Discovery & Digital Forensics

Connecting the dots for your investigation

Deloitte understands that our clients face many different types of discovery and digital forensic matters. To help them address these potential challenges, our Discovery and Digital Forensics practice offers a full range of services across the forensic, discovery, and investigative lifecycles.

Whether tasked with preserving data from thousands of mobile devices, or improving the efficiency of document review through the application of machine learning, we combine the highly specialized skills of our people, our commitment to technological advancement, and the Deloitte Global network to provide deeper insights and smarter, more efficient solutions.

Digital Forensics

Deloitte offers data collection services across a wide range of data sources and devices. Our teams use industry standard forensic software and hardware to improve drive acquisition speed, and multiple options for write blocking to help maintain the integrity and authenticity of data of each collection. Our professionals follow industry standard chain of custody (CoC) guidelines. The collection methodologies and CoC documentation are designed to meet requirements for court acceptance.

  • Computer forensics: Deloitte Discovery’s experienced computer forensics professionals can help you find the critical information that you need by collecting, preserving, and harvesting data from mobile devices, computer systems, servers, cloud systems and back-up media, while maintaining/preserving data authenticity and chain of custody. We can also conduct advanced digital forensics analysis on networks, RAM memory, mobile devices, and video. We also offer advanced decryption services, advanced file and system recovery, and forensic tape analysis and recovery. 

  • Mobile device discovery: Deloitte Discovery’s experienced computer forensics professionals help you extract, preserve, and analyze the critical information from mobile devices, including smart-phones, tablets, and Global Positioning System devices, while maintaining/preserving data authenticity. Due to the rapidly changing mobile field, the ability to extract data and the type of data that can be extracted changes based on the device type and model. We use industry standard tools and techniques to extract and preserve the data from these devices. From the resulting image or extraction, we can produce a corresponding discovery load file containing the extracted mobile device data including the corresponding meta-data. This enables mobile device data to be loaded and reviewed with traditional data using standard discovery tools.


Deloitte Discovery has been providing eDiscovery services to corporate legal and IT departments, their outside counsel, and government agencies for many years. Our primary objective is to help our clients address the complexities associated with eDiscovery and information governance through the delivery of a comprehensive set of services and solutions. Our discovery services include:

  • Document review services: Deloitte’s Document Review Services team assists you organization and your legal counsel by helping to improve the overall document review process. Our focus is on streamlining the review, improving accuracy, and creating cost savings through leading practices and workflows such as, pre- and post-processing data culling, the use of predictive coding and other analytics, and providing real-time reporting.

  • Discovery analytics: Deloitte Discovery employs advanced analytics and reporting solutions that are designed to help reduce the risks and costs associated with electronic discovery. We leverage advanced analytics and statistical techniques to both inform you about document populations that require review and to evaluate the use of cost-saving technologies. You receive the benefits of analytic technology through approachable, easy-to-understand scoring methods, prioritizations, and visual analyses.

  • Artificial intelligence enabled contract management: Deloitte’s artificial intelligence-enabled contract management services helps you build, review, and manage a contract lifecycle framework that helps sustain and secure your business interests, while bringing efficiency into the process. We can help you identify key contracts faster to better facilitate the enforcement of your rights, renegotiate contracts, and identify potential areas of lost revenue or stranded costs.

Forensic Incident Response

The increase of cybercrime and data breaches continue to pose major problems for organizations in today’s digital world. While cyber criminals can create service disruptions through cyber-attacks, the most advanced methods of penetrations and breaches are specifically designed to remain undetected on your network as they collect and capture valuable data. Deloitte helps organizations to respond to cyber crime incidents in a forensically sound manner. Our professionals understand the uncertainties, risks, challenges and opportunities in the operating environments of large, complex organizations. Coupled with our industry experience we can deliver services, perspectives and solutions that best suit you, your business, your goals and, most importantly, your data.

Unauthorized surveillance and breaches with Predator & Pegasus | Indicators of compromise and how to protect

Predator and Pegasus are spyware programs that can be covertly installed on mobile phones and other devices running Android and iOS, exploiting all the latest versions of mobile operating systems. Various studies and publications indicate that journalists, politicians, government officials, chief executives and directors are the most common targets.

Modus Operandi

The examination of infected devices in our Forensic Lab indicates that these
spyware programs infect the devices by triggering a crafted SMS or instant
Message to urge the targeted individuals to click on malicious links, coming
however from “known” senders. There are other mechanisms via which the targeted user is not even required to click on malicious URLs and still their devices get compromised, through the use of apps. Such spyware can be customized to capture screenshots, intercept communication and copy browsing history and contacts from the infected device. It can also compromise the most common used messaging platforms. 

Indicators of Compromise

Studies, researches and our experience from infected devices indicate a variety of different methods to identify cases of compromise from spyware like Pegasus and Predator:

1. Network injection attacks

These spyware programs forcefully redirect benign pages to malicious ones leading to exposure of the targeted devices.

2. Malicious processes

The presence of certain processes in the phone memory may indicate that the device is compromised.

3. Usage of inbuilt applications

  • The threat actor uses known instant message applications to deliver the spyware on the system, thus making it vulnerable.
  • Pegasus and Predator use music applications to deliver their payload, where an HTTP request is generated from the music app that points to malicious network infrastructure as well.
  • Photos apps have been utilized by the threat actors to deploy the spyware in the devices, misusing its functionalities.

4. Camouflaging itself

  • Predator / Pegasus disguise its malicious processes as system services, making it difficult to differentiate.
  • Domain addresses used by Predator and Pegasus indicate that these spyware programs delete the trail of malicious processes from internal devices’ logs and databases.
  • Malicious domain addresses reside often in SMS, instant message applications, or e-mail. 

Detective measures:

  • Monitor your mobile’s data usage.
  • Be alerted in case of unexpected interruptions of calls.
  • Check your device’s temperature especially when idle.
  • Be alerted if the device turns on automatically.
  • Be careful of new services and / or application recently installed on your devices without your permission.

How to be protected: 

  • Only links from known and trusted sources should be opened.
  • The devices should be updated with the latest OS versions.
  • Avoid using public / free WI-FI services when accessing any sensitive information. Using a VPN is recommended if there are needs for confidential matters.
  • Familiarize with known suspicious URLs from Predator and Pegasus libraries available to the public. The lists keep changing so it is recommended to periodically check them.
  • If any unknown links / URLs need to be checked / opened, make use of reputable search engines.
  • The devices should have up-to-date antivirus apps.

How Deloitte can help you

Our Digital Forensic Specialists can investigate all suspected devices for indicators of compromise, the magnitude of the breach and the files accessed from the Spyware. This type of investigation requires specialized software and hardware that we possess locally in our Athens Digital Forensic Lab, while our Certified Digital Forensic Specialists can provide clarity under globally admissible methodologies and strict confidentiality.

Get in touch

Alexis Hadjipavlou

Alexis Hadjipavlou

Equity Partner, Financial Advisory, Restructuring & Forensic, Innovation & Deloitte Private Leader

Alexis is an Equity Partner & Leader of the Restructuring & Forensic practice, as well as the Leader of Innovation and Private of Deloitte Greece. He has over 20 years’ experience with Deloitte in bot... More

Konstantinos Eleftheriadis

Konstantinos Eleftheriadis

Partner, Financial Advisory, Forensic, Financial Crime & Disputes and Energy, Resources & Industrials Leader

Konstantinos is an Equity Partner in Financial Advisory and the Leader of Energy, Resources & Industrials Industry. He specializes in Forensics and M&A Transaction Advisory Services. With over 17 prof... More

Yannis Dracoulis

Yannis Dracoulis

Partner, Financial Advisory, Forensic, Financial Crime & Disputes

Yannis is a Partner in the high specialized Forensic, Financial Crime and Disputes practice. He has more than 20 years of experience in investigations, compliance, anti-corruption services and litigat... More