Digital forensic investigation
Our digital forensics experts preserve and analyse digital evidence under strict chain-of-custody protocols, with a free 3-hour diagnosis and court-admissible reports.
What is digital forensic investigation?
Digital forensic investigation (or computer forensics) is the discipline of collecting, preserving and analysing digital evidence within a legal or dispute resolution context. It is required whenever digital data must serve as evidence in court proceedings, arbitration or internal investigations.
Since 2006, SOS Data Recovery in Ins (Switzerland) has processed over 11,300 media and supported more than 8,000 clients. CyberSafe certified, a CyberSafe partner, and rated 4.5/5 on Avis Vérifiés (249+ reviews), our team ensures strict chain of custody compliance so that every piece of evidence is admissible in court.
Our areas of expertise cover internal fraud, industrial espionage, theft of sensitive data, malicious file deletion, as well as civil and criminal disputes requiring technical expertise. Our experts can be called to testify as expert witnesses before Swiss and European courts.
Our diagnosis is free and completed within 3 hours. You only pay if the data is successfully recovered (80% of cases). If you are facing a situation requiring a forensic investigation, contact us for a confidential consultation.
What types of forensic investigations do we perform?
What situations require a forensic investigation?
Are you facing one of these situations? Contact us for a confidential consultation.
Altered or falsified evidence
Modified documents, manipulated metadata or backdated files. Our forensic analysis identifies any alteration and establishes the true chronology of events.
Encrypted or locked device
Password-protected computer, BitLocker or FileVault encrypted disk, locked smartphone. Our specialised tools enable access to data within the legal framework.
Damaged storage media
Failing hard drive, broken USB stick or damaged server containing essential evidence. We recover data while preserving its evidentiary value.
Deliberately deleted data
Erased files, emptied recycle bin, deleted browsing history or formatted disk to destroy evidence. Our advanced techniques can recover data even after deletion.
Broken chain of custody
Digital evidence handled without protocol, uncertified copies or improperly stored media. We restore and document the chain of custody for court admissibility.
Judicial emergency or litigation
Ongoing proceedings with tight deadlines, court-ordered computer seizure or urgent internal investigation. Our team intervenes as a priority to meet legal deadlines.
How does data recovery work?
From free diagnosis to secure delivery — a transparent 4-step process, entirely performed in our Swiss laboratory.
Free diagnosis within 3 hours
Send your media by secure post, drop it at one of our 30 collection points across Switzerland, or bring it directly to our laboratory in Ins. Our team performs a full analysis within 3 hours of receipt — free and with no commitment.
Transparent quote before any work
You receive a detailed quote outlining the type of failure, recovery chances and exact cost. You approve before any work begins. Full payment on success — only attempt costs are charged if recovery fails.
Recovery under ISO 5 laminar flow
Our technicians work under ISO 5 certified laminar flow with specialised tools (PC-3000). Your data never leaves our Swiss laboratory, which is CyberSafe certified and a CyberSafe partner. Duration: 2 to 10 business days depending on complexity.
Secure delivery of your data
Your recovered data is delivered on a new encrypted drive, or via secure download according to your preference. Original media can be destroyed on request to guarantee confidentiality.
Frequently asked questions
Our specialists answer the most common questions.
Can data recovered during a forensic analysis be used as evidence in court?
Yes, provided that the analysis has been conducted according to recognized forensic standards. For digital evidence to be admissible in a Swiss or European court, several conditions must be met:
- Guaranteed data integrity — the original media has not been modified (use of a hardware write blocker during acquisition)
- Traceability of the chain of custody — documentation of each manipulation from seizure to analysis
- Cryptographic hashing — MD5 and SHA-256 hashes calculated at acquisition to prove integrity
- Certified expert report — written by an expert who can testify to their methodology
Our forensic reports are written according to ISO/IEC 27037 standards (identification and collection of digital evidence) and can be presented before Swiss and French jurisdictions.
How much does a data forensics analysis cost and what are the turnaround times?
The cost of a forensic analysis depends on the scope of the investigation, the type of media, and the level of urgency:
- Forensic acquisition only (cloning + integrity report): billed per media processed
- Complete analysis (acquisition + investigation + expert report): billed according to the complexity and volume of data to be analyzed
- Expert testimony in court: quoted based on duration and preparation required
Standard turnaround times are:
- Forensic acquisition: within 24 hours
- Standard analysis report: 5 to 10 business days
- Urgent report (imminent legal proceedings): 24 to 72 hours
A detailed quote is provided after a free evaluation of the case. Our rates are transparent and detailed in our quote — no hidden fees.
Is forensic analysis confidential? Who has access to the analyzed data?
Confidentiality is a fundamental principle of our forensic practice. We apply strict rules:
- Restricted access — only the technicians in charge of the case have access to the data. Each access is logged.
- Confidentiality agreement — an NDA (non-disclosure agreement) can be signed on request before any intervention
- Secure destruction — after submitting the report and with the client's agreement, the working copies are destroyed by certified secure erasure
- Hosting in Switzerland — all data remains in our laboratory in Ins (BE), subject to Swiss data protection law (LPD)
- CyberSafe Certification — our security practices are audited and certified by the CyberSafe label recognized by the Swiss Confederation
Is it possible to recover deleted data from a partially overwritten hard drive?
Partially, yes. Overwriting a hard drive does not instantly destroy all data. Several mechanisms allow for partial recovery:
- Partially overwritten files — if only the header or end of a file has been overwritten, the rest can often be reconstructed
- File carving — a forensic technique that searches for file signatures (magic bytes) directly in the raw sectors, regardless of the file system. Effective even after reformatting.
- Spare sectors and HPA zones — some drives keep copies in areas inaccessible during normal use
- Magnetic remanence — on older HDDs, traces of previous writes can sometimes be detected with specialized equipment
A secure overwrite with multiple passes (DoD 5220.22-M or Gutmann standard) makes recovery practically impossible. A simple quick format or a standard deletion is not enough.
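The file carving and partially overwritten file cases described above, as an added example (not code from SOS Data Recovery): a PNG carver that finds the magic bytes in a raw buffer and walks the chunk CRCs to decide whether each hit is complete or partial. The sample image and all function names are constructed for the illustration.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type + data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def make_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as sample evidence."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte + one pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def carve_png(raw: bytes):
    """Scan raw bytes for PNG signatures, ignoring any file system.
    Returns (offset, length, status); length covers only CRC-verified data."""
    hits, pos = [], raw.find(PNG_MAGIC)
    while pos != -1:
        cur, status = pos + len(PNG_MAGIC), "partial"
        while cur + 12 <= len(raw):
            (length,) = struct.unpack(">I", raw[cur:cur + 4])
            end = cur + 12 + length
            if end > len(raw):
                break  # chunk claims to run past the end of the image
            (crc,) = struct.unpack(">I", raw[end - 4:end])
            if zlib.crc32(raw[cur + 4:end - 4]) != crc:
                break  # overwritten or corrupt chunk: keep what verified so far
            ctype, cur = raw[cur + 4:cur + 8], end
            if ctype == b"IEND":
                status = "complete"
                break
        hits.append((pos, cur - pos, status))
        pos = raw.find(PNG_MAGIC, cur)
    return hits

def sample_image() -> bytes:
    """Constructed raw image: one intact PNG and one whose last 20 bytes were overwritten."""
    png = make_png()
    damaged = png[:-20] + b"\x00" * 20
    return b"\x00" * 512 + png + b"\xff" * 300 + damaged + b"\x00" * 100
```

Calling `carve_png(sample_image())` reports the intact file as complete and the damaged one as partial, with only its verified header and IHDR chunk counted.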
What is forensic data recovery and how does it differ from standard data recovery?
Forensic data recovery (or digital forensics) is a rigorous technical process that aims not only to recover deleted or hidden data, but also to preserve the chain of custody so that this data is admissible in court.
The main differences from standard data recovery:
| Criterion | Standard Recovery | Forensic Recovery |
|---|---|---|
| Objective | Recover data | Recover + document + certify |
| Footprint on the media | Minimal but undocumented | None (write-blocker cloning) |
| Chain of custody | Not required | Mandatory (MD5/SHA hashing) |
| Report | Optional | Certified report required |
| Judicial value | None | Admissible in court |
If you believe that data could serve as evidence in legal proceedings, do not handle the media yourself — any undocumented access can invalidate the digital evidence.
What is the procedure for a digital forensic investigation at SOS Data Recovery?
Our forensic procedure follows a strict 5-step protocol:
- Reception and documentation — recording of the media with photos, serial number, physical condition observed. Issuance of a signed acknowledgment of receipt.
- Forensic acquisition — bit-by-bit cloning of the original media via a certified hardware write-blocker. Calculation of MD5 and SHA-256 hashes on the acquired image. The original media is never modified.
- Analysis — investigation on the working copy: recovery of deleted files, analysis of metadata, reconstruction of the activity timeline, identification of artifacts (logs, history, registry).
- Documentation — each action is recorded in a time-stamped log. Relevant files are extracted and cataloged.
- Expert report — detailed report including the methodology, tools used, results and conclusions, accompanied by digital attachments.
In the event of a judicial emergency (imminent seizure, procedural deadline), our 24/7 priority intervention service guarantees immediate support.
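The acquisition and documentation steps above, together with the hashing and chain-of-custody conditions for admissibility, as an added example (not SOS Data Recovery's tooling): one-pass MD5 and SHA-256 hashing of an image, a time-stamped action log, and verification of a working copy. Chaining each log entry to the previous entry's hash is an assumption made for this example, as are the actor names and sample data.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

def hash_image(stream, chunk_size=1 << 20):
    """Read an acquired image once, in chunks; return its MD5 and SHA-256."""
    md5 = hashlib.md5(usedforsecurity=False)  # the page records both MD5 and SHA-256
    sha256 = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_action(log, actor, action, hashes=None):
    """Append a time-stamped entry that commits to the previous entry's hash."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "action": action, "hashes": hashes,
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """False if any entry was edited, reordered or dropped from the middle."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry["entry_hash"] != _digest(entry):
            return False
        prev = entry["entry_hash"]
    return True

def verify_copy(stream, acquisition_entry):
    """Re-hash a working copy and compare with the hashes logged at acquisition."""
    return hash_image(stream) == acquisition_entry["hashes"]

def demo():
    image = b"constructed disk image " * 4096  # constructed stand-in for an acquired image
    log = []
    log_action(log, "tech-01", "reception: serial number and photos recorded")
    acq = log_action(log, "tech-01", "acquisition via write blocker", hash_image(io.BytesIO(image)))
    intact = verify_copy(io.BytesIO(image), acq)
    altered = verify_copy(io.BytesIO(image[:-1] + b"X"), acq)  # one byte changed
    return verify_log(log), intact, altered
```

Removing entries from the end of the log is not detected by the chain alone; the latest `entry_hash` would have to be recorded somewhere outside the log, for example in the signed report.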
When is a digital forensics expert called upon?
Digital forensics expertise is requested in many professional and legal contexts:
- Commercial litigation — searching for evidence of embezzlement, breach of confidentiality clause, internal fraud
- Criminal proceedings — judicial assistance on seizure of computer equipment, analysis of seized media
- Security incidents — post-incident analysis of a cyberattack, identification of the intrusion vector, extent of the exfiltration
- Labor law — searching for evidence of offenses committed on company equipment (harassment, data theft, abusive use)
- Divorce or family proceedings — recovery of digital evidence in civil proceedings
- Insurance — incident reconstruction for claims reporting