Digital Forensics & Evidence Recovery
Host, network, cloud, and mobile forensics to ACPO and ISO 27037 standards. Courtroom-ready evidence packages produced by certified practitioners.
Written by Simon Lynge, Director DFIR — ChCSP, CREST IR | Last updated: March 2026
Evidence That Withstands Scrutiny
Whether you are building a legal case, satisfying ICO obligations, or determining the full scope of a breach, the quality of your forensic evidence determines the outcome. Poorly acquired or mishandled evidence is open to challenge in court and may be ruled inadmissible.
Our forensic practitioners are ACPO-trained and have given evidence in criminal and civil proceedings in England and Wales. Every acquisition follows documented chain-of-custody procedures from the moment we touch a device.
Forensic Capabilities
- Host forensics — Windows, Linux, macOS: disk imaging, artefact analysis, deleted file recovery, and user activity reconstruction
- Network forensics — PCAP analysis, lateral movement mapping, C2 traffic identification, and NetFlow investigation
- Cloud forensics — Microsoft 365 (Exchange, SharePoint, Teams, OneDrive), Microsoft Entra ID (formerly Azure AD), AWS CloudTrail, and Google Workspace
- Mobile forensics — iOS and Android logical and physical acquisition, app data, and communication records
- Memory forensics — volatile memory capture to detect fileless malware and credential harvesting
- Email forensics — BEC investigation, header analysis, and account compromise timeline
- Database forensics — access logs, exfiltration evidence, and SQL Server artefacts
Evidence Standards
All forensic work follows the ACPO Good Practice Guide for Digital Evidence and ISO/IEC 27037. We use EnCase, FTK, Axiom, and Velociraptor, and maintain write-blockers for physical media, verified hash documentation (acquisition hashes recorded at capture and re-checked before analysis, so the image can be shown to be unchanged), and a full chain of custody for every acquisition.
Our practitioners serve as expert witnesses and have prepared court reports for criminal and civil proceedings in England and Wales.
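What "verified hash documentation" means in practice, as an added example written for this page rather than the firm's own tooling: the image is re-hashed in one streaming pass and compared with the values logged at acquisition, and the result is recorded as a verification entry. It assumes a raw (dd-style) image and that MD5 and SHA-256 were logged at capture; the exhibit reference, examiner ID and the 3 MiB sample image are constructed placeholders.

```python
"""Re-verify a forensic image against the hashes recorded at acquisition.

Added example for this page; it is not the firm's own tooling. It assumes a
raw (dd-style) image file and that MD5/SHA-256 values were recorded when the
image was taken behind a write-blocker. Exhibit references and examiner IDs
below are invented placeholders.
"""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte images
ALGORITHMS = ("md5", "sha256")  # both are commonly logged on acquisition forms


def hash_stream(fh):
    """Hash an open binary stream in one pass; return hex digests plus length."""
    digests = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    size = 0
    while True:
        block = fh.read(CHUNK)
        if not block:
            break
        for d in digests.values():
            d.update(block)
        size += len(block)
    result = {alg: d.hexdigest() for alg, d in digests.items()}
    result["bytes"] = size
    return result


def hash_bytes(data):
    """Hash an in-memory byte string with the same routine used for files."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    """Hash a file on disk without loading it into memory."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def verify_image(path, acquisition_hashes, exhibit_ref, examiner):
    """Re-hash an image and compare it with the acquisition record.

    Returns a dict suitable for the verification entry of an acquisition
    report. Comparison is case-insensitive because tools differ in how they
    print hex digests. With no recorded hashes, integrity cannot be asserted.
    """
    current = hash_file(path)
    recorded = {alg: acquisition_hashes[alg].lower()
                for alg in ALGORITHMS if alg in acquisition_hashes}
    mismatched = [alg for alg, value in recorded.items() if value != current[alg]]
    return {
        "exhibit": exhibit_ref,
        "examiner": examiner,
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "file": os.path.basename(path),
        "acquisition": recorded,
        "verification": current,
        "integrity_intact": bool(recorded) and not mismatched,
        "mismatched": mismatched,
    }


def demo():
    """Constructed sample: a 3 MiB pseudo-image verified intact, then after one byte is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "EXH-001.dd")  # placeholder exhibit file name
        data = bytes(range(256)) * (3 * 4096)  # deterministic 3 MiB of sample content
        with open(image, "wb") as fh:
            fh.write(data)
        recorded = hash_bytes(data)  # stands in for the hashes logged at acquisition
        intact = verify_image(image, recorded, "EXH-001", "examiner-01")
        # Simulate post-acquisition tampering or media corruption: change one byte.
        with open(image, "r+b") as fh:
            fh.seek(1234)
            fh.write(b"\x00")
        altered = verify_image(image, recorded, "EXH-001", "examiner-01")
        return intact, altered


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

A single changed byte flips both digests, which is the point of recording them at capture: a mismatch on re-verification is itself documented and the image is not relied upon, rather than being quietly re-acquired. Container formats such as EnCase E01 carry embedded acquisition hashes that the imaging tool verifies for you; the comparison logic is the same.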
Common Instruction Scenarios
- Post-breach root cause analysis for insurers or regulators
- Employee misconduct or data theft investigations
- HR and employment tribunal support
- Litigation support — civil fraud, IP theft, breach of contract
- Regulatory breach investigation (FCA, ICO, CQC)
- Criminal proceedings support for law enforcement
Deliverables
- Forensic acquisition report with hash verification — proving evidence integrity
- Technical investigation report with timeline, artefacts, and findings
- Expert witness statement ready for court use, prepared to CPR Part 35 for civil proceedings and CrimPR Part 19 for criminal proceedings
- Executive summary your board and legal team can act on immediately
- Preserved evidence package that satisfies courts, insurers, and regulators
Frequently Asked Questions
How quickly can you acquire evidence?
Emergency acquisitions start within hours for active incidents. Standard instructions are scoped and commenced within 24–48 hours. Remote acquisitions using Velociraptor or KAPE are often the fastest starting point.
Does forensic acquisition affect system availability?
Rarely. Remote acquisition tools collect evidence without taking systems offline. Physical imaging requires access to the device or its storage, but live acquisition is standard practice for servers that cannot be shut down; because collecting from a running system changes its state, the tools used and the order of collection are recorded so that their effect on the evidence can be explained.
Can your evidence be used in court?
Yes. Our practitioners are trained to give evidence in court and have done so in criminal and civil proceedings. All work is documented to expert witness standard from the outset — we never back-fit documentation.
Do you work with law enforcement?
Yes. We liaise directly with law enforcement, including Regional Cyber Crime Units (RCCUs) and the NCA, and with Action Fraud for reporting, and provide evidence packages in the formats they require. We also refer matters for criminal investigation where appropriate.
What if data has been deleted or encrypted?
Deleted files can usually be recovered while the storage they occupied has not been reused; where data has been securely wiped, discarded by an SSD after TRIM, or encrypted without a recoverable key, we rely instead on the artefacts left behind (file system journals, logs, registry entries, shadow copies, and backups) to establish what existed and what happened to it. We are transparent about what is and is not recoverable at the scoping stage.