← All case files // case file · Forensic

Investigating a departing employee’s company laptop.

A firm suspected a senior employee had taken confidential client and design files to a competitor shortly before resigning. Through their solicitor, they asked us to forensically examine the company laptop he’d handed back. Working to court standards — write-blocked imaging, verified hashes and a documented chain of custody — we recovered deleted files and built a timeline of what was copied to USB and when, and set it all out in an evidential report.

DeviceCompany laptop · NTFS / Windows
ScopeDeleted data & exfiltration timeline
AuthorityCompany-owned · via solicitor
TurnaroundReport in 7 days
OutcomeEvidential report delivered

The situation

A company came to us, through their solicitor, with a concern familiar to a lot of businesses: a senior employee had resigned to join a competitor, and there were signs he may have taken confidential material with him — client lists, pricing, and design files — deleting traces from his company laptop before returning it. They needed to know, reliably and defensibly, whether that had happened. Two things made this a legitimate forensic instruction: the laptop was the company’s own device, issued to the employee for work, so the business had the authority to examine it; and it came through the proper legal channel, with the investigation aimed at a potential civil claim. We confirm authority and the basis for any examination before we begin — forensic work is for legitimate, authorised investigations, not for accessing devices or accounts someone isn’t entitled to.

Why forensic recovery is different from ordinary recovery

Recovering data so it can be relied on as evidence is a different discipline from simply getting files back. Evidence has to be demonstrably authentic and unaltered, or it’s worthless in a tribunal or court — so the work follows established digital-forensics principles. In practice that means three things run through the whole job: nothing on the original is changed; every step is documented so the process can be explained and repeated by another examiner; and the findings are reported objectively, showing whatever the evidence shows — including, in some cases, that nothing improper happened. The goal isn’t to prove a theory; it’s to establish the facts in a way that stands up to scrutiny.

Preserving the evidence: imaging and chain of custody

The first step was preservation. The laptop’s drive was imaged through a hardware write blocker, which makes it physically impossible to alter the original while it’s read, producing a bit-for-bit forensic image. At acquisition a cryptographic hash (SHA-256) of the drive was calculated and then re-verified against the image — a digital fingerprint that proves the copy is identical to the original and that nothing has changed since. Every movement of the device was recorded in a chain-of-custody log: who received it, when, how it was stored and handled, from the moment it arrived to its return. All examination was then carried out on the verified image, never the laptop itself — the foundation that lets the findings be trusted.

Recovering deleted data and reading the artifacts

With a sound image, the analysis could begin. Deleted files were recovered — deletion only unlinks a file until its space is reused, so a great deal of what had been ‘removed’ was still present and was carved back, including confidential documents and design files. Beyond the files themselves, Windows keeps a rich set of forensic artifacts that record activity, and these were examined to reconstruct events: USB device history (Windows logs every storage device connected, with identifiers and timestamps), file-access traces (shortcut/LNK files, jump lists and recent-item records showing which files were opened and from where), timestamps from the file system (creation, modification and access times), and traces of cloud-sync and webmail use. Individually each is a fragment; together they build a timeline.

Building the timeline and reporting the findings

The artifacts were correlated into a clear sequence of events: which confidential files were accessed in the employee’s final days, that an external USB drive was connected during that window, that files were copied to it, and that deletions followed shortly before the laptop was returned — each point tied to a timestamp and to the underlying evidence. This was set out in a formal forensic report written for a non-technical legal audience: the methodology used, the findings, the supporting exhibits, and the limits of what could and couldn’t be determined, prepared to a standard suitable for court and capable of being supported by an expert statement. The recovered data and the report were delivered securely to the instructing solicitor, giving the company a factual, defensible basis on which to take advice and decide their next step.

Tools & techniques on this job

Write-blocked forensic imaging with SHA-256 hash verification · documented chain of custody · deleted-file recovery · analysis of USB device history, LNK/jump-list and recent-item artifacts, file-system timestamps and cloud/webmail traces · timeline reconstruction · court-standard evidential report. Confidential handling, all work in-house at our Belfast lab.

Need a device examined for an investigation?

For legitimate, authorised investigations — suspected data theft, employee misconduct, insurance or dispute matters — we provide forensic imaging, deleted-data recovery and evidential reporting to court standards, with full chain of custody. Get in touch for a confidential, no-obligation discussion; we’ll confirm scope and put a fixed price in writing. Forensic work for businesses and solicitors across the UK.

Common questions

Can you find out if an ex-employee took company data?

Often, yes, when the device is the company’s own and the investigation is properly authorised. By forensically imaging the machine and analysing deleted files alongside artifacts like USB connection history, file-access records and timestamps, it’s frequently possible to establish what was accessed, copied or deleted and when — and to report it in a form that stands up as evidence. We confirm authority before undertaking any examination.

Will the findings hold up in court or a tribunal?

That’s the point of doing it forensically. The original is preserved unaltered behind a write blocker, the image is hash-verified to prove it’s identical, a chain of custody is documented, and the findings are reported objectively with their methodology and limits — the standards that allow evidence to be relied on and supported by an expert statement. Recovery done without these safeguards generally can’t.

Whose devices can you examine?

Only where there’s a legitimate right to — typically a company’s own equipment, or devices covered by a proper legal instruction. We confirm ownership and authority before starting, handle everything confidentially, and are ICO-registered and GDPR-compliant. We won’t access devices or accounts that someone isn’t entitled to investigate.

Call us — 028 9002 0144
Mon–Fri · 9am–5:30pm · No fix, no fee
Start a free diagnostic →
028 9002 0144