A resignation to a competitor, a returned laptop, and one question: did company data leave with them? An evidential investigation in OSForensics.
A Bristol company contacted us after a salesperson resigned to join a direct competitor. They suspected — but couldn't prove — that the client database and current price lists had been copied before the laptop was handed back. They needed a defensible answer to one question: had company data left the building, and if so, how? Our job was to find out and to document it to a standard their solicitors could rely on.
Forensic work lives or dies on the integrity of the evidence, so the first step was to image the returned Windows 10 laptop through a hardware write-blocker, producing a hash-verified .E01 image (we use the PC3000 for acquisition where a drive is at all unstable). The original was bagged and stored; every subsequent step was performed against a mounted, read-only copy. We ran the whole investigation in OSForensics with its case audit trail switched on, so that every action we took was logged and tamper-evident.
OSForensics builds a “super timeline” of user and system activity, and that is where the picture came together. Its USB history — reconstructed from the Windows event logs and the USBSTOR registry keys — showed a SanDisk flash drive connected on the evening two days before the resignation, with its serial number and its first and last connection times. The file-activity timeline placed the export of the client database and several price-list spreadsheets minutes before that connection. Indexing the user's mailbox (the OST archive) surfaced two messages sent to a personal address with a price list attached, and the browser history showed a sign-in to personal webmail and an upload to personal cloud storage in the same window.
The user had also deleted the local copies afterwards — but “deleted” rarely means gone. Using OSForensics' deleted-file carving, including recovery from carved MFT records, we pulled the removed database export back out of unallocated space, confirming exactly what had been copied.
OSForensics produced a full, hash-verified report: the USB device and its timestamps, the file-copy timeline, the outbound emails, the cloud upload and the recovered deleted exports, all tied to a secure audit trail. We handed it to the company's legal team as the evidence base for their next steps. Five working days, start to finish. We carry out workplace investigations only for the owner of the equipment, under written instruction.
OSForensics · PC3000 — imaging and recovery carried out in-house. Every job is imaged before any recovery work begins, and the original media is never written to.
Send us your device for a free diagnostic, and tell us a little about what happened — an engineer will review it and confirm your exact quote in writing before any work begins.
Recovering your data starts with getting the device to us. Pack it safely, add your contact details, and send it over — after we run a free diagnostic, we’ll confirm your exact price in writing before any work begins.
Posting it in? We recommend a tracked, insured service. Prefer to drop it off? You’re welcome Monday–Friday, 9am–5:30pm — please still package the device as above.
If you need more information on our data recovery service, fill out the form with more detail about your issue and an engineer will review it and give you a custom quote.
We’ll be in touch shortly. For anything urgent, call 0117 332 1137.
Yes — USB-device history, file-activity timelines, email analysis and deleted-file recovery, all preserved to an evidential standard.
We work on a hardware write-blocked, hash-verified image with a full audit trail, and produce a report suitable for solicitors or a tribunal.
From £800 plus VAT. We carry out workplace investigations only for the owner of the equipment, under written instruction.
Start with an instant online quote, or call and talk it through with us first. You'll have a clear, fixed price before any work begins.