This page is for solicitors, barristers, insurance assessors, forensic accountants, and corporate legal and IT functions who need digital evidence handled to a standard that will hold up under scrutiny. If you're a private individual whose personal photos are on a dead drive, the page you want is standard data recovery — the techniques overlap but the procedural overhead of forensic work isn't warranted for personal cases.
What follows: what forensic data recovery is and how it differs from standard recovery, the types of matters we accept and don't, our procedural framework (chain-of-custody, write-blocked imaging, hash verification, ISO/IEC 27037 alignment), the engagement workflow from initial consultation to final report, indicative pricing, and the retainer and panel arrangements available to firms with regular needs.
For a confidential initial discussion, call (02) 4311 6146 or email us. We can usually have a preliminary scope conversation the same business day and a written engagement letter the next.
What forensic recovery is, and what makes it different
The technical work of recovering data — imaging drives, reconstructing file systems, undeleting files, parsing artefacts like browser history and USB device records — is broadly the same whether the recovery is for a household customer who lost photos or for a matter heading to the Federal Court. What differs is the procedural overlay required when the data will be used as evidence.
Source media is never written to. Standard recovery often involves mounting a drive read-write to repair filesystem structures in place. Forensic recovery never does this. We image the source media using a hardware write-blocker (Tableau or WiebeTech, depending on the interface), producing a forensic image (typically EnCase E01 format with built-in compression and verification metadata, sometimes raw dd or AFF4 by client preference). The original drive is then physically sealed and stored unaltered until handed back. All analysis happens on the image.
Cryptographic hashing throughout the chain. The source media is hashed (SHA-256) before imaging starts. The completed image is hashed. The hashes are verified to match. Each working copy made for analysis is hashed against the original image. If anyone — us, the client, opposing counsel, the court — wants to verify at any later point that the evidence hasn't been altered, the hashes prove it.
Chain-of-custody documentation. Every transfer of the media is logged with timestamp, transferring party, receiving party, and the condition of the media (often photographed). The custody log accompanies the engagement file and is available to the court if requested.
Reproducible written reports. The technical report describes every step taken in sufficient detail that another forensic practitioner could verify the work or reach the same findings independently. Tools used (with version numbers), commands run, parameters set, and the rationale for each major decision are recorded. We don't write opinions into reports unless specifically instructed — we report what we found.
The shorthand for this whole framework is "evidence-handling discipline." It adds 30-50% to the cost compared to equivalent non-forensic recovery, but it's the cost of having the resulting findings actually usable in proceedings.
The types of matters we accept
The majority of our forensic work comes from one of five contexts.
Employment disputes. Alleged data theft by departing employees, breach of restraint-of-trade or confidentiality agreements, recovery of communications and documents from corporate devices. Usual instructing party: an employer's solicitor, sometimes accompanied by their forensic accountant where financial fraud is also alleged. Typical evidence sources: company laptops returned (or seized), USB devices connected to those laptops, email archives, corporate cloud storage exports.
Commercial disputes. Contract dispute matters where the existence, timing, or content of communications and documents is in issue. Typical evidence sources: email archives, document management systems, deleted files recovered from drives, metadata analysis of disputed documents (creation date, author, modification history).
Insurance claims involving digital evidence. Business interruption claims where the timing and extent of computer system unavailability is contested, cyber insurance claims where the scope of an attack needs documented assessment, fraud investigation under loss-recovery clauses. Usual instructing party: insurance assessor or loss adjuster, sometimes a panel solicitor.
Family law matters. Recovery of communications and documents within proper legal authority. We work strictly on instructions from a solicitor with documented authority — not directly with parties to a dispute. The discipline matters in family law more than most contexts because the admissibility hurdle is high and the contestation is intense.
Corporate internal investigations. Internal HR matters where an employee's conduct is under investigation and digital evidence is part of the assessment, corporate compliance and risk reviews, post-incident analysis of computer misuse. Engaged through corporate legal counsel or external solicitor.
What we don't accept: criminal matters (refer to NSW Police Forensic Services), classified or national-security material, matters where the instructing party doesn't have clear authority to give instructions about the media (e.g. an estranged spouse providing their partner's computer without legal authority), or anything that would put us in conflict between two parties to a dispute we're already engaged on for one side.
Our procedural framework
Our procedure aligns with ISO/IEC 27037:2012 (Guidelines for identification, collection, acquisition and preservation of digital evidence). The major elements:
Intake and chain-of-custody initiation. Media is received either by courier (tracked and signed-for) or by personal delivery to our Erina workshop. On intake we photograph the media, record make, model, serial number, capacity and physical condition, and log time and date of receipt. From this point the custody log accompanies the engagement file.
Write-blocked imaging. Source media is connected through a hardware write-blocker. The image is acquired using FTK Imager, X-Ways Imager, or dd over a write-blocked interface, depending on the source type. Output is normally EnCase E01 with embedded SHA-256 hash, though we'll produce raw dd, AFF4, or other formats on instruction.
Hash verification. The source is hashed before imaging starts. The image is hashed on completion. The hashes are verified to match. Both hashes are recorded in the case file and ultimately in the report.
Analysis on the image. All analysis tools work from the forensic image, not the source. Typical tools include X-Ways Forensics, FTK, Autopsy, R-Studio Forensic, plus targeted tools for specific artefact types (USB Detective for USB device history, KAPE for triage, plaso/log2timeline for timeline reconstruction). The source media stays in physical storage, untouched.
Reporting. Findings are documented in a written report describing scope, tools, methods, findings, and limitations. We distinguish carefully between technical findings (what the data shows) and inferences (what the data might mean) — the latter only included if specifically instructed, and clearly labelled as inference. Reports are reviewed for clarity and technical accuracy before delivery.
Source return and image retention. The original media is returned to the instructing party at the end of the engagement, in the same physical condition as received. Forensic images and working copies are retained on isolated storage for an agreed period (default 90 days after final report) and then securely deleted with destruction certificate provided on request.
Typical engagement workflow
From initial enquiry to final report, a moderate-complexity matter follows this rough path.
Initial confidential consultation. By phone or email, usually same-day. We discuss what evidence sources exist, what questions need to be answered, what timeframe applies, and any specific procedural requirements (LPP handling, sealed evidence procedures, etc.). No charge for this step. No commitment from either side.
Scope and engagement letter. Within 1-2 business days of the initial discussion, we issue a written engagement letter setting out the scope of work, the procedure to be followed, the indicative fee range (firm where the scope allows, range where complexity is genuinely uncertain), the confidentiality terms, and the proposed timeline. Work begins on countersignature.
Intake and imaging. Media is delivered (or collected by arrangement within reasonable distance). Intake documentation completed, write-blocked imaging conducted, hashes recorded.
Analysis. Performed on forensic images. Scope determined by the engagement letter. Where unexpected findings emerge that suggest scope expansion would be useful, we pause and discuss with the instructing party rather than expanding unilaterally.
Draft report. Issued for the instructing party's review. We accept clarification feedback on confusing wording but do not change technical findings to suit a desired outcome — that's both an integrity question and a practical one (any altered finding could be exposed by opposing counsel asking for our working notes).
Final report and source return. Delivered together. The engagement file (custody log, working notes, image hashes) is retained per the retention schedule. Expert witness availability for testimony is separately quoted if required.
Typical end-to-end timeline for a moderate-complexity single-drive matter: 14-21 business days. Urgent imaging-only engagements: 2-5 business days. Complex multi-drive or array matters: 4-8 weeks.
Indicative pricing and engagement structures
Forensic engagements are quoted per case because cost varies with scope, volume, complexity and urgency. The order-of-magnitude figures below are honest guides, not a rate card.
Forensic imaging only (preserve the evidence, no analysis) — typically $400-800 for a single drive up to 2TB. Higher for larger drives or arrays.
Imaging plus targeted recovery and basic written report (e.g. "recover all deleted files from the past 90 days, document file paths and deletion timestamps") — typically $1,500-3,500.
Comprehensive analysis with detailed report (e.g. "identify all USB devices connected, all files accessed during a specific window, full deleted-file recovery, email and document timeline reconstruction") — typically $3,500-8,500 depending on data volume and complexity.
Multi-drive or array investigations — quoted individually. Cost scales with the number of drives, the complexity of the array, and whether multiple drives need clean-room recovery before imaging is possible.
Expert witness testimony — quoted separately. Typically a daily rate plus reasonable disbursements, with conference and preparation time billed at our standard hourly rate.
For firms with regular forensic needs we offer two engagement structures. A standing engagement letter allows us to begin work immediately on instruction without per-case contracting overhead — no minimum spend, no commitment, just reduced friction at the start of urgent matters. A panel-rate arrangement trades a minimum annual commitment for reduced hourly rates and priority response timing. Both are quoted individually based on expected case volume; contact us to discuss what makes sense for your practice.
Why iFix Electronics for forensic work
The forensic data recovery market in Australia is small, and most firms in it sit at one of two extremes: large international consultancies with substantial overhead and pricing to match, or small operators with strong technical skills but inconsistent procedural discipline. We sit deliberately in the middle — substantial enough to bring proper procedural discipline (write-blockers, forensic imaging, ISO 27037 alignment, written reports, expert witness availability) but small enough to be responsive and to keep pricing reasonable for matters that don't warrant the major-consultancy fee structure.
The operational backbone is 16 years of continuous data recovery practice — over 35,000 jobs across phones, computers, external storage and forensic engagements. That depth matters: the technical edge cases that come up in adversarial proceedings (degraded media that complicates imaging, encrypted volumes that need attention, mobile device extractions, RAID reconstruction from inconsistent member drives) are matters we've handled across thousands of standard recovery jobs. We're not learning on your matter.
The geographic positioning matters operationally. NSW-based with daily courier links to Sydney, Newcastle and the wider state, plus interstate by tracked freight. Most instructing parties never need to visit our Erina workshop — the entire engagement happens by phone, email and tracked freight.
Need digital evidence handled properly?
Confidential consultation, written engagement letter, write-blocked imaging, ISO 27037-aligned procedure, expert witness availability where instructed. Standing engagement and panel arrangements available for firms with regular needs.
Call (02) 4311 6146 Email EnquiryCommon questions
What is forensic data recovery and how is it different from standard recovery?
Forensic data recovery applies the same technical techniques as standard recovery but under procedural constraints designed to preserve the evidentiary value of the data. The core differences: source media is never written to (we work from a forensic image, not the original), the image and the original are cryptographically hashed (SHA-256) on intake and again at handover so any tampering would be detectable, chain-of-custody is documented from the moment the media enters our workshop until it leaves, and the written report records every step taken in sufficient detail that another forensic practitioner could verify or reproduce the analysis. Standard recovery prioritises getting data back quickly and at lowest cost; forensic recovery prioritises defensibility of the process if challenged in proceedings.
What types of cases do you accept?
Civil matters predominantly — employment disputes (alleged data theft, breach of restraint of trade, IP misappropriation by departing employees), commercial disputes (contract evidence, communication histories, deleted documents), insurance claims involving digital evidence (business interruption, cyber claims, fraud investigation), divorce and family law (communication and document recovery within proper authority), corporate internal investigations, and accountant-led financial investigations. We accept matters from solicitors, barristers, insurance assessors, accountants in forensic accounting practice, and corporate legal and IT functions. We do not accept criminal matters (refer to NSW Police Forensic Services or equivalent), classified or national-security material, or matters where we don't have clear written authority from someone entitled to give it.
How do you ensure the evidence is admissible?
Admissibility is ultimately a matter for the court or tribunal, not for us. What we provide is a process that satisfies the technical requirements for evidence to be considered admissible: documented chain-of-custody from intake to handover, write-blocked imaging with cryptographic hash verification (SHA-256, sometimes both SHA-256 and MD5 for legacy compatibility), analysis performed only on forensic images so the original media is preserved unaltered, a written technical report describing tools used (FTK Imager, X-Ways Forensics, R-Studio Forensic, Autopsy, depending on the case) and steps taken in reproducible detail, and availability for expert witness testimony to explain our process to the court if required. Our procedure aligns with ISO/IEC 27037 (Guidelines for identification, collection, acquisition and preservation of digital evidence). Whether the resulting evidence is admitted in your specific matter depends on factors beyond our work (relevance, hearsay, the rules of evidence applicable in your jurisdiction) — that's your legal team's call.
What's a typical engagement timeline?
Initial confidential consultation by phone or email — same day or next business day. Scope agreement and written engagement letter — within 2 business days of the initial discussion. Source intake (you ship or hand-deliver the media to our Erina workshop) — usually 1-3 days depending on location. Forensic imaging and hash verification — 1-2 days for typical drive sizes (250GB-2TB); longer for large arrays. Analysis — variable by scope, but typical engagements run 3-10 business days of focused work. Draft report — 2-3 days after analysis completes, sent to you for review of factual content (we don't change technical findings on request but we do clarify confusing wording where pointed out). Final report and source media return — usually within 14-21 business days end-to-end for moderate-complexity matters. For urgent matters with imaging-only scope (preserve the evidence now, analyse later), we can sometimes turn the imaging step around within 24-48 hours of receipt.
What does forensic data recovery cost?
Forensic engagements are quoted per case rather than from a rate card because cost depends heavily on scope, volume of data, complexity of analysis required, and time-sensitivity. Honest order-of-magnitude figures: forensic imaging only (preserve the evidence, no analysis) for a typical single-drive case is usually $400-800. Imaging plus targeted recovery and basic written report (e.g. "recover all deleted files and their metadata from the past 90 days") is typically $1,500-3,500. Comprehensive analysis with detailed report (e.g. "identify all USB devices connected, all files accessed, all emails sent during a specific window, plus full deleted-file recovery") is typically $3,500-8,500 depending on complexity. Multi-drive or array-based investigations and urgent cases run higher. Expert witness testimony, if required, is quoted separately based on jurisdiction and time commitment. We provide written fee estimates in advance of any work and bill against an itemised time record.
Do you offer retainer or panel arrangements?
Yes. For law firms, insurance practices and corporate clients with regular forensic needs, we offer two arrangements: a standing engagement letter that allows us to begin work immediately on instruction without per-case contracting overhead, and a panel-rate arrangement with agreed hourly rates and priority response timing in exchange for a minimum annual commitment. Both arrangements are quoted individually based on expected case volume. The standing engagement letter is the more common option — it doesn't commit you to any minimum spend but reduces friction at the start of urgent matters. If you're with a firm that handles digital evidence matters regularly, contact us and we'll discuss what arrangement makes sense.
Will my matter remain confidential?
Yes, by both contractual obligation and operational practice. All engagements are subject to a written confidentiality clause in the engagement letter. Source media is held in physically secured storage at our Erina workshop while in our custody. Forensic images and working copies are stored on systems isolated from general business operations, and are deleted on a documented schedule following case completion (typically 90 days after final report delivery, longer by agreement). Staff working on forensic matters are subject to confidentiality obligations. We do not publicise client matters, do not retain client data beyond the agreed period, and do not use case details in marketing. If your matter has specific additional confidentiality requirements (legal professional privilege handling, specific destruction certificates, secure transmission protocols), we can accommodate those by agreement.
Related: standard data recovery for personal and non-evidentiary matters; external hard drive recovery for failed drives generally; virus and malware removal for incident response; Central Coast repairs overview.