Alistair Ewing

TBA Position with premier Managed Detection and Response (MDR) provider as a Senior Digital Forensic Consultant.

London Area, United Kingdom

About

I’m a Cyber Incident Response and Digital Forensics specialist with 14+ years of experience delivering high-stakes investigations, breach response, expert witness services, and eDiscovery support across the UK, EMEA, and global regions. My background spans senior DFIR consulting, incident command during major cyber events, and hands-on digital investigation across mobile, endpoint, server, and cloud environments. I’ve led and supported investigations into ransomware, APT intrusions, zero-day exploitation, insider threats, fraud, business email compromise, cloud compromise, and complex evidential matters requiring clear technical and legal defensibility. I’ve worked closely with Legal, HR, Crisis Communications, Insurance, Business Continuity, and C-suite stakeholders during fast-moving incidents where clarity, discretion, and sound judgement matter. My experience also includes improving response capability through better documentation, playbooks, escalation paths, tabletop exercises, and closer integration between technical and non-technical teams. Alongside IR and DFIR leadership, I have a strong background in expert witness and evidential work, producing clear, defensible reports for solicitors, barristers, insurers, and courts. I also spent several years delivering eDiscovery collections and litigation support across EMEA, handling large, multi-jurisdictional matters with careful evidence handling and cross-border coordination.

Key areas of experience:
• Incident command and senior DFIR delivery across EMEA, APAC, and the US
• Ransomware, APT, fraud, cloud compromise, insider threat, and BEC investigations
• Expert witness reporting for criminal, civil, tribunal, and regulatory matters
• eDiscovery collections, evidence handling, and litigation support
• Cross-functional crisis coordination with Legal, HR, Comms, BCM, insurers, and executives
• IR process development, playbooks, readiness improvement, and tabletop exercises
• Hands-on technical work across Defender, Sentinel, Cybereason, Velociraptor, cloud forensics, memory analysis, and enterprise investigations
• Scripting and automation using PowerShell, Python, and terminal-based workflows

Experience

  • Freelance Digital Forensic Expert Witness/Consultant at Compute Forensics
    Mar 2012 - Present · 14 yrs 4 mos

    As owner and contracting as Compute Forensics, I led and delivered complex digital investigations for criminal defence teams, civil litigation firms, and corporate clients. My work spanned everything from forensic imaging and mobile phone analysis to eDiscovery collections and internal employee investigations. I provided eDiscovery support for legal teams by conducting targeted collections from endpoints, mobile devices, and cloud platforms, ensuring full chain of custody, metadata preservation, and compliance with evidentiary standards. I regularly worked with tools such as FTK, Intella, and Cellebrite to support legal disclosure, early case assessment, and technical expert review. On the defence side, I conducted independent forensic analysis in criminal matters involving computer misuse, alleged harassment, IP theft, and digital evidence disputes. My reports helped challenge prosecution findings, recover deleted communications, and reconstruct timelines relevant to key events. I also supported internal HR and misconduct investigations for businesses, identifying misuse of IT systems, unauthorised access, or data leakage. This often included log review, behavioural analysis, and preparing evidence packs for internal or legal escalation. Whether supporting a defence solicitor, corporate legal counsel, or an HR team, I delivered clear, defensible, and discreet forensic work trusted in court and corporate environments alike.

  • Managing Consultant DFIR EMEA at Trustwave, A LevelBlue Company
    Sep 2023 - Dec 2025 · 2 yrs 4 mos

    As Managing Consultant for DFIR across EMEA at Trustwave (now LevelBlue), I delivered complex digital forensic and incident response services for high-profile clients across finance, tech, legal, and critical infrastructure sectors. Operating under a follow-the-sun retainer model, I led and supported major breach investigations while managing key client relationships.

    Case highlights include:
    - Contained nation-state APT activity using memory forensics, YARA rules, and IOC development.
    - Led forensic response to a financial sector malware incident, restoring operations within 48 hours.
    - Triaged 26 compromised hosts during a coordinated breach, supporting malware eradication and recovery.
    - Identified and mitigated credential leaks via dark web monitoring and enforced MFA.
    - Investigated a zero-day exploit (Palo Alto), confirming privilege escalation and coordinating emergency patching.
    - Uncovered insider abuse by correlating AD logs and forensic artefacts, leading to improved access controls.
    - Mapped C2 infrastructure using OSINT techniques to proactively block threat actor domains.
    - Responded to a large-scale BEC/phishing attack in O365, removing persistence and improving posture.
    - Secured misconfigured AWS S3 buckets through IAM review, remediation, and encryption enforcement.

    Beyond reactive response, I led proactive services including tabletop exercises, IR readiness reviews, and forensic process optimisation. I worked closely with CISOs, legal teams, and SOCs, translating technical findings into strategic actions. I also mentored junior consultants, drove cross-regional collaboration, and refined investigation workflows to improve response speed and consistency.

  • DFIR Consultant at CCL Solutions Group
    Jan 2023 - Sep 2023 · 9 mos

    At CCL, I conducted a range of digital forensic examinations across mobile devices and traditional endpoints, supporting criminal investigations, civil disputes, and internal reviews. My work involved detailed device extractions, analysis of digital artefacts, and reporting for both legal and investigative audiences.

    Key highlights included:
    - Leading a mobile forensic investigation into a suspected state-level spyware infection, performing deep packet capture (PCAP) analysis of network traffic to identify indicators of compromise and potential exfiltration.
    - Conducting routine endpoint examinations, including email abuse, IP theft, and insider threat scenarios, using industry-standard forensic tools to build timelines and extract actionable evidence.
    - Performing Cellebrite and AXIOM-based mobile extractions, validating findings against known threat indicators and user activity.
    - Assisting in the testing and validation of forensic tools and workflows used in high-stakes investigations.
    - Delivering clear, defensible reports for legal clients and internal stakeholders, ensuring adherence to evidentiary standards and ACPO guidelines.

    This role strengthened my expertise in mobile threat detection and deep forensic validation, particularly in scenarios involving highly sensitive or politically significant cases.

  • Technical Lead Cyber and Digital Forensics EMEA at Envista Forensics
    Sep 2018 - Nov 2021 · 3 yrs 3 mos

    At Envista Forensics, I led expert digital forensic and cyber breach investigations across EMEA, primarily servicing cyber insurance panels and responding on behalf of loss adjusters and their insured clients. Envista’s clients included top-tier private firms, insurers, legal teams, and enterprise organisations facing breach-related crises or litigation. My role involved conducting detailed post-incident investigations, including forensic imaging, log analysis, malware examination, and root cause analysis, to determine the cause, scope, and impact of cyber events. These ranged from ransomware and data exfiltration to internal fraud and misconfiguration-driven breaches. Often operating under urgent timelines, I provided clear, defensible findings that supported both breach remediation and legal or insurance outcomes. This included assessing technical liability, supporting claims validation, and producing expert reports used by underwriters, adjusters, and legal teams. I regularly engaged with insurers, brokers, legal counsel, and IT stakeholders, offering forensic clarity during high-stress scenarios and ensuring investigations met legal, evidentiary, and policyholder requirements. My work helped bridge the gap between technical findings and commercial impact, empowering stakeholders to make informed, timely decisions.

  • Digital Forensic Specialist at Rio Tinto [Contractor]
    Dec 2016 - Oct 2017 · 11 mos

    At Rio Tinto, one of the world’s leading mining and metals companies, I supported the Group Investigations team in conducting highly sensitive internal investigations, including cases involving major bribery and corruption allegations, which were the subject of public scrutiny and regulatory interest. My forensic work contributed directly to internal and regulatory investigations related to this case, which concerned payments connected to mining rights in Guinea and resulted in executive dismissals and global media attention. I was responsible for the collection, preservation, and analysis of digital evidence across devices and systems belonging to individuals under investigation. I led and supported forensic analysis across a range of internal reviews, including employee misconduct, financial irregularities, and compliance breaches, ensuring all digital evidence was collected, preserved, and analysed in accordance with strict legal and procedural requirements.

    Key responsibilities included:
    - Performing forensic collections and in-depth analysis across laptops, servers, mobile devices, and cloud data sources.
    - Supporting multi-disciplinary investigations alongside Legal, HR, Ethics & Compliance, and Cybersecurity teams.
    - Providing forensic input into anti-bribery and corruption (ABC) matters, including a high-profile case concerning international operations under regulatory review.
    - Managing evidence on Rio Tinto’s eDiscovery platform, assisting legal teams with remote review and data analysis.
    - Ensuring compliance with internal data privacy policies, including data segregation, jurisdictional handling, and confidentiality protocols.

    My work helped uncover critical findings in employee-related cases and supported the company’s commitment to ethical conduct, transparency, and regulatory compliance on a global scale.