The Answers You Need After an Alert
Attacks often start 11 days before detection.
You need to know what happened before an EDR alert:
- Exfiltration: Was IP or sensitive data stolen?
- Lateral Movement: Were other hosts involved?
- Command and Control: Does the attacker have remote access?
Our service gives you all the answers you need in one report.
How it works
You Upload
- After payment, we will send you the Collector program along with instructions and a video.
- You will copy the program to the endpoint and launch it. It does not need to be installed.
- The program automatically collects hundreds of critical forensic artifacts and files.
- The data is securely uploaded to our servers.
- See FAQs for more information.
We Analyze
- Your data is ingested into our automated investigation platform, Cyber Triage, which is used by leading forensic teams around the world.
- The data is analyzed using 40+ malware scanning engines, sandbox analysis, Yara rules, and dozens of other AI and machine learning-based techniques.
- An analyst from our team will review the findings to generate a report focused on key questions, such as data exfiltration and lateral movement.
You Decide
- We will send you a secure link to your report for your review.
- If purchased, we will meet with you to answer additional questions.
- You can then have the data needed to decide what to do with this host.
Why Sleuth Kit Labs
The team behind Autopsy, Cyber Triage, and Sleuth Kit Labs has been conducting investigations and building digital forensics tools for over 20 years.

Brian Carrier, CEO
Brian leads the company and has been involved with national security investigations, built leading open source tools, and wrote the popular book, File System Forensic Analysis.

Mike Wilkinson, Head of Services and Training
Mike leads services efforts with knowledge from over two decades of experience conducting digital investigations and helping people recover from cyber security incidents.
Pricing and Delivery
Pricing | Fixed price of $2,000 for each endpoint* |
Delivery | 1 business day target.** |
*Additional support post-report is billed at an hourly rate.
**Estimated date subject to change based on workload. An estimate will be provided upon purchase.
Bulk discounts available for MSSPs and MDRs.
White labeling is possible.
Request Information:
FAQ
We can analyze all versions of Windows. Please let us know if you have Windows XP or Vista and we’ll send you a special version of the Collector.
The computer will need to be powered on to run the Collector. If you cannot turn it back on, then please contact us and we will determine if we can help you.
This varies depending on the target system. Generally collections are between 2GB and 5GB. However systems with many files that have been in use for years may be considerably larger.
The collection is encrypted using RSA-4096 and AES-256. The private key is stored on our server and not shared outside the analysis network.
In order to run the collector for you we would need remote administrative access to the system. It is much safer for you to run the collection directly.
We will provide you with a single .exe file to run on the target system. Once launched this program will collect key forensic artifacts and save them to an encrypted file. Once collection is complete the file will be uploaded to a AWS S3 bucket, or saved to the local system if it is not possible to connect to S3.
We aim to complete analysis by the next business day after receiving the data. Delays may occur due to complexity of analysis or volume of requests.
Unfortunately modern attacks are frequently (if not always) using a mix of malware and legitimate tools. Legitimate tools will not be reported by AV and sometimes AV will fail to detect recently developed malware. Our approach uses a number of DFIR approaches (including signatures, heuristics, machine learning and AI) to identify evidence of recent malicious activity on the system. The automated results are then analysed by expert investigators with years of experience dealing with cyber intrusions.
Our tool (Cyber Triage) has been developed over the years to rapidly identify the most relevant artifacts and information on systems under investigation.
Certainly, you can buy it here. Just be aware that although it makes the investigation thousands of times easier than using other tools, completing an investigation still requires some expertise in operating systems, their vulnerabilities and modern attack techniques.