Computer and Mobile Forensics – Digital Forensics

Our services are designed to conduct thorough workplace investigations. We are a leading name in computer and mobile forensics. Below are the details of our services:


It is a highly technical discipline requiring a combination of unique skills relating to computer technology and software, an investigative mind and experience in law enforcement as well strict handling methods and judgment. Digital Forensics follows the electronic trail, a critical component, allowing all the pieces of the puzzle to be put together.

In recent years, there has been a massive rise in computer and Internet-related crime.

How can we help you?

CEO, Directors, HR Managers, legal counsels are often not aware of the information available on computer systems or the resources at their disposal to capture this information.

Although recovering digital evidence is part of a routine police investigation, many companies and organisations use Computer Forensics Experts to investigate incidents such as inappropriate computer use, inappropriate email use, unauthorised data duplication or disloyal employees. Choosing the right Exert is critical in order to keep evidence that can be used in Court. An impartial third party is the best forensic expert. Internal IT staff may think they have necessary technical skills to perform and investigation, however, proper evidence handling, investigative credibility and impartiality often make the difference in court.

Digital Forensics can help you to:

  • Discover evidence
  • Recover loss of data
  • Analyse the data
  • Produce a full report for use in mediation or in Court
Our team likes to say that ” if the information exists, we will find it!” and then produce it for inclusion as evidence. Our experts have years of experience in recovering data from a large number of devices, many of which are in a poor condition or damaged.

We use the same methods and investigative tools as law enforcement agencies to locate and reconstruct each file or fragment while preserving the integrity of electronic evidence.

How can we help you?

We can recover electronic evidence during a computer forensic investigation from the following types of devices:

Hard drives
Backup storage media/USB memory cards
Web servers
Internet/intranet sites
Smart phones/Blackberries
SD cards and other camera type memory cards
Tape media

The law specifies that should evidence be collected the wrong way or handled incorrectly, it may not be admissible in court, rendering the evidence worthless. In every case where evidence is contained on some form of electronic storage media it is important to seek advice from a Computer Forensic Expert first.

We investigate on the following devices:

Mobile Phones
USB Memory Cards
SD Cards and Other Camera Type Memory Cards
Tape media

  • Investigating managers or staff who have acted inappropriately.
  • Employees communicating with the competition
  • Employees who have set up their own business in competition with their employer whilst still in employment with that company.
  • Copy of trade secrets or other sensitive information,

With internet use pervading more aspects of our everyday life, there are increasing instances of breaches of confidentiality, intellectual property or other aspects of the employment contract.

How Can we help you?

With appropriate authority, we can forensically image staff computers, covertly if necessary, and investigate and reveal what is occurring. We are able to:

  • Recover deliberately deleted documents, databases, emails, or text messages
  • Prove an employee or associate or another party accessed the computer and what they did during each session
  • Identify files downloaded or copied to a USB key, external drive or emailed,Information leaks to competitors, suppliers, the media or others
  • Analyse mobile phones to identify call history, deliberately deleted text messages, emails, images & recordings
  • Uncover internet activity and those websites visited, determine the level of activity with social networking sites such as Facebook, Twitter, blogging, etc.
  • Locate spyware monitoring programs left behind by past employees or network administrators
  • Prove fraud, misconduct or improper activity: email abuse, Internet misuse ( like child pornography, illegal downloading, gambling…)
  • Discover the real identity of those behind threatening or anonymous emails
  • Uncover malicious campaigns and identify those behind
The difference between success and failure in a fraud investigation is good management. A fraud investigation project has to be planned and managed. IT’S A BIT LIKE FIGHTING A WAR with an unknown enemy and request constant change of tactics.

Collecting Data

Electronic evidence plays a crucial role in corporate crime investigation. The proper handling of such volatile evidence can be the key factor in stopping a fraud and recovering losses. Experienced Computer Forensic experts can ensure the integrity of the data and the analysis tools can recover information that appeared lost or deleted. The computer forensic part of a fraud investigation involves searching and/or recovering documents such as invoices, statements, order forms, spreadsheets and databases.  E-mails can be a good source of information and can contain information concerning contact between fraudsters, the passing of information such as credit card and bank account details.

The initial stage of a Digital Forensics Investigation is the capturing of the data. Information can be obtained from servers, workstations, laptops, usb keys, mobile phones and other handheld devices.  The collection of data should be carried out by a trained and experienced person, in a manner which does not allow the original data to be altered in any way. The process of capturing the data in such a secure manner is known as ‘acquisition’ or ‘imaging’.  It allows the investigator a view of the contents of the computer including those areas that would not normally be visible to a user. This is known as a forensic image.

These tools also allow the investigator to view the content of the images, conduct searches and potentially retrieve hidden and deleted data such as social networking chat logs that  can show communication between culprits via instant messaging or ‘Chat’ on websites such as ‘Facebook’. Additionally, a record of the Internet history can provide information that would be very useful for example:  the Internet history on a suspect computer has entries referring to various online banking websites could indicate that a user has been visiting accounts of their targets.


No-one should do a major fraud investigation these days without sophisticated computer support. Every document collected in the course of the investigation must be summarised under a number of key headings – author, recipient, date, brief description, other parties named, when seized, how seized, location etc. It is a serious mistake in a major fraud investigation to delay introducing the computer classification of documents.

It is a simple process nowadays to create an email address. Since no authentication of the creator ever takes place, it is very easy to create an email address under a false name or identity. Millions of emails are exchanged and deleted every day. Deleted emails can often be recovered, even if intentionally erased, and metadata, such as email addresses, time stamps and can be useful in an investigation.


Company emails

Email clients and servers are often saved on database applications, with documents, contacts, time managers, calendars, backups and many other features, all of which might be accessed forensically. Digital Forensics can help you to recover email evidence from computers, email & webmail servers, from smartphones, tablets….



It is possible to forensically recover emails created or received by web-based email systems (like Hotmail, Gmail, Yahoo Mail, even Outlook Web Access…). These types of mail systems use a browser to interface with the email server, which caches information to the disk and saving a copy on the disk. These webmail services also have calendar services, contact managers…Anytime these services are accessed, they may be cached to the disk as well.

Tracking the IP address

In most cases we will identify the IP address of the sender’s computer, the sender’s location, and the Internet service (or ISP) for the IP address.
Reports for email abuse — such as spam, email-borne viruses and email threats – can then be directed to the sender’s ISP who can be identifies once we have the actual IP address. But sometimes more tests and investigation are required to find the true IP address.

Having a digital forensics practitioner conduct these types of investigations is essential, as these types of investigations can become a criminal matter and mishandling of the evidence could become a critical factor in the case of a prosecution.

Hackers are people who try to gain unauthorised access to your computer. This is normally done through the use of a ‘backdoor’ program installed on your machine. A hacker can see everything you are doing, can access any file on your disk, can write, delete, edit files, and could install several programs on to your system without your knowledge that could also be used to steal personal information such as passwords and credit card information.

Internal or External Attacks on a Company Network

External attacks: the intruder has no privileges on the network or access from outside the network perimeter (usually the firewall). External attacks can be made against the internal network, using the target’s own computers. This is often done with the active or passive collusion of staff.

Internal Attacks: the intruder has legitimate privileges on the target network. Access is obtained using existing privileges, privileges the intruder has extended without permission, or stolen from other users. The objective is to gain access to data and resources to which the intruder is not authorised.

Internal attacks are typically far more common than external ones.

How can you become a victim of a Cyber attack?

• via a virus attack: An insider activates a “Trojan Horse” program, intentionally or unintentionally, that opens access to their network.

• via a staff member being compromised: theft or unauthorised access by threatening or subverting an employee; via IT personnel who are most likely to have high-level computer security privileges; via Non-IT staff with high-level privileges through hacking, persuasion, bribery, threats or just theft.

Low security on networks: Some systems are not given sufficient protection and can be compromised by intruders without high level privileges or with weak, stolen or lost credentials; or compromise of remote access systems; or Wireless: some Wi-Fi are cheaply set up on networks by users without the knowledge of IT staff.

Third-party: the attacker hacks an individual known to have access to the target’s systems. For instance an IT consultant.

The company premises: directly entering the company office.

Be Aware!

IT staff and employees should pay attention to any changes in their computer or network behaviour. It could be a sign of hacking like:

any disturbance on the network i.e. unexplained system failures (“crashes) or low performance; : unauthorised system access or user account requests; activity on dormant user accounts; change in log files; deleted files, firewall, router and intrusion detection systems; deterioration in performance.

disturbance on a staff computer : unexplained access to users’ e-mail accounts, Repeated lock-outs, unexplained modifications to users’ personal file storage,

Suspicious staff behaviour:  increase in helpdesk password change requests, forbidden internet website access.

Suspicious Internet browsing activity : corruption of data or new windows unexpectedly popping up; anti-virus/anti-malware alerts on multiple computers

How to prevent as much as possible cyber attacks while preserving forensic material that we can use for the investigation?

Install good Antivirus/Anti-spyware software and keep software up-to-date

• have a strict policy of “privilege” across your network.

• Teach staff out to use complex passwords. Explain to them the importance of proper password procedures.

Use Wireless technology with care. Perform regular sweeps to identify rogue wireless connections on your network. of both internal and external systems

Hire a hacker! (an IT consultant to check if he can get in! )

Prohibit unauthorised software on your computer systems

• Have in place a file integrity checking systems, perform regular scans

Maintain a knowledge base in event of an attack: a list of security websites, the phone numbers of incident response specialists (like our contact number!), locations of key log files, document all network and computer behaviour daily.

What to do in case of a cyber attack?  

while preserving data so we are able to create a forensic image for investigation

Identify and secure affected systems and the point of intrusion and close it off, assess the loss or corruption, check security status on all computers- if necessary by powering systems down; sweep affected systems for backdoor software or root kits.

Preserve all key log files on computers, firewalls and other network devices: they will be very useful for a Digital Forensic Expert to find the intruder.

Change all passwords and other access, replace all certificates; disable any user accounts suspected of hacking

Increase physical security measures, no access to offices to external people

and Contact Us!

Cyber stalking, cyber bullying, false posts, defamation, copyright theft, passing off and IP theft are just some of the areas that fall under this type of investigation.

Some Internet-based investigations are more complex as the website may be based offshore in the Cloud overseas. However, advice and assistance is available to determine what can be done towards completing an investigation.

Family Law investigations that Digital Forensics carries out can be related to:

Infidelity matters
Evidence of hidden assets on separation
Inappropriate behaviour or content
Identification of Digital photos

 Expert Witness is an expert, who, through education, training, skills and experience, has expertise and knowledge in a particular subject beyond that of the average person, sufficient that others may officially and legally rely upon the witness’s specialised (scientific, technical or other) opinion about an evidence or fact issued within the scope of their expertise, referred to as the expert opinion. Expert witnesses may be asked to write a report or called to give evidence in civil and criminal courts, tribunals, arbitrations and mediations.

An Expert Witness is required to be independent and address his or her expert report to the court. A witness may be jointly instructed by both sides if the parties agree to this, especially in cases where the liability is relatively small. Expert witnesses are usually instructed to produce a joint statement detailing points of agreement and disagreement to assist the court or tribunal. The meeting is held quite independently of instructing lawyers, and often assists in resolution of a case, especially if the experts review and modify their opinions.

To be effective as a digital forensic professional a person must not only be highly competent when it comes to the capturing, preservation and analysis of computer based evidence. They must also be able to use the most appropriate language to impart the complex IT concepts and methodologies in a court so that the jury can make an informed decision.

Digital Forensics Experts have many years’ experience with cases in a wide range of areas including:

Theft and fraud, including intellectual property theft
Sexual offences, including cases that involve indecent images
Drug related offences
Murder and assault
Matrimonial ancillary relief

Our expert witnesses are Post Graduate qualified, have experience of High, Crown, Magistrates and Tribunal Court and have experience of dealing with a wide range of clients.

An Anton Piller order is a court order that provides the right to search premises and seize evidence without prior warning. This prevents destruction of relevant evidence. Anton Piller orders are referred to as “‘search orders’”. The order also assists a plaintiff to quickly discover infringing items. Information seized might form evidence in an action or proposed action against the defendant.

In some cases it may be necessary in an investigation to use the Force of the Law to obtain evidence in support of your case.

How is an Anton Piller order obtained?

The plaintiff must meet 3 criteria:

– There must be an extremely strong prima facie case against the defendant

– The potential or actual damage to the plaintiff must be very serious,

– There must be clear evidence that the defendants have incriminating documents or things in their possession, and there is a real possibility that they may destroy such material if they were to become aware of the plaintiff’s application.


Because the defendant is not in court to argue against the granting of the order, the plaintiff must disclose all known material facts or facts that would have been discovered by proper enquiries.

Further information on Anton Piller Orders and Search Warrants is available from your legal practitioner. However, we can provide non-legal advice in regard to Anton Piller Orders and Search Warrants.