I’ve stood in front of a judge holding up a hash value printout, and I’ve sat with an HR director walking them through exactly why a deleted file isn’t actually gone. Digital forensics is the bit of my job that most people never see, but it’s often the part that decides the outcome. At its core, it’s about working out what actually happened on a computer, a phone, a network, or a cloud account — and doing it in a way that holds up when someone tries to pick it apart, whether that’s a defence barrister, an opposing solicitor, or an employee who insists they never touched the file in question.
I get instructed on this for all sorts of reasons. Criminal cases where someone’s device activity is central to what they’re accused of. Employment cases where I’m asked to look into what a staff member actually did on the company system. Civil disputes where the data on a computer is the crux of a commercial disagreement. Regulatory cases where an organisation’s systems are under the microscope. And increasingly, cyber incident cases, where my job is to work out exactly how an attacker got in and what they did once they were there.
What Digital Forensics Actually Means
In plain terms, it’s the process of finding digital evidence, locking it down so it can’t be tampered with, working out what it actually shows, and then presenting that in a way that stands up to scrutiny. There are a few rules I never bend on: I preserve evidence in its original state before I touch anything analytically. I document every single step I take, so someone else could follow my work and get the same result. I have to be able to stand up and give expert evidence about exactly how I reached my conclusions. And whatever I find, I have to be able to explain it to someone who’s never opened a command line in their life.
None of that is box-ticking for its own sake. It’s how I make sure that what I find can actually be trusted — that nothing’s been altered, that my process is sound, and that anyone challenging my findings has something solid to challenge, not guesswork. If I can’t meet that standard, the evidence is vulnerable, and a vulnerable piece of evidence can unravel an entire case.
The Different Types of Work I Do
Computer Forensics
This is examining laptops, desktops, servers, and storage devices for anything relevant to the case in front of me. I’m looking at file systems, the operating system itself, application data, deleted files, browsing history, messages — basically anything stored on or reachable from that machine.
This is the one I get called in for most often, particularly in employment and civil cases. People are often shocked at just how much a proper examination can recover: every file that’s been opened, every site visited, every message sent or received, every USB stick ever plugged in — and a good chunk of what someone thought they’d deleted.
Mobile Forensics
Phones and tablets give me a completely different picture from a laptop. They carry location history, messages spread across half a dozen different apps, photos and videos with location and timestamp data baked in, and a record of where someone’s actually been that a desktop simply can’t match.
This work needs the right tools — kit that can pull data off a device without changing anything on it, and software that can actually make sense of how different phones and apps store their data. It’s become a much bigger part of my caseload over the years, simply because so much of how people communicate now happens through apps on their phone rather than email.
Network Forensics
This is digging through network traffic, system logs, and device data to work out what happened across a network — who went where, what they touched, and what left the building. In a cyber attack, this is how I trace an intruder’s path through a system and work out what they got their hands on. In an employment case, it’s how I establish what an employee accessed, what they moved, and how they moved it.
How I Actually Run an Investigation
Scoping. Before I touch anything, I work out exactly what I’m being asked to find out — which systems, which devices, what time period, what questions need answering. Get this wrong and the investigation either misses what matters or sprawls into territory it has no business being in.
Acquisition. I make a forensic copy of everything relevant before any analysis starts. For a device, that’s a bit-for-bit image of the storage. For cloud or network data, it’s capturing logs and records in a way that keeps them intact.
Verification. I run a cryptographic hash on everything I’ve collected. Think of it as a fingerprint for the data — if anyone ever questions whether the evidence has been touched since I collected it, I can recalculate that hash and prove it hasn’t.
Analysis. This is where I actually answer the questions the case is asking. I always work on copies, never originals, so there’s zero risk of altering the one thing everyone’s relying on.
Reporting. I write it all up — methodology, what I examined, what I found, what it means — alongside a formal witness statement.
Why Preservation Comes First, Always
If there’s one thing I drum into anyone I work with, it’s this: digital evidence is fragile. Switching a computer on and off can change dozens of timestamps. Just connecting to a network can shift the system state. Even running antivirus software can quietly delete or quarantine something that mattered. That’s why forensic imaging exists — to capture everything exactly as it was before any of that can happen.
I create a bit-for-bit copy of the storage, including the bits most people don’t know are recoverable — deleted files, fragments sitting in unallocated space. The original device doesn’t get touched again. Everything I do from that point happens on the copy.
Whether It Holds Up in Court
In my experience, digital forensic evidence is accepted in both civil and criminal courts in England and Wales, provided it meets the standards expected of expert evidence. For civil cases that means satisfying Part 35 of the Civil Procedure Rules — my report has to show my expertise, set out exactly how I reached my conclusions, and be clear about what’s fact and what’s my professional opinion.
The challenge I see most often isn’t about what I found — it’s about how I found it. Was the evidence untouched when I got it? Did I keep a proper chain of custody? Can I prove the analysis was done on a verified copy, not the original? If I’ve done my job properly, with everything documented and every piece of evidence hash-verified, that challenge doesn’t get very far.
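The verification step and the chain-of-custody challenge described above, as an added example that is not my casework tooling: it hashes an image in streamed blocks, records the acquisition in a custody log where each entry commits to the previous one, and shows a later one-byte change being caught. The file name, examiner label and hash-chained log layout are assumptions made for illustration, and the "image" is a constructed sample file.

```python
import hashlib, json, os, tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def log_entry(log, action, path, examiner):
    """Append a custody record; each record commits to the previous one."""
    entry = {"seq": len(log), "action": action, "examiner": examiner,
             "item": os.path.basename(path), "sha256": sha256_file(path),
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry

def verify(log, path):
    """Return (log_intact, item_matches_acquisition_hash)."""
    prev, intact = "0" * 64, True
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        intact = intact and e["prev"] == prev and digest == e["entry_hash"]
        prev = e["entry_hash"]
    return intact, sha256_file(path) == log[0]["sha256"]

def demo():
    """Constructed stand-in for a disk image: acquire, verify, alter one byte, verify."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "exhibit-001.dd")  # hypothetical exhibit name
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample sector data")
        log = []
        log_entry(log, "acquired", image, "examiner-A")
        before = verify(log, image)
        with open(image, "r+b") as f:  # simulate a single-byte change after acquisition
            f.seek(100); f.write(b"\x01")
        after = verify(log, image)
        return before, after

if __name__ == "__main__":
    print(demo())
```

The first result of `verify` covers the log itself, so an edited custody record is flagged separately from an altered image.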
Need expert digital forensic investigation? Get in touch with iSpy Detectives for professional, court-admissible forensic analysis.

