What can be recovered from a computer?

Deleted files, browsing history, USB device history, login records, document edits, email, chat logs, encrypted container hints, network connections and many other artefacts. The exact picture depends on the operating system, storage type and how long ago the activity occurred.

Can you recover deleted files after a drive has been emptied or formatted?

Frequently, yes. Until storage is overwritten, deleted records remain on disk and can be carved back using forensic tools. SSD TRIM and full-disk wipes reduce success — we'll tell you what's realistically recoverable before you commit.

Do you handle encrypted drives like BitLocker or FileVault?

Yes — where there is lawful authority and either the recovery key, the user's credentials or a viable forensic path. We do not perform brute-force attacks on third parties' personal devices outside lawful scope.

Can you image a running server without taking it offline?

In most cases, yes. We perform live, write-controlled imaging of physical and virtual servers, including ESXi and Hyper-V snapshots, with minimal disruption to operations.

Will the evidence stand up in an Australian court?

Yes. Every acquisition is hash-verified, write-blocked where applicable, and documented with chain of custody to Australian court evidentiary standards. We provide expert witness testimony when required.

How long does a computer forensic examination take?

Simple matters can be turned around in a few business days. Complex, multi-system investigations or large data volumes take longer. We provide an estimated timeframe after intake.

How do I get started?

Send a brief through our contact form. A licensed investigator will reply within one business day with a clear scope, fixed-fee quote and timeframe.

Computer Forensics · Australia & New Zealand

Hard drives, memory,
network traces —
pieced together.

We image computers and servers, recover deleted records, reconstruct user activity and produce reports that withstand cross-examination — across Windows, macOS, Linux and virtualised infrastructure.

Request a free consultation +61 498 881 303

Coverage: Windows · macOS · Linux
Capacity: Petabyte-scale matters
Reports: Hash-verified, court-ready

What We Examine

Every artefact a system leaves,
on a single timeline.

Modern computers leave traces in dozens of places — disk, memory, registry, logs, sync services. We work each one methodically and reconcile them into a single chronological view a court can follow.

Layer01

Forensic disk imaging

Bit-for-bit acquisition of HDDs, SSDs, NVMe and removable media — write-blocked, hash-verified, defensible.

Layer02

Live memory capture

RAM acquisition for credentials, encryption keys, running processes and malware indicators that vanish on shutdown.

Layer03

Deleted file recovery

Carving, MFT and journal analysis recover deleted documents, images and records — even after wipe attempts.

Layer04

Network & endpoint logs

Firewall, proxy, DNS, EDR and Windows event logs reconstructed into a single defensible timeline.

Layer05

Encrypted volume analysis

BitLocker, FileVault, VeraCrypt and APFS encrypted containers — examined where lawful keys or recovery is possible.

Layer06

Email & document review

PST, OST, mbox and Exchange archives parsed and searched at scale, with full metadata and attachments preserved.

Platform Coverage

Whatever the system,
we have a method.

From a single laptop to a clustered virtual environment — we work to the highest forensic standard the platform and its security state allow.

Windows01

Windows 7 → 11 · Server

NTFS, ReFS, registry hives, $MFT, USN journal, Event Logs, ShimCache, AmCache and SRUM analysed end-to-end.

NTFS
Registry
Event Logs

macOS02

Intel & Apple Silicon Macs

APFS imaging, FileVault handling where lawful, Unified Logs, KnowledgeC, Spotlight metadata and Time Machine analysis.

APFS
Unified Logs
Time Machine

Linux & Unix03

Servers & workstations

ext4, XFS, ZFS, journald, auditd and bash history — with LVM and encrypted volume reconstruction.

ext4 / XFS
journald
auditd

Servers04

Physical, virtual & RAID

Onsite imaging of running servers, ESXi and Hyper-V snapshots, RAID 0/1/5/6/10 reconstruction.

ESXi
Hyper-V
RAID

The Toolkit

Court-grade software,
written-into-record practice.

Our examinations are built around industry-standard forensic platforms — write-blocked acquisition hardware, validated imaging tools, and analytical suites used by Australian law enforcement and corporate investigators.

Every step is documented. Every file is hashed. Nothing is opened on a live drive. The output is an exhibit pack a magistrate, judge or arbitrator can rely on.

File systems

30+

RAM capture

Live & paged

Encrypted volumes

BitLocker · FileVault

Reports

Hash-verified

The Process

Calm, methodical,
court-grade from intake.

Step01

Intake & scoping

Confidential brief, lawful authority confirmed, devices and custodians scoped, fixed-fee quote provided.

Step02

Forensic acquisition

Write-blocked imaging onsite or in our lab. Hashes captured. Chain of custody opened.

Step03

Analysis & reconstruction

Artefacts parsed, deleted data carved, timelines and user activity reconstructed across systems.

Step04

Court-ready report

Plain-English findings with annotated exhibits. Expert testimony available where required.

Frequently Asked

Computer forensics, plainly explained.

Request A Consultation

Send A Brief.
We'll Take It From There.

Every enquiry is read by a licensed investigator and treated in strict confidence.