Digital Forensics & Expert Witness Services
Court-ready forensic investigations, chain-of-custody evidence handling, and expert witness testimony. Led by Craig Petronella -- Licensed Digital Forensic Examiner with 25+ years of hands-on forensic experience serving Raleigh-Durham and nationwide.
Five Forensic Domains Under One Roof
Each discipline requires specialized tools, acquisition procedures, and analytical expertise. PTG maintains capabilities across all five.
Endpoint Forensics
- Computer forensics with bit-for-bit imaging via hardware write-blockers (Tableau, WiebeTech)
- Mobile forensics using Cellebrite UFED, GrayKey, and Magnet AXIOM for iOS and Android
- SHA-256 and MD5 hash verification on every forensic image for integrity proof
Network, Cloud, and Email
- Network forensics: PCAP analysis, lateral movement mapping, exfiltration reconstruction
- Cloud forensics: Microsoft 365, Google Workspace, AWS CloudTrail, Azure AD
- Email forensics: BEC investigation, header analysis, forwarding rule detection
What We Investigate
From breach root-cause analysis to courtroom testimony, our forensic capabilities cover the full investigation lifecycle.
Breach Investigation
Determine initial access vector, lateral movement path, data exfiltration scope, and produce reports for incident response, insurance claims, and regulatory notification.
eDiscovery and Litigation Support
Defensible ESI collection, processing, and production compatible with Relativity and Concordance. Satisfies FRCP and NC Rules of Civil Procedure.
Employee Misconduct
Forensic examination of workstations, email, USB device history, and cloud sync activity. Reports formatted for HR proceedings, termination, or civil litigation.
Intellectual Property Theft
Trace file access, USB transfers, cloud uploads, and evidence of cover-up attempts. Support injunctive relief, damages claims, and criminal referrals.
Ransomware and Malware Analysis
Determine infection vector, assess data exfiltration (double extortion), extract IOCs, and produce documentation for FBI/IC3 reporting and insurance.
Expert Witness Testimony
Daubert-compliant expert reports, deposition testimony, trial presentations, and litigation consulting. Experienced in Wake County, Eastern and Middle District NC federal courts.
Chain of Custody That Survives Scrutiny
Evidence Excluded
Without write-blockers and hash verification, opposing counsel can challenge evidence integrity on a motion in limine.
Broken Chain of Custody
Undocumented evidence handling creates gaps that undermine admissibility in court and regulatory proceedings.
Daubert-Ready Evidence
Hardware write-blockers, cryptographic hash verification, and documented methodology satisfy Federal Rules of Evidence and Daubert standards.
Unbroken Documentation
Every evidence interaction is recorded from acquisition through testimony, following NIST SP 800-86 and SWGDE best practices.
Our Forensic Investigation Process
Identification: Scope incident, identify evidence sources, establish legal obligations
Preservation: Issue holds, capture volatile data, secure physical access
Collection: Forensic imaging with write-blockers, hash verification, API-based cloud logs
Analysis: Examine images, correlate logs, reconstruct timelines, map attacker TTPs
Reporting: Detailed forensic reports for courts, regulators, insurance, and executives
Testimony: Expert witness depositions, trial presentations, and litigation consulting
Craig Petronella -- Licensed Digital Forensic Examiner, CMMC Registered Practitioner, MIT Cybersecurity Certified
Craig founded PTG in 2002 and has spent over 25 years conducting forensic investigations for businesses, law firms, and government agencies. He has provided expert witness testimony in cases involving cryptocurrency fraud, SIM swap attacks, ransomware, data breaches, intellectual property theft, and business email compromise.
His dual expertise in forensic investigation and regulatory compliance (HIPAA, CMMC, NIST 800-171, SOC 2) makes him uniquely qualified for cases where a breach triggers both legal proceedings and compliance obligations. Organizations needing ongoing security leadership often pair forensics with virtual CISO services.
Digital Forensics Questions Answered
Will your forensic evidence be admissible in court?
Yes. We follow NIST SP 800-86, SWGDE, and ACPO guidelines with hardware write-blockers, cryptographic hash verification, and documented chain of custody. Our methodology satisfies Daubert standards applied by NC federal and state courts.
How quickly can you respond to a forensic emergency?
24/7 emergency response. For Raleigh-Durham Triangle clients, on-site within hours. Remote cloud forensic collection can begin within minutes. Call 919-348-4912 for emergency engagement.
What is the difference between digital forensics and data recovery?
Data recovery retrieves lost files. Digital forensics preserves, analyzes, and documents evidence in a legally defensible manner using write-blockers, hash verification, and chain of custody. If evidence may be needed in legal or regulatory proceedings, you need forensics.
Does cyber insurance cover forensic investigation costs?
Most cyber insurance policies cover forensic investigation costs for covered incidents. We work with major carriers regularly and produce reports that satisfy their documentation and claims processing requirements.
Can you investigate cloud environments like Microsoft 365?
Yes. Our cloud forensics capability covers Microsoft 365, Google Workspace, AWS, Azure, and SaaS platforms. We collect Unified Audit Logs, sign-in logs, CloudTrail events, and admin activity records via API-based collection.
What tools do you use for forensic imaging?
EnCase Forensic, FTK, X-Ways Forensics, Autopsy, Magnet AXIOM, and Cellebrite UFED. Hardware write-blockers from Tableau and WiebeTech prevent modification of source media. All images verified with SHA-256 and MD5 hashes. For advanced training, see our cryptocurrency forensics course.
Common Investigation Triggers
Digital Evidence Does Not Wait
Every hour after a breach or misconduct event degrades the evidence you need. Contact us for forensic investigation led by a Licensed Digital Forensic Examiner with 25+ years of experience.