FAQ
Frequently asked questions.
A consolidated list of the questions we hear most often from Canadian counsel, corporate clients, and individuals.

General
What does a digital forensics engagement with Teradrive look like?
Every engagement begins with a confidential scoping call. We agree on the matter, the custodians, the devices, the timeline, and the deliverable. From there, we move to forensic acquisition, analysis, and a written examiner report. Engagements taken through counsel are structured to support litigation privilege. We sign NDAs as standard.
How quickly can you start on an urgent matter?
Same business day for scoping, with forensic preservation often beginning within hours of engagement. Cloud audit-log retention is short, so cloud preservation begins immediately when applicable. We have moved on Anton Piller executions, breach response, and litigation-hold matters within 48 hours of initial counsel contact.
How are your reports structured for Canadian courts?
For BC Supreme Court matters, reports follow Rule 11 form by default unless counsel requests otherwise. Reports name the methodology, the tools used, the standards applied (Canada Evidence Act sections 31.1 to 31.8), and the limitations of what is and is not knowable from the evidence.
Are your engagements covered by privilege when retained through counsel?
Engagements taken through counsel are structured to support a litigation-privilege claim. Retention agreement, communications, and work product are designed for that purpose from the start. We sign NDAs as standard. Privilege framing is set up at scoping, not added later when the question arises.
How do you protect the confidentiality of sensitive matters?
Every engagement is confidential by default. NDAs are signed at intake. Communications are channelled through a defined contact list. Evidence is held in our secured storage at the Langley main office with documented access logs. Visitors are escorted. We do not discuss matters publicly without explicit client consent.
Do you handle matters outside British Columbia?
Yes. We serve law firms and businesses across Canada from our Langley main office. Cloud forensics and a portion of computer and mobile forensics work entirely remotely. For Anton Piller executions, large on-site preservation, and trial testimony, we travel from Langley to the relevant jurisdiction.
How do you charge for forensic engagements?
Cost depends on scope. Single-device matters are typically defined-scope engagements with a written estimate at scoping. Multi-custodian, cloud-heavy, or trial-testimony matters are typically billed hourly with a written estimate against which we bill. We do not begin work without authorization and do not exceed the estimate without flagging the cost implication first.
What information do you need to scope a matter?
At intake we need: a brief description of the matter, the custodians and devices likely in scope, the timeline you are working to, the deliverable format you need, and whether the engagement is direct or through counsel. The consultation call typically takes 20 to 30 minutes and is confidential.
Computer Forensics
See the full Computer Forensics service page for context.
Can deleted files be recovered from a Windows laptop?
Often, yes. Deleted file recovery depends on whether the underlying clusters have been overwritten. Even when file content is lost, residual artifacts (file system metadata, MFT entries, link files, Prefetch, Amcache, USN journal records) can establish that a file existed, when, and how it was accessed.
Can BitLocker encrypted drives be examined?
Yes, when we have the recovery key, the user credentials, the BitLocker recovery file, or live access during the imaging window. Without one of those, the encrypted image can be preserved for future analysis. Microsoft account recovery options often surface the key.
How long does a computer forensic examination take?
A single-laptop matter typically moves from intake to draft report in two to four weeks. Multi-device matters and matters requiring decryption, deduplication, or extensive timeline reconstruction take longer. We give a written timeline at the consultation.
Is metadata admissible in Canadian civil court?
Generally yes, under section 31.1 of the Canada Evidence Act, when the metadata is collected through a defensible process and the integrity of the underlying record is documented. Metadata is often the strongest evidence available in cases where document content alone is contested.
What is the difference between forensic imaging and a regular backup?
A regular backup copies user-visible files. A forensic image captures every bit of the source media, including unallocated space, slack space, and file system metadata. A backup is for restoring data. A forensic image is for proving what happened on the device.
Can a forensic examiner detect data theft after a factory reset?
Sometimes, depending on the device, the reset method, and the timing. On Windows and macOS systems, residual artifacts (cloud sync logs, registry hives, browser sync state, recovery partitions) often survive a "reset this PC" or "erase all content" operation. On purpose-wiped drives written over with random data, recovery is unlikely.
Mobile Forensics
See the full Mobile Forensics service page for context.
Are screenshots of text messages admissible as evidence in Canadian court?
Often, yes. iMessage and SMS messages remain in the SQLite database in WAL (write-ahead log) and journal files even after deletion, and unallocated database pages can preserve content for an extended period. Recovery depends on iOS version, device model, and how recently the deletion occurred. A full file system extraction recovers the most.
Can encrypted messages from Signal or Telegram be recovered?
Yes, in many cases. WhatsApp stores messages in a SQLite database that exhibits the same WAL and journal behaviour as iMessage. WhatsApp's local backups and iCloud or Google Drive backup history often preserve content well past local deletion.
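The WAL behaviour described in the two answers above, shown as an added example that is not Teradrive's code or tooling: it builds a throwaway SQLite database in WAL mode, deletes a row, and then parses the `-wal` file to find the frames that still hold the deleted text. The table name `message` and the sample text are constructed for illustration and do not reflect any messaging app's real schema.

```python
import os
import sqlite3
import struct
import tempfile

WAL_MAGICS = (0x377F0682, 0x377F0683)        # magic numbers of a SQLite -wal file
NEEDLE = b"constructed sample message 4417"  # constructed test content


def wal_frames(wal):
    """Yield (index, page_no, is_commit, salt_ok, page_bytes) for each WAL frame."""
    magic, _ver, page_size, _seq, salt1, salt2 = struct.unpack(">6I", wal[:24])
    if magic not in WAL_MAGICS:
        raise ValueError("not a SQLite WAL file")
    offset, index = 32, 0                    # 32-byte file header, then frames
    while offset + 24 + page_size <= len(wal):
        page_no, db_size, f_salt1, f_salt2 = struct.unpack(">4I", wal[offset:offset + 16])
        page = wal[offset + 24:offset + 24 + page_size]
        yield index, page_no, db_size != 0, (f_salt1, f_salt2) == (salt1, salt2), page
        offset += 24 + page_size
        index += 1


def residual_hits(wal, needle):
    """Return (frame index, page number) for valid frames still containing needle."""
    return [(i, pg) for i, pg, _c, ok, data in wal_frames(wal) if ok and needle in data]


def demo():
    """Insert then delete a row; return (live_row_count, frames holding the text)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        con = sqlite3.connect(path)
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
        con.execute("INSERT INTO message(text) VALUES (?)", (NEEDLE.decode(),))
        con.commit()
        con.execute("DELETE FROM message")
        con.commit()
        live = con.execute("SELECT COUNT(*) FROM message").fetchone()[0]
        # Read the -wal file before closing: a clean close checkpoints and removes it.
        with open(path + "-wal", "rb") as fh:
            wal = fh.read()
        con.close()
    return live, residual_hits(wal, NEEDLE)


if __name__ == "__main__":
    live, hits = demo()
    print(f"live rows: {live}; WAL frames still holding the text: {hits}")
```

The query against the live table returns no rows, while the frame written at insert time remains in the WAL until a checkpoint resets it, which is why acquiring the `-wal` file alongside the main database matters.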
What evidence can be extracted from a damaged phone?
Less often than iMessage or WhatsApp, but sometimes. Snapchat is engineered to delete content quickly, but cached media, database fragments, and notification artifacts can survive on the device. Server-side preservation requires legal process directed at Snap Inc.
Is text message evidence admissible in BC court?
Screenshots can be tendered, but their weight is often challenged. A forensic acquisition of the source device is the more defensible path because it preserves message metadata, attachment hashes, and the raw database, which together establish authenticity under section 31.1 of the Canada Evidence Act.
What is chip-off forensics, and when is it the right choice?
Sometimes. iOS "Erase All Content and Settings" deletes the encryption key and renders most content unrecoverable, but residual artifacts in cloud-sync state, recovery partitions, or paired-device backups may survive. Android factory resets vary widely by manufacturer and patch level. Forensic feasibility is matter-specific.
What is the difference between JTAG and ISP extraction?
Often yes, when the device itself can be acquired. Both apps store decrypted message databases on the device for the user's own access. The challenge is acquiring the device with a high-fidelity method (full file system or physical), which our advanced extraction capabilities support.
Cloud Forensics
See the full Cloud Forensics service page for context.
How long are Microsoft 365 audit logs retained for forensic investigation?
By default, 90 days for E3 licences and 180 days for E5 with Purview Audit Premium, depending on the event type. Some events (such as Exchange mailbox audit) have separate retention. The window is short, so preservation should begin as soon as a matter is anticipated.
Can deleted Slack messages be recovered for a legal hold?
Sometimes. Slack's native retention depends on the workspace plan. Pro and Business+ plans support legal hold with retention overrides. Free and Standard plans do not, and content can be hard-deleted after retention windows expire. We assess plan-level capability at intake.
Are cloud backups admissible in Canadian court?
Yes, when the backup is preserved through a defensible process and authenticated under section 31.1 of the Canada Evidence Act. Source-tenant audit logs supporting the backup's integrity strengthen admissibility.
What is the chain of custody for cloud evidence?
We document tenant access, query parameters, export tool versions, output file hashes, transport storage, and post-export handling. Every step is timestamped and signed. The chain begins when we are authorized and ends when evidence is archived.
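One way to make a custody record of this kind tamper-evident, as an added example that is not Teradrive's code or process: each step is timestamped, carries the SHA-256 of any exported file, and is signed over the previous entry's signature so that later edits break the chain. The HMAC key, field names, step labels, and sample values are assumptions constructed for illustration; a production record might use asymmetric signatures instead.

```python
import hashlib
import hmac
import json


def _sign(key, body):
    """HMAC-SHA256 over the canonical JSON form of an entry body."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def add_entry(log, key, step, detail, timestamp, artifact=None):
    """Append one custody step; each entry commits to the previous entry's signature."""
    body = {
        "seq": len(log),
        "timestamp": timestamp,              # caller supplies a UTC ISO 8601 time
        "step": step,
        "detail": detail,
        "sha256": hashlib.sha256(artifact).hexdigest() if artifact is not None else None,
        "prev": log[-1]["sig"] if log else None,
    }
    log.append({**body, "sig": _sign(key, body)})
    return log[-1]


def verify(log, key, artifacts=None):
    """Return the seq of the first entry that fails, or None if the chain is intact."""
    prev = None
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "sig"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i
        if not hmac.compare_digest(entry.get("sig", ""), _sign(key, body)):
            return i
        data = (artifacts or {}).get(i)      # optional re-hash of the exported file
        if data is not None and hashlib.sha256(data).hexdigest() != entry["sha256"]:
            return i
        prev = entry["sig"]
    return None


def sample_log(key):
    """Constructed sample steps following the items listed in the answer above."""
    export = b"constructed export bytes"
    log = []
    add_entry(log, key, "tenant access", {"account": "examiner@example.invalid"}, "2024-01-01T10:00:00Z")
    add_entry(log, key, "query", {"parameters": "constructed date range"}, "2024-01-01T10:05:00Z")
    add_entry(log, key, "export", {"tool_version": "placeholder-1.0"}, "2024-01-01T10:20:00Z", export)
    add_entry(log, key, "archive", {"storage": "placeholder location"}, "2024-01-01T11:00:00Z")
    return log, export
```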
Can a cloud forensic investigation be done remotely?
Yes. Cloud collections are by definition remote. We need administrator-level access to the relevant tenants (or the assistance of someone who has it), and a clear scoping document. Onsite presence is not required.
How quickly should a cloud preservation start after a triggering event?
Immediately. The default M365 audit retention window starts counting down from the moment the event occurs. Each day of delay risks losing relevant log entries. We can begin preservation within hours of engagement when a matter is urgent.
Expert Witness
See the full Expert Witness service page for context.
What qualifications should a digital forensics expert have in BC?
There is no statutory licensing scheme. Courts assess qualification on the *Mohan* criteria (specialised knowledge, relevant credentials, prior testimony). Industry-recognized certifications (EnCE, CCE, CFCE, Cellebrite CCO/CCPA, Magnet MCFE, Vound Intella, AceLab PC-3000, AccessData FTK, BTL1) and a documented record of prior court testimony are the strongest credibility signals.
How does the White Burgess duty apply to a forensic expert?
*White Burgess* clarifies that an expert's duty to the court overrides any duty to the retaining party. The evidence of an expert who cannot or will not give independent testimony is not admissible. Our reports are written to that standard, and the methodology is documented so a triggering inquiry can be answered without ambiguity.
What are the Mohan criteria for admissibility?
Established in *R. v. Mohan*, [1994] 2 SCR 9. Expert evidence is admissible if it is (1) necessary, in the sense of being likely to assist the trier of fact beyond ordinary experience; (2) relevant; (3) given by a properly qualified expert; and (4) not subject to an exclusionary rule.
Can a single expert serve in joint expert format?
Yes. Joint expert reports are common in BC family law and civil matters where parties want to avoid duelling-expert cost and complexity. We are willing to serve as a single expert when both parties consent and counsel agree to the protocol.
How is an expert affidavit different from an examiner report?
An affidavit is sworn evidence, typically used for interlocutory applications (injunctions, preservation orders, interim relief). An examiner report is a non-sworn document that explains methodology and findings. Many matters use both, with the affidavit attaching the examiner report as an exhibit.
What is the cost range for expert witness engagement?
Cost depends on scope. A single-device examination with a Rule 11 report is typically a defined-scope engagement. Multi-custodian, cloud-heavy, or trial-testimony matters are typically billed hourly with an estimate at scoping. We give a written estimate before any work begins.
Data Breach Investigation
See the full Data Breach Investigation service page for context.
When is breach notification mandatory under PIPEDA?
When the breach involves personal information and creates a "real risk of significant harm" to one or more affected individuals. The notification must go to the Office of the Privacy Commissioner of Canada, to affected individuals, and to other organizations that can help mitigate harm.
What is real risk of significant harm under PIPEDA?
A risk that, if realized, would cause significant harm to an affected individual. Significant harm includes humiliation, damage to reputation or relationships, loss of employment, financial loss, identity theft, negative effects on credit record, or damage to or loss of property. The standard is fact-specific and depends on the sensitivity of the information and the probability that it will be misused.
How do you determine if data was actually exfiltrated?
Through endpoint forensics (file access logs, browser uploads, USB writes, cloud sync), network log analysis, cloud audit log analysis (M365 unified audit log, Google Workspace audit data), and where available, threat-actor leak-site monitoring. Access without exfiltration is a different determination from exfiltration, and the report must distinguish them clearly.
What goes into a regulator-ready breach report?
A description of the breach, the date and circumstances, the personal information involved, the number of individuals affected, the steps taken to reduce or mitigate the risk of harm, the steps taken to notify affected individuals, and any other information required by the regulator. We structure the forensic findings to map to the OPC reporting form by default.
Can the same forensic team support privilege and counsel?
Yes. Engagements taken through counsel are structured to support a litigation-privilege claim, with retention agreements, communication channels, and work-product handling designed for that purpose. The same forensic record can support the regulator notification and any subsequent litigation defence, as long as the privilege framing is set up correctly at the start.
