Digital Forensics and Breach Response, Built for Court

Digital forensics is the scientific process of identifying, preserving, analyzing, and presenting electronic evidence in a manner that is legally admissible and technically defensible. Every modern legal dispute and security incident involves digital evidence - emails, server logs, packet captures, cloud-account activity, browser history, financial records, ransomware notes, on-chain transactions, and the artifacts that operating systems write to disk without users ever knowing. The question is not whether digital evidence exists, but whether it can be collected, analyzed, and presented in a way that courts, regulators, and cyber insurance carriers will accept.

Petronella focuses where our credentialed bench is strongest: incident response for active and post-breach environments, network and server forensics for breach timeline reconstruction, malware reverse-engineering for ransomware and persistence-mechanism analysis, cloud-account compromise investigation across Microsoft 365 and Google Workspace, crypto forensics for theft, pig butchering, and SIM-swap-enabled fraud, BYOD breach response on corporate-owned and managed mobile devices, and expert testimony for matters our team has personally worked. Our forensic posture is conservative by design - we collect and document what is defensible, and we say so explicitly when a request falls outside our credentialed scope.

When a matter requires services we do not offer in-house (consumer iPhone extraction, traditional large-firm e-discovery with Relativity or Everlaw, custody-litigation phone imaging, licensed private investigation), we refer to vetted partners. That referral discipline is part of why our findings hold up - we do not stretch our credential to cover work our toolchain was not built for. Honest scope is admissible scope.

If your matter sits in the "We Do Not Do" column, we will tell you immediately and route you to a partner whose tooling fits. Our refusal to overstep is a feature, not a limitation.

Hour 0 - 2 (intake and scoping). An initial scoping call within two business hours of contact (24 / 7 for confirmed active incidents). Counsel, IT lead, and insurer (if applicable) on the line. We confirm what is happening, what is at stake, and the immediate evidence-preservation steps to take before our team arrives or remote-connects. No engagement letter required for the first call - we will not sit on advice you need now.

Hour 2 - 24 (preservation and triage). Engagement letter and forensic-services agreement signed. Remote evidence capture begins immediately where the environment supports it; on-site arrival within one business day for matters that require physical imaging in our Raleigh, NC lab. Volatile-memory capture, host imaging, log preservation, and chain-of-custody opening all happen in this window.

Day 2 - 14 (analysis and timeline). Forensic analysis on imaged evidence. We work on copies, not originals. Findings are correlated across host, network, and cloud sources before they are recorded. Status calls cadence to client preference - daily for high-pressure matters, twice-weekly for standard investigations.

Day 14 - 30 (reporting and remediation). Technical findings report and executive summary delivered. If the matter requires regulator notification, the supporting evidence pack is produced in parallel. Hardening recommendations - tied to our cybersecurity, penetration testing, and compliance practice areas - close out the engagement and feed into any post-incident control upgrade.

Long-tail (testimony and follow-up). If the matter heads to litigation, deposition, or arbitration, Craig provides expert-witness testimony on the findings. We accept testimony engagements only on matters our team personally worked - a posture that has held through every cross-examination.

Evidence destruction by good intentions. The most common way evidence dies is not malice. It is an IT team trying to restore service. A helpdesk admin who reboots a compromised server because it is acting strange has just wiped volatile memory - the only place certain rootkits, in-memory implants, and credential-theft artifacts live. A sysadmin who copies log files to investigate has changed their access times. A well-meaning controller who hits "restore from backup" on a ransomware-encrypted host has eliminated the encryption key recovery path. None of those people intended to destroy evidence. All of them did. DFE discipline begins with telling the IT team, in the first phone call, what not to touch.

Chain of custody is a documentation problem, not a technology problem. The court does not care which forensic suite was used. The court cares whether the examiner can prove, by documentation, that the bits on the analysis disk are the same bits that were on the source disk at the moment of collection. That requires write-blocking hardware (so the source cannot be modified), dual-hash baselining (so the integrity can be proven), and a continuous custody log (so every touch is recorded). Get any of those three wrong and the opposing counsel has a Daubert challenge. Get them right and the methodology does not become the issue.

The "preserve everything" instinct is wrong. The opposite is also wrong. Either extreme breaks an investigation. Preserving everything ($) and then asking what to look for ($$$$$) is how forensic budgets balloon to seven figures and produce nothing useful. Preserving only what someone thought to look for is how the smoking gun ends up overwritten by a routine rotation. Forensic scoping is a triage skill - know the realistic data-loss volumes, the realistic retention windows, the cost of imaging this versus that source, and the realistic value of what each source can prove. That triage is the DFE credential's day job.

Insurance and regulatory deliverables have specific formats. Cyber insurance carriers want a specific evidence pack to validate a claim. State breach-notification laws have specific 4-factor risk-assessment frameworks. The HIPAA Breach Notification Rule has a specific risk-of-compromise standard. The 72-hour DFARS 252.204-7012 reporting clock has a specific DIBNet submission template. PCI DSS has a specific Card Brand reporting path. A generic IT investigation memo does not meet any of these formats. The forensic deliverable has to be built to the downstream audience or the engagement was wasted budget.

Testimony is the final filter. An expert witness who cannot defend the methodology under cross-examination has destroyed the case the firm spent six months building. Craig's testimony posture is conservative on purpose - he will testify on what he investigated, with the documentation he produced, against the methodology he can defend. He will not "borrow" credentials, will not stretch a finding past what the evidence supports, and will not testify on matters we did not personally work. That posture is why we win cross-examinations more than we lose them.

Counsel preparing for litigation. Attorneys at NC law firms reach us when a client matter hinges on digital evidence: a misappropriated customer list, an employee who took source code, an insurer dispute over a breach claim, a regulator inquiry. We work directly with law firms and litigation counsel, often under privilege, with deliverables structured for the case's downstream needs.

CFOs and controllers after a wire-fraud event. Business Email Compromise is now one of the most common entry points to our practice. A controller gets a "vendor banking-change" email, the wire goes out, and within hours the money is gone. We work the Microsoft 365 or Google Workspace side to identify the mailbox compromise, the malicious rules, and the OAuth grants that let the attacker watch the conversation - findings that support insurance claims, FBI IC3 reports, and any civil action against the recipient bank or mule.

IT leadership during an active ransomware or breach incident. CIOs and IT directors reach us when an incident has outgrown what the internal team can run alone. Our role: bring forensic discipline to a response that is already in motion, preserve evidence the response is at risk of destroying, and produce the documentation insurers and regulators will demand.

HIPAA covered entities facing a breach determination. Healthcare providers, dental practices, and behavioral-health groups reach us when an event raises the question of whether a reportable HIPAA breach occurred. Our work covers the forensic determination, the 4-factor risk assessment evidence pack, and coordination with HIPAA counsel on the 60-day notification clock. See our HIPAA compliance practice for the prevention layer.

DoD contractors triggering a CMMC or DFARS incident report. A contractor with CUI in scope hits an incident, and the 72-hour DFARS 252.204-7012 reporting clock starts. Our DFE-led forensics work supports the DIBNet submission, the CMMC remediation path, and our broader CMMC compliance consulting on the post-incident posture.

Individuals and family offices after a crypto-theft or SIM-swap event. Crypto theft is rarely a single-event problem - SIM-swap, pig butchering, romance scam, exchange hack, wallet drain. We work the on-chain and account-side of the incident, identifying destination wallets, mixer hops, exchange chokepoints, and the realistic ceiling on recovery. See crypto forensics and scam recovery for engagement detail.

"It is too late, the system has been rebooted." Sometimes. Often not. Reboots destroy volatile memory and running-process state, but the on-disk evidence - logs, registry entries, file-system journals, application artifacts, browser history, cloud-tenant audit records, network telemetry on adjacent devices - is still there in most cases. The right question is not "has anything been touched" but "what is the realistic evidence picture given what has happened so far." We answer that question on a scoping call, not on a flat assumption.

"We have backups, so we have the evidence." Backups are not forensic copies. A backup captures intentional data; a forensic image captures every sector including allocated, unallocated, slack, and journal regions where the most useful forensic artifacts live. Backups also typically rotate the original data out of the analysis window. Backups are useful for recovery. They are rarely sufficient for forensic causation analysis.

"The IT team can handle this." Sometimes. For low-impact, non-litigation, non-regulator matters where no insurer is involved, internal IT response is often appropriate. The moment any of the following appears - litigation hold, regulator inquiry, insurance claim, HIPAA / DFARS / GLBA reporting obligation, employee misconduct dispute, intellectual-property theft, wire fraud over a meaningful threshold - the answer flips. At that point the question is not whether IT can do the work. It is whether the work can survive Daubert.

"You can recover the crypto we lost." Sometimes, partially. More often, the realistic ceiling is on-chain attribution, exchange-chokepoint identification, and a defensible loss documentation pack that supports an IRS theft-loss filing, an insurance claim, an FBI IC3 report, or civil action. The recovery-rate claims that flood crypto-theft search results are often misleading. We will give you an honest read on feasibility before we ask for a retainer.

"This is the same as IT security." Different disciplines, overlapping toolchains. Security is about preventing the bad event. Forensics is about reconstructing the bad event after it happened, in a way that holds up to scrutiny. The two practices share infrastructure - we run our forensic lab inside our broader cybersecurity and managed XDR practice - but the credentials, methodology, and deliverable formats are different. Treating forensics as a side-project of an IT engagement is how findings get challenged at the worst possible moment.