Forensic scoping
Custodian and source mapping done with an evidentiary lens: what can be captured, what can be preserved, what would survive challenge.
Our eDiscovery practice was built by digital forensic examiners. Every collection is hash-verified, every workflow is documented, and every senior practitioner is qualified to give evidence on how the work was done.
Plate · ForensicCounsel and in-house teams who have learned - usually the hard way - that the way evidence is collected determines what can later be argued with it. If your last matter turned on the collection methodology, this page describes the alternative.
Preparing for disclosure where the process itself may be tested.
Handling suspected fraud, data theft or misconduct by senior custodians.
Coordinating cyber incident handling with downstream litigation and regulatory response.
Needing an independent forensic third party for statutory investigations.
Every failure mode below has been the deciding point in real cases we've been brought into after the fact.
Copy-paste from a live mailbox, drag-and-drop from a laptop, or an IT-led PST export destroys metadata and message integrity. It cannot be undone.
Evidence handled by an unbroken series of unnamed IT staff, without hash values, cannot be traced to its source when the source is challenged.
A witness who cannot speak to standards, tooling and methodology under cross-examination weakens the party they act for.
Non-forensic tooling misses deleted items, shadow copies, mobile app databases and cloud audit logs - often the material the matter turns on.
Every phase executed by qualified practitioners.
Custodian and source mapping done with an evidentiary lens: what can be captured, what can be preserved, what would survive challenge.
EnCase, FTK, X-Ways. Logical or physical, live or dead. Hash-verified at acquisition.
Cellebrite Premium, GrayKey, Magnet AXIOM. Full file-system where permitted; logical where not.
M365, Google Workspace, Slack, Teams, Box, Dropbox - captured with metadata and audit-log context preserved.
Timeline analysis, communications mapping, data-theft investigation, artefact recovery.
CPR Part 35 reports on methodology, findings and opinion, prepared by the supervising practitioner.
Because we are the eDiscovery arm of a digital forensics practice - not the other way around.
Every collection is done by a practitioner trained on the tools they use, not by a technician following a runbook.
Senior practitioners have given evidence in criminal and civil proceedings and produced Part 35 reports.
Every acquisition follows ACPO Good Practice Guide principles for digital evidence.
Signed acquisition notes, hash values and handling log on every capture.
Where a matter starts as an incident and becomes litigation, we handle both without breaking the evidence chain.
We do not act for either party on the merits. The evidence handling is neutral by design.
Where the forensic dimension is central.
Evidence-grade outputs, ready for a proceeding.
Hash-verified acquisition of the source in a preserved, portable format.
Signed acquisition notes, hash log and handling documentation.
Timelines, communications maps and reconstructed activity records for use in evidence.
Factual account of collection and processing methodology.
Where an expert opinion on methodology or findings is required.
Referenced, paginated and cross-referenced to production bates ranges.
Whether you are responding to a regulator, preparing for disclosure, or scoping an internal investigation, start the chain of custody with a short, confidential conversation.