What We Do
How We Do
Get Started

CyFIR Internal Investigation: A 6-Hour Human Resources Department Use Case

BY eSentire

June 17, 2021 | 4 MINS READ

Want to learn more on how to achieve Cyber Resilience?

This blog was originally published on CyFIR.com and has been reposted as-is here following eSentire’s acquisition of CyFIR Inc. in June 2021. As of the date of the acquisition, no changes have been made to the content below.

Human Resource Departments are responsible for many company-wide functions, including internal investigations of employee misconduct. In the digital age, these tasks can take considerable resources and pose challenges due to the sensitive nature of many workplace issues. The following scenario demonstrates how CyFIR Internal Investigation Services can assist Human Resources staff by dramatically improving the process for conducting internal investigations.

John’s appointment as CEO came on the heels of a messy (and all too public) discrimination and harassment lawsuit that had resulted in the resignation of his predecessor. For John and the company to succeed, he needed to implement some real change, which is why he hired Brenda as the new Vice President of Human Resources.

Brenda had a reputation for tackling thorny issues like sexual harassment, and after six months, she had made significant progress – the company was now conducting regular supervisor training, a formal non-retaliation policy was on the books, and new procedures for investigating complaints had been rolled out company-wide.

Soon after, an employee approached Human Resources through the company’s open-door policy. Employee A, a worker from the corporate headquarters location, lodged a formal complaint that she had been subject to sexual harassment from Employee B, a senior executive who managed a remote office on the other side of the country. Employee A submitted a written statement that alleged Employee B had been sending her unwanted and unsolicited text messages, inappropriate jokes in company emails, and had made unwanted advances during a corporate retreat last month.

Given the company’s zero-tolerance policy for sexual harassment, Brenda followed protocol to initiate a formal investigation into the matter. However, Brenda knew how much time and effort went into thoroughly investigating each complaint. She also recognized that, given the extreme sensitivity of the matter, she needed to validate the substance of the allegation as discretely as possible to avoid harm to the reputation of either Employee A or Employee B.

With a small HR department and 25,000 employees, a serious investigation would be a significant drain on her limited resources. In previous companies, investigations of this nature had taken months or sometimes years to complete. To understand what tools were at her disposal, she contacted the company’s Chief Information Officer. He advised her to leverage CyFIR – the company’s new digital forensics tool – to conduct the first phase of the investigation.

Operating with complete discretion, the company’s security professional began the investigation by executing a remote, live keyword search of Employee B’s email on both the company Exchange server and on the employee’s company-assigned computer. Using CyFIR, the investigator was able to acquire results in a matter of minutes. The next point of analysis was a remote examination of material on Employee B’s computer. Evidence contained in email and screenshots of his in-progress chats confirmed that there was a foundation to Employee A’s complaint. These findings led to a more in-depth investigation of Employee B’s activities.

Utilizing the ability of CyFIR to remotely investigate live internet history and track user activity, the investigator determined that Employee B was also visiting inappropriate websites, downloading inappropriate pictures, installing unauthorized programs on his company computer, and actively searching for employment with the company’s direct competitors.

Once the investigators identified these artifacts of investigative interest, they leveraged the forensic imaging capabilities of CyFIR to preserve the evidence and produce a report in the event that legal action would be required. Once the evidence was presented to company leadership, Employee B was terminated for cause. The entire investigation was conducted in less than six hours.

Superior Speed and Scalability

In many companies, internal investigations can drag on for weeks or even months, tying up valuable resources and disrupting normal operations no matter the outcome. Brenda’s story demonstrates the value the CyFIR Enterprise Platform can deliver to Human Resources Departments when conducting sensitive internal investigations due to its ability to quickly and comprehensively gather and store evidentiary data.

Some of the key takeaways of this use case include:


eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.

Read the Latest from eSentire