Digital Forensics FAQ

Digital forensics is the process of identifying, preserving, analysing and reporting on digital evidence from devices and online systems. This can include mobile phones, computers, laptops, tablets, USB drives, memory cards, cloud accounts, email systems, CCTV systems and online platforms. The aim is to examine data in a reliable, structured and explainable way.

Digital evidence can include:

• Text messages and instant messages
• WhatsApp, Messenger, Signal, Telegram and other chat data
• Call logs and contact records
• Emails and attachments
• Photos and videos
• Deleted files and deleted messages
• Internet history
• Location data
• App usage records
• Documents and spreadsheets
• USB activity
• File metadata
• System logs
• Cloud account activity
• Social media evidence
• CCTV and image files
• Cyber incident artefacts

Digital forensic services are used by solicitors, businesses, HR teams, compliance teams, private individuals, insurers, investigators, security teams, local authorities, enforcement professionals and victims of cybercrime. Digital forensics is not only for criminal cases. It is often used in workplace disputes, civil matters, fraud reviews, harassment cases, data breaches, insurance claims and commercial disputes.

We are based in London and can assist clients across the UK depending on the nature of the matter. Some cases can be handled remotely, while others may require secure device handling, collection or in-person arrangements.

Digital evidence can potentially be used in court if it has been collected, preserved, analysed and reported properly. The key issue is integrity. Evidence should be handled in a way that avoids alteration, contamination or uncertainty about its source.

A forensic report is a structured document that explains the findings of a digital investigation. It may include the purpose of the examination, devices or data reviewed, methods used, relevant findings, screenshots, timelines, metadata, limitations, conclusions and recommended next steps.

In some cases, yes. Deleted text messages may be recoverable depending on the phone model, operating system, app used, storage condition, encryption, backups and how long ago the data was deleted. Modern smartphones are heavily encrypted, so recovery is never guaranteed.

Sometimes. WhatsApp recovery depends on whether the messages still exist in the app database, whether local or cloud backups exist, whether deleted records have been overwritten, whether the device is iPhone or Android, and whether lawful account access is available.

Possibly. Deleted photos or videos may be recoverable from recently deleted folders, app caches, cloud backups, device backups, thumbnail databases, messaging app storage or synced accounts. If the data has been securely deleted or overwritten, recovery may not be possible.

Yes, iPhones can often be examined, but the level of access depends on the device model, iOS version, passcode availability, iCloud settings, backup access and security restrictions.

Yes. Android devices can often provide useful evidence, although results vary depending on manufacturer, Android version, lock status, encryption, app permissions, storage type and backup availability.

In most cases, yes. Having the passcode or lawful access to the device greatly improves the chance of extracting and reviewing useful evidence. Without the passcode, options may be limited. We do not assist with unlawful access or bypassing security on devices you are not authorised to examine.

A locked phone may be difficult or impossible to examine without proper lawful authority, access credentials or backup data. Modern phones are designed to protect user data. If cloud backups or synced accounts are available, there may still be alternative evidence sources.

Often, yes. Call history may be available from the device, backups, cloud accounts, billing records or telecoms records. Device call logs may not contain everything, especially if records have been deleted or overwritten.

Sometimes. Some apps store edit history, deletion indicators, sync states, timestamps or database artefacts. Others do not. A forensic review may identify signs that messages were removed, changed or are missing from a sequence, but this depends on the app and available data.

Yes. A Windows forensic examination may include user activity, file access history, deleted files, USB device history, internet history, email data, downloads, recently opened documents, logon activity, installed software, system logs, cloud sync folders, malware indicators and data transfer evidence.

Yes. Mac systems can be examined for user activity, files, deleted data, browser history, app data, iCloud artefacts, external device usage, logs and metadata. Access may depend on FileVault encryption, user credentials, device condition and macOS version.

In many cases, yes. Deleted files may be recoverable from the Recycle Bin or Trash, file system remnants, shadow copies, backups, temporary files, application caches, cloud sync folders, email attachments and external drives. SSDs, encryption, secure deletion and TRIM can reduce or eliminate recovery chances.

Often, yes. Windows and macOS systems may store artefacts showing USB device connection history, file access, shortcuts, registry entries, logs and timestamps. Proving exactly what was copied can be harder unless supporting artefacts exist.

Possibly. A forensic review may examine login records, remote access tools, system logs, recently opened files, browser history, security logs, malware indicators, account activity and file access timestamps.

Yes. Digital forensic analysis can assist with workplace investigations involving data theft, unauthorised access, misuse of company systems, inappropriate downloads, confidential data transfer, USB copying, deletion of company files, breach of policy, suspicious communication, fraud or misconduct.

Yes. Suspicious emails can be reviewed for signs of phishing, spoofing, malware, fraud, impersonation and account compromise. A review may include header analysis, sender verification, domain checks, attachment review, link inspection, timeline reconstruction and account activity review.

Sometimes. Email headers, server routing, DKIM, SPF, DMARC, timestamps, metadata and account logs can help assess whether an email appears genuine, spoofed, forwarded, altered or suspicious.

Possibly. Deleted emails may still exist in deleted items, archive folders, mail server retention, local mail files, backups, synced devices, cloud account exports, legal hold systems or email clients such as Outlook and Apple Mail.

Yes, where proper authority and access are available. Cloud accounts may contain emails, files, photos, messages, login history, device activity, shared documents, deleted items, backup data, location records and security alerts.

Yes. A compromise investigation may examine login locations, suspicious rules, mail forwarding, deleted emails, OAuth app access, security settings, password reset activity, recovery settings and suspicious inbox behaviour.

Yes. Social media evidence should be captured carefully because posts can be edited, deleted, hidden or restricted. A proper preservation process may include screenshots, URLs, timestamps, account identifiers, metadata where available, export records and an evidence log.

Yes. Digital evidence can assist with cases involving harassment, threats, stalking, impersonation, blackmail, malicious communication and online abuse.

Sometimes, but this can be difficult. Open-source information, metadata, reused usernames, linked accounts, communication patterns, email traces, phone numbers and platform records may help. In some cases, platform disclosure may require legal process or law enforcement involvement.

Screenshots can be useful, but they are not always enough on their own. Screenshots are easy to crop, edit or take out of context. Where possible, screenshots should be supported by original device data, URLs, metadata, account exports, timestamps and forensic notes.

Yes. A digital forensic review can help identify what happened, what systems were affected, what data may have been accessed and what steps should be taken next. A breach investigation may include log review, account activity analysis, malware checks, cloud access review and timeline reconstruction.

Yes. Business email compromise is a common form of fraud where attackers gain access to or imitate email accounts to redirect payments, steal data or deceive staff. An investigation may review suspicious login activity, forwarding rules, deleted emails, inbox changes and financial communication trails.

Yes. A forensic review can look for indicators of malware, suspicious processes, persistence mechanisms, unusual network activity, unknown applications, browser hijacking, remote access tools and system changes.

Yes. Ransomware investigations may involve identifying the attack timeline, infection vector, affected systems, encrypted files, ransom notes, attacker communication and possible data exfiltration indicators.

Yes. Phishing incidents can be reviewed by analysing the original email, links, attachments, sender infrastructure, account activity and any resulting compromise. The original email with full headers is usually more useful than a screenshot.

No. Deleted data may be recoverable if it still exists somewhere on the device, in a backup, in a cache, in cloud storage or in an app database. If it has been overwritten, securely deleted, encrypted or removed from all available sources, it may not be recoverable.

Stop using the device as much as possible. Continued use can overwrite deleted data. Do not install recovery apps, reset the device, update the operating system, delete more files or attempt repeated DIY recovery.

Usually, factory reset data is very difficult or impossible to recover from modern encrypted smartphones. Backups, cloud accounts, synced devices or external storage may provide better recovery routes.

Sometimes. Recovery may be possible from damaged phones, laptops, drives, memory cards or USB devices depending on the type of damage. Physical damage, water damage, controller failure and encryption can make recovery more complex.

Chain of custody is the documented history of evidence handling. It records who had access to the evidence, when it was received, where it was stored, what was done to it and how it was transferred.

Digital evidence is fragile. Files can change automatically, devices can sync, logs can overwrite, apps can update, messages can disappear and metadata can be altered. Proper preservation reduces the risk of evidence being challenged later.

Hashing creates a unique digital fingerprint of a file or data set. If the file changes, the hash value changes. Hashes are commonly used to confirm that evidence has remained unchanged during the investigation process.

A proper forensic approach aims to minimise changes wherever possible. In some cases, simply turning on or unlocking a device can cause changes, especially on modern smartphones. Any unavoidable limitations should be recorded.

Digital forensics is legal when carried out with proper authority, consent, ownership rights or lawful instruction. We do not assist with hacking, unauthorised access, spying, password bypassing, stalking or accessing accounts or devices that you have no right to examine.

Only if you have lawful authority or clear legal rights to do so. Ownership, employment context, consent, court orders and organisational policies all matter. If there is any doubt, obtain legal advice before requesting an examination.

Yes. Digital forensic services can support solicitors and legal teams by preserving evidence, reviewing devices or data, preparing reports and explaining technical findings in clear language.

Depending on the case requirements, forensic findings can be presented in a professional report. If formal expert witness evidence is required, this should be discussed at the start so the work can be scoped correctly.

Yes. Digital forensic work often involves highly sensitive personal, business, legal or security-related information. Confidentiality, careful handling and limited disclosure are essential.

No. No reputable forensic provider should guarantee a specific result before examining the evidence. What can be guaranteed is a careful, structured and honest review explaining what was found, what was not found, and what the limitations are.

Yes. A forensic investigation may look for evidence of file copying, USB use, cloud uploads, email forwarding, unauthorised access, deletion of files or use of personal accounts. The investigation must be properly authorised and proportionate.

Yes. Email misuse investigations may involve reviewing sent items, deleted items, forwarding rules, mailbox access logs, suspicious attachments, external communications and account activity.

Often, yes. File system artefacts, recent document lists, application logs, shortcut files, cloud sync records, email attachments and access timestamps may help establish whether files were opened or interacted with.

Potentially. Evidence may exist in browser history, sync folders, installed cloud applications, logs, file access records, network artefacts or account activity. Examples include Google Drive, OneDrive, Dropbox, iCloud, WeTransfer and similar services.

Yes. Digital evidence can support HR investigations involving misconduct, harassment, policy breaches, data misuse, inappropriate communications or unauthorised activity. The work should be carefully scoped to avoid unnecessary intrusion into private information.

Sometimes. Digital evidence may help preserve messages, call records, photos, social media posts, location information or communication timelines. Evidence must be obtained lawfully.

Yes. Harassment evidence may include messages, call logs, voicemails, emails, social media posts, fake profiles, screenshots, account data and timestamps. Preserving the evidence early is important because online content can be deleted quickly.

Yes. Fraud and scam investigations may involve reviewing emails, messages, payment requests, bank communication trails, websites, domain information, phone numbers, cryptocurrency wallet references and account activity.

Yes. Photos and videos can be reviewed for metadata, timestamps, file history, device information, edits, location data and consistency with other evidence. Not all files contain useful metadata, especially if they have been shared through messaging apps or social media platforms.

Sometimes. Photo metadata may include creation date, modification date, camera model, GPS coordinates and software details. Metadata can be stripped, changed or lost when images are edited, uploaded or sent through apps.

Possibly. Some edits leave metadata traces or visual inconsistencies. A forensic review may look at file structure, metadata, compression, timestamps and image artefacts. Not every edit can be proven.

Some improvements may be possible, such as adjusting brightness, contrast, stabilisation, cropping or extracting still frames. CCTV enhancement has limits. It cannot create detail that was never captured.

A typical process includes an initial discussion, confirmation of lawful authority and scope, secure receipt of the device or data, preservation of relevant evidence, analysis, identification of key findings, preparation of a clear report or summary, and next-step recommendations where appropriate.

It depends on the device, data volume, complexity and required report detail. A focused review of a small evidence set may be quicker. A full phone, laptop, cloud account or business incident review may take longer.

Costs depend on the work required, number of devices, type of analysis, urgency and whether a formal report is needed. A simple evidence preservation task will usually cost less than a full investigation with timelines, recovery work and reporting.

Some clearly defined tasks may be suitable for a fixed price. More complex investigations may require an initial review before accurate pricing is possible.

Stop using the device where possible. Do not delete anything, install recovery tools, reset the device, update the operating system or change account settings unless advised. Keep the device charged if safe to do so and write down what happened and when.

Yes, screenshots can be reviewed, organised and reported on, but they are weaker than original data. Where possible, screenshots should be supported by device data, account exports, original URLs, metadata or message database records.

Some work can be handled remotely, especially document review, screenshot preservation, cloud account export review, email header analysis and consultation. Device-level forensic work may require secure physical access to the device or storage media.

Useful information includes what happened, when it happened, what device or account is involved, what evidence already exists, whether anything has been deleted, whether the device is locked, whether you have lawful access, whether the matter is urgent and what you need to prove or understand.

No. A professional forensic review should be scoped to what is relevant and necessary. In many cases, the aim is to answer specific questions, not unnecessarily review private material.

Data should be handled carefully, stored securely and only reviewed for the agreed purpose. Sensitive material should not be shared unnecessarily. Reports should include relevant findings, not irrelevant private information.

Data retention can be discussed at the start of the matter. Depending on the nature of the case, some records may need to be retained for a defined period, especially where legal or evidential requirements apply.

No. Digital forensics can provide strong evidence, but it cannot always answer every question. Evidence may be missing, deleted, overwritten, encrypted, incomplete or unavailable.

Sometimes, but not always. A device may show account activity, login records, typing patterns, location data or app use, but proving the exact person behind an action can be difficult.

Timestamps are useful but must be interpreted carefully. Devices may have incorrect time zones, clock changes, sync delays, app-specific timestamps or server-side times. A forensic review should consider timestamp context.

Yes, digital data can sometimes be altered, staged, edited or misrepresented. That is why forensic context matters. A proper examination may look for consistency across multiple sources, metadata, logs, backups and timelines.

Yes. We develop digital investigation tools designed to help investigators, analysts and professionals organise digital evidence, build case records, review data and prepare structured reports.

No. Software can help organise, review and report evidence, but it does not replace professional interpretation. Digital forensic tools are most useful when combined with sound investigative practice and proper evidence handling.

Yes. The app can help structure case notes, evidence references, timelines, device records, analysis outputs and report drafts. This can make a case easier to review and present.