The way evidence is collected and analyzed determines whether it stands up later. Data Rescue Labs performs forensically sound acquisitions and deep examinations of Windows, macOS and Linux systems — producing findings that survive scrutiny in court, in arbitration and in front of regulators.
From a single laptop in a civil dispute to a multi-server breach investigation — we have a workflow built for it.
Computer forensics applies whenever a device's storage, activity logs, or memory hold evidence that must be preserved and presented with legal integrity.
No outsourcing, no gaps when a case spans platforms. Windows, macOS and Linux examined by the same credentialed examiners using the same court-tested methodology.
Common questions about Windows, macOS and Linux forensic examination in Canadian matters.
With the recovery key, yes — fully. We decrypt the image in place during analysis without modifying the original drive.
Without the key: limited to physical-level imaging plus memory forensics if the system was running when seized. RAM may contain decryption keys we can extract with court-validated memory-forensics tooling. If the device was powered off, key derivation requires the user passphrase, recovery key, TPM access (BitLocker), or device-specific T2/M-series exploit (Mac).
A lot more than disk forensics alone:
Running processes (including injected DLLs and rootkit-hidden processes), active network connections with remote IPs, encryption keys in memory (BitLocker, FileVault, VeraCrypt, encrypted messaging apps), browser session tokens and decrypted cookies, recently typed commands in shell history, cleartext passwords left in poorly cleared memory, and artifacts of deleted files still mapped by running processes.
Yes — multiple paths.
$MFT carving recovers files whose metadata still exists. USN Journal shows file creation, modification and deletion events. Volume Shadow Copies (snapshots) may contain older versions of deleted files. Pagefile / hiberfil.sys can yield fragments of recent documents. File-signature carving recovers files whose metadata is gone but data blocks remain on disk.
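The USN Journal evidence described above can be reconstructed record by record. The following is an added example, not Data Rescue Labs' tooling: a parser for USN_RECORD_V2 entries as found in `$UsnJrnl:$J`, run over a constructed three-record journal (the file name, MFT entry number 4211 and timestamps are made up) in which a spreadsheet is created, written and then deleted. It shows how a deletion event, its MFT record number and its exact time survive in the journal after the file itself is gone.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* bit values as defined in the Windows SDK (winioctl.h).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}

# USN_RECORD_V2 fixed header (60 bytes, little-endian): RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp,
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
USN_HEADER = struct.Struct("<IHHQQQQIIIIHH")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed sample journal."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_reasons(mask):
    return [name for bit, name in sorted(USN_REASONS.items()) if mask & bit]


def parse_usn_journal(buf):
    """Walk a $UsnJrnl:$J byte buffer and return one dict per USN_RECORD_V2."""
    records, offset = [], 0
    while offset + USN_HEADER.size <= len(buf):
        (rec_len, major, _minor, file_ref, parent_ref, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = USN_HEADER.unpack_from(buf, offset)
        # $J is sparse: zero-filled runs (and unknown record versions) are skipped 8 bytes at a time.
        if rec_len < USN_HEADER.size or major != 2:
            offset += 8
            continue
        name = buf[offset + name_off: offset + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            "mft_entry": file_ref & 0xFFFFFFFFFFFF,     # low 48 bits = MFT record number
            "mft_sequence": file_ref >> 48,             # high 16 bits = record reuse sequence
            "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
            "attributes": attrs,
            "reasons": decode_reasons(reason),
            "name": name,
        })
        offset += rec_len
    return records


def deleted_files(records):
    """Return (name, mft_entry, timestamp) for every FILE_DELETE event, oldest first."""
    hits = [(r["name"], r["mft_entry"], r["timestamp"])
            for r in records if "FILE_DELETE" in r["reasons"]]
    return sorted(hits, key=lambda h: h[2])


def build_usn_record(usn, when, reason, name, mft_entry, parent_entry, seq=1):
    """Serialize one USN_RECORD_V2 (constructed test data, not read from a real volume)."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (USN_HEADER.size + len(name_bytes) + 7) & ~7      # records are 8-byte aligned
    header = USN_HEADER.pack(rec_len, 2, 0, (seq << 48) | mft_entry, parent_entry, usn,
                             datetime_to_filetime(when), reason, 0, 0, 0x20,
                             len(name_bytes), USN_HEADER.size)
    return header + name_bytes + b"\x00" * (rec_len - USN_HEADER.size - len(name_bytes))


def sample_journal():
    """Constructed journal: a spreadsheet is created, extended, then deleted three hours later."""
    t0 = datetime(2024, 3, 14, 9, 30, tzinfo=timezone.utc)
    return b"".join([
        build_usn_record(0x1000, t0, 0x100 | 0x80000000, "Q3_Forecast.xlsx", 4211, 5),
        build_usn_record(0x1040, t0 + timedelta(minutes=2), 0x2 | 0x80000000, "Q3_Forecast.xlsx", 4211, 5),
        b"\x00" * 16,   # sparse gap, as seen between used regions of real $J data
        build_usn_record(0x1090, t0 + timedelta(hours=3), 0x200 | 0x80000000, "Q3_Forecast.xlsx", 4211, 5),
    ])


if __name__ == "__main__":
    for name, entry, ts in deleted_files(parse_usn_journal(sample_journal())):
        print(f"{ts.isoformat()}  MFT#{entry}  deleted  {name}")
```

The MFT entry number recovered from the FileReferenceNumber is what links a journal event back to the `$MFT` record (and, while that record is not yet reused, to the file's data runs on disk), which is why USN analysis and `$MFT` carving are normally done together.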
Shellbags are Windows Registry entries that track which folders a user has opened in Explorer and when. They persist even after the folder is deleted or the external drive is unplugged — meaning we can prove a user navigated to a specific path on a USB drive that's no longer connected.
Huge value in IP-theft cases: we can show which folders on a corporate share were accessed in the days before an employee left.
Several signals. CCleaner / BleachBit traces (registry entries, prefetch files, installer artifacts). Timeline gaps where logs were deleted but adjacent system journals show activity. Secure-delete tool execution (SDelete, Eraser, srm) detected via prefetch and registry MRU. Anti-VM / anti-debug artifacts in installed software. Telemetry, auditing or restore points disabled in a way that is inconsistent with normal user behavior.
The act of cleaning often leaves a more incriminating trail than the original artifacts would have.
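Two of the signals above, wiper execution left in Prefetch and a log silence that an untouched journal contradicts, can be checked mechanically. The following is an added example, not Data Rescue Labs' own tooling: it matches Prefetch file names (standard `NAME.EXE-HASH.pf` form) against the cleaning and secure-delete tools named above, and flags gaps in one event log only when a second, independent source recorded activity inside the gap, so an idle machine is not mistaken for a purged one. The Prefetch listing, hash suffixes and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Executable stems of the cleaning / secure-delete tools named in the text above.
WIPER_TOOLS = {"CCLEANER", "CCLEANER64", "BLEACHBIT", "SDELETE", "SDELETE64", "ERASER", "SRM"}


def find_wiper_prefetch(prefetch_names):
    """Match Prefetch file names (NAME.EXE-HASH.pf) against known wiping tools."""
    hits = []
    for pf in prefetch_names:
        upper = pf.upper()
        if ".EXE-" not in upper or not upper.endswith(".PF"):
            continue
        stem = upper.split(".EXE-", 1)[0]
        if stem in WIPER_TOOLS:
            hits.append((stem, pf))
    return sorted(hits)


def suspicious_log_gaps(log_times, journal_times, min_gap=timedelta(hours=4), min_activity=5):
    """Find silences in one log that overlap activity recorded by an independent journal.

    log_times:     timestamps of the surviving events in the log suspected of being purged
    journal_times: timestamps from a second source (e.g. the USN journal) the user did not touch
    A gap is reported only when the second source holds at least min_activity events inside it.
    """
    log_times = sorted(log_times)
    journal_times = sorted(journal_times)
    gaps = []
    for start, end in zip(log_times, log_times[1:]):
        if end - start < min_gap:
            continue
        activity = sum(1 for t in journal_times if start < t < end)
        if activity >= min_activity:
            gaps.append({"start": start, "end": end, "journal_events": activity})
    return gaps


def indicator_report(prefetch_names, log_times, journal_times):
    """Combine both signals into one list of human-readable findings."""
    findings = [f"wiper executed: {tool} ({pf})" for tool, pf in find_wiper_prefetch(prefetch_names)]
    for g in suspicious_log_gaps(log_times, journal_times):
        findings.append(f"log silent {g['start']:%Y-%m-%d %H:%M} to {g['end']:%H:%M} "
                        f"while the journal recorded {g['journal_events']} events")
    return findings


def sample_prefetch():
    # Constructed Prefetch directory listing; the hash suffixes are made up.
    return ["CHROME.EXE-5A6B7C8D.pf", "SDELETE64.EXE-1A2B3C4D.pf", "EXCEL.EXE-9E8F7A6B.pf",
            "CCLEANER64.EXE-0F1E2D3C.pf", "NOTEPAD.EXE-D83A9C1F.pf"]


def sample_timelines():
    # Constructed: the Security log has a 9-hour hole on 2024-03-14 while the USN journal is busy,
    # followed by an overnight silence in which both sources are quiet (normal idle, not a purge).
    day = datetime(2024, 3, 14)
    security = [day + timedelta(hours=h) for h in (8, 8.5, 9, 18, 18.5)]
    security.append(day + timedelta(days=1, hours=8))
    usn = [day + timedelta(hours=10, minutes=15 * i) for i in range(24)]   # 10:00 .. 15:45
    usn += [day + timedelta(hours=8, minutes=10), day + timedelta(hours=18, minutes=5)]
    return security, usn


if __name__ == "__main__":
    sec, usn = sample_timelines()
    for line in indicator_report(sample_prefetch(), sec, usn):
        print(line)
```

Real Prefetch files on Windows 10 and later are compressed and carry their own run timestamps and counts, which an examiner would add to the finding; the name match alone is the first, cheapest signal.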
Yes. APFS introduced new artifact sources: APFS snapshots (point-in-time filesystem state), FSEvents (filesystem change journal), Time Machine local snapshots, the Spotlight metadata index and unified logs (replacement for syslog with much richer detail).
For Macs with the T2 or M-series Secure Enclave, full-disk decryption requires the user password (or admin recovery). Live memory imaging with court-validated tooling can grab keys before shutdown.
Partially. We can do live forensics: memory capture, running-process snapshot, network connection state, syslog / journald extraction and command history. That covers most active-incident scenarios.
For a full forensic image of the disk, we need the system offline — or we use copy-on-write LVM snapshots to image while running, accepting that some inconsistency may exist for actively written files.
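The "network connection state" item in the live-forensics list above is usually captured by reading the kernel's `/proc/net/tcp` table directly rather than trusting `netstat` or `ss` binaries on a possibly compromised host. The following is an added example, not Data Rescue Labs' collection script: it decodes the hex-encoded endpoints the kernel prints (IPv4 addresses appear as little-endian 32-bit words), attributes each socket to its owning process through `/proc/<pid>/fd` symlinks when run live, and falls back to a constructed two-line table (the 10.0.2.15 and 203.0.113.34 addresses, inodes and UID are made up) so it runs offline.

```python
import os
import socket
import struct

# Kernel TCP state codes as printed in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}

# Constructed /proc/net/tcp content: a local DNS listener and one outbound HTTPS session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B6D4 227100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field):
    """'0100007F:0035' -> ('127.0.0.1', 53). The address is a little-endian hex word, so the
    bytes are reversed by unpacking it as '<I' before dotted-quad formatting."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        conns.append({
            "local": decode_endpoint(parts[1]),
            "remote": decode_endpoint(parts[2]),
            "state": TCP_STATES.get(int(parts[3], 16), parts[3]),
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return conns


def established_non_loopback(conns):
    """Established sessions with a non-loopback peer: the ones worth correlating with remote IPs."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED" and not c["remote"][0].startswith("127.")]


def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, argv[0]) by reading /proc/<pid>/fd symlinks. Live systems only;
    without root, sockets of other users' processes are simply not visible."""
    owners = {}
    if not os.path.isdir(proc):
        return owners
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                 # process exited, or not readable by us
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                inode = int(target[8:-1])
                try:
                    with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                        argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
                except OSError:
                    argv0 = "?"
                owners[inode] = (int(pid), argv0)
    return owners


def live_connections(proc="/proc"):
    """Read the real table and attribute each socket to a process; empty list if not on Linux."""
    path = os.path.join(proc, "net", "tcp")
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        conns = parse_proc_net_tcp(fh.read())
    owners = socket_owners(proc)
    for c in conns:
        c["pid"], c["process"] = owners.get(c["inode"], (None, None))
    return conns


if __name__ == "__main__":
    conns = live_connections() or parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for c in established_non_loopback(conns):
        print(f"{c['local'][0]}:{c['local'][1]} -> {c['remote'][0]}:{c['remote'][1]} "
              f"uid={c['uid']} inode={c['inode']} pid={c.get('pid')} proc={c.get('process')}")
```

The same approach extends to `/proc/net/tcp6`, `udp` and `unix`; the point of reading the tables this way during an incident is that the evidence comes from the kernel, and the collection itself writes nothing to the disk that will later be imaged.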