A company suspected a departing employee had taken client data with him to a competitor. The evidence, if it existed, was on the laptop he had just handed back — and it had a shelf life. This is what a lawful forensic examination actually looks like: whose device, on whose authority, what the machine remembered, and where we drew the line.
Before a single sector was read, the question that decides whether forensic recovery can happen at all: who owns the device, and who has authority over it?
Here the answers were clean. The laptop was company property, issued to the employee, covered by the company’s own IT and acceptable-use policy, and handed back on his last day. The instruction came from the company, with their solicitor involved from the outset. That is company equipment examined under company policy — the textbook lawful basis, and the reason we could take the job.
The scope was then agreed in writing before any analysis began, which matters more than people expect. A forensic examination is not a fishing expedition; it answers defined questions. Ours were narrow: had client data been copied off this machine, by what means, and when?
The laptop was logged into a documented chain of custody the moment it arrived — who had it, when, and what was done to it, recorded at every step. It was connected through a write-blocker, so the original could be read but never altered, and a full forensic image was taken and hash-verified: a cryptographic fingerprint computed over the image and the source, proving the copy is identical to what arrived and that nothing changed under our hands.
Every subsequent step ran against a working copy of that image. The original drive was sealed and never touched again. That discipline is not ceremony — it is the difference between findings that survive a challenge in a tribunal and findings that are thrown out because the other side’s expert can show the evidence was altered while you looked at it.
What emerged was not one smoking gun but a pattern, drawn from the ordinary bookkeeping a Windows machine does without being asked. USB device history — the registry and setup logs record every mass-storage device ever connected, with first and last connection times. File and folder access artefacts — shortcut files, jump lists and shell records that show what was opened, and from where. Cloud client logs and browser history, showing what was synced and to which accounts. Installed software, including the arrival of a disk-wiping utility that had no business being on a work machine. Where files were password-protected or encrypted, they were opened with Passware Kit Forensic — the decryption suite we run for investigations, which searches the drive and, where a machine is seized while still running, its live RAM for keys and passwords that physically exist — strictly within the company’s authority over its own device. (Had this laptop been captured powered on rather than handed back shut down, a memory capture would have come first, before a restart could lose it.) And deleted-file recovery from unallocated space, which is where the wiping utility’s own good intentions ran out.
The timeline told the story: bulk access to client folders in the final fortnight, out of normal working hours; an external drive connected repeatedly in the same window; a wiping tool installed days before resignation and run shortly before the machine was handed back. Deleted material recovered from free space corroborated it.
The report was written in two parts, as they always are: a findings section in plain English that a manager or a tribunal panel can read, and a technical appendix recording the methodology, the hashes, the artefacts relied on and the raw evidence behind each conclusion. Where the evidence was ambiguous, it says so. Where an innocent explanation was possible, it says that too.
That last part is the whole job. A forensic examiner who tells the instructing client what they want to hear is not an expert — they are a liability, and the first competent cross-examination will prove it.
What we did not do: touch his personal phone, or his private email and cloud accounts. Those are not company property, no policy covers them, and accessing them without authority would be an offence. When asked, we said no — and the case was stronger for it.
The commonest way this evidence gets destroyed is not malice — it is IT re-imaging the laptop for the next starter, three days after the employee left. Take it out of service, power it down, and put it in a drawer. Every hour it runs, artefacts age out and free space gets overwritten.
Then talk to your solicitor, and let the examination be instructed properly. We work with business clients under NDA as standard, to a scope agreed in writing, under our ICO registration (ZC173784). The free diagnostic tells you whether there is anything worth examining before you spend a penny.