EnCE / GCFA / EnCEP examiners · court-tested · SWGDE-aligned

Computer forensics with a chain of custody that holds up in court

Civil litigation, internal investigations, insurance claims, regulatory matters. Court-tested examiners with EnCase, FTK, Magnet Axiom, and Cellebrite. Sworn declarations, deposition support, expert witness testimony when it goes to trial.

284 court-admitted reports · 18 yrs avg examiner tenure · Zero custody challenges sustained · 12 day median report turnaround

Same-day preservation engagements available. We can issue a written hold notice and deploy remote agents within hours. Physical imaging in-region (FL/GA/TN/Carolinas) inside 8 hours.

  • 284 court-admitted reports (federal and state, last 4 years)
  • 18 yrs average examiner tenure (across our senior bench)
  • Zero chain-of-custody challenges sustained against our work
  • 12-day median report turnaround (single-device examinations)

Service tiers

Three engagement shapes. One forensic standard. Pricing that doesn't change after acceptance.

A flat-fee single-device exam for HR or insurance work. Per-device pricing for larger investigations with timeline analysis. Custom litigation support when you need eDiscovery, depositions, and trial testimony. Every tier follows the same SWGDE and NIST SP 800-86 acquisition standards, with the same chain-of-custody discipline.

Single-Device Examination
One phone or one workstation. Flat fee, written report, sworn affidavit included.
$2,400/flat fee
12-day median turnaround
  • Forensic image with verified MD5 + SHA-256 hashes
  • Targeted exam scoped to your specific questions
  • Written report (typically 8 to 16 pages) suitable for HR action or insurance claim
  • Sworn affidavit attesting to methodology and findings
  • Original device returned with hash-verified copy retained for 7 years
  • Up to 1 hour of follow-up call with examiner included
Litigation Support
Full eDiscovery, expert witness, deposition and trial testimony for matters that go the distance.
Custom
Scoped by data volume + trial calendar
  • Everything in Multi-Device Investigation
  • FRCP Rule 26(f) consultation and ESI protocol drafting
  • Relativity, Reveal, or Nuix-hosted review platform with hosting included
  • Expert witness reports under FRE 702 with full Daubert/Frye briefing support
  • Deposition and trial testimony by an EnCE / EnCEP / GCFA-credentialed examiner
  • Mock-cross preparation sessions before testimony
The forensic stack we actually run · court-tested, vendor-known
  • EnCase: OpenText forensics
  • FTK: Exterro forensics
  • Magnet Axiom: Endpoint + cloud
  • Magnet Outrider: Triage scanner
  • Cellebrite UFED: Mobile extraction
  • Cellebrite Inseyets: Mobile analytics
  • Oxygen Forensic Detective: Mobile + cloud
  • Belkasoft Evidence Center: All-source analysis
  • Volatility: Memory forensics
  • Autopsy: Open-source corroboration
  • X-Ways Forensics: Deep file-system
  • Velociraptor: Live remote acquisition
Matter type / typical evidence / deliverable / timeline

What it actually looks like for the seven engagement types we run most often.

These are the patterns we see week in, week out. Pricing scales from the Single-Device flat fee for the simplest matters up through Litigation Support custom pricing for full trial work.

| Matter type | Typical evidence | Deliverable | Timeline |
|---|---|---|---|
| Civil litigation | Workstations, phones, cloud accounts (M365, Google Workspace, Slack) | Sworn report + deposition support | 4 to 8 weeks |
| Insider investigation | Employee device, email, USB activity, browser history | Written findings memo | 2 to 4 weeks |
| Insurance claim | Ransomware-encrypted drives, log files, backup metadata | Chain-of-custody report for carrier | 2 to 3 weeks |
| Wage / hour / non-compete | Laptop, USB activity, cloud sync logs, after-hours timestamps | Sworn declaration for filing | 3 to 5 weeks |
| Regulatory matter | Full-disk images, log files, communications archives | Regulator-formatted report (HHS, SEC, state AG) | 6 to 10 weeks |
| Criminal defense | Full-disk imaging, mobile device imaging, cloud account preservation | Expert witness report + trial testimony | 8 to 16 weeks |
| IP theft | Workstation, email, cloud accounts, version control, build artifacts | Detailed timeline + expert testimony | 4 to 8 weeks |

For matters where evidence is at imminent risk of destruction, we offer same-day preservation engagements. Call (888) 574-5120 directly.

Case file · anonymized

Departing VP, 78GB to a personal Dropbox, and a TRO inside two weeks.

A 1,400-employee manufacturer in Detroit, MI suspected their VP of Engineering had taken proprietary CAD files and supplier pricing to a competitor. Counsel called us at 9:14 AM. We were on site by 2:30 PM the same day. Names changed, file sizes and outcome real.

Civil · IP theft · Resolved · $4.2M settlement

"Cordova Manufacturing" · 1,400 employees · Detroit, MI

Tuesday 09:14 EST · matter type: trade-secret misappropriation · subject: VP of Engineering, resigned 6 days earlier to join named competitor
  1. 09:14 Outside counsel calls. Engagement letter countersigned by 09:42 under attorney work-product privilege. Preservation hold notice issued by 10:00.
  2. 14:30 Senior examiner on site at Cordova HQ. MacBook Pro M2 and iPhone 15 Pro received from IT under signed custody form, photographed, hashed, sealed.
  3. 15:08 Imaging begins. MacBook via target disk mode and Magnet Axiom, iPhone via Cellebrite UFED full file-system extraction. Both with verified MD5 + SHA-256 hashes.
  4. 20:46 Imaging complete in 5 hours 38 minutes. Original devices re-sealed and returned to client custody. Working copies shipped to Tampa lab via tracked custody chain.
  5. Day 3 Analysis identifies 78.4 GB transferred to a personal Dropbox account between Sept 12 and Sept 21. Files include CAD source files, supplier pricing, and a customer pipeline export.
  6. Day 5 Sworn declaration delivered to counsel. 32-page exhibit with file-level evidence, transfer timestamps, and IP geolocation. Counsel files for TRO and expedited discovery the same afternoon.
  7. Day 11 TRO granted. Competitor agrees to forensic inspection of subject's new work device. Magnet Axiom Cyber pulls remote image; analysis confirms presence of Cordova IP on competitor's machine.
  8. Day 47 Settlement reached: $4.2M paid to Cordova, all infringing materials destroyed under court-supervised wiping with our examiner overseeing. Subject barred from competitor for 18 months.
Outcome: Imaging on the same day, declaration in counsel's hands by Day 5, TRO granted by Day 11, $4.2M settlement by Day 47. Total forensic engagement billed: $87,400, all of which was recovered as part of the settlement under the prevailing-party fee provision in Cordova's employment agreement.
Standards, certifications, frameworks

The acronyms judges, opposing counsel, and regulators actually look at.

Forensic work that doesn't survive cross-examination is worse than no work at all. Every report we deliver is built on the standards below, and every senior examiner on our bench holds the certifications that opposing counsel will cite in their challenge.

FRCP Rule 34
Federal Rules of Civil Procedure governing production of electronically stored information. Our protocols align with Rule 34(b) form and reasonable accessibility analysis.
FRE 702 expert
Federal Rule of Evidence 702 admissibility standard for expert testimony. Our examiners qualify as experts under the four-prong test.
Daubert standard
Methodology testable, peer-reviewed, with known error rates and accepted in the relevant scientific community. Zero successful Daubert challenges to date.
EnCE certification
EnCase Certified Examiner. The OpenText vendor certification opposing counsel knows by name. All senior examiners hold current EnCE.
GCFA
GIAC Certified Forensic Analyst. SANS-issued credential focused on advanced incident response and forensic analysis.
EnCEP
EnCase Certified eDiscovery Practitioner. Distinct from EnCE, focused on eDiscovery workflow and ESI handling.
SWGDE guidelines
Scientific Working Group on Digital Evidence. Best-practice guidance for acquisition, examination, and reporting that courts cite directly.
NIST SP 800-86
NIST Guide to Integrating Forensic Techniques into Incident Response. The standard our acquisition workflow is built against.
The humans who testify

The examiners whose names show up on the report, and on the witness stand.

Our forensics bench sits across Tampa, Orlando, Chicago, Atlanta, and Detroit. Three of our senior examiners have sworn deposition or trial testimony in 47 matters over the past three years. Each examiner CV is available for vetting before engagement.

  • Marcus Chen · Director of Forensics · Atlanta · EnCE, EnCEP, GCFA, CCSP
  • Miguel Santos · Senior Forensic Examiner · Orlando · EnCE, GCFA, CISSP
  • Priya Venkatesh · Mobile & Cloud Forensics Lead · Tampa · CCO, CCPA, GCFA, OSCP
  • Deandre Williams · eDiscovery Project Lead · Chicago · EnCEP, CISA, RCA
  • Aisha Khan · Forensic Analyst · Orlando · GCFE, GREM, CIPP/US
  • Jordan Reyes · Counsel Liaison & Expert Witness · Tampa · EnCE, CFE, CPA
FAQ · the questions counsel asks first

Five questions. Honest answers.

Will your reports actually hold up in court?

Yes. We've had 284 reports admitted into evidence over the past four years across federal and state courts, and zero chain-of-custody challenges sustained against us. Our examiners are EnCE-certified, GCFA-credentialed, and follow SWGDE and NIST SP 800-86 acquisition standards.

Every action against evidence is logged with cryptographic hashes (MD5 + SHA-256), examiner signatures, and timestamped custody transfers. We have never had a Daubert challenge succeed against one of our examiners' methodology. Pre-engagement CVs are available so opposing counsel can vet our credentials before deposition.

How fast can you image a device under chain of custody?

For an in-region device (Florida, Georgia, Tennessee, Carolinas) we can be on site within 4 hours and have a forensic image with verified hash inside 8 hours of the call. For out-of-region work we partner with a network of certified examiners and can typically have someone on site within 12 hours nationwide.

Cloud-based imaging starts within 1 hour of credential handover. M365 mailbox + OneDrive collection via Magnet Axiom Cyber, Google Workspace via Vault, Slack via enterprise export. We can issue a written preservation hold notice the same hour we are engaged.

Can you handle cloud accounts (M365, Google Workspace, Slack)?

Yes. Cloud forensics is a major and growing share of our work. We pull defensible exports from Microsoft 365 (mailboxes, OneDrive, Teams, SharePoint, M365 audit log, Purview eDiscovery), Google Workspace (Gmail, Drive, Vault), Slack (full workspace exports under enterprise agreement), Dropbox, Box, GitHub, and most major SaaS platforms.

We use Magnet Axiom Cyber as our primary unified cloud collection tool, with Cellebrite Cloud and the native vendor tools as cross-checks. All outputs are hash-verified and produced under chain-of-custody documentation that matches our physical-device workflow.

Do you provide expert witness testimony?

Yes. Three of our senior examiners (Marcus Chen, Priya Venkatesh, Jordan Reyes) have provided sworn deposition or trial testimony in 47 matters over the past three years across federal and state courts. We provide pre-engagement CVs for vetting, work directly with retaining counsel on declaration drafting, and prepare for depositions and trials with full mock-cross sessions.

Daubert/Frye briefing materials available on request. We can also provide rebuttal-expert services if opposing counsel has retained their own forensic examiner and you need a credentialed second opinion on their methodology.

What if we need to act today before evidence is destroyed?

Call (888) 574-5120 immediately. We treat preservation as a same-day engagement. We can issue a written preservation hold notice, deploy remote agents (Magnet Outrider, Velociraptor) to capture volatile data, and dispatch an examiner for physical imaging within 4 to 12 hours depending on geography.

Evidence destruction (whether deliberate, routine spoliation, or innocent rotation of laptops) is the most common reason a case falls apart. Acting in the first 24 hours dramatically changes what's recoverable. If counsel is not yet engaged, we can operate under a preservation-only retainer until counsel is in place.

Don't let evidence walk out the door.

The best forensic work in the world cannot recover what was wiped, factory-reset, or rotated out of a backup window. If you suspect evidence is at risk, the first 24 hours are the difference between a winnable matter and a stalled one. We can issue a written preservation hold notice and have remote acquisition agents deployed inside one hour of engagement.

Request a forensic preservation hold, or call (888) 574-5120.