Digital Forensics & Incident Response · Kluetek
// kluetek.forensics / digital forensics & incident response

Digital forensics.
Evidence that holds up.

A disciplined DFIR practice for when something has already happened: incident response, forensic imaging, mobile and computer extraction, investigations, and chain-of-custody documentation — ending in plain-English findings that stand up to a court, an insurer, or a regulator. Cellebrite-certified.

// active incident · (416) 827-1965 · 24/7 on-call escalation · ask for the IR desk

// two halves of one practice

// the response, and the investigation
// respond · IR

Incident Response

When something has already happened, the clock and the evidence both matter. We respond, contain, and preserve — stopping the spread without destroying what the investigation will need next.

  • Detect, triage, and scope the blast radius
  • Contain affected systems & identities
  • Evidence-safe acquisition under chain of custody
  • Eradication, recovery & root-cause report

// investigate · forensics

Forensics, Investigations & eDiscovery

Forensic imaging, mobile and computer extraction, and the analysis that turns raw artifacts into a defensible account of what happened — and who did it.

  • Computer, mobile & media forensics · Cellebrite
  • Deleted-data & slack-space recovery
  • Investigations, OSINT & attribution
  • e-Discovery & litigation support

// capability set

// from the first call to the final report
// 01

Incident response

A named responder, a runbook, and a clock. Detect, triage, contain — then keep the business moving while we work the incident.

// 02

Forensic imaging

Bit-by-bit, sector-by-sector acquisition — every file, deleted data, and slack space — working from copies while the original is preserved untouched.

// 03

Mobile & device forensics

Phones, computers, and digital media. Cellebrite-certified extraction and physical analysis of locked and damaged devices.

// 04

Evidence & chain-of-custody

Every artifact logged, hashed, and tracked from acquisition to handoff. Documentation that stands up to scrutiny — legal, insurer, or regulator.

// 05

Investigations & attribution

OSINT, account correlation, and intrusion analysis to surface who did what — from insider data theft to coordinated online harassment.

// 06

e-Discovery & reporting

Data validation and analysis for litigation, and a written root-cause report with expert support through trial and settlement.

// the forensic process

// how an examination runs · collection through reporting
// 01

Collection

Evidence search, recognition, collection, and documentation. Forensic imaging takes a bit-by-bit, sector-by-sector copy — every file, deleted data, and slack space — while the original is preserved untouched as the backup.

// 02

Examination

Make the evidence visible: surface hidden and obscured information from the working copy, with the relevant documentation captured at every step.

// 03

Analysis

Weigh what the examination found for significance and probative value — what it means, and what it is worth to the matter.

// 04

Reporting

Document the process, the examination, and the findings in plain English — a record built to be read by counsel, an insurer, or a court.
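The imaging and chain-of-custody steps above (a bit-by-bit copy, the original left untouched, every artifact hashed and logged from acquisition onward) can be made concrete with a small script. The following is an added illustration, not Kluetek's own tooling or the page's code: it hashes a source before copying, verifies the working copy against it, appends one JSON line per custody event, and can re-verify an artifact later against the recorded hash. The file names, the examiner labels, the log format and the sample "evidence" bytes are all constructed for the demo; a real acquisition would use a write-blocked imager and a forensic container format in place of `shutil.copyfile`.

```python
"""Added example (not Kluetek's tooling): hash-verified acquisition with a
chain-of-custody log. Work from a copy, keep the original untouched, and log
every artifact with its hash. Paths, examiner names and the log layout are
assumptions for this demo."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so a multi-GB image never sits in RAM


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _log(log_path: str, record: dict) -> None:
    """Append one custody event as a JSON line (append-only by design)."""
    record["when"] = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")


def acquire(source: str, working_copy: str, log_path: str, examiner: str) -> dict:
    """Copy `source` to `working_copy`, hash both sides and log the event.
    Raises if the copy does not verify, so a bad acquisition is never
    silently recorded as good."""
    source_hash = sha256_of(source)        # hash the original before anything else
    shutil.copyfile(source, working_copy)  # demo stand-in for a write-blocked imager
    if sha256_of(working_copy) != source_hash:
        raise RuntimeError("acquisition failed verification: hashes differ")
    record = {
        "examiner": examiner,
        "action": "acquire",
        "source": os.path.basename(source),
        "working_copy": os.path.basename(working_copy),
        "sha256": source_hash,
        "bytes": os.path.getsize(source),
    }
    _log(log_path, record)
    return record


def verify(path: str, log_path: str, examiner: str) -> bool:
    """Re-hash an artifact against the hash recorded at acquisition and log
    the check. Returns False when the artifact no longer matches."""
    name = os.path.basename(path)
    expected = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            if rec["action"] == "acquire" and rec["working_copy"] == name:
                expected = rec["sha256"]
    if expected is None:
        raise KeyError(f"no acquisition record for {name}")
    ok = sha256_of(path) == expected
    _log(log_path, {"examiner": examiner, "action": "verify",
                    "working_copy": name, "match": ok})
    return ok


def demo() -> tuple:
    """Run the flow on a constructed evidence file.
    Returns (acquire_ok, verify_ok, verify_after_tamper)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "original.bin")
    copy = os.path.join(work, "working.bin")
    log = os.path.join(work, "custody.jsonl")
    with open(src, "wb") as fh:  # constructed sample standing in for a device image
        fh.write(b"constructed evidence bytes\x00" * 4096)
    rec = acquire(src, copy, log, examiner="examiner-1")
    good = verify(copy, log, examiner="examiner-2")
    with open(copy, "r+b") as fh:  # simulate the working copy being altered
        fh.seek(0)
        fh.write(b"X")
    tampered = verify(copy, log, examiner="examiner-2")
    return (rec["sha256"] == sha256_of(src), good, tampered)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The custody log is append-only on purpose: a failed verification is recorded next to the acquisition it contradicts rather than overwriting it, which is the record a reviewer or court will want to see.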

// recent work

// case files · client details redacted
// CASE-DFIR-01 · closed · clean

Business email compromise — ruling out the endpoint

A small creative firm reported a suspected breach: an email account had been taking actions no one recognised. We were brought in to answer two questions — what actually happened, and is anything still inside.

// finding

The compromise was cloud-side: a password-spray attack against a mailbox that had no multi-factor authentication. The attacker logged in from overseas IPs and ran mailbox automation from the cloud — never from a company computer. The “scripts” in the alerts were server-side mail commands, not malware on a laptop.

// the curveball

The disk image we were first handed turned out to be an empty rebuild scaffold — no user data at all. We proved it three independent ways rather than trust the label, then located the actual machine and acquired it properly.

// method

The endpoint was a modern Apple-Silicon Mac that can’t be imaged the usual way. We triaged it live and read-only over an isolated, air-gapped link — collecting persistence, processes, remote-access config and indicators without altering the scene, then removing every artifact afterward.

// result

The laptop was clean: no malware, no unauthorised remote access, no rogue admin, every startup item a legitimate vendor. We confirmed the breach lived entirely in the cloud account, closed the endpoint question, and handed over a remediation runbook — starting with MFA everywhere.

password-spray (T1110) · M365 / identity · macOS DFIR · read-only acquisition · chain-of-custody

// CASE-EDU-01 · closed · scoped
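The finding in this case file, a password spray against a mailbox without MFA followed by sign-ins from overseas addresses, has a recognisable shape in cloud sign-in telemetry: one source touching many accounts with only a failure or two each, then a success from that same source. The script below is an added illustration, not code from the engagement: it runs that detection over a constructed set of sign-in records and, for any spraying source, reports which accounts it reached and whether MFA was satisfied. The field names, thresholds and sample records are assumptions for the demo and would need mapping onto the real log schema.

```python
"""Added example (not from the Kluetek case file): flag a password-spray
pattern in sign-in logs. A spray is many accounts, few attempts each, from one
source inside a short window; any success from such a source is the event to
triage first. Field names, thresholds and the records are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source (203.0.113.7) that eventually lands
# on 'frank' without MFA, and one ordinary user mistyping a password.
SAMPLE_SIGNINS = [
    {"ts": "2024-05-01T02:00:05Z", "user": "alice", "ip": "203.0.113.7", "ok": False, "mfa": False},
    {"ts": "2024-05-01T02:00:09Z", "user": "bob",   "ip": "203.0.113.7", "ok": False, "mfa": False},
    {"ts": "2024-05-01T02:00:14Z", "user": "carol", "ip": "203.0.113.7", "ok": False, "mfa": False},
    {"ts": "2024-05-01T02:00:20Z", "user": "dave",  "ip": "203.0.113.7", "ok": False, "mfa": False},
    {"ts": "2024-05-01T02:00:26Z", "user": "erin",  "ip": "203.0.113.7", "ok": False, "mfa": False},
    {"ts": "2024-05-01T02:00:31Z", "user": "frank", "ip": "203.0.113.7", "ok": False, "mfa": False},
    {"ts": "2024-05-01T02:31:02Z", "user": "frank", "ip": "203.0.113.7", "ok": True,  "mfa": False},
    {"ts": "2024-05-01T08:15:00Z", "user": "alice", "ip": "198.51.100.4", "ok": False, "mfa": False},
    {"ts": "2024-05-01T08:15:20Z", "user": "alice", "ip": "198.51.100.4", "ok": False, "mfa": False},
    {"ts": "2024-05-01T08:15:41Z", "user": "alice", "ip": "198.51.100.4", "ok": False, "mfa": False},
    {"ts": "2024-05-01T08:16:03Z", "user": "alice", "ip": "198.51.100.4", "ok": True,  "mfa": True},
]


def parse_ts(s: str) -> datetime:
    """ISO-8601 with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=2):
    """Return one finding per source IP whose failures, inside any `window`,
    cover at least `min_accounts` distinct users with no more than
    `max_per_account` tries each. Each finding lists the successes from that
    source and whether MFA was satisfied on each."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        fails = [e for e in evs if not e["ok"]]
        start = 0
        sprayed = False
        for end in range(len(fails)):  # sliding window over failures
            while parse_ts(fails[end]["ts"]) - parse_ts(fails[start]["ts"]) > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                sprayed = True
                break
        if sprayed:
            findings.append({
                "ip": ip,
                "accounts_tried": len({e["user"] for e in fails}),
                "successes": [(e["user"], e["mfa"]) for e in evs if e["ok"]],
            })
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_SIGNINS):
        print(f)  # {'ip': '203.0.113.7', 'accounts_tried': 6, 'successes': [('frank', False)]}
```

The single-user case at 198.51.100.4 is deliberately present: three failures followed by a success with MFA is a person, not a spray, and the account-count threshold keeps it out of the findings. A success without MFA from a spraying source is the cloud-side compromise this case describes, and it is where the mailbox rule and session review would start.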

Canadian university — breach scoping & data-exposure assessment

A post-secondary institution needed to know whether a confirmed intrusion had reached sensitive data, and how far.

// engagement

Participated in investigating a cyber breach to determine whether protected data had been exposed and to bound the affected systems.

// method

Leveraged forensic tools and techniques to establish the breach’s depth and scope across the environment.

// result

Delivered a containment and exposure report that let the institution act on a clear, evidence-backed picture.

breach scoping · data-exposure assessment · containment · education sector

// CASE-FIN-01 · closed · reported

Bank — departed-employee data exfiltration review

A financial institution needed assurance about whether former employees had taken data on their way out.

// engagement

Evaluated possible data exfiltration from former employees for a banking client.

// method

Used forensic tools to perform an in-depth analysis of access, movement, and handling of sensitive data.

// result

Reported findings that ensured the client’s data protection posture and informed next steps.

insider risk · data exfiltration · financial sector · forensic analysis

// CASE-HEALTH-01 · closed · investigated

Hospital — exfiltration investigation after a cyber-attack

A healthcare provider needed to understand whether a cyber-attack had moved data out of its systems.

// engagement

Investigated possible data exfiltration arising from a cyber-attack on a healthcare environment.

// method

Applied forensic tools and techniques to trace attacker activity and assess data movement.

// result

Provided the client with a clear read on what the attack did and did not reach.

healthcare sector · exfiltration analysis · DFIR · data protection

// CASE-GOV-01 · closed · led

Canadian municipality — incident response & breach investigation

A municipal government faced a suspected breach and needed both response and a defensible investigation.

// engagement

Championed a team providing incident response and investigation into a municipality’s suspected breach.

// method

Investigated the client’s systems to identify potentially exposed data and information.

// result

Gave the municipality a coordinated response and a clear account of exposure.

incident response · public sector · breach investigation · team lead

// CASE-OSINT-01 · closed · arrest

Online predator investigation — support to law enforcement outcome

A team effort to identify an online offender, where digital investigation supported a real-world outcome.

// engagement

Contributed to a team investigation pursuing an online offender in a harassment matter.

// method

Applied digital investigation and correlation techniques to surface and confirm identifying signals.

// result

The work supported an outcome that resulted in an arrest.

OSINT · online investigation · attribution · law-enforcement support

// CASE-OSINT-02 · closed · arrest

Public figure — coordinated fake-account harassment unmasked

A high-profile individual was being attacked and slandered through a network of fake social-media accounts.

// engagement

Investigated a coordinated harassment and defamation campaign against a public-figure client run through fake accounts.

// method

Correlated multiple fake social-media accounts to identify the source of the attack.

// result

Identified those responsible; the engagement resulted in an arrest.

OSINT · sock-puppet correlation · reputation attack · attribution

// CASE-IP-01 · closed · settled

Corporate espionage — IP theft identified, large settlement

A client's intellectual property was being stolen by intruders, with significant commercial stakes.

// engagement

Investigated significant corporate espionage targeting a client’s intellectual property.

// method

Identified the actors who gained access to steal the client’s IP and built the supporting picture.

// result

The work led to a large settlement and destruction of the stolen IP.

corporate espionage · IP theft · intrusion analysis · settlement support

// CASE-LEGAL-01 · closed · settled

Canadian law firm — data analysis for a class action

A class-action over overcharged interest and fees turned on validating a large, problematic data set from the opposing party.

// engagement

Aided a class-action lawsuit over alleged overcharging of interest and processing fees.

// method

Led a team performing validation, analysis, and reporting on a problematic data set provided by the opposing party.

// result

Supported the client’s strategy and analysis through the trial and settlement process.

litigation support · data validation · expert analysis · class action

// Identifying details — client, names, hostnames, addresses and indicators — are withheld. Engagements are described in shape and outcome only.

// credentials
  • Cellebrite Certified Operator (CCO)
  • Cellebrite Certified Physical Analyst (CCPA)
  • Cellebrite certified — mobile & digital forensic extraction and analysis

// specialist certifications

// vendor-verified credentials

// Cellebrite — digital forensics
  • Cellebrite Certified Operator (CCO)
  • Cellebrite Certified Physical Analyst (CCPA)

// Check Point Software Technologies — expert & troubleshooting
  • Check Point Certified Security Master (CCSM)
  • Check Point Certified Troubleshooting Expert R81 (CCTE)
  • Check Point Certified Security Expert (CCSE) R81
  • Check Point Certified Security Expert (CCSE) R80
  • Check Point Certified Security Expert (CCSE) R77
  • Check Point Certified Security Administrator (CCSA) R81
  • Check Point Certified Security Administrator (CCSA) R80
  • Check Point Mind Master

// Check Point Software Technologies — partner & program
  • Welcome Partners (CPSC)
  • Check Point MSSP Program Certification 2025
  • DemoPoint Rising Star 2025

// Check Point Software Technologies — technical specialist
  • Check Point CloudGuard WAF Technical Specialist 2025
  • Quantum Force — Technical Specialist
  • Harmony SASE — Technical Specialist
  • Harmony Mobile Technical Specialist
  • Harmony Email & Collaboration Technical Specialist
  • Harmony Endpoint & Harmony Browse Technical Specialist
  • Technical Specialist — Harmony Pre-Sales
  • CloudGuard Pre-Sales — Technical Specialist
  • CloudGuard IaaS Specialist — Public Cloud Administrator
  • Cloud Practitioner
  • Check Point Jump Start — SMB

// Check Point Software Technologies — sales specialist
  • Quantum Sales Specialist
  • Quantum Force — Sales Specialist
  • Harmony Sales Specialist
  • Harmony SASE — Sales Specialist
  • Harmony Mobile Sales Specialist
  • Harmony Email & Collaboration Sales Specialist
  • Harmony Endpoint & Harmony Browse Sales Specialist
  • CloudGuard Sales Specialist
  • CloudGuard IaaS Sales Certification
  • Security Beyond the Perimeter — Sales Certification

// incident-response runbook

// what happens when you call the IR desk
  1. Detect: Confirm the incident, scope the blast radius, and start the clock. We establish what we know and what we do not.
     status · alert
  2. Contain: Isolate affected systems and identities to stop the spread — without destroying the evidence we will need next.
     status · active
  3. Preserve evidence: Forensic imaging and acquisition under chain-of-custody. We capture the scene before remediation touches it.
     status · forensics
  4. Eradicate & recover: Remove the foothold, rebuild from known-good, restore service, and verify the threat is gone before we stand down.
     status · recover
  5. Report: A written root-cause analysis, the chain-of-custody record, and a hardening roadmap so the same door does not open twice.
     status · closed

// the runbook is our standard IR sequence — the status labels (alert / active / forensics / recover / closed) illustrate the flow, not a live incident.

// operations spec

kluetek HQ

address · 850 College St, Toronto, ON M6H 1A1
phone · (416) 827-1965
email · helpdesk@kluetek.com
support portal · support.kluetek.com
hours · 08:00–20:00 ET (after-hours on-call)
IR escalation · 24/7 on-call
founded · 2005 · College Street, Toronto
// engagement runbook

How it starts

  1. Triage call: What happened, what's at stake — or the IR desk if it's live
  2. Preserve & image: Evidence-safe acquisition, chain of custody opened
  3. Examine & analyze: Recover, reconstruct, attribute — read-only
  4. Report: Plain-English findings, court-ready if needed
  5. Expert support: Testimony, remediation, follow-on recovery