Social Media Links

Experts & Advisors

Steve Sandford

Senior Director

Photograph of Steve Sandford

55 Bishopsgate, 2nd Floor
London, England EC2N 3AS

+44 (0) 20 7469 1111 Main
+44 (0) 20 7015 2354 Direct
+44 (0) 7795 595 503 Mobile

Get in touch

Steve Sandford is a Senior Director at Ankura based in London. He is a knowledgeable cybersecurity professional with more than 12 years’ experience from within law enforcement as well as in the private sector. Steve holds a second-class BSc (Hons) and an MSc with distinction in computer forensics.


Steve has experience in the investigation of cybersecurity incidents as well as assessing organisations readiness for such incidents. He has helped large, medium, and small corporate organisations with digital forensics and cyber investigations, and has also assisted with workflow development, policy and procedure writing, and the implementation of in-house capabilities for multi-national organisations.

The types of investigations with which Steve has assisted clients with include business email compromise, ransomware, malware, network intrusions, PCI investigations, insider threat and breach of internal usage policies.

Steve has prepared hundreds of expert witness level reports and witness statements for use in criminal and civil courts, as well as tribunals, and has experience presenting evidence in criminal and civil courts on many occasions. He has given evidence in the Central Criminal Court of England and Wales, the Old Bailey, on a case where the victim was defrauded of over €2.5m. After being cross-examined by two defence barristers, Steve’s testimony helped convict both defendants.

Steve’s other professional experience includes:

  • Investigating a Ransomware incident affecting 20 locations nationwide of Marine Services company in the UK. Steve led the investigation and coordinated the preservation of data and containment of the infection using an endpoint monitoring solution. Analysis was performed to identify the point of compromise, which was confirmed as an outdated, unpatched version of the operating system. Steve assisted with identifying there was no data exfiltrated and contributed to the notification to the Information Commissioners Office (ICO) whilst working with law enforcement agencies to keep them abreast of any developments.
  • An Office365 compromise investigation affecting 15 accounts in a European asset management company. The compromise was initially detected due to a payment made to a fraudulent account. After further analysis it was discovered that the attacker had phished an admin user which compromised the account credentials. The attacker then found some invoices and interjected into email conversations, changing the account details. The investigation discovered that 15 accounts in total had been compromised over a 3-month period. Advice was given to the client straight away to enforce a password reset across the environment and enable multi-factor authentication.
  • A security and vulnerability assessment for a Maritime company in Asia. This involved conducting an assessment of the infrastructure and any existing vulnerabilities, a review of current policies and procedures, and staff interviews. The outcomes were mapped against the NIST Cyber Security Framework to show where the organisations gaps were and recommendations were made to improve their security posture and build a security improvement roadmap.
  • Breach Investigation on behalf of a credit card company. The investigation involved collecting and investigating the point-of-sale machines in a major handbag retailer. These machines were collected across the UK and examined. Unencrypted credit card data was recovered; due to the retail company’s incorrect processes and procedures and a malware key logger was found on some of the machines. On others there was no key logger executable present but a text document that had the credit card and personal info was recovered. It was determined that the remote access software on the POS machines were still using the basic admin credentials rather than a created account. An attack on these machines found this flaw and a key logger was uploaded once access was gained.
  • A malware intrusion investigation for a Cypriot Internet Services Provider. The client reported evidence of cryptomining software running on their unpatched Zimbra mail system and wished to find out how it got there and if there was any other malicious activity. The investigation discovered evidence that malicious webshells and executables were download onto the mail server which was then used to connect to malicious domains and to facilitate the downloading of further exploits. The cryptomining executable was one of the malicious files downloaded and had been running in the client system, using up resources, for over 10 days. It was recommended that the client upgraded to the most recent version of the mail solution and that patching was kept up to date and passwords were reset for all users.
  • MSc (Distinction) Digital Forensics
  • BSc Second-Class with Honours Forensic Science
  • AccessData Certified Examiner (ACE)
  • AccessData Mobile Phone Examiner (AME)
  • AccessData Android Forensics
  • AccessData FTK Internet Forensics
  • AccessData Linux Forensics
  • AccessData Mac Forensics
  • AccessData Windows 8 Forensics
  • CelleBrite UFED
  • CellBrite Physical Pro
  • Certified Security Incident Specialist (CSIS)
  • EnCase CF I & II
  • EnCase Advanced CF
  • EnCase Advanced Internet Examinations
  • EnCase Examination of NTFS
  • EnCase Macintosh-Linux Examinations
  • Satellite Navigation Forensics
  • XRY & XRY Physical
  • XRY iPhone Forensics

Thought Leadership

Let’s Connect

We solve problems by operating as one firm to deliver for our clients. Where others advise, we solve. Where others consult, we partner.

I’m interested in
I need help with