransomware containment
• Pre-agreed commercial rates - ad-hoc emergency engagements during active incidents cost 2–4× retainer rates
• IR plan review - ISECURION reviews and stress-tests your incident response plan before you need it
• Tabletop exercise facilitation - rehearsing your team's response to realistic attack scenarios
• Forensic logging prerequisites - ensuring the logging infrastructure needed for forensic investigation is in place before an incident occurs
• Proactive threat hunting - actively searching for attacker presence between incidents
• Priority deployment - retainer clients receive priority during major incidents when DFIR capacity is under simultaneous pressure

For any Indian organisation with material cyber risk - particularly in regulated sectors (banking, FinTech, healthcare, legal) - a DFIR retainer is the single most commercially rational security investment available.

Based on ISECURION's DFIR engagement patterns and published threat intelligence, the highest-risk sectors in India include:

ISECURION has active DFIR capabilities across all these sectors and cities.

Both are essential: VAPT reduces the likelihood of a successful attack. DFIR limits the damage when an attack succeeds. ISECURION provides both - and DFIR retainer clients often receive proactive VAPT services as part of their overall engagement.

Admissibility in Indian legal proceedings - whether before Cyber Crime Police Stations, IT Appellate Tribunals, High Courts or regulatory bodies - requires adherence to established forensic principles throughout the investigation.

ISECURION's evidence integrity protocol:

• Write-blocking hardware is used for all forensic disk imaging, ensuring no modification to original evidence
• Cryptographic hash values (MD5 and SHA-256) are generated and recorded for all forensic images at acquisition - any subsequent modification would produce a different hash, proving tampering
• Chain-of-custody documentation records every person who handled each piece of evidence, the time and circumstances of handling, and where evidence was stored
• Analysis on forensic copies only - original evidence media is never used for analysis
• Tool validation - forensic tools used (FTK, Magnet AXIOM, Volatility, Wireshark) are industry-standard and their methodology is documented to withstand expert challenge
• Contemporaneous notes - analysts record their observations and methodology in real time, not retrospectively

ISECURION's forensic reports are structured to meet the admissibility requirements of the Indian Evidence Act (specifically Section 65B for electronic records), proceedings before the Data Protection Board of India, and regulatory submissions to RBI, SEBI, IRDAI and other sector regulators. Our certified forensic examiners are available as expert witnesses in civil and criminal proceedings.