The Evidence That Proves What Happened, and Who Did It
Court-admissible forensic investigation for cyber breaches, ransomware attacks, insider threats, and data theft, integrated with our incident response capability from a single CREST-accredited team. If you have a confirmed or suspected incident, call us before your IT team touches the affected systems.
Digital Forensics for Breaches, Insider Threats, and Legal Disputes
Cyber Breach Investigation
Your security team or MSSP has confirmed a breach. Systems may be compromised, data may have been exfiltrated. You have 72 hours before your ICO notification decision and your insurer needs a forensic report.
We mobilise within 24 hours, preserve evidence before it is overwritten, and deliver a court-admissible forensic report identifying root cause, lateral movement, and data exposure scope.
Insider Threat Investigation
An employee has left with company data, a contractor has exceeded their access permissions, or you suspect a member of staff is stealing client records. Your legal team needs forensic evidence for Employment Tribunal proceedings or an emergency injunction.
We image work devices, extract file access and USB history, and analyse email export and cloud sync activity. Report delivered within 72 hours for urgent legal proceedings.
Ransomware and Data Extortion
Your systems are encrypted. The attackers are threatening to publish stolen data. Before you pay, negotiate, or restore from backup, you need to know: what did they take, what backdoors did they leave, and is your backup environment clean?
We answer those questions forensically, preserving evidence for your insurance claim, identifying persistence mechanisms before you restore, and establishing the full scope of the breach.
If You Suspect a Breach: Read This First
Do not reboot affected systems. Do not restore from backup before imaging. Contact us first for immediate evidence preservation guidance, at no charge. The most expensive mistake in digital forensics is not the investigation; it is the four hours before the investigators arrive.
“A UK professional services firm engaged us after discovering that a departing head of sales had copied 11,000 client records to a personal USB drive on his final day. Within 24 hours we had forensic images of his workstation and laptop. Within 72 hours we had produced a 47-page forensic report documenting every file access event, USB connection timestamp, and cloud sync activity from the preceding 30 days. The client's legal team used the report to obtain an emergency injunction preventing the ex-employee from sharing the data with his new employer.”
Professional services firm, 300 employees
Forensic Methodology: Court-Grade Evidence
Rigorous evidence collection and analysis following NIST SP 800-86 guidelines for computer security incident handling. Every step is documented for court admissibility.
Forensically Sound Evidence Collection
We acquire bit-for-bit forensic images of hard drives, memory dumps, and cloud workloads using write-blockers and cryptographic hashing to ensure evidence admissibility in court or regulatory proceedings.
Timeline Reconstruction
Building a definitive timeline of attacker activity from initial compromise to data exfiltration. We correlate events across endpoints, servers, cloud logs, and network traffic to answer: Who? What? When? Where? How?
Memory Forensics and Malware Analysis
Analysing RAM dumps to recover fileless malware, decrypted passwords stored in memory, and evidence of process injection or rootkits that leave no trace on disk.
Data Recovery and Carving
Recovering deleted files, analysing unallocated disk space, and carving fragmented data to identify what attackers accessed, exfiltrated, or attempted to destroy. File carving recovers fragments even when file system metadata has been overwritten.
Court-Admissible Reporting
Detailed forensic reports with chain-of-custody documentation, cryptographic hashes (MD5 + SHA-256), and expert witness testimony available for legal proceedings, regulatory investigations, and insurance claims. Every piece of evidence is cryptographically hashed at acquisition and re-verified before analysis. If opposing counsel challenges evidence integrity, we produce the original acquisition hash alongside the analysis copy hash to prove zero modification.
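The hash-at-acquisition and re-verify-before-analysis check described above can be sketched as follows. This is an added example, not Precursor Security's tooling or code from this page; the record fields, item ID, examiner name and sample bytes are constructed assumptions.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large image is never held in RAM


def hash_stream(stream):
    """One pass over the stream; returns (md5_hex, sha256_hex, byte_count)."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    for block in iter(lambda: stream.read(CHUNK), b""):
        md5.update(block)
        sha256.update(block)
        size += len(block)
    return md5.hexdigest(), sha256.hexdigest(), size


def acquisition_record(item_id, stream, examiner):
    """Chain-of-custody entry written once, at the moment of imaging."""
    md5, sha256, size = hash_stream(stream)
    return {"item_id": item_id, "examiner": examiner,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "size": size, "md5": md5, "sha256": sha256}


def verify_copy(record, stream):
    """Re-hash a working copy and name every field that differs from acquisition."""
    md5, sha256, size = hash_stream(stream)
    observed = {"size": size, "md5": md5, "sha256": sha256}
    mismatches = [k for k, v in observed.items() if record[k] != v]
    return {"item_id": record["item_id"], "verified": not mismatches,
            "mismatches": mismatches, "observed": observed}


# Constructed sample standing in for a disk image (not real evidence).
SAMPLE_IMAGE = b"\x00" * 4096 + b"constructed evidence sample" + b"\xff" * 4096

if __name__ == "__main__":
    rec = acquisition_record("ITEM-001", io.BytesIO(SAMPLE_IMAGE), "examiner-a")
    print(verify_copy(rec, io.BytesIO(SAMPLE_IMAGE)))      # identical working copy
    altered = bytearray(SAMPLE_IMAGE)
    altered[100] ^= 0x01                                   # a single flipped bit
    print(verify_copy(rec, io.BytesIO(bytes(altered))))    # both digests differ
```

Recording the byte count alongside both digests lets a truncated copy be distinguished from an altered one of the same length.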
Your Forensic Investigation Delivers
No-obligation scoping call to confirm the right investigation approach for your situation. All discussions are confidential.
From Evidence Collection to Expert Testimony
The four phases of a forensic investigation, with indicative timelines.
Evidence Identification and Preservation
0-4 hours: Identifying all systems potentially compromised and creating forensic images before evidence is lost. Chain-of-custody begins immediately to maintain evidence integrity for legal proceedings.
Forensic Analysis
1-5 days: Deep analysis of disk images, memory dumps, log files, and network captures. We use EnCase, FTK, Volatility, and custom scripts to extract artifacts: registry keys, browser history, email fragments, and malware samples.
Timeline and Attribution
2-7 days: Correlating thousands of timestamps to build a second-by-second timeline of the breach. We identify initial access vectors, lateral movement paths, data staging locations, and exfiltration methods.
Expert Reporting and Testimony
1-3 weeks total: Comprehensive forensic report documenting findings, methodology, and evidence. Our forensic analysts are available to provide expert witness testimony in court or regulatory hearings.
Cyber Security and Digital Forensics from a Single CREST-Accredited Team
Digital forensics does not begin after incident response ends; it runs in parallel from the moment we engage. Our cyber forensics and incident response teams operate under a single command structure. Containment decisions are made with evidence preservation as a co-equal priority.
Related Incident Response Services
Digital forensics investigation is one component of our full incident response capability.
Post-Incident Hardening
After forensic investigation, our offensive team assesses the vulnerabilities that enabled the breach and tests your hardened environment to confirm the gaps are closed. We also provide managed detection and response for ongoing post-incident monitoring, and threat hunting to identify residual attacker presence.
Penetration Testing Services
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
Ready to Find Out What Actually Happened?
Book a confidential scoping call with our forensic analysts. We will assess the evidence available, recommend the right investigation approach, and deliver a fixed-price quote within 24 hours.
Digital Forensics: Common Questions
Pricing, timelines, evidence handling, and what to expect from a forensic investigation.
Incident response focuses on containing and eradicating a threat to restore normal operations as quickly as possible. Digital forensics runs in parallel, focused on preserving and analysing evidence to establish what happened, what data was compromised, and who was responsible. In most breach scenarios both are required: incident response to stop the attack, digital forensics to produce the evidence needed for regulatory notifications, insurance claims, and legal proceedings. Precursor Security delivers both under a single engagement, preventing the evidence-destruction conflicts that arise when separate firms handle each discipline.
Digital forensics investigations in the UK typically range from £6,000 to £25,000+ depending on scope. A single-system investigation costs £6,000-£8,000. Multi-system breach investigations involving 10+ endpoints, servers, and cloud logs cost £12,000-£20,000+. Emergency on-site evidence preservation starts from £3,500 for rapid 24-48 hour response. Expert witness testimony is billed separately at £2,000-£3,000 per day. All work is quoted on a fixed-price basis after initial scoping. Precursor Security provides indicative pricing in the initial consultation call.
Yes. Insider threat investigations are a core part of our digital forensics workload. We image the suspect employee's work devices, extract USB connection history, analyse email exports and cloud sync activity, and recover deleted files to establish exactly what data was accessed, copied, or transmitted. The resulting forensic report includes timestamped evidence of each action, suitable for Employment Tribunal proceedings, High Court injunctions, or civil litigation. We can mobilise within 24 hours. In time-critical cases, for example where a departing employee will have unsupervised access to personal devices over a weekend, call us directly rather than using the contact form.
Digital forensics investigations typically range from £6,000 to £20,000+ depending on evidence volume, case complexity, and urgency. A single-endpoint investigation averages £6,000-£8,000 including forensic imaging, timeline reconstruction, and detailed reporting. Multi-system breach investigations typically cost £12,000-£20,000+. Emergency triage and evidence preservation starts from £3,500. Complex investigations involving memory forensics, malware reverse engineering, or encrypted systems typically cost £15,000-£25,000. Expert witness testimony is billed separately at £2,000-£3,000 per day. All forensic analysis is billed on a fixed-price basis after initial scoping.
While IT teams can preserve basic evidence, professional forensics requires specialised skills and tools IT departments typically lack: (1) Forensic imaging requires write-blockers and cryptographic hashing to ensure evidence admissibility in court. Copying files normally modifies timestamps and metadata, rendering evidence inadmissible. (2) IT teams often inadvertently destroy evidence by rebooting systems, running antivirus scans, or restoring from backups before imaging. (3) Timeline reconstruction requires correlating thousands of artifacts using specialised tools such as EnCase, FTK, and Volatility that IT teams typically do not have. (4) IT teams are often subjects of investigation in insider threat cases. Most organisations use IT for initial containment and external forensic specialists for evidence-grade investigation.
While uncommon with proper evidence preservation, some investigations yield limited findings due to evidence destruction, advanced anti-forensics techniques, or insufficient pre-incident logging. However, even when root cause is inconclusive, investigations provide value: we identify what systems were accessed, determine data exposure scope for GDPR reporting, eliminate false theories, and recommend forensic readiness improvements. In 90%+ of cases with proper evidence preservation, we establish root cause and attack timeline. If evidence was destroyed before we arrived, we clearly document what is unknowable versus what we determined.
Evidence integrity is protected by rigorous forensic methodology and certifications: (1) All evidence acquisition uses hardware write-blockers preventing any modification to original media. We create bit-for-bit copies and analyse those copies, never the original. (2) Every evidence item is cryptographically hashed with MD5 and SHA-256 immediately upon collection and verified before analysis to prove integrity. (3) Complete chain-of-custody documentation tracks every person who handled evidence, when, and why, meeting court admissibility standards. (4) We use forensically sound tools that are court-tested and accepted by law enforcement and judiciary. All procedures follow NIST SP 800-86 guidelines.
Yes. Our reports are produced by analysts following NIST SP 800-86 methodology with documented chain-of-custody and cryptographic hash verification. This is the standard cyber insurers require for breach claims. Insurer-commissioned investigations are a significant portion of our workload. If your insurer has specific reporting requirements, share them during scoping and we will ensure the report format meets their standards.
Digital forensics investigation is the process of collecting, preserving, analysing, and presenting digital evidence from computers, servers, mobile devices, and cloud environments to determine how a cyber incident occurred, what data was compromised, and who was responsible. The methodology ensures evidence is admissible in court.
Digital forensics is required for: cyber breach investigations, ransomware attacks, insider threat investigations, data theft incidents, regulatory compliance such as GDPR breach notification, insurance claims, and legal disputes involving electronic evidence.
Minimal disruption. We typically create forensic images of affected systems and perform all analysis offline in our lab. Critical servers can be analysed using live forensics techniques that do not require downtime.
Timelines vary based on scope. Emergency triage takes 24-48 hours. Complete forensic investigation with detailed timeline reconstruction typically takes 1-3 weeks depending on the number of systems and complexity of the attack.
Often, yes. Deleted files remain on disk in unallocated space until overwritten. We use file carving techniques to recover fragments even when file system metadata has been destroyed. However, if the drive has been securely wiped or encrypted, recovery may not be possible.
Yes. We follow strict forensic procedures including cryptographic hashing of all evidence, documented chain-of-custody, and use of forensically sound tools. Our analysts can provide expert witness testimony.
Sometimes. We can determine the attacker's tools, techniques, and procedures, and identify IP addresses, email accounts, and cryptocurrency wallets used. However, attributing cyber attacks to specific individuals or nation-states requires intelligence correlation and is often inconclusive without law enforcement involvement.



