Digital Forensics &
Incident Response
When the incident hits, the speed and quality of your first response defines the outcome.
Every hour without clarity costs you — in evidence lost, decisions delayed, and damage spreading.
Evidence destroyed by well-meaning internal actions.
Leadership demands answers before facts exist.
Coordination between IT, security, legal, and external parties turns chaotic.
The Service
What we do
Investigate
Structured forensic analysis: what happened, when, how far it spread, whether the attacker is still present.
Preserve
Evidence preservation from hour one. Chain of custody documented. Defensible for regulators and legal proceedings.
Advise
Technical and executive briefings throughout. Containment recommendations. Facts for decisions, not guesswork.
When to engage
Recognise these situations?
If any of these apply, it is time to bring in specialist support. The earlier we are involved, the more evidence is preserved.
Call nowSuspected ransomware, extortion, or data theft
Unexplained EDR/SIEM or MDR findings indicating possible compromise
Suspected unauthorised access or lateral movement
Business email compromise or phishing resulting in suspected fraud
Insurer, regulator, or customer requiring independent assessment
NIS2/Cbw obligations requiring mandatory notification and documented response
Best Fit
Built for the teams in the crisis.
CISO & IT Leadership
Immediate access to specialist DFIR support without procurement delays. Named team, pre-agreed terms, ready when you need them.
Executive Teams
Fact-based decision support during live incidents. Clear briefings, prioritised facts, and containment recommendations you can act on.
Legal, Privacy & Compliance
Defensible evidence handling with documented chain of custody. Built to withstand regulatory and legal scrutiny.
IT & Security Teams
Specialist forensic support running parallel to ongoing operations. We investigate while you keep the business running.
Our Process
Three phases. Speed where it matters.
Initial Mobilisation
Incident triage, evidence preservation guidance, preliminary threat assessment, and first executive briefing.
Active Investigation
Forensic analysis, scope assessment, ongoing briefings, and containment advisory. Regular updates to all stakeholders.
Closure & Follow-up
Final incident report: timeline, impact, findings, recommendations. Delivered within 5 working days of investigation completion.
Engagement Models
Two engagement models.
Same investigative quality. Different levels of readiness.
Retainer
Be ready before the incident
- Rapid activation, typically within 1 hour
- Named senior team who knows your environment
- Base hourly rates, no emergency premium
- No activation fee, no NDA under fire
- Quarterly readiness check-ins
- Pre-agreed terms
Emergency
When you need us now
- Best-effort response, subject to availability
- Cold-start onboarding
- Premium hourly rates (1.5-2x)
- Activation fee applies
- No ongoing relationship
- Same investigative quality, slower start
Deliverables
What you get.
Incident triage & evidence preservation
Validation, initial triage, and evidence preservation guidance delivered within hours of engagement.
Structured forensic investigation
Full scope assessment with structured analysis of the incident timeline, impact, and attacker activity.
Technical & executive briefings
Regular updates to all stakeholders throughout the engagement. Facts for decisions, not guesswork.
Coordination with stakeholders
Coordination with internal teams, MDR, legal counsel, insurers, and regulators as needed.
Final incident report
Complete incident report within 5 working days: timeline, impact, findings, and recommendations.
You leave with a fact-based understanding of what happened, what to do next, and what to improve.
Practical Details
Practical details.
Why ForCri
Why ForCri?
Every engagement starts with preservation and scoping before investigation — the evidence you lose in the first hours is evidence you never get back.
We provide prioritised facts and clear next steps, not false certainty.
Senior DFIR practitioners on every engagement — not a junior triage desk that escalates later.
Continuity: same team across readiness, simulation, and real incidents.
The ForCri Lifecycle
Where this service fits
Every service feeds the next. DFIR is where preparation meets reality.
Findings from every incident feed directly back into readiness improvements, plan updates, and simulation design — all delivered by the same team that already knows your environment. No re-scoping, no re-learning.