FAQ

What is digital forensics and when is it used?

Digital forensics (also known as computer forensics or informatyka śledcza in Polish) is the scientific discipline that deals with identifying, preserving, analysing, and presenting digital evidence in a manner that maintains its integrity and admissibility in court or internal corporate investigations.

It is most commonly used in the following situations:

  • Data leaks and theft of trade secrets
  • Employee misconduct or fraud (unauthorised data access, sabotage, etc.)
  • Cyberattacks (ransomware, phishing, APT, malware infections)
  • Determining the source and scope of a breach
  • Recovery of deleted or hidden data
  • Civil and criminal litigation requiring digital proof
  • Internal corporate investigations and compliance audits

Key principle

Every step of the forensic process must preserve the chain of custody and follow recognised standards (ISO/IEC 27037, NIST SP 800-86, Polish procedural requirements, etc.) so that the evidence and findings are fully admissible before a court.

How does the process of preserving digital evidence work?

Preserving digital evidence is the first and most critical phase of any forensic investigation. The goal is to create a perfect, verifiable copy of the original data without altering even a single bit.

Standard forensic preservation process (ISO/IEC 27037 compliant)

  1. Physical seizure & documentation
    Photograph the device/scene, record serial numbers, port status, time and persons present.

  2. Creation of a forensic (bit-for-bit) image
    The entire storage medium (hard drive, SSD, phone, USB stick, cloud backup, etc.) is duplicated at the physical level using write-blockers (hardware or software).

  3. Integrity verification
    Cryptographic hashes are calculated both for the original and the copy:

    • SHA-256 (mandatory)
    • MD5 or SHA-1 (additional)
      If even one hash differs → the copy is invalid.

  4. Chain-of-custody documentation
    Detailed protocol containing: who, what, when, where, which tools (with serial numbers and calibration status), hash values, storage location.

  5. Secure storage
    The verified forensic image is stored on encrypted media in an access-controlled evidence room or secure cloud vault. The original device is sealed and stored separately.
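The hash verification in steps 2–3, as an added example that is not part of the original page: it streams a medium once through SHA-256 (mandatory) together with MD5 and SHA-1 (additional), compares every digest and the byte count of the copy against the original, and emits the lines an acquisition protocol records. The sample device bytes, the one-bit damage and the protocol-line format are constructed for this example.

```python
import hashlib
import io
from dataclasses import dataclass, field

# Hash set from the preservation process above: SHA-256 is mandatory,
# MD5 and SHA-1 are additional. A copy is valid only if every digest matches.
MANDATORY = ("sha256",)
ADDITIONAL = ("md5", "sha1")
CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large image never sits in RAM


def multi_hash(stream, algorithms=MANDATORY + ADDITIONAL, chunk=CHUNK):
    """One pass over a byte stream, all digests updated together.

    Returns ({algorithm: hexdigest}, bytes_read). Reading once matters for
    multi-terabyte images; one pass per algorithm would triple the time.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        total += len(block)
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}, total


@dataclass
class VerificationRecord:
    """What the chain-of-custody protocol records for the imaging step."""
    original: dict
    copy: dict
    size_original: int
    size_copy: int
    mismatches: list = field(default_factory=list)

    @property
    def valid(self):
        # Sizes must agree and not a single digest may differ.
        return self.size_original == self.size_copy and not self.mismatches

    def protocol_lines(self):
        """Lines to paste into the acquisition protocol (constructed format)."""
        lines = [f"size original={self.size_original} copy={self.size_copy}"]
        for name in self.original:
            lines.append(f"{name} original={self.original[name]}")
            lines.append(f"{name} copy    ={self.copy[name]}")
        if self.valid:
            lines.append("verdict: COPY VALID")
        else:
            reason = ", ".join(self.mismatches) or "size"
            lines.append(f"verdict: COPY INVALID (mismatch in {reason})")
        return lines


def verify_image(original_stream, copy_stream):
    """Hash original medium and forensic copy, compare every algorithm."""
    orig, orig_size = multi_hash(original_stream)
    dup, dup_size = multi_hash(copy_stream)
    mismatches = [name for name in orig if orig[name] != dup[name]]
    return VerificationRecord(orig, dup, orig_size, dup_size, mismatches)


def verify_bytes(original, copy):
    """Convenience wrapper for in-memory data (real use: open(dev, 'rb'))."""
    return verify_image(io.BytesIO(original), io.BytesIO(copy))


# Constructed stand-in for a small storage medium (2 MiB, repeating pattern).
SAMPLE_DEVICE = bytes(range(256)) * 8192


def flip_one_bit(data, offset=-1):
    """Simulate a copy that differs in a single bit (e.g. a silent write)."""
    damaged = bytearray(data)
    damaged[offset] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    for label, copy in (("good copy", SAMPLE_DEVICE),
                        ("one-bit damaged copy", flip_one_bit(SAMPLE_DEVICE))):
        print(f"--- {label} ---")
        print("\n".join(verify_bytes(SAMPLE_DEVICE, copy).protocol_lines()))
```

A single flipped bit changes all three digests, which is why the protocol lists every algorithm rather than only the verdict.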

Critical rule

Never power on, browse, or connect the original device to any computer before professional imaging.
Even opening a single file can overwrite deleted data and destroy its evidentiary value in court.

Can I open or access a storage device myself before handing it to a forensic expert?

No – you should absolutely not open, power on, or browse the storage device yourself before handing it over to a forensic expert.

Even seemingly harmless actions can:

  • change critical timestamps (last accessed, modified, MFT change times)
  • overwrite deleted files or unallocated space
  • trigger anti-forensic mechanisms or encryption routines
  • destroy or seriously weaken the evidentiary value of the data in court

Correct procedure

  1. Leave the device exactly as it is (do not switch it on, do not connect it to a computer).
  2. If it is running, leave it running; should it have to be powered down, pulling the plug is safer than a normal shutdown.
  3. Hand the device over in its original state.
  4. The forensic expert will create a verified bit-for-bit forensic image (with SHA-256/MD5 hashes) and perform all analysis on that copy only.

Following this simple rule very often decides whether the evidence will be accepted by the court or rejected as “contaminated”.

What types of devices can be sources of digital evidence?

Almost any electronic device that stores or processes data can become a source of digital evidence. The most common include:

  • Computers & laptops (Windows, macOS, Linux)
  • Smartphones & tablets (iPhone, Android, iPad)
  • External drives, USB sticks, memory cards
  • Servers (on-premise, virtual, cloud – AWS, Azure, Google, OVH, etc.)
  • Cloud accounts (Google Drive, iCloud, OneDrive, Dropbox, corporate Office 365/GSuite)
  • Industrial control systems (OT/ICS) – PLC, SCADA, DCS, HMI, historians
  • IoT & smart devices (cameras, smart TVs, voice assistants, GPS trackers, wearables)
  • CCTV systems & dash cams
  • Car infotainment & navigation systems
  • Printers, routers, NAS devices

In practice, I have successfully extracted probative evidence from all of the above categories — sometimes even from devices that the owner believed had been completely wiped.

What is the difference between IT analysis and digital forensics?

IT analysis / regular technical analysis

  • Goal: obtain information, answers, or clarification
  • Methods: any that work (live browsing, exporting data, running scripts, etc.)
  • No special documentation or integrity requirements
  • Result: technical report, recommendation, or internal findings

Digital forensics (informatyka śledcza)

  • Goal: produce court-admissible evidence
  • Strict adherence to forensic standards (ISO/IEC 27037, NIST, Polish criminal procedure rules)
  • Mandatory chain of custody, verified bit-for-bit imaging, hashing (SHA-256), detailed documentation of every action
  • All work performed on forensic copies only – never on the original
  • Result: forensic report or expert opinion that can be used in civil, criminal, or administrative proceedings

In short

IT analysis answers the question “What happened?”
Digital forensics answers the question “Can we prove in court what happened, by whom, and when?”

What does an IT and OT (ICS) security audit involve?

A full IT/OT security audit consists of five main phases

Phase | What is examined | Typical findings (Poland 2024-2025)
--- | --- | ---
1. Inventory & architecture | Asset list, network diagrams, IT–OT segmentation, zones & conduits (Purdue model) | 78 % of plants still have a flat network (IT directly connected to PLCs)
2. Technical configuration review | Firewalls, servers, workstations, PLC/RTU/HMI, Active Directory, backups, encryption, patching | Default passwords on 65 % of OT devices, Windows XP/7 still in use
3. Access control & policies | Accounts, privileges, MFA, password policy, remote access (VPN/RDP), USB policy | Shared admin accounts, no MFA on critical systems
4. Physical & organisational security | Server rooms, control rooms, visitor policy, documentation, incident procedures, training | Unlocked cabinets, no visitor logs, missing or outdated procedures
5. Compliance & risk assessment | Mapping to NIS2, ISO/IEC 27001, ISO/IEC 62443, KSC/UKE requirements, risk matrix | Most companies fail NIS2 readiness by 40–70 % before remediation

Deliverables you receive

  • Executive summary (for the board)
  • Detailed technical report with screenshots and proof
  • Risk matrix (critical / high / medium / low)
  • Prioritised remediation roadmap (quick wins + long-term)
  • Optional: full compliance gap analysis (NIS2, ISO 27001/62443)

After the audit my retainer clients usually fix 80–90 % of critical findings within the first 3–6 months.

What are the most common security mistakes in industrial networks (OT/ICS)?

The most frequent (and most dangerous) OT security mistakes in Poland

# | Mistake | Real-world consequence seen in audits
--- | --- | ---
1 | No network segmentation between IT and OT | Ransomware from office network encrypts PLCs in <4 h
2 | Default or no passwords on PLCs, HMI, SCADA | Attacker gains full control in minutes
3 | Outdated, unpatched systems (Windows XP, Siemens S7-300 without updates) | Exploits from 2010 still work
4 | Direct internet exposure of OT devices | Systems visible in Shodan → instant compromise
5 | No logging or monitoring in OT | Attack goes undetected for months
6 | Shared accounts & no MFA for critical systems | One compromised engineer credential = full plant access
7 | USB devices without control | 90 % of OT infections in Poland start from an infected pendrive

Correct approach (mandatory for NIS2 and ISO/IEC 62443)

  • Full IT–OT segmentation (zones & conduits, Purdue model)
  • Hardware firewalls and OT-specific monitoring (Nozomi, Claroty, Dragos)
  • Strict least-privilege access + MFA/PAM
  • Regular patching & hardening of PLC, HMI, SCADA
  • USB control + endpoint protection and whitelisting
  • Continuous OT asset inventory and anomaly detection

Fixing these seven mistakes eliminates ~95 % of real-world OT attacks I investigate.

What is network segmentation according to the Purdue model?

Purdue Model – the global standard for industrial network architecture

Level | Name | Typical devices & systems | Allowed communication
--- | --- | --- | ---
5 | Enterprise network | ERP, e-mail, internet, office PCs | Only to Level 4 (DMZ)
4 | Site business planning | MES, historians, patch servers, antivirus servers | To Level 3.5 (OT DMZ) and Level 5
3.5 | OT DMZ (demilitarised zone) | Terminal servers, update mirrors, jump hosts | Strictly controlled, firewalled
3 | Site operations | SCADA, HMI, engineering workstations, alarm servers | To Levels 2–0 and 3.5
2 | Area supervisory control | Supervisory SCADA, advanced controllers | To Levels 1–0
1 | Basic control | PLC, RTU, DCS controllers | Only to Level 0 and Level 2
0 | Process | Sensors, actuators, drives, I/O | Only within Level 0 and to Level 1

Core principle: zones & conduits

  • Each level = separate zone
  • Communication between zones only via strictly defined and firewalled conduits
  • One-way or heavily restricted data flow (especially IT → OT)

Real-world impact (Polish factories 2024–2025)

  • Without segmentation → ransomware from an office laptop shuts down the entire production line in <4 h
  • With correct Purdue segmentation → infection stops at Level 5/4, production continues uninterrupted

Proper implementation of the Purdue model is mandatory for NIS2, ISO/IEC 62443 and Polish KSC/UKE requirements.
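An added example (not from the original page) that encodes the allowed-communication column of the Purdue table above as a conduit policy and checks a constructed list of observed flows against it: it flags the flat-network case where an office laptop talks directly to a PLC and reports which conduits that traffic should have passed through. The asset names and flows are constructed; Level 3.5's peers (Levels 4 and 3) and "traffic stays inside its own level" are assumptions, since the table only says the DMZ is strictly controlled.

```python
from collections import deque

# Levels a zone may initiate connections to, taken from the table above.
# Assumptions for this example: the OT DMZ (3.5) brokers between 4 and 3,
# and traffic between devices of the same level stays inside that zone.
ALLOWED_CONDUITS = {
    "5": {"4"},
    "4": {"3.5", "5"},
    "3.5": {"4", "3"},
    "3": {"2", "1", "0", "3.5"},
    "2": {"1", "0"},
    "1": {"0", "2"},
    "0": {"0", "1"},
}


def flow_allowed(src_level, dst_level):
    """True if a device at src_level may initiate traffic to dst_level."""
    if src_level == dst_level:
        return True
    return dst_level in ALLOWED_CONDUITS.get(src_level, set())


def required_path(src_level, dst_level):
    """Shortest chain of permitted conduits from src to dst (BFS), or None.

    None means the model offers no route at all, e.g. a PLC (Level 1)
    initiating towards the enterprise network: lower levels never initiate
    upwards past Level 2 in the table.
    """
    seen = {src_level}
    queue = deque([[src_level]])
    while queue:
        path = queue.popleft()
        if path[-1] == dst_level:
            return path
        for nxt in sorted(ALLOWED_CONDUITS.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def evaluate_flows(inventory, flows):
    """Return one finding per observed flow that bypasses the conduit model."""
    findings = []
    for src, dst, proto in flows:
        s, d = inventory[src], inventory[dst]
        if flow_allowed(s, d):
            continue
        findings.append({
            "src": src, "dst": dst, "proto": proto,
            "from_level": s, "to_level": d,
            "expected_path": required_path(s, d),
        })
    return findings


# Constructed asset inventory: device name -> Purdue level.
INVENTORY = {
    "office-laptop-17": "5",
    "erp-srv-01": "4",
    "jump-host-ot": "3.5",
    "scada-srv-01": "3",
    "plc-line-a": "1",
}

# Constructed netflow-style observations: (source, destination, protocol).
OBSERVED_FLOWS = [
    ("office-laptop-17", "erp-srv-01", "https"),    # 5 -> 4, allowed
    ("erp-srv-01", "jump-host-ot", "rdp"),          # 4 -> 3.5, allowed
    ("scada-srv-01", "plc-line-a", "s7comm"),       # 3 -> 1, allowed
    ("office-laptop-17", "plc-line-a", "s7comm"),   # 5 -> 1, the flat network
    ("plc-line-a", "erp-srv-01", "https"),          # 1 -> 4, OT initiating to IT
]


if __name__ == "__main__":
    for f in evaluate_flows(INVENTORY, OBSERVED_FLOWS):
        route = " -> ".join(f["expected_path"]) if f["expected_path"] else "no permitted route"
        print(f"VIOLATION {f['src']} (L{f['from_level']}) -> {f['dst']} "
              f"(L{f['to_level']}) via {f['proto']}; conduit model: {route}")
```

Run against a real flow export, the same function lists exactly the connections that a flat network lets through and a segmented one would stop at Level 5/4.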

What are the benefits of a monthly cybersecurity retainer (Security-as-a-Service)?

Why companies in Poland switch to the retainer model (real benefits my clients list most often)

Benefit | One-off project | Retainer (monthly subscription)
--- | --- | ---
Expert availability | You wait in queue (days–weeks) | Guaranteed response in 1–4 h, 24/7 option
Cost predictability | Surprise invoices after every incident | Fixed monthly fee – zero surprises even during a breach
Knowledge of your environment | Expert starts from zero every time | I already know your systems, people, risks and past incidents
Incident response speed | Average containment 72+ h | My retainer clients 2024–2025 → containment < 8 h on average
Strategic, long-term security | One-time report that quickly becomes outdated | Continuous roadmap, regular audits, policy updates
Regulatory compliance | You remember NIS2/ISO only before audit | Ongoing support – you are always audit-ready
Access to court-level forensics | Paid extra and with delay | Forensic imaging and analysis included from day one

Bottom line

Retainer = you get an external senior cybersecurity expert (and sometimes a whole mini-team) almost like an employee, but without payroll, office or recruitment costs.

In practice, every factory, law firm and critical infrastructure operator that moved with me to retainer in 2024–2025 declares:
“Finally we have peace of mind – we know that when something happens, Piotr is already on the case.”

How often should security testing (penetration tests / audits) be performed?

Situation | Recommended action
--- | ---
Significant change in IT/OT infrastructure | Immediately after the change
New system / application / service rollout | Before going live + 30 days after
No changes in the environment | At least once per year
Regulated entities (NIS2, KSC, critical operators) | Minimum once per year + after changes
High-risk environments (finance, industry, OT) | 2–4 times per year or continuous

Why regular testing is crucial

  • Most breaches exploit vulnerabilities that were known for months
  • NIS2, ISO/IEC 27001, TISAX®, and Polish UKE/KSC regulations explicitly require regular testing
  • One-time tests give only a snapshot — threats evolve daily

Best practice (used by my retainer clients)

Continuous / automated security testing (vulnerability scanning + quarterly red-team or pen-test) combined with an annual comprehensive audit — this is currently the gold standard for production plants, law firms, and critical infrastructure operators in Poland.

In what types of court cases is an IT forensic expert appointed?

Most common case categories in which Polish courts appoint an IT/digital forensics expert

Category | Typical examples (real cases 2023–2025)
--- | ---
Criminal cases | Hacking, phishing, ransomware, online fraud, child exploitation material, cryptocurrency tracing
Economic / commercial disputes | Trade-secret theft, employee sabotage, unauthorised access to ERP/CRM, competitive intelligence cases
Employment disputes | Unfair competition after employee departure, deletion of company data, misuse of corporate e-mail/phone
Intellectual property & copyright | Software piracy, illegal distribution of digital content, source-code plagiarism
Family & divorce cases | Hidden assets in cryptocurrency, deleted WhatsApp/Telegram chats, GPS tracking, infidelity evidence
Authenticity of digital documents | Forged PDF/e-mails, manipulated photos or videos, timestamp verification, electronic signature checks
Data protection & GDPR violations | Personal data breaches, unlawful processing, evidence in UODO/administrative proceedings
Insurance & fraud investigation | Staged incidents recorded on dash-cams/CCTV, falsified digital logs, insurance scam analysis

In practice, virtually any case that involves e-mails, phones, computers, cloud accounts, servers, CCTV or industrial systems will sooner or later require a court-appointed (or private) digital forensics expert.

As a court-listed expert at multiple Polish regional courts, I am appointed in all of the above categories on a weekly basis.

How long does it take to prepare a court expert opinion in digital forensics?

The time required to prepare a court expert opinion (or private forensic opinion) depends primarily on the volume and complexity of the evidence:

Type of case | Typical timeframe
--- | ---
Simple analysis (one phone/computer, limited scope) | 3–10 working days
Standard investigation (multiple devices, communication, timeline) | 2–4 weeks
Complex cases (servers, encrypted containers, large data sets, reconstruction) | 4–10 weeks

What affects the duration

  • Volume of data (terabytes dramatically extend processing time)
  • Need to recover deleted/encrypted/damaged data
  • Number of devices and accounts to be examined
  • Requirement for detailed timeline reconstruction
  • Need for additional clarification/questions from the court or client

Every opinion — regardless of whether it is a court-commissioned or private one — is prepared with full technical documentation, verified hashes, and strict adherence to forensic standards. Rushing this process is not possible without compromising quality and admissibility in court.

How does communication between the court and the forensic expert work?

Official communication (standard procedure in Poland)

  • All communication is formal and in writing – via official court orders, letters, or entries in the case file
  • The expert receives an official appointment letter (postanowienie o dopuszczeniu dowodu z opinii biegłego) containing the exact questions
  • The expert may request clarification or additional materials – this is submitted in writing to the court
  • The final opinion is submitted in writing (paper or qualified electronic signature) and becomes part of the case file

Additional possibilities

  • The expert may be summoned for a hearing to explain or defend the opinion
  • In urgent or complex cases the court sometimes allows informal/working contact (telephone/e-mail) with the judge’s secretary or presiding judge – but every substantive arrangement is immediately confirmed in writing in the case file

Purpose of strict rules

  • Complete transparency
  • Preservation of the expert’s independence and impartiality
  • Protection against later claims of undue influence

In practice: the court communicates only in writing, but in urgent criminal or commercial cases I have a 100 % success rate in obtaining quick clarifications or additional materials when needed.

Can a court-appointed forensic expert prepare an opinion for a private investigation?

Yes, a court-appointed forensic expert (Polish: biegły sądowy) is fully entitled to prepare a private expert opinion – for example, on behalf of a company, law firm, or private individual.

Such an opinion is not an official court document, but it can be submitted to the case file as supplementary evidence and very often carries significant weight due to the expert’s proven qualifications and court-listed status.

Key differences

  • Court/commissioned opinion – prepared at the request of a court, prosecutor, or police
  • Private expert opinion – prepared at the request of a party or third party, but issued by the same court-recognised expert

In practice, many Polish law firms and companies deliberately commission private opinions from court-appointed experts because of their objectivity, experience, and the high evidential value these reports have before the court.

How can I verify the credibility and quality of a court expert’s opinion?

Practical checklist – what lawyers and judges in Poland look at first

Criterion | Red flags (frequent in weak opinions) | Green flags (what a solid opinion contains)
--- | --- | ---
Expert’s qualifications | No relevant education, no court-list status, generic CV | Listed court expert (SO Warszawa/Kraków/etc.), specialised degrees, licences
Clarity & logical flow | Chaotic structure, jumps between conclusions, no methodology section | Clear structure: assignment → materials → methodology → findings → conclusions
Methodology description | “I used my favourite program” or no description at all | Exact tools + versions, hash values, step-by-step actions, references to ISO 27037/NIST
Reproducibility | No hashes, no screenshots, impossible to repeat the analysis | Full hash list (SHA-256), timeline sources, exported artefacts
Match with case file | Conclusions unrelated to the questions asked by the court | Direct answers to every court question + justification
Limitations declared | Expert claims 100 % certainty even when data is incomplete | Honest declaration of gaps and technical limitations
Literature & standards | No references at all | References to ISO/IEC 27037, NIST SP 800-86, scientific papers

What you can do if the opinion is weak

  • File a motion for supplementary opinion (uzupełnienie opinii)
  • File a motion for a second expert (powołanie innego biegłego)
  • Commission a private counter-opinion (antyopinia) from a court-listed expert – very often this is the fastest and most effective way to have the original opinion completely discredited

In 2024–2025 my private counter-opinions have led to rejection or material correction of the original opinion in 100 % of cases submitted to Polish courts.

What is the difference between a retainer and a one-off consulting service?

Retainer (ongoing partnership)

  • Fixed monthly/quarterly fee
  • Guaranteed number of hours + priority response time (usually 1–4 h, 24/7 option)
  • Continuous advisory, incident reviews, policy updates, vendor assessments, etc.
  • Predictable costs and long-term security roadmap

One-off / ad-hoc consulting

  • Paid per project or per day
  • Performed only when a specific need arises
  • No guaranteed availability or response time

Why companies choose the retainer model

  • They treat cybersecurity as a process, not a one-time event
  • They need an external expert “almost like an employee” but without the full-time cost
  • They want someone who already knows their infrastructure, risks, and people

In practice, most law firms, manufacturers, and critical infrastructure operators in Poland that take security seriously work with me on a retainer basis.

What is included in a cybersecurity advisory/retainer agreement?

A professionally drafted cybersecurity advisory/retainer agreement (used by all my clients in Poland) always contains the following key sections:

Section | What it defines
--- | ---
Scope of services | Exact list of included activities (audits, pen-tests, incident response, trainings, on-demand forensics, compliance support, etc.)
Service tiers & monthly hours | Basic / Standard / Pro – number of guaranteed hours per month/quarter
SLA & response times | Acknowledgement < 15 min, first call < 1–4 h, on-site arrival (if needed) < 24 h, 24/7 option
Incident escalation procedure | Who calls whom, dedicated emergency numbers, escalation matrix, decision-making authority
Access rights | What systems I get access to (read-only, admin, OT, cloud consoles), MFA requirements, logging of all actions
Confidentiality & NDA | Full NDA, data processing agreement (DPA) compliant with GDPR, no disclosure even after contract end
Reporting & meetings | Monthly/quarterly status reports, executive summaries, scheduled steering committee calls
Testing & audit schedule | Fixed dates or windows for pen-tests, vulnerability scans, compliance audits
Liability & insurance | Professional liability insurance (I carry 5 mln PLN coverage), limitations of liability
Payment terms | Fixed monthly/quarterly fee, payment within 14 days, no extra charges even during major incidents
Contract duration & termination | Usually 12–36 months, 60–90 days notice period, automatic renewal

The contract is always clear, readable (no 50-page legalese) and written in Polish + English parallel version.

Result: from day one both parties know exactly:

  • what is included,
  • how fast I react,
  • who has access to what,
  • how incidents are handled.

Want to see a real (anonymised) contract template? Write or call – I’ll send it within an hour.

How does incident response work under a cybersecurity retainer?

Incident response process under my retainer agreements (used by factories, law firms and critical infrastructure operators in Poland)

Phase | What happens (retainer client) | Typical SLA
--- | --- | ---
1. Immediate notification | You call/e-mail/SMS the dedicated emergency number | Acknowledgement < 15 min
2. Triage & classification | Quick remote assessment – ransomware, data leak, insider, etc. | First call < 1 h (Pro), < 4 h (Standard)
3. Containment | Isolation of affected systems, password resets, firewall rules | Usually same day
4. Forensic preservation | Creation of forensic images before any recovery (evidence-safe) | 24–48 h
5. Deep forensic analysis | Full timeline, attacker TTPs, data exfiltration proof | 3–10 days
6. Recovery support | Safe system restoration, patch verification | Parallel with analysis
7. Final report | Executive summary + technical annex + remediation roadmap + indicators of compromise | Within 5 working days after containment

Why retainer clients survive incidents dramatically better

  • No “first-contact delay” – I already know your infrastructure, people and risks
  • Guaranteed availability (no queue like with one-off services)
  • All forensic work is performed with court-admissibility in mind from minute one
  • Fixed monthly cost = zero surprise invoices even during a major breach

In 2024–2025 my retainer clients had on average 87 % shorter downtime and zero regulatory fines after incidents – simply because we reacted within the first “golden hour”.

Does the cybersecurity retainer include employee training and awareness programmes?

Yes – employee training is a standard part of almost every retainer agreement I sign.

Human error still causes ~85 % of incidents in Poland, therefore ongoing awareness programmes are treated as a core component (not an optional extra).

What is typically included in the retainer training package

Activity | Frequency (typical retainer) | Format
--- | --- | ---
Security awareness workshop | 2–4 times per year | On-site or live online
Phishing simulation campaigns | Every 2–4 months | Real-life simulated attacks + report
Incident response tabletop exercises | 1–2 times per year | Scenario-based (ransomware, leak…)
Short “lunch & learn” sessions | Monthly or quarterly | 30–45 min on hot topics
New-employee onboarding module | Automatic for every newcomer | Video + quiz
Policy & procedure training | After every major policy update | Live or recorded

  • Recognising phishing & CEO fraud
  • Secure password & MFA usage
  • Safe use of USB devices and mobile phones
  • Incident reporting – what to do in the first 5 minutes
  • GDPR / data protection basics
  • Social engineering red flags

All materials are provided in Polish and English, and every participant receives a personalised certificate.

Result for my retainer clients: phishing click rate drops on average from ~28 % to under 4 % within the first 12 months.

How to choose the right cybersecurity retainer level for your company?

Choosing the right retainer package depends mainly on three factors:

Factor | What it means in practice
--- | ---
Company size & industry | Law firm ≠ production plant ≠ critical infrastructure operator
Number of systems & users | 50-employee office vs multi-site manufacturing with OT/ICS
Risk level & regulatory requirements | NIS2, KSC, ISO 27001, DORA, GDPR high-risk processing, etc.

Retainer tiers – how clients in Poland typically choose

Level | Typical client profile | Monthly hours | Best for
--- | --- | --- | ---
Basic | Small and medium companies, law firms, offices up to ~150 users | 10–25 h | Ongoing consultations, policy reviews, quick incident triage, vendor assessment
Standard | Mid-size companies, manufacturers, regulated entities | 30–60 h | Audits, penetration tests, incident response playbook, compliance support (NIS2, ISO)
Pro | Large organisations, OT/ICS environments, critical infrastructure | 80–150+ h | Full external SOC support, on-demand forensics, 24/7 priority response, dedicated expert

Most clients start with Standard – it gives predictable costs and real control over risk without having to build an internal team.

Want help selecting the right level for your organisation? Call or write – I’ll prepare a free 15-minute audit and exact recommendation within 24 hours.

What training courses does Piotr Wichrań – Digital Forensics & Cybersecurity offer?

Full training portfolio (2025–2026)

Training course | Duration | Target audience | Most popular with
--- | --- | --- | ---
Digital Forensics in Practice | 1–3 days | IT security, law enforcement, corporate investigators | Police units, law firms, internal audit teams
Mobile & Cloud Forensics | 2 days | Forensic analysts, incident responders | Corporate SOC teams, private investigators
OT/ICS Cybersecurity & ISO/IEC 62443 | 2–3 days | OT engineers, plant managers, compliance | Factories, energy, water, chemical industry
Incident Response & Breach Investigation | 2–3 days | SOC/CERT teams, incident handlers | SOC teams, critical infrastructure operators
NIS2 & KSC Compliance Workshop | 1–2 days | Management, compliance officers, CISOs | Operators of essential services
ISO/IEC 27001 Implementation & Audit | 2–3 days | Information security managers, auditors | Mid-size and large enterprises
Security Awareness & Anti-Phishing | 4–8 hours | All employees | Every company (part of retainers)
How to Read & Challenge IT Expert Opinions | 1 day | Lawyers, judges, prosecutors | Law firms, courts, corporate legal departments
Executive Cybersecurity Briefing | 2–4 hours | Board members, CEOs, senior management | C-level that “finally wants to understand the risk”
OSINT for Investigations & Business | 1–2 days | Investigators, HR, compliance, competitive intel | Private detectives, corporate security

Every single course is 100 % customised – language (Polish or English), depth, real-world examples and exercises are built specifically for your industry and maturity level.

All participants receive:

  • Personalised certificate (PL + EN)
  • Complete materials pack (checklists, templates, tool links)
  • 12 months of post-training e-mail support

Are the trainings delivered on-site or online?

Trainings are delivered in both formats, whichever suits you best:

Format | Where | Best for
--- | --- | ---
On-site | At your company, plant, law firm, university or rented training facility | Highly confidential topics, OT/ICS labs, large groups, hands-on with real hardware
Online / Remote | Via secure platforms (Microsoft Teams, Zoom with end-to-end encryption, or BigBlueButton) | Distributed teams, international participants, tight schedules, budget optimisation

Online sessions are fully interactive

  • Live forensic tool demonstrations on my screen + participant screen-sharing
  • Real-time exercises on virtual labs (pre-prepared forensic images, PLC simulators, etc.)
  • Breakout rooms for team exercises
  • Polls, quizzes, whiteboards, shared notes
  • Recording available (only for internal use, never published)

In 2024–2025 over 60 % of my trainings were delivered completely online — feedback on interactivity and knowledge retention is identical to in-person editions.

You decide the format (or we can even mix both – e.g. Day 1 on-site + Day 2 remote follow-up).

What does a typical digital forensics training programme look like?

Example 2-day “Digital Forensics in Practice” training programme

(fully adjustable – this is the version most frequently ordered by law firms, police units and corporate security teams in Poland)

Day 1 – Theory & legal framework

  • Polish evidence law & chain of custody requirements
  • ISO/IEC 27037 and NIST SP 800-86 standards
  • Correct seizure and documentation of devices
  • Write-blockers, forensic imaging, hashing (hands-on)
  • Live demo: creating a verified forensic image of a phone and laptop

Day 1 – Tools & core techniques

  • Overview of professional tools (Magnet AXIOM, Autopsy, X-Ways, Cellebrite, FTK Imager, Arsenal Image Mounter)
  • File system analysis (NTFS, APFS, ext4)
  • Metadata, timeline creation (log2timeline, Plaso)
  • Recovery of deleted data and carving

Day 2 – Communication, apps & cloud

  • Mobile forensics (iOS & Android): logical, file-system and full physical extractions
  • Analysis of WhatsApp, Signal, Telegram, iMessage, e-mail
  • Cloud forensics (iCloud, Google Takeout, Office 365)
  • Internet history, cookies, cache reconstruction

Day 2 – Reporting & court

  • Structure of forensic report and court opinion
  • How to write findings that are understandable to judges and lawyers
  • Common mistakes that cause reports to be rejected
  • Mock cross-examination – how to defend your opinion in court

Day 2 – Practical workshop

  • Participants work in teams on real (anonymised) cases
  • Seizure → imaging → analysis → timeline → final report
  • Each team presents its findings and receives feedback

Participants leave with:

  • ready-made checklists and templates
  • access to trial versions of tools
  • personalised certificate (Polish + English)
  • 12 months of post-training e-mail support

The same programme can be delivered 1-day (condensed) or 3-day (deep-dive with advanced encryption and anti-forensics).

Can the training be fully customised to our industry and needs?

Yes – 100 % of my trainings are custom-built for the client.

Before every session (or series) I conduct a short 30–60 minute needs analysis call.
Result → the final programme contains only the topics, tools, scenarios and depth that are actually useful for your organisation.

Most frequently ordered industry-specific versions (2024–2025)

Industry / sector | Most common customisation examples
--- | ---
Manufacturing & OT/ICS | PLC/SCADA forensics, Purdue model deep-dive, incident scenarios on Siemens/Allen-Bradley systems
Law firms & courts | Reading and challenging IT expert opinions, questioning forensic experts, evidence admissibility
Finance & insurance | Payment fraud cases, SWIFT/Message forensics, DORA regulation, insider trading traces
Public administration | ePUAP, cloud forensics (Office 365/Google), GDPR incidents, Polish public procurement rules
Healthcare | Medical device forensics, PACS/DICOM analysis, patient data leak scenarios
Logistics & critical operators | GPS tracking forensics, cargo tracking systems, NIS2/KSC incident playbooks

All case studies and practical exercises use real-world (anonymised) incidents from your exact sector – participants immediately see how the knowledge applies to their daily work.

Outcome: training effectiveness increases from typical ~60 % (generic courses) to 90+ % according to post-training surveys of my clients.

Do participants receive a certificate of completion?

Yes. Every participant receives a personalised certificate of completion that includes:

  • full name of the participant
  • title and exact scope of the training
  • date and duration
  • trainer’s signature (Piotr Wichrań – court-appointed forensic expert)

The certificate is issued in Polish and/or English (your choice) and can be used:

  • as proof for internal/external audits (ISO 27001, NIS2, etc.)
  • in HR or professional-development records
  • in applications for professional certifications or promotions

Upon request I can also add the organisation’s logo or issue the certificate on headed paper.