HR Forensics

Workplace Investigation Evidence Tools

Digital evidence collection for workplace investigations with SHA-256 hash verification and automated chain of custody. Email PST analysis and Android device extraction built by CISSP, ISSAP, ISSMP certified examiners.

Workplace investigations require forensic collection of email, mobile device and cloud data using tools that preserve evidence integrity. Sherlock PST Viewer analyzes Outlook PST/OST files in read-only mode with SHA-256 hashing. Sherlock Android Acquirer performs consent-gated device extraction. Both generate automated chain of custody reports for HR proceedings and litigation.

Investigation Triggers

When Digital Evidence Is Needed in a Workplace Investigation

Workplace investigations arise when an organization receives a complaint, discovers suspicious activity or identifies a policy violation that requires factual determination. The decision to collect digital evidence should be made early because electronic records are volatile. Auto-deletion policies, device resets and routine IT maintenance can destroy relevant data within days of an incident.

Four categories of workplace misconduct most frequently require digital evidence collection:

Harassment and discrimination
Email messages, chat logs, text messages and social media communications between the complainant and respondent. Digital evidence establishes patterns of behavior, timelines and context that witness testimony alone cannot provide. Screenshots are insufficient on their own: they carry no headers, timestamps or hashes that can be verified, and they are trivial to fabricate or edit.
Intellectual property theft
USB device connection logs, email attachments sent to personal accounts, cloud storage upload history and file access timestamps. When an employee is suspected of exfiltrating trade secrets or client data, forensic analysis of their workstation and email archive can show which files were accessed, copied or transmitted, to the extent that the relevant logs and artifacts still exist at the time of collection.
Policy violations
Acceptable use policy breaches including unauthorized software installation, access to prohibited websites, use of personal cloud storage for company data and circumvention of security controls. System logs, browser history and email records document the scope and duration of the violation.
Fraud and financial misconduct
Email correspondence authorizing irregular transactions, altered financial documents, communication with third parties involved in fraudulent schemes and evidence of concealment. Email metadata including timestamps, routing headers and attachment records establishes when financial decisions were made and by whom.

Types of Digital Evidence in Workplace Investigations

Workplace investigations involve evidence from multiple digital sources. Each type requires specific collection methods to preserve forensic integrity.

Evidence type | Source | Collection method
Email PST/OST files | Outlook archives on custodian workstations | Write-blocked forensic copy analyzed in Sherlock PST Viewer read-only mode
Mobile device data (BYOD) | Employee-owned Android phones and tablets | Consent-gated extraction using Sherlock Android Acquirer
Cloud storage | OneDrive, Google Drive, Dropbox, SharePoint | Platform eDiscovery export or API-based collection with access logging
Chat and messaging logs | Microsoft Teams, Slack, WhatsApp, Signal | Platform export for enterprise tools; device extraction for personal messaging apps
System and access logs | Active Directory, VPN, file server audit logs | Export from SIEM or log management platform with timestamp verification
Browser and application history | Workstation local storage | Forensic image of workstation drive analyzed with forensic tools

Legal Requirements: Consent, PIPEDA and Union Considerations

Workplace investigations operate within a legal framework that balances the employer's right to investigate against employee privacy rights. Getting this wrong exposes the organization to privacy complaints, grievances and evidence exclusion.

Company-owned devices. Most employment agreements and technology use policies include provisions granting the employer the right to monitor and examine company-issued equipment. If your organization has a signed technology use policy on file, it typically provides sufficient authority to examine company devices during an investigation. Review the specific policy language before proceeding.

BYOD and personal devices. Examining an employee's personal device requires written informed consent. The consent must specify what data will be collected, how it will be used, who will have access and how long it will be retained. Sherlock Android Acquirer Forensic Edition enforces a consent-gated workflow that requires documented authorization before any extraction begins.

PIPEDA compliance. The Personal Information Protection and Electronic Documents Act requires that collection of personal information be limited to what is necessary for the stated purpose. During a workplace investigation, this means targeting collection to specific custodians, relevant date ranges and keywords related to the allegation. Bulk collection of entire mail servers or indiscriminate device imaging exposes the organization to complaints filed with the Office of the Privacy Commissioner of Canada.

Provincial privacy legislation. British Columbia's Personal Information Protection Act (PIPA) and Alberta's Personal Information Protection Act (AB-PIPA) impose parallel requirements. Organizations operating across provinces must comply with the most restrictive applicable legislation.

Union considerations. In unionized workplaces, the collective agreement may require notification to the union before conducting an investigation, presence of a union representative during interviews and specific procedures for examining employee data. Review the collective agreement before initiating any digital evidence collection. Failure to comply can result in grievances that undermine the entire investigation.

Email Evidence with Sherlock PST Viewer

Email is the most common source of evidence in workplace investigations. Employees communicate via Outlook, and their mailboxes are stored on their workstations as PST (Personal Storage Table) files, used for archives and exports, and OST (Offline Storage Table) files, the local cache of an Exchange or Microsoft 365 mailbox. These files hold the mailbox's email, attachments, calendar entries and contacts.

Sherlock PST Viewer opens PST and OST files in strict read-only mode. The tool never writes to the source file. No timestamps are modified, no metadata is altered and the file remains byte-for-byte identical before and after analysis. This is verifiable by comparing SHA-256 hashes.

Read-only analysis
Opens PST/OST files without modifying a single byte. SHA-256 hash of the source file remains identical after examination. This preserves evidence integrity for any subsequent legal proceedings.
SHA-256 per-message hashing
The Forensic Edition ($67) computes a unique SHA-256 fingerprint for every individual email message. If opposing counsel questions whether a specific email was altered, the examiner presents the hash computed at analysis time and demonstrates it matches the original.
Keyword and date-range search
Search across the entire PST archive for specific terms, sender/recipient addresses and date ranges. Targeted searching supports PIPEDA proportionality requirements by limiting review to relevant communications.
Chain of custody reports
The Forensic Edition generates automated chain of custody documentation recording examiner identity, examination date, source file hash, every search query executed and every message exported with its individual SHA-256 hash.
Court-ready PDF output
Mark relevant emails and generate a multi-page PDF report with per-message evidence cards including sender IP attribution from the Received headers (RFC 5322, formerly RFC 822), SPF/DKIM/DMARC results from the Authentication-Results header and SHA-256 hash values. When attributing a sender IP, rely on the Received hop written by your own mail gateway; hops added by servers outside your control can be forged.

The free edition handles viewing, searching and hash verification. The Forensic Edition at $67 adds export, forensic reporting and chain of custody logging. No subscription. No annual renewal.
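The workflow described above, hash the source file before analysis, log every action, and re-hash afterwards to prove nothing changed, is easy to reproduce in a few lines. The following is an added example, not Sherlock Forensics code: the JSON-lines log format, the examiner name, the file names and the chaining of each log entry to the SHA-256 of the previous entry are this example's own design, chosen so that a deleted or edited log line is detectable. The "PST" it hashes is a constructed stand-in file, not a real mailbox.

```python
"""Source-file hash verification with a tamper-evident chain-of-custody log.

Added example, not Sherlock Forensics code. Hash the PST/OST copy before
analysis, log every action, re-hash after analysis and show the file is
byte-for-byte unchanged. The JSON-lines format and previous-entry hash
chaining are assumptions of this example, not a documented tool format.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256; works for multi-gigabyte PST files."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only JSON-lines log. Each entry embeds the SHA-256 of the
    previous entry, so removing or editing a line breaks the chain."""

    def __init__(self, path, examiner):
        self.path = path
        self.examiner = examiner
        self.prev_hash = "0" * 64

    def record(self, action, **details):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner,
            "action": action,
            "prev_entry_sha256": self.prev_hash,
            **details,
        }
        line = json.dumps(entry, sort_keys=True)
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
        self.prev_hash = hashlib.sha256(line.encode()).hexdigest()
        return entry

    @staticmethod
    def verify(path):
        """Re-walk the log and confirm every entry links to the one before."""
        prev = "0" * 64
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                line = line.rstrip("\n")
                if json.loads(line)["prev_entry_sha256"] != prev:
                    return False
                prev = hashlib.sha256(line.encode()).hexdigest()
        return True


def examine(source_path, log, queries):
    """Acquire, search, verify. Returns (hash_before, hash_after, unchanged)."""
    before = sha256_file(source_path)
    log.record("acquire", source=os.path.basename(source_path), sha256=before)
    for q in queries:  # searches are read-only; we only log that they ran
        log.record("search", query=q)
    after = sha256_file(source_path)
    log.record("verify", sha256_before=before, sha256_after=after,
               unchanged=(before == after))
    return before, after, before == after


def demo():
    """Constructed sample: a stand-in 'PST' file, then the same file after a
    write, which is what opening it read-write in a mail client risks."""
    tmp = tempfile.mkdtemp()
    pst = os.path.join(tmp, "custodian.pst")
    with open(pst, "wb") as fh:
        fh.write(b"!BDN" + b"\x00" * 4096)  # constructed bytes, not a real PST
    log = CustodyLog(os.path.join(tmp, "custody.jsonl"), "J. Examiner")
    before, after, ok = examine(
        pst, log, ["from:respondent@example.com", "invoice"])
    with open(pst, "ab") as fh:  # simulate a non-forensic tool touching the file
        fh.write(b"\x01")
    tampered = sha256_file(pst)
    return {"ok": ok, "before": before, "after": after,
            "tampered": tampered, "chain_ok": CustodyLog.verify(log.path)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the "before" and "after" hashes match while the "tampered" hash does not; a single appended byte is enough to break the match, which is the whole point of hashing the source before anyone opens it.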

BYOD Device Evidence with Sherlock Android Acquirer

When employees use personal Android devices for work communications, those devices may contain evidence relevant to a workplace investigation. Text messages, chat app data, call logs, photos and documents stored on a personal phone can establish timelines, confirm or refute allegations and reveal communications not captured in corporate email systems.

Sherlock Android Acquirer performs forensic extraction from Android devices with a consent-gated workflow designed specifically for workplace investigations involving personal devices.

Consent-gated extraction
The tool requires documented written consent before any data extraction begins. This satisfies PIPEDA requirements for informed consent and provides a defensible record that the device owner authorized the collection.
Selective data collection
Extract only the data categories relevant to the investigation: messages, call logs, contacts, photos or documents. Selective extraction supports the privacy principle of proportionality by avoiding collection of irrelevant personal data.
Forensic PDF reports
The Forensic Edition ($399) generates comprehensive forensic reports with SHA-256 hash verification, device identification details, extraction methodology and chain of custody documentation.
No device modification
The extraction process does not install persistent software on the device, does not modify existing user data and leaves no application behind. The device is returned to the employee in the same state it was received.

The free edition handles device detection, bootloader status checks and data inventory. The Forensic Edition at $399 adds full extraction and forensic PDF reports. No subscription. No annual renewal.

Common HR Mistakes with Digital Evidence

These errors occur in workplace investigations regularly. Every one of them weakens the organization's position if the matter proceeds to litigation, arbitration or regulatory review.

Forwarding emails instead of creating forensic copies
HR personnel frequently forward suspicious emails to themselves or to legal counsel. An inline forward creates a new message with new metadata. The original Received headers, sender IP addresses, timestamps and SPF/DKIM/DMARC authentication results are gone. A forwarded email cannot be authenticated back to the original sender. Forwarding the message as an attachment keeps the original headers, but it is still a copy made outside any documented chain of custody, not a forensic collection. Always collect the source PST/OST file and analyze it with a forensic viewer. See email preservation for litigation for the complete procedure.
No chain of custody documentation
Evidence collected without a documented chain of custody is vulnerable to challenge. Every person who handles evidence, every action taken upon it and every storage location must be recorded with dates and times. Sherlock forensic tools generate this documentation automatically.
Modifying evidence through improper handling
Opening a PST file in Microsoft Outlook modifies the file, because Outlook opens PST files read-write by default and updates internal structures as it works. Copying a PST with Windows Explorer while Outlook has it open risks an inconsistent copy. Saving an attachment out of Outlook produces a file with new filesystem timestamps and no verifiable link to its source message. Any modification of the source file changes its SHA-256 hash and breaks the evidentiary chain. Use forensic tools that enforce read-only access.
Collecting too broadly or too narrowly
Bulk collection of entire mail servers runs afoul of PIPEDA's limiting collection principle. Collecting only the inbox misses evidence in sent items, deleted items, drafts and custom folders. The correct approach is targeted collection of complete PST/OST files for identified custodians within a defined date range.
Delaying evidence collection
Auto-deletion policies, email retention schedules, device resets and routine IT maintenance destroy evidence continuously. The gap between receiving a complaint and collecting evidence should be measured in hours, not weeks. Issue a preservation notice immediately upon opening an investigation.
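The forwarding mistake above, and the sender IP and SPF/DKIM/DMARC attribution described under the PST Viewer section, can both be seen with a short script. This is an added example, not Sherlock Forensics code: it parses a constructed RFC 5322 message with Python's standard email library, walks the Received chain to attribute the sender IP, reads the Authentication-Results header, hashes the raw message bytes, then builds an inline forward of the same message and shows that the forward carries none of that. The sample message, host names, addresses and IP addresses are all constructed for this example; the trusted-domain suffix passed to the analysis is an assumption standing in for your own mail gateway's host names.

```python
"""Authenticating an email from its raw headers versus a forwarded copy.

Added example, not Sherlock Forensics code. Every host, address and IP below
is constructed for the example. The trusted_suffix parameter is an
assumption: in practice it is the domain of your own receiving mail servers.
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed raw message as it would sit in a PST/OST or .eml: two Received
# hops (external sender -> our gateway -> mailbox server) plus auth results.
RAW_MESSAGE = b"""Received: from mail.corp.example (mail.corp.example [10.0.0.25])
\tby mbx01.corp.example with ESMTP id 7f3a2c; Tue, 4 Mar 2025 09:14:22 -0800
Received: from mta.sender.example (mta.sender.example [203.0.113.45])
\tby mail.corp.example with ESMTPS id 18b9d1; Tue, 4 Mar 2025 09:14:20 -0800
Authentication-Results: mail.corp.example;
\tspf=pass smtp.mailfrom=sender.example;
\tdkim=pass header.d=sender.example;
\tdmarc=pass header.from=sender.example
From: Respondent <respondent@sender.example>
To: Complainant <complainant@corp.example>
Date: Tue, 4 Mar 2025 09:14:18 -0800
Message-ID: <20250304171418.1234@sender.example>
Subject: Re: project files

Per our call, I am moving the client list to my personal drive tonight.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg):
    """Each hop prepends its own Received header, so the top one is the last
    server to handle the mail. Return the hops in delivery order instead."""
    return list(reversed(msg.get_all("Received", [])))


def sender_ip(msg, trusted_suffix):
    """Attribute the sender IP from the first hop recorded 'by' one of our
    own servers. Earlier hops were written by servers outside our control
    and can be forged, so they are not used for attribution."""
    for hop in received_chain(msg):
        by = re.search(r"\bby\s+(\S+)", hop)
        if by and by.group(1).endswith(trusted_suffix):
            m = IP_RE.search(hop)
            return m.group(1) if m else None
    return None


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def inline_forward(raw, forwarder, recipient):
    """What 'Forward' in a mail client does: a brand-new message whose body
    quotes the old one. The original's headers are not carried over."""
    original = message_from_bytes(raw, policy=policy.default)
    fwd = EmailMessage()
    fwd["From"] = forwarder
    fwd["To"] = recipient
    fwd["Subject"] = "FW: " + original["Subject"]
    fwd.set_content(
        f"From: {original['From']}\nSent: {original['Date']}\n\n"
        + original.get_content())
    return fwd.as_bytes()


def analyze(raw, trusted_suffix=".corp.example"):
    """Per-message evidence summary: hop count, attributed sender IP,
    authentication verdicts and the SHA-256 of the raw bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "hops": len(received_chain(msg)),
        "sender_ip": sender_ip(msg, trusted_suffix),
        "auth": auth_results(msg),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


if __name__ == "__main__":
    print("original :", analyze(RAW_MESSAGE))
    print("forwarded:", analyze(inline_forward(
        RAW_MESSAGE, "hr@corp.example", "counsel@lawfirm.example")))
```

The original yields two hops, a sender IP of 203.0.113.45 taken from the hop your own gateway wrote, and three "pass" verdicts; the forwarded copy yields zero hops, no sender IP, no verdicts and a different hash, which is exactly why a forward cannot be authenticated back to the sender.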

Self-Service Tools vs Professional Forensic Examiner

Not every workplace investigation requires a professional forensic examiner. The decision depends on the severity of the allegation, the likelihood of litigation and the complexity of the technical environment.

Factor | Self-service tools | Professional examiner
Investigation type | Policy violations, routine HR inquiries, preliminary fact-finding | Harassment with litigation risk, IP theft, fraud, criminal referral
Evidence complexity | PST/OST email files, single Android device | Encrypted devices, cloud environments, multiple custodians, server forensics
Legal exposure | Internal resolution expected | Litigation, arbitration, regulatory inquiry or criminal prosecution likely
Budget | PST Viewer Forensic Edition: $67; Android Acquirer Forensic Edition: $399 | Professional engagement starting at consultation rates
Court testimony | Not required | CISSP, ISSAP, ISSMP certified examiner available as expert witness

For investigations where digital evidence must withstand legal scrutiny, a certified forensic examiner ensures that collection methodology, chain of custody and analysis meet evidentiary standards. Sherlock Forensics examiners hold CISSP, ISSAP and ISSMP certifications with 20+ years of court testimony experience.

External Resources

For additional guidance on workplace investigations and digital evidence:

Questions

Workplace Investigation FAQ

Can HR conduct a digital forensic investigation without a forensic examiner?
HR can perform preliminary evidence collection using self-service forensic tools like Sherlock PST Viewer and Sherlock Android Acquirer. These tools enforce read-only access, compute SHA-256 hashes and generate chain of custody documentation automatically. If the investigation may lead to litigation or criminal referral, engaging a certified forensic examiner is strongly recommended.
Do I need employee consent to examine a company-issued device?
For company-owned devices, consent requirements depend on your jurisdiction and existing employment agreements. Most technology use policies grant the employer right to examine company devices. For BYOD personal devices, written informed consent is typically required. In unionized workplaces, the collective agreement may impose additional requirements.
What is the difference between forwarding an email and making a forensic copy?
Forwarding creates a new email with new metadata. The original Received headers, sender IP addresses, timestamps and authentication results are destroyed. A forensic copy preserves the source PST or OST file byte-for-byte with all metadata intact. SHA-256 hashing verifies the copy matches the original.
How does PIPEDA affect workplace investigations in Canada?
PIPEDA requires organizations to limit collection of personal information to what is necessary for the identified purpose. During a workplace investigation, this means targeting collection to specific custodians, date ranges and keywords rather than performing bulk collection. Provincial legislation may impose stricter requirements.
Can Sherlock forensic tools be used in unionized workplaces?
Yes. Sherlock PST Viewer and Sherlock Android Acquirer operate in read-only mode and generate automated chain of custody documentation. In unionized environments, ensure evidence collection complies with the collective agreement and that union representatives are notified as required. Sherlock Android Acquirer requires explicit written consent before any data extraction.

Get Started

Equip Your Workplace Investigation

PST Viewer Free for email analysis. Forensic Edition ($67) for SHA-256 per-message hashing, chain of custody and court-ready reports. Android Acquirer Free for device detection. Forensic Edition ($399) for full extraction and forensic PDF output. No subscriptions. No annual renewals. See also: email preservation for litigation, chain of custody software, forensic report generator, and private investigator forensic tools.

Since 2006 | CISSP, ISSAP, ISSMP certified | 604.229.1994