Corporate Services

Defensible internal investigations.

Forensic investigations engaged directly by HR, in-house counsel and corporate security — no law-firm intermediary required. Employee misconduct, IP theft, departing-employee data exfiltration and forensic readiness. Reports written for arbitration, internal action and litigation if it comes.

  • HR-ready: Report format
  • Direct: No law firm needed
  • Defensible: Survives arbitration
01 / Employee

Employee misconduct investigations.

When an internal complaint, policy violation, or HR escalation requires a forensic answer — what was on the device, who said what to whom and when. Quietly, before the rumor mill gets there.

  • Misconduct & harassment — chat, email, mobile communications between named parties
  • Policy violation — acceptable-use, confidentiality and conflict-of-interest review
  • Internal fraud — expense, procurement, payroll, time-tracking, vendor kickback patterns
  • Whistleblower corroboration — independent forensic validation of complainant claims
  • Workplace investigations — bullying, threats, intimidation, hostile-environment evidence
02 / IP Theft

IP theft & trade-secret investigations.

Suspected exfiltration of source code, customer lists, pricing models, design specs, or trade secrets. We trace the data path — USB, cloud, print, mobile, email, screenshot, peripheral — and produce a forensic timeline that holds up in injunction motions and trade-secret litigation.

  • USB & removable-media tracing — registry, USNJrnl, link files, jump lists, shellbags
  • Cloud exfiltration — personal Dropbox / iCloud / Google Drive / OneDrive uploads
  • Email exfiltration — forwarding rules, personal-email sends, attachment review
  • Print & peripheral output — spool files, printer logs, peripheral connect history
  • Anti-forensics detection — wipers, CCleaner, timestomping, secure-delete attempts
  • Source-code attribution — clone detection across the suspected destination
03 / Departing Employee

Departing-employee forensics.

Standard exit forensics when an employee resigns under suspicious timing, joins a competitor, or has access to sensitive data. Run before the device is reimaged. A clean exit report is just as valuable as a flagged one — it protects everyone.

  • Exit-checklist forensic sweep — laptop, phone, M365 / GWS account, cloud-storage attachments
  • USB & cloud transfer detection — what left, when, where, how much
  • Customer / contact list extraction analysis — CRM exports, address-book copies
  • Email & chat archive review — final 30 / 60 / 90 day window
  • Image preservation — forensic image kept for the litigation-hold period
  • Plain-language report — for HR + counsel, signed and Bates-stampable
04 / Readiness

Forensic readiness assessments.

A one-time engagement that maps your environment for an incident before one happens. We assess endpoint logging, audit-log retention, identity logging, IR playbooks and chain-of-custody templates — then deliver a written assessment and 30/60/90 remediation roadmap.

  • Logging & retention audit — endpoint, identity, cloud, email, network
  • Custodial control review — laptops, phones, removable media, BYOD policy
  • IR playbook gap analysis — what you have vs. what you'll need on day one of an incident
  • Evidence preservation policy — drafting / refinement, with templated forms
  • Tabletop exercise — optional half-day scenario walk-through with execs
  • Insurer-aligned — readiness reports recognized by major cyber-insurance carriers
Who engages us

The buyers we work with most.

Direct engagement — no law-firm intermediary required, though we can route through counsel when you prefer.

In-house counsel

General Counsel and litigation managers who want a forensic partner without going through outside counsel. Findings are privileged; reports written to your standard.

HR investigations

HR investigators and Employee Relations handling internal complaints, policy violations, or pre-termination forensics. Reports formatted for HR review boards and arbitration.

Corporate security & CISO

Security teams running insider-threat programs. We supplement your EDR/DLP with deep forensic investigation when an alert needs to become a defensible finding.

Compliance & risk

Compliance officers and risk teams running PIPEDA, GDPR, SOX, or HIPAA matters. We provide regulator-facing findings and breach-scope determinations.

Mid-market businesses

Companies without in-house forensic capability. A departing senior employee, a suspected fraud, a vendor anomaly — we handle the investigation end-to-end.

M&A diligence teams

Acquirers conducting forensic due diligence — looking for hidden data theft, IP encumbrance, undisclosed breach history, or insider activity at the target.

Why Data Rescue Labs

HR sales cycles beat law-firm sales cycles.

Most forensic firms only take engagements through outside counsel. That works for trial-bound matters — but it adds extra time and cost for everything else.

We engage directly with HR, in-house counsel and corporate security. Faster start, lower friction, same forensic rigor. Reports are written to the standard counsel would expect if the matter escalates, so escalation costs nothing extra.

If the case ends up in court, we can testify. If it doesn't, we still produce work product that protects you — quietly.

Direct engagement

No law firm required to start. HR, in-house counsel and corporate security can engage us directly under retainer or per-case.

Privileged when needed

If escalation looks likely, we route work product through your outside counsel. Privilege protected from intake forward.

HR-format reports

Findings written for HR review boards and arbitration panels, not just judges. Plain language + technical appendix for if it goes further.

Fast turnaround

Departing-employee forensics: 3–10 days. Misconduct investigations: 5–30. We don't slow down because HR doesn't bill in 6-minute increments.

Corporate FAQ

Internal investigations, FAQ.

What HR, in-house counsel and CISOs ask before commissioning a corporate forensic engagement in Canada.

Can my company investigate an employee's work laptop forensically?

Generally yes, with two conditions: the company owns the device and the AUP / employment agreement permits monitoring or investigation. Most well-drafted Canadian AUPs include this language; if yours doesn't, we recommend updating it before any investigation begins.

For BYOD or personal devices, consent or court order is required. We always recommend a quick consult with employment counsel before imaging if there's any ambiguity.

What is departing-employee forensics?

Preserving evidence of what an employee did in their last 30–90 days before resignation. Specifically: USB devices connected, cloud-upload destinations, email attachments sent, recent file access (especially on confidential project folders), print jobs, browser history and Slack / Teams DMs.

We image laptops and phones before the device is wiped or re-provisioned. The image lives in cold storage for 90 days minimum, available if a non-compete or trade-secret issue surfaces post-departure.

How do you investigate suspected IP theft?

Multi-source: endpoint forensics (shellbags, recent files, USB history, prefetch), email and Slack search (attachments, forwards to personal accounts), cloud audit logs (Google Drive, OneDrive, Dropbox, GitHub) for download or sharing events, print and badge logs for physical egress and network logs for unusual upload volume.

The story is rarely in one source. We assemble a timeline across all of them and produce a defensible report counsel can use for injunctive relief.

Can a forensic exam be conducted without alerting the employee?

Yes. Covert imaging during off-hours (laptop left on the desk overnight, imaged in our van or off-site lab, returned before morning). Cloud-side investigation (M365 / Google Workspace audit log review) requires no endpoint access at all.

For active employees still suspected of ongoing theft, we can install enterprise endpoint monitoring with legal authorization, time-limited and scoped.

What is forensic readiness?

Infrastructure and policy designed so future investigations are feasible, defensible and fast. Concretely: enable M365 UAL retention extension, configure endpoint EDR for forensic-quality artifact preservation, document the chain-of-custody intake process for IT, establish a covert-imaging vendor relationship (us, or someone else), review IT-access policies, train HR / IT on what to preserve and what to avoid.

A readiness assessment is engaged as a one-time SOW and pays for itself the first time the lab uses what we set up.

Are HR forensic investigations subject to privacy law?

Yes — PIPEDA federally, plus PIPA (BC, AB), the Quebec Act and PHIPA / health-sector laws where applicable. The general rule: investigations must be proportionate, scope-limited and not used for general surveillance.

We help structure investigations to meet the legal threshold. Sealed reports, named-purpose access, destruction-on-completion. Our reports anticipate the privacy-review questions before they're asked.