A comprehensive suite of forensic disciplines — all conducted to Forensic Science Regulator standards and aligned with ISO 17025 quality principles, ready for criminal and civil proceedings.
Device examination underpins the majority of digital forensic instructions. CTM Consulting carries out full forensic acquisition and analysis using the same tools employed by law enforcement.
Full forensic acquisition of smartphones and tablets — physical, logical, and file-system extractions depending on the device and instruction. Recovers messages, call records, app data, geolocation artefacts, and deleted material. Covers all major platforms and applications including WhatsApp, Signal, Telegram, iMessage, and social media.
Write-blocked forensic imaging of laptops, desktops, and external storage, followed by thorough artefact analysis. Internet browsing history, Windows registry, prefetch files, USB connection records, user activity timelines, email forensics, and deleted document recovery. All imaging is hash-verified for evidential integrity.
Data can be collected on-site at premises or remotely over a secure connection — whichever is appropriate for the matter. Both methods produce the same quality of forensic output with a complete chain of custody.
On-site attendance at premises to carry out forensic imaging of computers, servers, and storage media. All acquisition is write-blocked and hash-verified. Suitable for corporate investigations, situations where devices cannot leave site, or where a witnessed acquisition is required. Chain of custody documentation provided from first contact.
Forensically sound acquisition of data from computers, servers, and cloud accounts over an encrypted connection — no site visit required. A lightweight forensic agent is deployed to the target system by an authorised person. The collection is targeted, auditable, and produces hash-verified output of identical evidential quality to an in-person acquisition.
Devices, date ranges, and data targets confirmed. Legal basis agreed and collection plan documented before any work begins.
Forensic agent launched on the target system by an authorised person on-site. No technical expertise required to run it.
Data acquired over an encrypted connection. All activity is timestamped and logged throughout in the audit trail.
Hash verification on completion. Chain of custody document and acquisition report provided before examination begins.
Lawful Instructions Only. All password recovery and decryption work is carried out pursuant to a formal legal instruction with confirmed lawful authority. CTM Consulting does not accept instructions without a proper legal basis.
Encryption is encountered routinely in digital forensic casework — on devices, files, archives, and cloud accounts. Where lawful authority exists, CTM Consulting can attempt recovery using specialist hardware and software.
Password-protected documents, encrypted disk volumes, and locked devices can prevent legal teams from accessing material that may be critical to their case. CTM Consulting provides forensic password recovery using targeted and brute-force techniques, applied lawfully and proportionately.
Where full recovery is not possible, a report can confirm the encryption type and the steps taken — which may itself be of evidential value in assessing what was being concealed.
Before work begins, we will assess and advise on the realistic prospects of recovery based on:
Password recovery from Word, Excel, PowerPoint, and PDF. Success rates are high for older encryption standards and predictable passwords.
Recovery of passwords on compressed archives — commonly used to conceal collections of files in a single protected container.
Examination of devices protected by whole disk encryption. Recovery prospects depend on encryption type and available key material from the investigation.
Forensic bypass and recovery techniques for PIN, pattern, and biometric-protected handsets. Feasibility is assessed per device model and OS version.
Access to local databases of encrypted messaging apps where the device is in forensic possession, including protected app containers.
Where lawful authority exists, CTM Consulting can assist with technical access to and preservation of cloud-stored data and online accounts.
Beyond device examination and collection, CTM Consulting provides a range of analytical services that sit at the core of most defence and civil instructions.
Advanced file carving from unallocated disk space, slack space, and volume shadow copies. Identifies material that has been deliberately deleted, overwritten, or concealed.
Correlating device timestamps, application logs, communication records, and system events to produce a precise, defensible chronology for use in proceedings.
Systematic independent review of prosecution digital evidence — assessing methodology, completeness, chain of custody, and the validity of conclusions drawn by the opposing expert.
Data exfiltration, IP theft, and insider threat. Targeted acquisition and analysis of employee devices and accounts in support of HR, legal, and disciplinary proceedings.
End-to-end ESI collection, processing, de-duplication, and review for civil litigation, employment, and regulatory matters. Full details →
Preliminary advice before formal instruction — identifying whether digital evidence is likely to assist, what examination might reveal, and what a realistic scope and fee looks like.
Every instruction that requires court evidence is supported by a structured expert witness report prepared under Criminal Procedure Rules Part 19 or Civil Procedure Rules Part 35.
All reports are written to be understood by non-technical readers — judges, jurors, and opposing counsel — without sacrificing accuracy or rigour. Technical findings are explained clearly, conclusions are properly qualified, and the methodology is fully disclosed.
Court attendance for oral evidence and cross-examination is available as part of any instruction. Pre-hearing conferences with counsel and attendance at joint expert meetings can also be arranged. See the Expert Witness page for full detail.
Confidential initial consultations at no obligation. Describe your matter and we will confirm whether digital forensics can assist and provide a clear fee estimate.