Windows forensic imaging
    Windows Forensics · Australia & New Zealand

    Windows Forensics,
    reconstructed in order.

    We image Windows desktops, laptops and servers, parse the registry and Event Logs, recover deleted records and reconstruct user activity — with reports that withstand cross-examination.

    Coverage
    Windows 7 → 11 · Server
    Method
    Write-blocked · Live
    Reports
    Hash-verified, court-ready
    What We Examine

    Every record Windows keeps,
    on a single timeline.

    Windows leaves traces in dozens of places — registry hives, Event Logs, $MFT, USN journal, ShimCache, AmCache, SRUM and browser history. We work each one and reconcile them chronologically.

    Layer 01

    Forensic disk imaging

    Bit-for-bit acquisition of HDDs, SSDs, NVMe and removable media — write-blocked, hash-verified, defensible.

    Layer 02

    Live RAM capture

    Memory acquisition for credentials, encryption keys, running processes and malware indicators that vanish on shutdown.

    Layer 03

    Registry & journal

    Registry hives, $MFT, USN journal, ShimCache, AmCache and SRUM analysed for execution and access history.

    Layer 04

    User-activity timeline

    Logon/logoff, shellbags, jumplists, prefetch, browser history and Recents reconstructed chronologically per user.

    Layer 05

    Email & document review

    PST, OST, mbox and Exchange archives parsed and searched at scale, with full metadata and attachments preserved.

    Layer 06

    USB & device history

    Every USB stick, external drive and connected peripheral documented — when, where and by which account.

    Windows Coverage

    Workstation, laptop, server —
    all imaged in lab or onsite.

    From a single laptop through to clustered virtual servers, we work to the highest forensic standard the platform and security state allow.

    01 · Desktop & laptop

    Windows 7 → 11

    NTFS, ReFS, registry hives, $MFT, USN, Event Logs, ShimCache, AmCache and SRUM analysed end-to-end.

    • NTFS
    • Registry
    • Event Logs

    02 · Server

    Windows Server

    Onsite imaging of running servers, Active Directory artefacts, IIS and SQL Server logs preserved.

    • AD
    • IIS
    • SQL Server

    03 · Virtual

    ESXi & Hyper-V

    Snapshot acquisition of virtual Windows hosts — minimal disruption to production environments.

    • ESXi
    • Hyper-V
    • Snapshot

    04 · Encrypted

    BitLocker

    Lawful examination where the recovery key, TPM unlock or credentials are available — including AD-recovered keys.

    • BitLocker
    • TPM
    • AD recovery

    The Approach

    Court-grade software,
    written-into-record practice.

    Our Windows examinations are built around industry-standard forensic platforms — write-blocked acquisition hardware, validated imaging tools, and analytical suites used by Australian law enforcement.

    Every step is documented. Every file is hashed. Nothing is opened on a live drive without a documented reason. The output is an exhibit pack a magistrate, judge or arbitrator can rely on.

    Versions

    Windows 7 → 11

    RAM capture

    Live & paged

    Encryption

    BitLocker

    Reports

    Hash-verified

    The Process

    Calm, methodical,
    court-grade from intake.

    Step 01

    Intake & scoping

    Confidential brief, lawful authority confirmed, devices and custodians scoped, fixed-fee quote provided.

    Step 02

    Forensic acquisition

    Write-blocked imaging onsite or in our lab. Hashes captured. Chain of custody opened.

    Step 03

    Analysis & reconstruction

    Registry, logs and journals parsed; deleted data carved; timelines and user activity reconstructed across systems.

    Step 04

    Court-ready report

    Plain-English findings with annotated exhibits. Expert testimony available where required.

    Frequently Asked

    Windows forensics, plainly explained.

    Request A Consultation

    Send A Brief.
    We'll Take It From There.

    Every enquiry is read by a licensed investigator and treated in strict confidence.

    Step 01

    You send a brief

    A short note about your matter — no detail required upfront.

    Step 02

    We reply within one business day

    From a licensed investigator, not a chatbot or call centre.

    Step 03

    If we're the right fit, we book a call

    Confidential. No obligation. Fixed-fee quote where possible.

    Confidential. Read by a licensed investigator. No call centres, no chatbots.