When email evidence matters — whether you need to prove an email is genuine, recover deleted messages, or organize a large set of messages for a court case — we handle the work from start to finish.
Every email carries hidden routing information that proves where it came from and when. We examine that information to confirm whether an email is genuine or has been faked, altered, or backdated.
We search through saved email archives from Outlook, Apple Mail, Thunderbird and Gmail — including in other languages — to find specific conversations, attachments, or evidence.
For Microsoft 365 and Google Workspace accounts: we reconstruct sign-in history, mailbox activity and any tampering — useful when an account may have been broken into or used without permission.
When someone breaks into a company email account and uses it to redirect a payment or steal information, we figure out how they got in, what they did and how to prove it.
When one party says an email is fake, altered, or sent at a different time than claimed, we examine the evidence and produce a clear report a court can rely on.
Workplace chat platforms — Slack, Microsoft Teams and similar tools — also contain evidence. We collect and organize that content so it can be used like email evidence.
Messages emptied from Trash, purged from Recoverable Items, or wiped from a mailbox during an investigation. We recover them where the underlying storage still holds the artifacts — workstation mailboxes, server-side journals, cloud audit logs and cached copies.
We gather email and digital files from laptops, phones, cloud accounts and shared drives in a way that protects them as legal evidence — from the moment we receive them to the moment they reach the courtroom.
We process large volumes of email and documents into searchable form so lawyers can review only the messages that actually matter, instead of all of them. Predictable pricing based on data size.
Before lawyers spend time reading every document, we use software to filter out duplicates and identify what's likely relevant — usually cutting the review pile by more than half.
We deliver the final set of documents in the format the court requires — properly numbered, redacted where needed and accompanied by everything counsel needs to use them as exhibits.
A lawsuit or investigation is starting and you need to protect the relevant emails across multiple people and accounts — before anything gets deleted or changed.
An email is being used as evidence and the other side says it's fake or altered. We examine it forensically and produce a clear report on whether it's genuine.
A Microsoft 365 or Google account has been broken into. You need to know what happened, how it happened, what they accessed and how to prove it.
A court, regulator, or opposing counsel has asked for emails as evidence. We collect them properly, organize them and deliver them in the format required — on deadline.
You have tens of thousands of emails to go through. We filter, deduplicate and identify which ones are actually relevant — saving most of the review time.
A fraudulent wire transfer traces back to a compromised executive mailbox. We reconstruct the intrusion, identify the attacker's persistence and produce reports for insurer and counsel.
Plain-language answers to the questions clients ask about email evidence, deleted messages and court-required email production.
Mostly yes, but not always. DKIM signs the body and selected headers — anything outside that is not protected. SPF verifies the sending IP matches the From-domain's policy, but doesn't cover forwarding paths. DMARC ties them together with reporting.
We cross-verify the full Received: chain, the source IP's reputation, the message-ID structure and infrastructure pivots. An email can pass authentication and still be compromised (via OAuth abuse or mailbox takeover) — that's a different question than "is the signature valid."
Often, yes. PST and OST files contain internal slack and journal structures that retain deleted messages until the file is compacted. We use aid4mail, OST/PST viewers and custom parsing to extract deleted items.
If the user emptied the Recoverable Items folder and the file was compacted, recovery becomes file-system-level — we'd carve the host disk for PST fragments.
Sequential exhibit numbering applied to every page of a litigation production (e.g., DRL-0000001 through DRL-0001247). It lets opposing counsel and the court refer to specific pages unambiguously.
Required for almost all civil and commercial litigation productions in Canada and the US. We stamp Bates ranges per document with branded prefixes and produce a load file (DAT, OPT, LFP) compatible with Relativity, Everlaw, Reveal, Logikcull and Casepoint.
Yes — both have native eDiscovery exports.
Slack: enterprise plans support the Discovery API, exporting messages, threads, DMs, channel files and Huddle metadata in JSON. Teams: covered by M365 eDiscovery (Standard or Premium) — messages, attachments, meeting recordings and 1:1 calls. We collect, dedupe, threading-reconstruct and Bates-stamp.
Two layers. Legal Hold: a documented preservation notice to custodians and IT. Technical Hold: enable Litigation Hold in M365 (preserves indefinitely even if user deletes), or Vault Hold in Google Workspace, or platform-specific holds in Slack / Teams.
Once the hold is in place, collection happens through licensed export tooling that preserves metadata. We document each step for defensibility under Sedona Canada principles.
Forensic analysis asks: is this email what it claims to be? Did the sender actually send it? Was it altered? Answers authenticity, reconstruction, source attribution.
eDiscovery asks: among these 84,000 emails, which are responsive to the litigation issues? Answers volume reduction, relevance, privilege and production format.
We do both, often together — forensic-grade preservation feeding an eDiscovery review.
Partially. We pull the full header chain and identify the X-Originating-IP, mail-from path and infrastructure pivot. From there we cross-reference threat-intelligence databases for known phishing-kit infrastructure.
Tracing to a specific individual usually requires law-enforcement cooperation with the upstream provider (since the attacker often uses anonymized infrastructure). We give counsel the technical pivot points and document everything for an MLAT request or civil subpoena.
