Case Study: End-to-End Data Collection, Review, and Secure Data Remediation Workflow Using Everlaw and Sandline’s Forensics Consulting 

A multi-national client engaged Sandline to support a sensitive matter in Europe, requiring the defensible collection, analysis, and secure deletion of targeted data. The data spanned mobile devices, laptops, and various cloud-based applications. The client required a workflow that complied with EU data privacy regulations while ensuring accuracy, speed, and complete auditability. 

Challenge 

The client needed a partner capable of: 

  • Collecting digital evidence across device types and cloud platforms. 
  • Generating forensic images in standardized formats (E01 and others) for downstream analysis.
  • Ingesting and processing all collected data in a review platform suitable for categorization and forensic validation. 
  • Running targeted searches to identify sensitive or out-of-scope content. 
  • Producing a clear, defensible report with file paths so the forensic team could precisely locate and securely delete designated data within the client’s internal systems. 

The workflow had to meet strict EU data handling requirements and maintain an unbroken chain of custody. 

Sandline’s Solution

1. Comprehensive Forensic Collections 

Sandline’s forensic team performed defensible acquisitions of: 

  • Mobile devices and laptops, using industry-standard tools to collect data in a forensically sound manner, specifically preserving metadata throughout the process.
  • Cloud accounts, leveraging secure collection workflows to extract account data while preserving integrity and ensuring compliance with regional privacy requirements. 

All collections were documented with detailed chain-of-custody records and validated through hashing. 

2. Forensic Analysis 

The collected data sources, including Windows and Mac computers, Android and iPhone mobile devices, and other cloud sources, were loaded into an array of forensic platforms to aid in the identification and reporting of user-related activity. 

  • File activity reports were compiled, detailing when files were interacted with.
  • USB device activity was aggregated, detailing if and when external devices were connected, along with any associated activity.
  • Anti-forensic analysis was conducted to determine whether files were intentionally deleted from the systems ahead of Sandline’s analysis, or whether the systems were factory reset to obfuscate user activity.

The forensics team shared the reports with the case team and reviewed them via screen share to aid in the upcoming search, identification, and review efforts.

3. Processing & Analytics in Everlaw 

Following the initial forensic reporting, the collected datasets were processed within Sandline’s secure Everlaw environment: 

  • Normalization and indexing of data for efficient searchability. 
  • Metadata extraction and file expansion for full visibility across custodians.
  • Application of advanced search strings and filters to identify relevant and sensitive data. 

This allowed rapid analysis and identification of “files of interest” while maintaining full defensibility. 

4. Targeted Search & Reporting 

Sandline’s review team executed targeted search workflows to isolate the files requiring action. A customized report was generated that included:

  • File names and metadata 
  • Exact file paths 
  • Custodian/device associations 
  • Flags for items designated for secure deletion 

This report served as a clear roadmap for the forensics team to identify the targeted data for deletion, ensuring accuracy and traceability. 

5. Secure Data Deletion Support 

Using the reporting, the forensic team was able to confidently: 

  • Locate each targeted file within the collected environments.
  • Perform secure, defensible deletion in alignment with the client’s compliance and privacy requirements, while also generating verbose logs detailing the work performed.
  • Verify that the file content was permanently deleted and unrecoverable by the user.

Following the successful deletion, the sources were re-collected to demonstrate that the deletions were successful and that the content was no longer present on the affected systems.

Outcome

Sandline delivered a complete end-to-end solution that provided: 

  • Defensible forensic collections across devices and cloud platforms 
  • Actionable forensic reporting with technical debrief from the forensic team 
  • Streamlined review and analysis in Everlaw 
  • High-precision reporting to guide secure data deletion 
  • Full compliance with EU privacy and data governance standards 

The client achieved a clean, verifiable deletion workflow with complete confidence in the defensibility and accuracy of the process.