Digital Forensics & Cyber Investigations

When a breach occurs, the evidence you preserve in the first hours determines everything. Citadel Africa's digital forensics team collects, analyses, and presents court-admissible evidence — with an unbroken chain of custody from acquisition to courtroom.

50+ Incidents Investigated
100% Chain of Custody Integrity
CHFI Certified Investigators
Evidence Chain of Custody Log (status: Chain Intact)

01 | Acquisition | Disk Image — Server FS-004 | 2026-03-14 08:14:32 EAT | Secured
02 | Verification | Hash Verification — SHA-256 | 2026-03-14 08:47:19 EAT | Verified
03 | Analysis | Memory Forensics — Volatility 3 | 2026-03-14 10:22:08 EAT | In Progress
04 | Findings | Lateral movement detected — T1021; MITRE ATT&CK mapped — report pending | Documented
Image Hash (SHA-256): a3f8...d92c

Evidence That Stands Up. Answers That Matter.

Digital forensics is the science of recovering, preserving, and analysing digital evidence from computers, mobile devices, networks, and cloud environments. In the aftermath of a cyber incident, fraud, or data breach — forensics determines what happened, how it happened, and who is responsible.

Citadel Africa's investigators follow internationally recognised forensic standards — ensuring every piece of evidence we collect is admissible in Kenyan courts, regulatory proceedings, and disciplinary hearings. Our chain-of-custody documentation is meticulous from the moment we touch a device.

Whether you need to investigate a breach, prove employee misconduct, recover deleted data, or support law enforcement — we deliver findings that are technically sound and legally defensible.

Post-Breach Investigation
Determine exactly how attackers got in, what they accessed, and how to prevent recurrence.
Employee Misconduct & Insider Threat
Recover deleted files, communications, and activity logs to support HR investigations and disciplinary action.
Fraud & Financial Crime
Trace fraudulent transactions, recover financial records, and provide evidence for litigation or law enforcement referral.
Mobile Device Forensics
Extract and analyse evidence from smartphones and tablets — deleted messages, call logs, app data, and location history.
Ransomware Investigation
Identify the attack vector, map the full infection chain, and recover encrypted data where technically possible.

The DFIR Investigation Process

Every investigation follows a rigorous, documented process — from first call to final report — ensuring nothing is missed and everything is defensible.

Phase 01
Identification & Triage

We establish the scope of the incident, identify affected systems, and prioritise evidence sources. We hold a rapid triage call within hours of engagement, so the critical first window is never wasted.

Rapid Triage, Scope Assessment, Evidence Prioritisation
Phase 02
Evidence Acquisition

Forensically sound acquisition of disk images, memory dumps, network captures, and log files. Every acquisition is hash-verified (SHA-256/MD5) immediately — chain of custody begins the moment we touch the evidence.

FTK Imager, dd / dcfldd, WinPmem, SHA-256 Verification
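The hash-verified acquisition and chain-of-custody (CoC) logging described above, as an added Python example that is not Citadel Africa's tooling: every log entry records the SHA-256 and MD5 of the image and also commits to the hash of the previous entry, so both an altered image and an edited, removed or reordered log entry are detectable on re-verification. The image bytes, analyst names and the verify_log/add_entry helpers are constructed for this example; the item names and timestamps mirror the sample log above.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

EAT = timezone(timedelta(hours=3))  # East Africa Time, as used in the sample log

def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of evidence bytes; MD5 is recorded only as a secondary check."""
    return hashlib.new(algo, data).hexdigest()

def add_entry(log: list, action: str, item: str, analyst: str,
              data: bytes, when: datetime) -> dict:
    """Append a CoC entry; each entry commits to the previous entry's hash."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"step": len(log) + 1, "action": action, "item": item,
             "analyst": analyst, "timestamp": when.isoformat(),
             "sha256": digest(data), "md5": digest(data, "md5"), "prev_hash": prev}
    entry["entry_hash"] = digest(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry

def verify_log(log: list, current_image: bytes) -> list:
    """Return the problems found; an empty list means the chain is intact."""
    problems, prev = [], "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_hash"] != prev:
            problems.append(f"step {e['step']}: prev_hash mismatch (entry removed or reordered)")
        if digest(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            problems.append(f"step {e['step']}: entry altered after it was recorded")
        prev = e["entry_hash"]
    if log and digest(current_image) != log[0]["sha256"]:
        problems.append("image SHA-256 differs from acquisition hash (evidence altered)")
    return problems

# Constructed evidence image and the two custody events from the sample log.
IMAGE = b"\x00" * 512 + b"constructed disk image bytes for this example" + b"\xff" * 512
LOG: list = []
add_entry(LOG, "Acquisition", "Disk Image - Server FS-004", "analyst-a (constructed)",
          IMAGE, datetime(2026, 3, 14, 8, 14, 32, tzinfo=EAT))
add_entry(LOG, "Verification", "Hash Verification - SHA-256", "analyst-b (constructed)",
          IMAGE, datetime(2026, 3, 14, 8, 47, 19, tzinfo=EAT))

if __name__ == "__main__":
    print(verify_log(LOG, IMAGE) or "chain intact")
```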
Phase 03
Analysis & Reconstruction

Deep-dive analysis of acquired evidence — file system analysis, memory forensics, log correlation, malware reverse engineering, and timeline reconstruction. We map every attacker action to MITRE ATT&CK techniques.

Autopsy, Volatility 3, Wireshark, MITRE ATT&CK, Elastic SIEM
Phase 04
Reporting & Legal Packaging

A comprehensive forensic report with a full timeline of events, evidence analysis, attribution findings, and chain-of-custody documentation. Formatted for legal proceedings, regulatory submission, or internal HR use.

Executive Report, Technical Report, CoC Documentation, Expert Witness
Phase 05
Debrief & Remediation Guidance

We walk your team through findings in plain language. For post-breach investigations, we provide actionable remediation steps and connect to our Incident Response team if containment is still required.

Live Debrief, Remediation Roadmap, IR Handoff (if needed)

What We Investigate

01 Disk & File System Forensics

Full acquisition and analysis of hard drives, SSDs, and removable media — including deleted, hidden, and encrypted files.

Deleted file recovery
File timestamp analysis
Artefact extraction
Encrypted volume analysis
02 Memory Forensics

Analysis of volatile RAM captures to uncover running malware, encryption keys, credentials, and attacker tools that leave no trace on disk.

Running process analysis
Injected code detection
Credential extraction evidence
Network connection mapping
03 Mobile Device Forensics

Forensic extraction from Android and iOS devices — deleted messages, call logs, app data, GPS history, and social media artefacts.

Deleted SMS/WhatsApp recovery
App data extraction
Location history analysis
Cloud backup artefacts
04 Network Forensics

PCAP analysis, firewall log examination, and network traffic reconstruction to trace attacker movements across your infrastructure.

Packet capture analysis
C2 traffic identification
Data exfiltration tracing
Lateral movement mapping
05 Malware Analysis

Static and dynamic analysis of malware samples found during investigations — identifying capabilities, infrastructure, and attacker attribution indicators.

Static code analysis
Sandbox behavioural analysis
IOC extraction
Attribution indicators
06 Cloud & SaaS Forensics

Forensic investigation of cloud environments — AWS, Azure, GCP, Microsoft 365, and Google Workspace — where traditional disk imaging is not possible.

Cloud audit log analysis
M365 / Google Workspace eDiscovery
IAM & access log review
Cloud storage forensics

Deliverables

Forensic Investigation Report
A comprehensive technical report covering methodology, findings, timeline of events, and MITRE ATT&CK mapped attacker activity — suitable for legal proceedings.
Chain of Custody Documentation
Full evidence handling log — from acquisition through to delivery — with hash verification records, analyst signatures, and evidence transfer forms.
Executive Summary
A non-technical summary for board, legal counsel, and leadership — what happened, impact assessment, and recommended next steps.
Timeline Reconstruction
A visual and documented reconstruction of events — from initial compromise to discovery — helping your legal team understand the full attack narrative.
Expert Witness Service
Available to provide expert witness testimony in court, regulatory hearings, or arbitration proceedings — explaining technical evidence to non-technical audiences.
Investigation Snapshot: What We Examine in a Typical Engagement

Disk Forensics: Full image + deleted file recovery
Log Analysis: System, application & security logs
Network Traffic: PCAP analysis & C2 identification
Mobile Devices: Android & iOS extraction
Cloud Environments: AWS / Azure / M365 audit logs

What Sets Our Forensics Apart

01 Legally Defensible from Day One

Our chain-of-custody processes are designed for Kenyan courts from the first moment of evidence handling. We don't retrofit legal compliance — it's built into every step of our process.

02 Speed Without Compromise

The first 24 hours after an incident are critical. We mobilise rapidly — triage calls within hours, on-site acquisition same day where required — without ever cutting corners on forensic rigour.

03 Integrated with Incident Response

Forensics and incident response are inseparable. Our investigators work hand-in-hand with our IR team, so while we preserve evidence, containment and recovery can proceed in parallel rather than in sequence.

Get Started

Need a Forensic Investigation?

Whether you're responding to a breach, investigating fraud, or building a legal case — contact Citadel Africa today. Time is critical. Don't touch affected systems before speaking to us.

Active incident? Call immediately — do not power off affected systems: +254 797 907 510