Tier 1 — Flagship Engagement

AI Exposure Audit

A full forensic examination of AI tool usage across your organization. We recover what your employees deleted, map what your DLP missed, and hand you a documented evidence package before a regulator or plaintiff's attorney builds one first.

$12,500 – $35,000 · scoped to organization size and data environment

Engagement scoped on a 30-minute briefing call. NDA signed before any details are shared.

NDA signed before briefing
Technical chain of custody at every stage
2–4 week turnaround
Board-ready executive summary included

5 artifact types that survive deletion, incognito, and uninstall

Your employees cleared their history. Uninstalled the app. Used private browsing. These artifacts are still on your endpoints — and they tell a complete story.

01

config.json & Application Data Files

The ChatGPT desktop app stores every conversation, uploaded file, and API key in a recoverable JSON structure — including sessions the user "deleted." We extract this in full, including timestamps and content previews where present.

Also applies to Claude, Copilot, Gemini, and 200+ AI desktop and mobile applications.

02

SQLite Browser Databases

Chrome and Edge store full browsing history in SQLite files — including visits to AI tool URLs, session tokens, and access timestamps. We recover deleted rows from these files using forensic carving techniques and cross-reference with disk shadow copies.

Incognito sessions leave traces in RAM and pagefile even when not recorded to disk.
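The live-row part of the history analysis described above can be shown in a few dozen lines. The following is an added example, not the vendor's tooling: it uses Chromium's real `urls`/`visits` table layout (reduced to the columns that matter) and Chromium's timestamp encoding (microseconds since 1601-01-01 UTC), but the indicator list and every history row are constructed for the demonstration. It only reads rows that are still present; recovering deleted rows from freed pages is a carving task that SQL cannot do.

```python
"""Triage a Chrome/Edge History database for visits to AI tool domains.

Added example (not the vendor's tooling). The schema below is a reduced
version of Chromium's `urls`/`visits` tables and the rows are constructed
test data; point `find_ai_visits` at a forensic copy of a real History file
to use it on live rows (deleted rows need carving, not SQL).
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chromium stores timestamps as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Hypothetical indicator list; a real engagement uses a much larger library.
AI_INDICATORS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

# Constructed timestamp of the earliest sample visit (used to build sample rows).
SAMPLE_FIRST_VISIT = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)


def to_webkit(dt: datetime) -> int:
    """Aware UTC datetime -> Chromium microsecond timestamp."""
    d = dt - WEBKIT_EPOCH
    return (d.days * 86_400 + d.seconds) * 1_000_000 + d.microseconds


def from_webkit(us: int) -> datetime:
    """Chromium microsecond timestamp -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def match_indicator(url: str):
    """Return the tool name if the URL host is, or is a subdomain of, an indicator domain."""
    host = (urlsplit(url).hostname or "").lower()
    for domain, tool in AI_INDICATORS.items():
        if host == domain or host.endswith("." + domain):
            return tool
    return None  # look-alike hosts such as evil-chatgpt.com do not match


def find_ai_visits(conn: sqlite3.Connection) -> list:
    """Join visits to urls, keep rows whose host matches an indicator, oldest first."""
    rows = conn.execute(
        "SELECT u.url, u.title, v.visit_time "
        "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time"
    )
    hits = []
    for url, title, visit_time in rows:
        tool = match_indicator(url)
        if tool is None:
            continue
        hits.append({
            "tool": tool,
            "host": urlsplit(url).hostname,
            "url": url,
            "title": title,
            "visited_at": from_webkit(visit_time).isoformat(),
        })
    return hits


def summarize(hits: list) -> dict:
    """Visit count per tool; the figure that feeds a per-endpoint usage timeline."""
    counts = {}
    for h in hits:
        counts[h["tool"]] = counts.get(h["tool"], 0) + 1
    return counts


def build_sample_history() -> sqlite3.Connection:
    """In-memory stand-in for a copied History file, populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
    """)
    t0 = SAMPLE_FIRST_VISIT
    urls = [
        (1, "https://chatgpt.com/c/abc123", "ChatGPT", 2, to_webkit(t0 + timedelta(days=1))),
        (2, "https://intranet.example.local/wiki", "Wiki", 1, to_webkit(t0 + timedelta(hours=1))),
        (3, "https://claude.ai/chat/xyz", "Claude", 1, to_webkit(t0 + timedelta(hours=3))),
    ]
    visits = [
        (1, 1, to_webkit(t0), 0),
        (2, 2, to_webkit(t0 + timedelta(hours=1)), 0),
        (3, 3, to_webkit(t0 + timedelta(hours=3)), 0),
        (4, 1, to_webkit(t0 + timedelta(days=1)), 0),
    ]
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", urls)
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?)", visits)
    return conn


if __name__ == "__main__":
    # On a real copy: sqlite3.connect("file:/path/to/History.copy?mode=ro", uri=True)
    conn = build_sample_history()
    for hit in find_ai_visits(conn):
        print(hit["visited_at"], hit["tool"], hit["url"])
    print(summarize(find_ai_visits(conn)))
```

Work from a forensic copy of the profile's `History` file opened read-only, since the running browser holds a lock on the live file and any write would alter the evidence. Matching on the host rather than on a substring of the URL avoids counting look-alike domains and pages that merely mention an AI vendor.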

03

Network & DNS Logs

DNS query logs to api.openai.com, claude.ai, and similar endpoints — preserved in your network infrastructure — show exactly which endpoints made AI requests, how frequently, and at what data volume. TLS records show the size of what was transmitted even when content is encrypted.

Particularly valuable for demonstrating organisational-level exposure rather than isolated individual usage.
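The organisation-level view described above comes from aggregating resolver logs rather than reading one endpoint. The following is an added example, not the vendor's tooling: the log format (`<ISO timestamp> <client IP> <qtype> <qname>`) and every log line are constructed, and the indicator list is a hypothetical subset. It groups lookups by indicator domain, counts distinct clients and queries, records the observation window, and skips lines it cannot parse so a single malformed export line does not abort the run. Adapt `parse_line` to the real export format of the resolver in scope.

```python
"""Aggregate DNS query logs into an organisation-level view of AI service lookups.

Added example (not the vendor's tooling). The log format and the lines in
SAMPLE_LOG are constructed; AI_DOMAINS is a hypothetical indicator subset.
"""
from datetime import datetime

AI_DOMAINS = {
    "api.openai.com": "OpenAI API",
    "chatgpt.com": "ChatGPT",
    "claude.ai": "Claude",
    "api.anthropic.com": "Anthropic API",
    "gemini.google.com": "Gemini",
}

# Constructed sample export: timestamp, client IP, query type, query name.
SAMPLE_LOG = """\
2024-03-04T09:15:02Z 10.1.4.22 A api.openai.com
2024-03-04T09:15:02Z 10.1.4.22 AAAA api.openai.com
2024-03-04T09:16:40Z 10.1.4.22 A chatgpt.com
2024-03-04T09:20:11Z 10.1.7.8 A claude.ai
2024-03-04T09:21:00Z 10.1.7.8 A intranet.example.local
2024-03-05T14:02:33Z 10.1.9.41 A api.openai.com
2024-03-05T14:02:34Z 10.1.9.41 A cdn.example.com
this line is malformed
"""


def classify(qname: str):
    """Return (indicator domain, tool) if qname is, or is under, an indicator domain."""
    name = qname.lower().rstrip(".")
    for domain, tool in AI_DOMAINS.items():
        if name == domain or name.endswith("." + domain):
            return domain, tool
    return None


def parse_line(line: str):
    """Parse one constructed-format log line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"ts": ts, "client": parts[1], "qtype": parts[2], "qname": parts[3]}


def aggregate(log_text: str) -> dict:
    """Per indicator domain: tool, query count, distinct clients, first/last seen.

    Every query is counted (A and AAAA lookups for one page load count twice);
    distinct clients is the metric that distinguishes organisation-wide use
    from a single endpoint.
    """
    stats = {}
    malformed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            malformed += 1
            continue
        hit = classify(rec["qname"])
        if hit is None:
            continue
        domain, tool = hit
        s = stats.setdefault(domain, {
            "tool": tool, "queries": 0, "clients": set(),
            "first_seen": rec["ts"], "last_seen": rec["ts"],
        })
        s["queries"] += 1
        s["clients"].add(rec["client"])
        s["first_seen"] = min(s["first_seen"], rec["ts"])
        s["last_seen"] = max(s["last_seen"], rec["ts"])
    for s in stats.values():  # make the result plain and deterministic for reporting
        s["clients"] = sorted(s["clients"])
        s["first_seen"] = s["first_seen"].isoformat()
        s["last_seen"] = s["last_seen"].isoformat()
    stats["_malformed_lines"] = malformed
    return stats


def exposure_summary(stats: dict) -> dict:
    """Roll up per-domain stats to per-tool distinct-client and query counts."""
    summary = {}
    for domain, s in stats.items():
        if domain.startswith("_"):
            continue
        t = summary.setdefault(s["tool"], {"clients": set(), "queries": 0})
        t["clients"].update(s["clients"])
        t["queries"] += s["queries"]
    return {tool: {"clients": len(t["clients"]), "queries": t["queries"]}
            for tool, t in summary.items()}


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    for domain, s in stats.items():
        print(domain, s)
    print(exposure_summary(stats))
```

The malformed-line counter belongs in the methodology record: it tells a reviewer how much of the export was actually examined, which matters if the findings are later challenged.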

04

Windows Registry

The Windows registry records AI application installation timestamps, execution counts, and user identifiers — even after the application has been uninstalled and privacy settings cleared. This creates a timeline of usage that is difficult to dispute.

Registry artifacts are particularly useful in M&A due diligence where historical AI usage needs to be documented without active cooperation from individual employees.

05

RAM, Pagefile & Hibernation Files

Volatile memory captures active AI sessions, clipboard contents pasted into AI tools, and proprietary data before it is written to disk. The Windows pagefile and hibernation file retain memory snapshots that can be acquired without interrupting operations.

This is the only category that requires on-site or live-system acquisition — all others can be collected remotely.

Anonymised Finding Example

During a 2024 engagement at a 340-person professional services firm, analysis of SQLite browser databases recovered 1,847 visits to AI tool domains over 14 months — including 312 sessions on the General Counsel's endpoint. DNS logs confirmed 4.2 GB of outbound data to api.openai.com during the period. The firm had no AI usage policy in place. The finding was disclosed voluntarily to their cyber insurer before renewal.

From first call to board report in 21 days

Every stage maintains a documented chain of custody. You receive a methodology record alongside your findings so the evidence is defensible if challenged.

1
Days 1–2: Scoping & NDA

Confidential Briefing

30-minute call to scope the engagement — number of endpoints, data environment, regulatory frameworks, and any active inquiries. NDA signed before this call. Engagement letter and SOW issued within 24 hours of agreement.

  • No technical access required at this stage
  • Scope determines final price within the stated range
  • General Counsel or CISO typically present for this call
2
Days 3–9: Remote Collection

Evidence Collection

Guided remote forensic artifact collection via secure video call with your IT team. No raw data leaves your environment during this phase — we work from forensic copies and log exports.

  • Browser history databases and AI application data files
  • DNS query logs and network traffic summaries from your infrastructure
  • Email archive scan for AI tool account registrations
  • Cloud access logs (Microsoft 365, Google Workspace)
  • Windows registry export from sampled endpoints
  • Chain of custody documentation initiated at first artifact
3
Days 10–18: Analysis

Forensic Analysis

Pattern matching against our 200+ AI tool indicator library, manual validation of all high-risk findings, and regulatory mapping. Every finding that makes it into the report has been manually reviewed — no automated false positives.

  • AI tool identification and usage timeline reconstruction
  • Data classification: PII, PHI, trade secrets, privileged communications
  • Cross-reference with your existing DLP logs and access controls
  • Department-level risk heat map construction
  • Regulatory gap analysis: HIPAA, SOX, GDPR, EU AI Act
4
Days 19–21: Delivery

Report & Debrief

Final report delivered with a 60-minute debrief call. Draft shared with General Counsel 24 hours before final delivery for privilege review. Technical appendices provided separately for your IT and security teams.

  • Board-ready executive summary (2–4 pages)
  • Full findings report with evidence citations
  • Remediation roadmap with prioritised recommendations
  • Forensic methodology documentation (for compliance review)
  • Optional: report structured as attorney work product

Seven deliverables. Every engagement.

Scope affects depth of analysis. It does not affect the number or type of deliverables — every engagement receives the full package below.

Executive

Board-Ready Executive Summary

2–4 pages written for non-technical readers. Findings, risk level, regulatory exposure, and recommended immediate actions. Suitable for board presentation or insurance carrier disclosure.

Technical

Full Findings Report

Complete documentation of every finding with evidence citations, artifact source, timestamp, and data classification. Written for General Counsel and CISO review. Structured for attorney work product delivery on request.

Visual

Risk Heat Map by Department

A visual map of AI exposure by department and tool. Immediately communicates where your highest concentration of risk is and which teams require immediate policy intervention.

Regulatory

Regulatory Gap Analysis

Finding-by-finding mapping to HIPAA, SOX, GDPR, and EU AI Act obligations. Where a violation is present, we document the specific provision, the finding that triggers it, and the disclosure risk.

Action

Remediation Roadmap

Prioritised list of recommended actions ranked by risk severity and implementation complexity. Written for your IT, legal, and compliance teams with 30/60/90-day suggested milestones.

IT

Technical Appendices

Artifact-level detail for your security and IT teams — tool-by-tool breakdown, endpoint inventory, and specific artifact locations. Delivered separately from the legal report.

Forensic

Methodology & Chain of Custody Record

A complete record of how evidence was collected, preserved, and analyzed. Required for any subsequent regulatory filing or litigation use of the findings. Follows SWGDE and NIST documentation standards.

Debrief

60-Minute Report Debrief

Live walkthrough of findings with the engagement team. Attend with General Counsel, CISO, and CCO. Questions answered, remediation priorities discussed, next steps agreed.

Four situations that make this engagement necessary

This is not a proactive compliance checkbox. It is triggered by a specific situation or a clearly identified risk.

Active Regulatory Inquiry

A regulator has made an inquiry or issued a document request that may implicate AI tool usage. You need documented findings before they conduct their own discovery.

M&A Due Diligence

Acquiring or being acquired. Undiscovered AI exposure in the target is a post-close liability. Buyers increasingly require AI forensic documentation as a condition of close.

Proactive Pre-Audit Documentation

Your next HIPAA, SOX, or ISO audit is approaching. You need to know what an auditor will find before they do — and have a remediation record to show.

Insurance Underwriting Requirement

Your cyber insurer has asked for AI usage documentation at renewal. Without it, claims involving AI data exposure may be denied. The audit report satisfies this requirement.

What clients ask before engaging

Does raw data leave our environment?

No. We work from forensic copies and log exports. Raw files — emails, documents, database contents — are never transmitted to us. We collect structured artifacts (browser history databases, DNS logs, registry exports) and analyze them within your environment or via a secure transfer of the artifact files only, not the underlying data they reference.

What access do you need from our IT team?

A guided session with an IT administrator who has access to endpoint management tools, DNS query logs, and email gateway logs. We provide a pre-engagement checklist so your team knows exactly what to prepare. No agent installation is required and no persistent access is maintained after collection is complete.

Can the report be structured as attorney work product?

Yes. If your General Counsel retains us directly, or if we are engaged at their direction, the report can be structured to fall under attorney-client privilege in most US jurisdictions. We strongly recommend involving legal counsel in the engagement setup call if this is a concern.

What if we find something serious during the engagement?

You are notified immediately — we do not wait for the final report. The scope of what "serious" means is agreed at the outset. We also have protocols for pausing the engagement if findings suggest an active breach rather than historical exposure.

How is the price range determined?

The $12,500–$35,000 range reflects organization size (number of endpoints), data environment complexity (cloud-only vs. hybrid vs. on-premises), regulatory scope (single framework vs. multi-framework), and whether the engagement involves any on-site collection. The scoping call takes 30 minutes and produces a fixed-fee proposal. You will not receive a bill that exceeds the agreed scope.

Do you work with organizations outside the United States?

Yes. We have experience with GDPR and EU AI Act obligations and can coordinate collection across EU jurisdictions. Engagements involving data subject to GDPR transfer restrictions are structured accordingly. Contact us to discuss your specific situation.

Ready to know what's already in your environment?

The briefing call is 30 minutes, under NDA, and produces a fixed-fee proposal. No obligation beyond that.