Computer Forensics
Computer forensics services for Canadian law firms and businesses.
Forensic acquisition and examination of laptops, desktops, and servers, across Windows, macOS, and Linux, including encrypted volumes. Reports are written for Canadian courts.

When this service is needed
Typical scenarios where counsel and corporate clients retain us.
- Departing employee investigations
- IP and trade secret theft
- Internal fraud and policy-violation matters
- Litigation hold preservation and collection
- Expert witness engagements
- Civil and criminal proceedings
How we approach it
A defensible, repeatable process.
Intake and scoping
We agree on the matter type, the custodians, the devices, the timeline, and the deliverable format. Engagements taken through counsel are documented to support a litigation-privilege claim. We sign NDAs as standard.
Forensic acquisition
We use a hardware write-blocker for all conventional drives. The image is captured to a sterile target, hashed with both MD5 and SHA-256, and verified before any analysis begins. Encrypted volumes (BitLocker, FileVault, VeraCrypt, LUKS) are decrypted in a working copy only, never on the original. Live acquisition (memory and running processes) is used where the matter requires it.
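An added example (not the firm's own tooling) of the hash-and-verify step described above: both digests are computed in one read pass over the image, and a working copy is checked against the acquisition record before analysis. The file names and the 1 MiB sample "image" are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never load into memory


def hash_image(path):
    """Return MD5, SHA-256 and byte count of a file from a single read pass."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": size}


def verify_copy(acquisition_record, copy_path):
    """Compare a copy against the acquisition record; return the fields that differ."""
    current = hash_image(copy_path)
    return [k for k in ("size", "md5", "sha256") if current[k] != acquisition_record[k]]


def demo():
    """Constructed sample: a stand-in image, an exact copy, and an altered copy."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.dd")      # hypothetical file names
    good = os.path.join(workdir, "working_copy.dd")
    bad = os.path.join(workdir, "altered_copy.dd")
    data = bytes(range(256)) * 4096                   # 1 MiB of constructed content
    for path, payload in ((image, data), (good, data)):
        with open(path, "wb") as fh:
            fh.write(payload)
    altered = bytearray(data)
    altered[500_000] ^= 0x01                          # flip a single bit
    with open(bad, "wb") as fh:
        fh.write(altered)

    record = hash_image(image)                        # taken at acquisition time
    return record, verify_copy(record, good), verify_copy(record, bad)


if __name__ == "__main__":
    record, good_diff, bad_diff = demo()
    print(record)
    print("exact copy mismatches:", good_diff)
    print("altered copy mismatches:", bad_diff)
```

A single flipped bit leaves the size unchanged but changes both digests, which is why the record stores the hashes and not only the byte count.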
Analysis
We examine the working copy with industry-standard tools and document every step. Common artifacts include user activity (Windows Event Logs, macOS Unified Logs, Linux journals), file access (MFT, USN journal, fseventsd), program execution (Prefetch, Amcache, Background Activity Moderator (BAM)), browser history, USB connection records, cloud-sync activity (OneDrive, Dropbox, Google Drive, iCloud), and email (Outlook PST and OST, Apple Mail, Thunderbird).
Reporting
The deliverable is an examiner report, written for the audience that will read it. Counsel reports include affidavit-style structure, exhibit indexing, and clear methodology disclosures. Corporate reports include executive summaries, technical appendices, and recommendations.
Archive and chain of custody
The original evidence is sealed and retained under documented chain of custody. Working copies are retained in encrypted storage with a defined retention period. We can produce custodian declarations and chain-of-custody affidavits on request.
Tools we apply
Named, current, and listed in every report.
- OpenText EnCase Forensic
- Magnet AXIOM and AXIOM Cyber
- X-Ways Forensics
- Exterro FTK (formerly AccessData)
- KAPE (Kroll Artifact Parser and Extractor) for triage
- Volatility for memory analysis
- Autopsy and The Sleuth Kit for open-source verification work
Why named tools matter: opposing counsel and triers of fact often want to know exactly how an examination was performed. A vendor-neutral tool list, supported by methodology documentation, holds up better than a "proprietary process" claim.
Standards we follow
Aligned to Canadian and international guidance.
- Sections 31.1 to 31.8 of the Canada Evidence Act (electronic documents)
What you receive
Deliverables built for counsel, the regulator, and the court.
- A forensic image of each examined device, hash-verified, retained on encrypted storage.
- A written examiner report covering scope, methodology, findings, exhibits, and limitations.
- An exhibit index linking each finding to its source artifact.
- An affidavit or expert affidavit if the matter requires sworn evidence.
- A chain-of-custody record from intake through archive.
- A consultation with counsel or in-house teams to walk through the report before any production.
Common questions
Computer Forensics questions from Canadian counsel and corporate clients.
Can deleted files be recovered from a Windows laptop?
Often, yes. Deleted file recovery depends on whether the underlying clusters have been overwritten. Even when file content is lost, residual artifacts (file system metadata, MFT entries, link files, Prefetch, Amcache, USN journal records) can establish that a file existed, when, and how it was accessed.
Can BitLocker-encrypted drives be examined?
Yes, when we have the recovery key, the user credentials, the BitLocker recovery file, or live access during the imaging window. Without one of those, the encrypted image can be preserved for future analysis. Microsoft account recovery options often surface the key.
How long does a computer forensic examination take?
A single-laptop matter typically moves from intake to draft report in two to four weeks. Multi-device matters and matters requiring decryption, deduplication, or extensive timeline reconstruction take longer. We give a written timeline at the consultation.
Is metadata admissible in Canadian civil court?
Generally yes, under section 31.1 of the Canada Evidence Act, when the metadata is collected through a defensible process and the integrity of the underlying record is documented. Metadata is often the strongest evidence available in cases where document content alone is contested.
What is the difference between forensic imaging and a regular backup?
A regular backup copies user-visible files. A forensic image captures every bit of the source media, including unallocated space, slack space, and file system metadata. A backup is for restoring data. A forensic image is for proving what happened on the device.
Can a forensic examiner detect data theft after a factory reset?
Sometimes, depending on the device, the reset method, and the timing. On Windows and macOS systems, residual artifacts (cloud sync logs, registry hives, browser sync state, recovery partitions) often survive a "reset this PC" or "erase all content" operation. On purpose-wiped drives written over with random data, recovery is unlikely.
Related services
Often retained alongside computer forensics.
Mobile Forensics
iOS and Android extraction including chip-off, JTAG, and ISP techniques for damaged or locked devices that conventional tools cannot read.
Cloud Forensics
Defensible collection and analysis of Microsoft 365, Google Workspace, AWS, Slack, Teams, and Salesforce evidence under legal hold.
Expert Witness
Court-qualified expert witnesses delivering affidavits, expert reports, and trial testimony in Canadian civil and criminal matters.
