TL;DR: A corporate fraud investigation hinged on whether the suspect employee was alone in the office during a wire-transfer authorization event. The badge log said yes. The building camera said no. Together, the Sherlock Universal Events Viewer Forensic Edition reading the workstation event log and the Sherlock Browser Viewer Forensic Edition reading the navigation history proved a second person was at the workstation during the transfer window. The reconstruction took 18 examiner hours; the matter resolved at mediation rather than trial.
The Triggering Incident
A mid-sized Canadian company referred a wire-transfer fraud to Sherlock Forensics through its external counsel. The disputed transfer was $340,000 USD, initiated on a Saturday morning when only one employee (the controller, who had wire-authorization access) was supposedly in the office. The company's bank flagged the transfer destination as inconsistent with the company's typical vendor profile. The controller acknowledged authorizing the transfer and claimed it was a legitimate vendor payment. The CFO disputed whether the vendor was real.
The legal posture was civil rather than criminal. Counsel needed defensible evidence of who actually authorized the transfer. The badge log showed only the controller's badge swipe entering the office at 8:14 AM Saturday and exiting at 11:42 AM. No other badge entries and no other badge exits. If the badge log were the only evidence, the controller would have been alone in the building.
Surface 1: Physical Badge Log
The badge log was the first artifact Sherlock pulled. The system came from a standard corporate access-control vendor, with an audit trail going back two years. The controller's badge entered the loading dock side at 8:14 AM and the office floor at 8:17 AM, and exited via the loading dock at 11:42 AM. There was no other badge activity in the morning window. Sherlock preserved the badge log with SHA-256 hashes and chain-of-custody documentation.
If the investigation had stopped at the badge log, the outcome would have favored the controller's narrative. The Sherlock methodology is to never stop at a single artifact when a contested factual question is at stake.
Surface 2: Building Camera Footage
The building lobby had a security camera with 30-day retention. Sherlock pulled the footage from the relevant Saturday morning window and preserved it with SHA-256 hashes. The camera showed the controller entering at 8:14 AM as expected. The camera also showed a second person entering through the loading dock at 8:11 AM (three minutes before the controller) and exiting at 11:38 AM (four minutes before the controller). The second person was carrying what appeared to be a small object and did not badge in or badge out.
The combination of footage and badge log produced the first concrete forensic finding: someone was in the building during the transfer window who was not on the badge log. The next question was whether that person was at the controller's workstation when the transfer was authorized.
Surface 3: Workstation Event Log
The controller's workstation was preserved for forensic imaging by IT under counsel's preservation order. Sherlock used the Universal Events Viewer Forensic Edition to read the Windows event log for the Saturday morning window. The Security channel showed an Event ID 4624 successful interactive logon at 8:19 AM (consistent with the controller arriving at 8:17 and walking to the workstation). The Security channel also showed an Event ID 4634 logoff at 10:47 AM and a second Event ID 4624 successful interactive logon at 10:51 AM. Two distinct login sessions. The badge log showed only one entry and one exit. The session pattern was inconsistent with a single-user workflow.
Sherlock cross-referenced the timestamp of the second Event ID 4624 logon against the wire-transfer authorization timestamp from the bank record. The transfer was initiated at 10:58 AM, seven minutes after the second logon. Both logons used the controller's domain account.
Surface 4: Browser Navigation History
The Sherlock Browser Viewer Forensic Edition pulled the Chrome history and session-restore artifacts from the workstation profile. The browser navigation pattern across the two logon sessions differed measurably. The first session (8:19 AM to 10:47 AM) showed routine work-pattern navigation: corporate intranet, the bank portal in read-only mode, internal SharePoint pages. The second session (10:51 AM to 11:34 AM) showed exclusive focus on the bank portal wire-transfer page and the destination-account lookup. Different navigation style. Different click patterns. Browser Viewer surfaced both patterns and their differences in the per-session report.
The Synthesis
Two badge swipes (controller in and controller out), video footage of two people, two distinct workstation logons, and two divergent browser patterns together reconstructed a different incident than the badge log alone suggested. Someone other than the controller was at the workstation when the wire transfer was authorized. The controller had logged off, the second person had logged on under the controller's credentials, and the wire transfer was initiated during that second-person session.
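The cross-checks described under Surfaces 1 to 3 and in the synthesis above can be expressed in a few functions. This is an added Python example, not Sherlock's tooling or code from the engagement; the calendar date, Logon IDs, subject labels, record layout and the 5-minute matching tolerance are assumptions, and only the times come from the article.

```python
from datetime import datetime

DAY = "2024-01-06"  # constructed date (a Saturday); the article gives only times

def ts(hhmm):
    return datetime.fromisoformat(f"{DAY} {hhmm}")

# Constructed records using the article's times; Logon IDs and labels are invented.
EVENTS = [
    {"id": 4624, "time": ts("08:19"), "logon_type": 2, "logon_id": "0x1a2b"},
    {"id": 4634, "time": ts("10:47"), "logon_type": 2, "logon_id": "0x1a2b"},
    {"id": 4624, "time": ts("10:51"), "logon_type": 2, "logon_id": "0x3c4d"},
]
BADGE = [("controller-badge", ts("08:14"), ts("11:42"))]
CAMERA = [("subject-1", ts("08:11"), ts("11:38")), ("subject-2", ts("08:14"), ts("11:42"))]
TRANSFER = ts("10:58")  # initiation time from the bank record

def build_sessions(events):
    """Pair interactive (type 2) 4624 logons with 4634 logoffs by Logon ID."""
    pending, sessions = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4624 and e["logon_type"] == 2:
            pending[e["logon_id"]] = e["time"]
        elif e["id"] == 4634 and e["logon_id"] in pending:
            sessions.append((pending.pop(e["logon_id"]), e["time"]))
    # A logon with no recorded logoff is kept open-ended rather than guessed.
    sessions += [(start, None) for start in pending.values()]
    return sorted(sessions, key=lambda s: s[0])

def session_covering(sessions, when):
    """1-based index of the session containing `when`, or None."""
    for i, (start, end) in enumerate(sessions, 1):
        if start <= when and (end is None or when <= end):
            return i
    return None

def unbadged(camera, badge, tolerance_min=5):
    """Camera subjects left over once each swipe explains at most one entry."""
    remaining = list(camera)
    for _, swipe_in, _ in badge:
        skew = lambda c: abs((c[1] - swipe_in).total_seconds())
        near = [c for c in remaining if skew(c) <= tolerance_min * 60]
        if near:
            remaining.remove(min(near, key=skew))
    return [label for label, _, _ in remaining]

if __name__ == "__main__":
    s = build_sessions(EVENTS)
    print("sessions:", len(s), "| transfer in session", session_covering(s, TRANSFER))
    print("on camera without a badge swipe:", unbadged(CAMERA, BADGE))
```

The tolerance absorbs clock skew between the access-control system and the camera; because each swipe can account for only one person, two people on camera against one swipe always leaves one unexplained regardless of the tolerance chosen.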
The case did not require Sherlock to identify who the second person was; counsel handled that downstream through human-source interviews. What Sherlock needed to provide was defensible forensic evidence that the controller's narrative did not survive multi-source examination. The reconstruction was 18 examiner hours billed out at standard Sherlock incident response rates. The matter resolved at mediation rather than trial because the defendant could not effectively challenge the multi-source forensic record.
The methodological lesson generalizes beyond this case. No single artifact decides a contested factual question. Badge logs say what badge holders did. Cameras say what people did. Event logs say what user accounts did. Browser histories say what session activity did. The four surfaces together say what actually happened. Sherlock Forensics is the engagement partner for the multi-source synthesis when single-source evidence falls short.