Technical Forensics Services

Evidence that holds up. Investigation that answers the hard questions.

Digital forensic investigation across live systems, static media, network devices, cloud, mobile, and memory. Evidence preserved to criminal standards with documented chain of custody. Framework-agnostic methodology informed by leading digital evidence standards. Senior investigators, peer-reviewed analysis, and reports structured for legal, regulatory, and insurance use.

Digital evidence, handled correctly.

Digital forensics is the discipline of recovering, preserving, and investigating evidence from digital systems related to a security incident, insider event, or other matter that may require formal investigation. The work has been a recognized branch of forensic science since the early 1990s, and the standards that govern it (including ISO 27037 through 27043, ACPO guidelines, and evidentiary chain of custody requirements) exist because the consequences of getting it wrong are real: evidence excluded from legal proceedings, claims denied by insurance carriers, regulatory findings overturned on procedural grounds.

Armour Cybersecurity's Technical Forensics service is built around those standards. The team conducts forensic data collection across all major device types (live servers, desktops, and laptops with memory capture; cloud platforms; network devices including switches and routers; static computers and hard drives; mobile phones and smart devices). Investigation methodology spans the eight standard phases: first response, search and seizure, evidence collection, evidence preservation, data acquisition, data analysis, evidence assessment, and documentation and reporting. Every action is documented contemporaneously, every case is peer-reviewed, and every finding is delivered to evidential rigor sufficient for criminal proceedings.

Investigations are led by experienced senior consultants. Specialties include Microsoft, Linux, and Apple operating systems; memory analysis; file system analysis; mobile and smart device analysis; and data recovery. Many of the team have experience executing or being present at the execution of both criminal and civil warrants, and understand the practical realities of evidence handling beyond the textbook procedure. The result is forensic work that does what forensic work is supposed to do: answer the hard questions with evidence that holds up.

Multi-Standard
Methodology informed by the leading digital evidence standards (ISO 27037, ISO 27041, ISO 27042, ISO 27043, ACPO guidelines)
Criminal
Evidential rigor to criminal standards in all cases, with chain of custody discipline and peer review of all work

Improvised forensics vs. evidence that holds.

The difference between forensic work that delivers answers and forensic work that compromises the case usually comes down to whether the team had the discipline, the experience, and the methodology to handle the evidence correctly from the first action.

The Problem

Evidence that gets excluded. Investigation that does not deliver answers.

Internal IT shuts down the affected system before evidence is captured. Memory is gone. The attacker's tools left no trace on disk. Disk imaging is done without write-blockers. Chain of custody is not documented. The system administrator who first noticed the activity logged in to investigate, contaminating the evidence. The forensic report shows what the investigation found, but cannot establish how the evidence was preserved between event and analysis. The carrier rejects the claim. Counsel cannot use the findings in litigation. The investigation does not deliver the answers the organization needed.

The Solution

Evidence preserved to criminal standards, investigated by experienced specialists, peer-reviewed before delivery.

First response captures volatile evidence before it is lost. Acquisition is performed using forensically sound techniques with documented chain of custody. Memory, disk, network, cloud, and mobile evidence are collected with methods appropriate to each medium. Analysis is conducted in a controlled forensic environment. Every action is documented contemporaneously, and the investigation is peer-reviewed before the final report is delivered. The findings answer the hard questions with evidence that holds up to scrutiny from courts, regulators, carriers, and counsel.

What the engagement covers.

Nine integrated forensic capabilities across the investigation lifecycle. Each draws on the team's expertise in operating systems, memory analysis, file system analysis, mobile and smart device analysis, and data recovery.

01 / FIRST RESPONSE

First Response & Triage

Action taken immediately after the occurrence of a security incident, tailored to the nature of the event. Preservation of volatile evidence before it is lost. Identification of the systems and data in scope.

02 / LIVE COLLECTION

Live System Forensics

Forensic data collection from servers, desktops, and laptops while running, including memory capture to preserve volatile evidence (running processes, network connections, encryption keys, malware artifacts in memory).

03 / STATIC

Static Media Forensics

Forensic acquisition of computers, hard drives, and storage media using forensically sound techniques with write-blockers, hash verification, and full chain-of-custody documentation.

04 / CLOUD

Cloud Forensics

Forensic acquisition and analysis across major cloud platforms. Recovery of cloud audit logs, identity events, configuration history, and data access records appropriate to the platform and the investigation.

05 / NETWORK

Network Device Forensics

Acquisition and analysis of network device data including switches, routers, firewall logs, and traffic data, supporting reconstruction of network-level attack progression and lateral movement.

06 / MOBILE

Mobile & Smart Device Forensics

Forensic acquisition and analysis of mobile phones, tablets, and smart devices. Recovery of communications, location data, application artifacts, and deleted content where technically feasible.

07 / MEMORY

Memory Analysis

Specialist memory analysis to extract running processes, network artifacts, malware in memory, encryption keys, and indicators that disk-based forensics cannot recover after a shutdown.

08 / MALWARE

Malware Analysis & Reverse Engineering

Static and dynamic analysis of malicious software including Trojans, viruses, worms, APTs, ransomware, and blended threats. Identification of capabilities, persistence mechanisms, and indicators of compromise.

09 / REPORTING

Investigation Reporting & Testimony

Court-ready investigation reports with adequate and acceptable evidence for legal proceedings. Expert witness testimony support where required. Documentation structured for use with internal teams, regulators, and counsel.

Who this service serves.

Built for organizations and counsel whose matter requires digital forensic investigation conducted to a standard that holds up under scrutiny.

Organizations Responding to a Cyber Incident

Companies experiencing a security incident requiring forensic investigation to understand attack scope, identify exfiltrated data, and produce evidence for legal, regulatory, and insurance use.

Legal Counsel & Litigation Support

External counsel, internal legal teams, and breach counsel requiring forensic evidence preservation and investigation for civil, criminal, or regulatory matters.

Cyber Insurance Carriers & Policyholders

Cyber insurance claim investigations requiring documented forensic evidence to support coverage determinations, attribution, and claim quantum analysis.

Insider Threat & Workplace Investigations

Organizations conducting investigations involving employee misconduct, data theft, intellectual property disputes, or other matters where digital evidence supports the investigation.

A disciplined methodology across the eight standard forensic phases.

The investigation methodology follows the eight standard phases recognized in digital forensic science, mapped to leading digital evidence standards. The six methodology phases below consolidate those eight investigation phases into the engagement workflow.

1

First Response

Action performed immediately after a security incident. Identification of systems and data in scope. Preservation of volatile evidence (memory, network state, active sessions) before it is lost. Coordination with the broader response team.

2

Search, Seizure & Evidence Collection

Identification of devices and data sources involved in the incident. Forensically sound collection using established methods appropriate to each medium (live, static, network, cloud, mobile). Chain of custody initiated from first action.

3

Evidence Preservation & Acquisition

Secure storage of evidence in controlled forensic environment. Verification that collected data is accurate, authentic, and accessible. Retrieval of Electronically Stored Information (ESI) using methods that preserve evidential integrity.

4

Data Analysis

Examination, identification, separation, conversion, and modeling of acquired data to transform raw information into useful evidence. Analysis of attack vectors, malicious software, data access patterns, and indicators of compromise.

5

Evidence Assessment

Relating evidential data to the security incident or matter under investigation. Thorough assessment based on the scope of the case. Peer review of findings before they appear in the final report.

6

Documentation & Reporting

Comprehensive reporting and documentation of all findings. Report structured to provide adequate and acceptable evidence for legal proceedings, regulatory submissions, insurance claims, or internal use as appropriate to the engagement.

What the organization walks away with.

Nine integrated deliverables from the forensic engagement. Each is produced with chain-of-custody discipline, peer review, and evidential rigor sufficient for the use the engagement was scoped to support.

DELIVERABLE 01

Forensic Investigation Report

Comprehensive report covering the investigation methodology, evidence collected, analysis conducted, findings, and conclusions. Report structured to provide adequate and acceptable evidence for legal proceedings.

DELIVERABLE 02

Evidence Acquisition Documentation

Detailed documentation of evidence acquisition including methods used, tools applied, hash verification, and the specific procedures followed for each medium collected.

DELIVERABLE 03

Chain of Custody Records

Complete chain of custody documentation from first acquisition through analysis and reporting, structured to support evidential standards required by courts, regulators, and counsel.

DELIVERABLE 04

Malware Analysis Report

Static and dynamic analysis report for any malicious software identified, including capabilities, persistence mechanisms, indicators of compromise, and remediation guidance.

DELIVERABLE 05

Memory Analysis Report

Memory analysis findings including running processes, network artifacts, malware in memory, encryption keys, and other volatile evidence that disk-based forensics cannot recover.

DELIVERABLE 06

Data Loss & Exfiltration Analysis

Analysis of data accessed or re-routed through the network using log analysis, memory dumps, and open-source intelligence techniques to identify evidence of stolen data.

DELIVERABLE 07

Root Cause & Attack Vector Report

Identification of the attack vector and methods used, supporting both incident understanding and the organization's ability to prevent recurrence.

DELIVERABLE 08

Court-Ready Documentation Pack

Complete documentation pack suitable for use in legal proceedings, regulatory submissions, or insurance claims, with all evidence handled to criminal standards.

DELIVERABLE 09

Expert Witness Testimony Support

Where required, expert witness testimony support from the senior consultant who led the investigation, with the report and underlying evidence prepared for examination and cross-examination.

The numbers behind the work.

Founded by military intelligence veterans with senior advisors from PwC, KPMG, Deloitte, EY, and Mandiant. The track record reflects the discipline.

260+

Clients Served

Organizations across finance, healthcare, technology, energy, legal, and government trust Armour Cybersecurity to protect what matters.

97%

Client Retention Rate

Long-term engagements built on consistent quality, predictable delivery, and consulting relationships that compound in value over time.

52+

Industries · Worldwide Reach

Cross-sector experience spanning every major regulated industry, with operations supporting clients across North America, Latin America, and beyond.

80+

Cybersecurity Technology Solutions

A vetted catalogue of forensic tools and proprietary methods deployed in support of digital evidence acquisition, malware analysis, memory analysis, and investigation reporting.

Engage forensics that delivers evidence holding up to scrutiny.

Schedule a discovery call to scope an investigation, or contact us directly if you require immediate forensic engagement. Protecting What Matters starts with evidence preserved correctly.

Book Discovery Call

Frequently asked questions.

Common questions from CISOs, General Counsel, breach counsel, insurance carriers, and HR leaders evaluating a Technical Forensics engagement.

How is Technical Forensics different from Breach Response?
Breach Response is the broader incident handling engagement (triage, containment, eradication, recovery, communications). Technical Forensics is the specialized investigation workstream within or alongside that engagement, focused on evidence acquisition, preservation, analysis, and reporting to evidential standards. Many engagements involve both, with the Breach Response team handling containment and recovery while the Technical Forensics team handles the evidence and investigation.
What standards do you work to?
ISO 27037 (identification, collection, acquisition, and preservation of digital evidence), ISO 27041 (investigation process assurance), ISO 27042 (analysis and interpretation), ISO 27043 (incident investigation principles and processes), and ACPO guidelines (Association of Chief Police Officers, the foundational UK guidance still widely referenced internationally). Every engagement maintains evidence continuity and integrity throughout, with peer review of all work and documentation to criminal evidential standards.
What types of evidence can you acquire?
Live systems (servers, desktops, laptops with memory capture), cloud platforms across major providers, network devices (switches, routers, firewalls), static computers and hard drives, mobile phones and smart devices, and specialist memory analysis. The team handles Microsoft, Linux, and Apple operating systems, plus mobile platforms. Acquisition is non-destructive and uses forensically sound techniques appropriate to each medium.
Can your findings be used in legal proceedings?
Yes. Investigation reports are produced to a standard intended to provide adequate and acceptable evidence for legal proceedings. Chain of custody is maintained from first action, all evidence handling is documented contemporaneously, and the work is peer-reviewed before the final report is delivered. The senior consultant who led the investigation is available to support expert witness testimony where required.
Do you work with our breach counsel or insurance carrier?
Yes. Forensic engagements frequently coordinate with breach counsel (whether internal counsel, panel counsel from the cyber insurance carrier, or external firm) and with the cyber insurance carrier directly. Documentation is structured to support legal privilege requirements that counsel applies and the claim evidence the carrier requires. The team can also support carrier-led investigations where the carrier's panel forensics arrangement is in place.
How long does a forensic investigation take?
It depends on scope. A targeted single-device investigation can complete in days. A multi-device, multi-platform investigation typically runs weeks. Complex investigations involving cloud platforms, multiple time zones, or specialized analysis (memory, reverse engineering) can run longer. Scope and timeline are confirmed during engagement intake, with clear milestones and reporting cadence agreed before work begins.
Can you identify who was responsible for the incident?
In certain circumstances, yes. Attribution is most reliable in insider incidents or where the attacker leaves identifying artifacts. For external attacks, the investigation can typically identify the tactics, techniques, and procedures used (often mapping to known threat actor profiles), though identifying the specific individual or entity behind an external attack is rarely possible without coordinated law enforcement involvement. Realistic attribution scope is discussed during engagement intake.

Engage forensic investigation when it matters.

Reach out to scope a forensic engagement or engage emergency investigation support. Discovery calls are scheduled within two business days. Active incidents are escalated immediately.

Talk to Armour Cybersecurity.

📞
✉️
📍
Headquarters
77 Bloor St West, Suite 600
Toronto, ON, Canada

Request a discovery call.

Tell us about your situation. Indicate whether this is an active incident, an ongoing investigation, or proactive engagement scoping.