Digital Forensics

Our forensics team facilitate a quick and timely response in all incident scenarios.

Recovering data and retrieving evidence from damaged and protected devices is a specialist skill. Sapphire’s experienced team of investigators can work with you in the case of an incident or critical system compromise, ensuring business continuity and guaranteed resilience.

Laptops, iPads and Computers

Mobile and Smartphones

Hard Drives / USB Drives

Digital Cameras


Cloud Environments

Networks & Servers

On-Line Storage


Our clients utilise a wide range of forensic services. Examples include: 

  • Unauthorised release of corporate information.
  • Destructive malware attacks, such as ransomware.
  • Theft of trade secrets or intellectual property.
  • Violations of policy.
  • Internet abuse.
  • Workplace misconduct.
  • Sexual harassment, deception, or negligence.
  • White-collar crime or criminal fraud.
  • Industrial espionage.
  • Damage assessment and analysis.

how we do it

An investigation conducted by one of our digital forensics experts typically consists of:

Scope: determine the objective of the investigation and ensure that the client’s unique search requirements are documented.

Data: image the data to protect and preserve evidence – safeguarding the integrity of your investigation.

Investigation: Relevant files are identified, data analysis is performed, evidence is collated, and your goals are achieved.

Reporting: comprehensive technical reports are provided with access to Sapphire’s team of investigators for insights into the findings.

what rules Sapphire follows

Sapphire’s forensic investigators follow the Association of Chief Police Officers (ACPO) guidelines.

The Sapphire forensic team was one of the first to be ISO 27001 certified in the UK, and our response procedures help organisations comply with required standards such as Mandatory Requirement No.37 of the Security Policy Framework (SPF), which is relevant to the public sector. Our team of expert investigators have a wealth of experience in supporting Local Government Authorities, NHS and Utilities.

What we look for during an investigation.

  • Deleted, hidden, or encrypted computer files. 
  • Passwords for encrypted or protected files.
  • Visited websites and internet history.
  • Uploaded, downloaded, deleted or accessed files.
  • Login & access timestamp.
  • Attempts to hide, destroy, or fabricate evidence.
  • Anomalies on network & servers.