A firm suspected a senior employee had taken confidential client and design files to a competitor shortly before resigning. Through their solicitor, they asked us to forensically examine the company laptop he’d handed back. Working to court standards — write-blocked imaging, verified hashes and a documented chain of custody — we recovered deleted files and built a timeline of what was copied to USB and when, and set it all out in an evidential report.
A company came to us, through their solicitor, with a concern familiar to a lot of businesses: a senior employee had resigned to join a competitor, and there were signs he may have taken confidential material with him — client lists, pricing, and design files — deleting traces from his company laptop before returning it. They needed to know, reliably and defensibly, whether that had happened. Two things made this a legitimate forensic instruction: the laptop was the company’s own device, issued to the employee for work, so the business had the authority to examine it; and it came through the proper legal channel, with the investigation aimed at a potential civil claim. We confirm authority and the basis for any examination before we begin — forensic work is for legitimate, authorised investigations, not for accessing devices or accounts someone isn’t entitled to.
Recovering data so it can be relied on as evidence is a different discipline from simply getting files back. Evidence has to be demonstrably authentic and unaltered, or it’s worthless in a tribunal or court — so the work follows established digital-forensics principles. In practice that means three things run through the whole job: nothing on the original is changed; every step is documented so the process can be explained and repeated by another examiner; and the findings are reported objectively, showing whatever the evidence shows — including, in some cases, that nothing improper happened. The goal isn’t to prove a theory; it’s to establish the facts in a way that stands up to scrutiny.
The first step was preservation. The laptop’s drive was imaged through a hardware write blocker, which makes it physically impossible to alter the original while it’s read, producing a bit-for-bit forensic image. At acquisition a cryptographic hash (SHA-256) of the drive was calculated and then re-verified against the image — a digital fingerprint that proves the copy is identical to the original and that nothing has changed since. Every movement of the device was recorded in a chain-of-custody log: who received it, when, how it was stored and handled, from the moment it arrived to its return. All examination was then carried out on the verified image, never the laptop itself — the foundation that lets the findings be trusted.
With a sound image, the analysis could begin. Deleted files were recovered — deletion only unlinks a file until its space is reused, so a great deal of what had been ‘removed’ was still present and was carved back, including confidential documents and design files. Beyond the files themselves, Windows keeps a rich set of forensic artifacts that record activity, and these were examined to reconstruct events: USB device history (Windows logs every storage device connected, with identifiers and timestamps), file-access traces (shortcut/LNK files, jump lists and recent-item records showing which files were opened and from where), timestamps from the file system (creation, modification and access times), and traces of cloud-sync and webmail use. Individually each is a fragment; together they build a timeline.
The artifacts were correlated into a clear sequence of events: which confidential files were accessed in the employee’s final days, that an external USB drive was connected during that window, that files were copied to it, and that deletions followed shortly before the laptop was returned — each point tied to a timestamp and to the underlying evidence. This was set out in a formal forensic report written for a non-technical legal audience: the methodology used, the findings, the supporting exhibits, and the limits of what could and couldn’t be determined, prepared to a standard suitable for court and capable of being supported by an expert statement. The recovered data and the report were delivered securely to the instructing solicitor, giving the company a factual, defensible basis on which to take advice and decide their next step.
Write-blocked forensic imaging with SHA-256 hash verification · documented chain of custody · deleted-file recovery · analysis of USB device history, LNK/jump-list and recent-item artifacts, file-system timestamps and cloud/webmail traces · timeline reconstruction · court-standard evidential report. Confidential handling, all work in-house at our Belfast lab.
For legitimate, authorised investigations — suspected data theft, employee misconduct, insurance or dispute matters — we provide forensic imaging, deleted-data recovery and evidential reporting to court standards, with full chain of custody. Get in touch for a confidential, no-obligation discussion; we’ll confirm scope and put a fixed price in writing. Forensic work for businesses and solicitors across the UK.
Often, yes, when the device is the company’s own and the investigation is properly authorised. By forensically imaging the machine and analysing deleted files alongside artifacts like USB connection history, file-access records and timestamps, it’s frequently possible to establish what was accessed, copied or deleted and when — and to report it in a form that stands up as evidence. We confirm authority before undertaking any examination.
That’s the point of doing it forensically. The original is preserved unaltered behind a write blocker, the image is hash-verified to prove it’s identical, a chain of custody is documented, and the findings are reported objectively with their methodology and limits — the standards that allow evidence to be relied on and supported by an expert statement. Recovery done without these safeguards generally can’t.
Only where there’s a legitimate right to — typically a company’s own equipment, or devices covered by a proper legal instruction. We confirm ownership and authority before starting, handle everything confidentially, and are ICO-registered and GDPR-compliant. We won’t access devices or accounts that someone isn’t entitled to investigate.