Do you decide what the story is, or shape the reporting?

No. We sit on the technical side of the editorial firewall. We confirm or corroborate what a device, account, or open-source record actually shows, and we explain the limits of that finding in plain language. What it means, whether it runs, and how it is framed are the newsroom's calls — the SPJ principle of acting independently. The model is the Pegasus Project: Amnesty's Security Lab ran the forensics, Citizen Lab peer-reviewed the methodology, and the journalists owned the story.

Are you a press-freedom organization or a source of legal advice?

Neither. We are a private digital forensics practice. We are not the CPJ, the EFF, the Freedom of the Press Foundation, or Citizen Lab — we apply the same published, peer-reviewed methods those organizations document, and we cite them as the standard, not as partners. We are also not your lawyer. We produce the technical record; your media-law counsel advises on privilege, shield protections, and what is safe to publish.

Will my material leave my control if I bring it to you?

We scope every engagement in writing first, and we work to keep your reporting material on infrastructure you control wherever the method allows. Forensic acquisition is designed to be read-only and hash-verified, so the original is preserved and any examination happens on a verified copy. We do not sell, share, or train models on your case data, and we explain up front what we would and would not be able to withhold if served with legal process — so there are no surprises.

Can a forensic report ever guarantee a source is safe or a device is clean?

No, and any vendor who tells you otherwise is overselling. Forensics finds indicators; the absence of indicators is not proof of safety. The honest output is high-confidence, evidence-backed language — “consistent with”, “no known indicators of compromise found” — never a certainty claim. That candor is the point: a report a court or an editor can trust is one that states exactly what the evidence can and cannot establish.

What if the work needs field investigation, not just digital forensics?

When a story needs background research, locates, or physical work that sits outside digital forensics, we coordinate with licensed private investigators rather than improvise outside our lane. The forensic record we produce stays distinct from, and feeds, that work — and you keep one accountable point of contact.

Digital Forensics for Journalists

Court-credible forensics that confirms and corroborates — so the evidence holds up and the story stays yours. We work on the technical side of the editorial firewall: we tell you what a device, an account, or an open-source record actually shows, and you decide what it means.

Talk to Quinn confidentially Start with source protection

Forensics confirms. You keep the story.

Investigative reporting runs on a simple division of labor that protects its own credibility: the people who gather and verify technical evidence are not the people who decide what the story is. A digital forensics practice belongs on the technical side of that line. We establish, with documented methods, what a phone, a laptop, an account, or a public record actually contains — and we say plainly what that does and does not prove. The judgment, the framing, and the decision to publish stay with you and your editors.

The clearest model is the Pegasus Project. Amnesty International’s Security Lab performed the forensic analysis; the University of Toronto’s Citizen Lab independently peer-reviewed the methodology; and the reporting consortium owned the journalism. The forensics did not steer the story — it gave the story a spine that could survive scrutiny. That separation is not a limitation. It is the reason the findings held.

A direct line to Quinn, the founder — not a sales pipeline.
Worked in-house by the examiner who scoped it.
Explainable findings you can verify, with the methodology shown.

How an independent forensic practice supports reporting

We support newsroom work in four ways, each scoped in writing before it begins and each reviewed by a credentialed examiner before findings leave the practice:

Digital security for journalists — threat-modeling, device and account hardening, and what forensic confirmation adds after a suspected breach.
Protecting journalistic sources — secure intake, metadata minimization, and forensic methods that can help verify a channel without exposing a source.
OSINT for journalists — lawful verification and provenance methods, the line research must not cross, and how forensics corroborates open-source findings.
Newsroom device compromise response — what to do when a phone or device may have been targeted, and how a forensic examination confirms or rules out an intrusion.

Data stays on your machine — which is a form of autonomy

A recurring fear in sensitive reporting is that the very tools meant to help become a new exposure: a cloud platform that can be subpoenaed, a vendor that retains your material, an analytics pixel that quietly logs what you were researching. Our default is the opposite. Wherever the method allows, your reporting material stays on infrastructure you control, examined on hash-verified copies rather than uploaded wholesale to someone else’s server. Evidence that lives on your machine cannot be silently produced by a third party who never told you. We also tell you, before you commit, what we could and could not withhold if we were served with legal process.

Explainable, court-credible findings — not a black box

Credibility is the entire product. A finding that cannot be explained cannot be defended — in print, in a correction, or on a witness stand. Every examination is documented so the reasoning is visible: what was collected, how it was preserved, what method produced each conclusion, and where the uncertainty lies. The work is prepared to support admissibility under the Federal Rules of Evidence 901 and 902, with a documented chain of custody and collection aligned to recognized standards (ISO/IEC 27037, NIST, SWGDE). That court-grade discipline is the white space an advocacy guide cannot offer: a named, credentialed examiner who can stand behind the methodology.

The language stays calibrated to what the evidence supports. We write “consistent with”, “high-confidence”, and “no known indicators of compromise found” — never “proven” where the artifacts only show probability, and never “clean”, which forensics cannot establish. Honest limits are what make the rest of the report trustworthy.

What working with us means

Written scope before any work. You see a written scope — deliverables, timeline, and price — and approve it before we begin. You are never billed for work you did not authorize.
We commit to findings, not outcomes. We tell you up front what the evidence can and cannot establish. Recovery, attribution, and prosecution are decided by banks, platforms, insurers, and courts — we produce the record they act on, and we put that distinction in writing.
Every case is investigated, not just scanned. A credentialed examiner reviews every case before findings leave the practice. You get a documented investigation to court-admissible standards — not a single automated scan and a one-line answer.
We will tell you if you do not need us. If a free or simpler step — a police report, an IC3 filing, a platform's own recovery flow — would resolve your situation, we point you there first.

Where to start

If you are not sure which guide fits, start with the situation. Worried about a specific source or channel? Begin with source protection. Suspect your own phone was targeted? Go straight to device compromise response. Hardening a beat before anything goes wrong? Read digital security for journalists. Verifying open-source material for a story? See OSINT for journalists. Or talk to Quinn directly — the first conversation is confidential and there is no sales process.

Quinnlan Varcoe

Founder & CEO

With operational experience across Fortune 50 security programs and the defense industrial base, Quinnlan founded SleuthX in 2022 to provide clients with the caliber of expertise typically reserved for the largest enterprises. Her work in threat intelligence and digital forensics has earned the trust of 26,000+ cybersecurity professionals who follow her analysis.

“26,000 professionals follow my work because I say what others won't — and I can back it up technically.”

Fortune 50 BackgroundDefense IndustryThreat IntelligenceDigital PrivacyIncident Response

Frequently asked by journalists