Court-admissible DFIR. Daubert-ready.

Digital incidents become legal proceedings. Our forensic methodology is engineered to produce evidence that survives expert challenge in court — ISO/IEC 27037 acquisition, unbroken chain of custody, scientifically validated techniques, and analyst testimony where required.

Standards and frameworks: ISO/IEC 27037, ISO/IEC 27035, ISO/IEC 27041, NIST SP 800-86, Daubert principles, GDPR Art. 33/34, NIS2 / DORA, SEC Cyber
ACTIVE INCIDENT?

Do not power off systems or delete files. Our emergency response team is available 24/7/365 — contact us immediately to preserve evidence and limit adversary dwell time.

STANDARDS, LAW & REGULATION

Documentation that survives a courtroom.

International Standards

  • ISO/IEC 27037:2012: identification, collection, acquisition, and preservation of digital evidence
  • ISO/IEC 27035-1:2023: incident management principles and structured response process
  • ISO/IEC 27041:2015: assurance for digital evidence investigation methods and tools
  • NIST SP 800-86: integration of forensic techniques into incident response
  • RFC 3227: guidelines for evidence collection, archiving, and order of volatility
  • SWGDE Standards: Scientific Working Group for Digital Evidence best practices

Court & Legal Admissibility

  • Reproducible methodology: peer-reviewed, scientifically validated techniques aligned to Daubert principles, defensible under expert challenge in EU and common-law jurisdictions alike
  • Expert witness capability: qualified to provide testimony in civil, criminal, and regulatory proceedings across jurisdictions
  • Legal hold & preservation notices: drafting support, litigation hold procedures, and e-discovery coordination
  • International tribunal readiness: documentation suitable for ICC, ICSID, and cross-border arbitration proceedings
  • Attorney-client privilege: engagement under privilege where directed by counsel, shielding findings from compelled disclosure

Regulatory Notification

  • GDPR Art. 33 / 34: 72-hour supervisory authority notification and data subject communication support
  • SEC cyber disclosure: material incident determination and 8-K / 10-K factual summary preparation
  • NIS2 / DORA: significant incident reporting to competent authorities and financial regulators
  • HIPAA Breach Rule: 60-day notification preparation and breach risk assessment documentation
  • US state notification laws: multi-jurisdiction compliance mapping for incidents with cross-state impact
  • Direct liaison with internal and external legal counsel throughout all notification timelines and regulator correspondence

EVIDENCE INTEGRITY

Chain of custody, end to end.

Every item of evidence is handled under a documented, auditable protocol from first contact to certified disposal. Designed to withstand adversarial scrutiny by opposing counsel in any jurisdiction.

Acquisition

  • Hardware write-blockers on all physical media: forensic acquisition never modifies source evidence
  • Bit-for-bit forensic imaging using validated, court-accepted tools
  • Dual cryptographic hash verification: SHA-256 (authoritative) and MD5 (retained only for legacy-tool interoperability), computed and recorded at acquisition and at every subsequent transfer
  • Volatile memory acquired before any shutdown, using platform-appropriate acquisition tooling
  • Full acquisition metadata logged: analyst identity, UTC timestamp, hardware identifiers, tool name and version

Custody & Storage

  • Tamper-evident seals and unique evidence reference numbers applied to all physical media immediately upon acquisition
  • AES-256 encrypted evidence containers with access restricted to named analysts; no shared credentials
  • Air-gapped analysis workstations: investigation infrastructure is never connected to client production networks
  • Immutable audit trail: every access, transfer, and analysis action logged with analyst identity and UTC timestamp
  • Physical evidence stored in access-controlled, environmentally monitored secure storage for the duration of the engagement

Verification & Disposition

  • Hash re-verification at each analysis phase confirms that evidence has not been altered since acquisition
  • Working copies used for all analysis; originals are never directly examined
  • Formal evidence receipt and transfer documentation signed by all parties at each handoff
  • Retention schedule defined per engagement agreement or court order; no open-ended storage
  • Certified secure destruction of evidence copies at end of retention, with witnessed destruction certificate provided to client

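The acquisition and verification steps above (dual hashing at acquisition, re-hashing at every transfer and analysis phase, and an audit trail that records analyst and UTC time for every action) are shown below as a small evidence register. This is an added illustration written for this page, not the firm's own tooling; the file contents, evidence reference, analyst names and tool string are constructed placeholders. The audit trail goes one step further than the text and hash-chains each log entry to the previous one, so that an edited or deleted entry is detectable when the chain is recomputed.

```python
"""Evidence register with dual-hash verification and a hash-chained custody log.

Added illustration, not the firm's own tooling. Hash at acquisition, re-hash at
every transfer and analysis phase, and log each action with analyst identity and
a UTC timestamp in an append-only, tamper-evident chain.
"""
import copy
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first custody event in a register

@dataclass
class CustodyEvent:
    timestamp_utc: str
    action: str
    analyst: str
    sha256: str
    md5: str
    ok: bool          # False when the recomputed hashes differ from acquisition
    prev_hash: str    # entry_hash of the preceding event (or GENESIS)
    entry_hash: str   # SHA-256 over prev_hash and this event's fields

@dataclass
class EvidenceItem:
    reference: str
    path: str
    size_bytes: int
    sha256: str       # authoritative digest recorded at acquisition
    md5: str          # retained only for legacy-tool interoperability
    events: list = field(default_factory=list)

def dual_hash_bytes(data):
    """SHA-256 and MD5 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()

def dual_hash_file(path, chunk=1 << 20):
    """Stream a file through both digests so a large image is never loaded whole."""
    h256, hmd5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h256.update(block)
            hmd5.update(block)
    return h256.hexdigest(), hmd5.hexdigest()

def _now_utc():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def _entry_hash(prev_hash, ts, action, analyst, sha256, md5, ok):
    payload = "|".join([prev_hash, ts, action, analyst, sha256, md5, str(ok)])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def _log(item, action, analyst, sha256, md5, ok):
    """Append an event whose hash covers the previous entry; rewriting history breaks the chain."""
    prev = item.events[-1].entry_hash if item.events else GENESIS
    ts = _now_utc()
    item.events.append(CustodyEvent(ts, action, analyst, sha256, md5, ok, prev,
                                    _entry_hash(prev, ts, action, analyst, sha256, md5, ok)))

def acquire(reference, path, analyst, tool):
    """Register an item at acquisition: both hashes, size, analyst, UTC time and tool string."""
    sha256, md5 = dual_hash_file(path)
    item = EvidenceItem(reference, path, os.path.getsize(path), sha256, md5)
    _log(item, "acquire:" + tool, analyst, sha256, md5, True)
    return item

def verify(item, analyst, action="verify"):
    """Re-hash and compare with the acquisition hashes; False if either digest differs."""
    sha256, md5 = dual_hash_file(item.path)
    ok = sha256 == item.sha256 and md5 == item.md5
    _log(item, action, analyst, sha256, md5, ok)
    return ok

def audit_chain_intact(item):
    """Recompute every entry hash from GENESIS; any edited or removed event is detected."""
    prev = GENESIS
    for e in item.events:
        if e.prev_hash != prev or e.entry_hash != _entry_hash(
                prev, e.timestamp_utc, e.action, e.analyst, e.sha256, e.md5, e.ok):
            return False
        prev = e.entry_hash
    return True

def demo():
    """Run the workflow on a constructed file and return the outcomes for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "disk0.dd")
        with open(path, "wb") as fh:
            fh.write(b"CONSTRUCTED-SAMPLE-IMAGE\x00" * 4096)  # constructed, not real evidence
        item = acquire("EV-0001", path, "analyst.a", "hypothetical-imager 1.0")
        # handoff between analysts: hashes recomputed and recorded at the transfer
        transfer_ok = verify(item, "analyst.a->analyst.b", action="transfer")
        with open(path, "r+b") as fh:   # simulate alteration of the copy
            fh.write(b"X")
        after_tamper_ok = verify(item, "analyst.b")
        chain_ok = audit_chain_intact(item)
        edited = copy.deepcopy(item)
        edited.events[0].analyst = "someone.else"  # simulate a rewritten log entry
        chain_ok_after_edit = audit_chain_intact(edited)
    return {"item": item, "transfer_ok": transfer_ok, "after_tamper_ok": after_tamper_ok,
            "chain_ok": chain_ok, "chain_ok_after_edit": chain_ok_after_edit}
```

`demo()` walks the whole sequence: acquisition succeeds, the transfer re-verification passes, the verification after the simulated alteration fails and is logged as such (the failed check is itself part of the record), and a later edit to an earlier log entry is caught by `audit_chain_intact`. In practice the register would be written to storage the analyst cannot modify and the chain head published at each handoff.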
WHAT WE INVESTIGATE

Every incident type, every evidence source.

Incident Types

  • Ransomware & extortion: including double-extortion, ransomware-as-a-service operators, and data leak site negotiation
  • APT / nation-state intrusion: long-dwell, living-off-the-land, supply chain implant, and espionage campaigns
  • Business Email Compromise (BEC): account takeover, wire fraud redirection, and executive impersonation
  • Insider threat & data exfiltration: privileged abuse, intellectual property theft, and sabotage investigations
  • Data breach & unauthorised access: lateral movement mapping and complete scope determination for notification purposes
  • Financial & cryptocurrency fraud: blockchain tracing, transaction forensics, and asset recovery support
  • Industrial & OT incidents: ICS/SCADA impact assessment and evidence preservation in operational technology environments

Forensic Capabilities

  • Memory forensics: live acquisition, malware detection, process and code injection, and rootkit identification
  • Disk & file system forensics: deleted artefact recovery, anti-forensic detection, and deep multi-source timeline reconstruction
  • Cloud forensics: cloud provider audit logs, SaaS platform event analysis, and control-plane investigation
  • Network forensics: full-packet capture analysis, C2 beacon identification, and lateral movement reconstruction from flow and PCAP data
  • Mobile forensics: iOS and Android acquisition (physical, logical, file-system) using validated mobile forensics tooling
  • Malware analysis: static disassembly, dynamic sandbox execution, C2 infrastructure mapping, and detection rule development
  • Threat actor attribution: TTP analysis mapped to MITRE ATT&CK, adversary infrastructure pivoting, and threat intelligence correlation

DELIVERABLES

Reports for engineers, lawyers, and regulators.

Technical Report

  • Complete attack timeline with UTC-anchored events across all evidence sources
  • Confirmed and assessed initial access vector(s)
  • Full lateral movement, privilege escalation, and persistence path reconstruction
  • Scope determination: confirmed affected vs. ruled-out systems and data
  • Structured IOC package: hashes, IPs, domains, and TTPs in STIX 2.1 / MISP format
  • Custom YARA and Sigma detection rules for identified malware families and TTPs
  • MITRE ATT&CK navigator layer with full TTP mapping and threat actor profile

Legal & Regulatory

  • Court-ready evidentiary report with documented methodology, tool validation records, and signed analyst declaration
  • Complete chain of custody log and evidence register for all acquired items
  • Expert witness brief and supporting affidavit prepared upon instruction of counsel
  • Breach scope determination and data subject impact assessment for notification obligations
  • Regulatory notification factual summary (GDPR, SEC, NIS2, HIPAA) suitable for direct submission
  • Forensic examination certificate with cryptographic hash verification record

Executive & Remediation

  • Executive summary: non-technical narrative suitable for board, regulator, and insurer communication
  • Root cause analysis and contributing security control failures
  • Prioritised containment and eradication checklist
  • Strategic remediation roadmap with risk-ranked recommendations to prevent recurrence
  • Post-incident lessons-learned facilitation session with technical and leadership teams
  • Cyber insurance claim support documentation where applicable

HOW WE ENGAGE

Emergency or retainer.

Emergency Engagement

  • Immediate triage: severity assessment and routing to a senior responder within 15 minutes; stakeholder identification and emergency NDA executed within the first hour
  • Out-of-band comms established: encrypted communication channel activated immediately; no incident-related information transmitted via client infrastructure
  • Volatile evidence preservation: immediate guidance on preservation actions; remote or on-site acquisition initiated to capture memory and live state before it degrades
  • Parallel containment guidance: containment recommendations issued concurrently with evidence collection to limit adversary dwell and blast radius without destroying evidence
  • Encrypted status cadence: secure briefings at agreed intervals throughout the incident; no gaps in communication during an active crisis
  • Final delivery & handover: complete technical and legal deliverable package with structured remediation handover and debrief

Retainer Engagement

  • Contractual SLAs: defined acknowledgement, analyst assignment, and on-site response times guaranteed in writing
  • Pre-executed documentation: NDA, engagement letter, and evidence handling agreements signed before any incident occurs
  • Environment familiarisation: asset inventory, crown jewels register, and network architecture reviewed and held in readiness prior to any incident
  • Annual tabletop exercise: IR simulation included; validates playbooks and stakeholder readiness against realistic threat scenarios
  • Priority queuing: retainer clients are always mobilised ahead of ad-hoc engagements during surge conditions
  • Unused hours credit: unconsumed retainer hours roll over or credit future engagements per contract terms