020 7193 4905

HR, Employment Dispute Investigations

Locate digital evidence from employees during a dispute.

As computers and computer data become the central conduit for information flow both within an organisation and outside, it follows that this data will contain key traces or artefacts which pinpoint statements made and actions carried out that will prove pivotal in any dispute between employees or between employees and the company.

Whilst most companies have experienced and well trained IT departments, these are typically woefully unprepared for dealing with incidents that may eventually end up at a tribunal – which follow Criminal Procedure Rules in dealing with digital employment dispute evidence. Additionally, the at-arms-length independence that a 3rd party such as First Response brings to such investigations will immediately counter any claims by disaffected employees of constructive dismissal. The hoops that companies must jump through in dealing with HR disputes are myriad and require careful management to ensure successful outcomes and avoidance of damaging reputational loss.

Case study

An employee at an investment bank in the City of London brought a claim of sexual harassment to her HR department and immediately took leave on grounds of stress. She provided extracts from a chat log asevidence of the harassment. First Response were instructed to examine the computers of the victim and the subject, who was alleged to have sexually harassed her via an internal chat application, used by employees. The subject was also placed on leave pending the result of the investigation.

Our analysis recovered deleted emails from the victims machine to a friend outside the company detailing how she would ensure a ‘big payout prior to leaving‘. Deleted chat logs from the victims computer tallied with those present as live (not deleted) files on the subjects machine. Essentially, the log files showed that the victim had posed various questions to the subject along the lines of ‘if you were going to have sex chat with someone, what would you say?’.


These chats quickly became very explicit based on the victims requests to make them so. Given the full context of the conversations, and the supporting email evidence, the ‘victim’ was immediately dismissed and the subject of the investigation exonerated and re-instated. The victim admitted the scam and left quietly.

This case had all the propensity to become a major embarrassment for all concerned, resulting in a lengthy tribunal action and severe reputational loss for both the company and the innocent accused.

Prompt and appropriate instruction of First Response as a qualified independent third party allowed us to remove the heat and emotion from the situation and focus on the forensic artefacts present.

Insolvency Investigation Services

London Practitioners Use First Response For Insolvency Investigation Services

First Response has carried out a number of investigations for insolvency practitioners – our ability to quickly organise often undocumented and non-administered network systems for emailaccounting dataspreadsheets and other documents has been pivotal in allowing investigators to quickly focus on the decisions of Directors and senior management which led to the companies collapse. The strength of the court-ready evidence we produce allows insolvency administrators the option to pursue legal remedies, hold Directors to account and provide more successful outcomes for creditors.

Insolvency Investigation

Case study

In the aftermath of a financial company collapse, First Response was instructed by the administrator, a large insolvency practice in central London, to examine the failed companies IT systems with a view to recovering the data held on their network servers, with a particular focus on accounting information and email conversations between the Directors.

On arrival at the site, all computer equipment was switched off, no staff were in attendance and the office had been stripped of all furniture. There was no documentation present and the complex structure of servers and data storage cabinets in the server room had to be determined by examining each of the powered off systems one-by-one.

Our investigations determined that attempts had been made to delete large portions of the data by the out-going network team. Despite these setbacks, we were able to rebuild all of the data arrays and recovered 100% of the data, even the deleted material.

We successfully recovered the banks accounting systems, email repository and all of the personal profiles of the Directors and senior management. This enabled our administrator client to prove a complex fraud had occurred and to take legal action against the Directors concerned, who have since fled the country.

If you would like to discuss any aspect of our services for insolvency practices, call us on 020 7193 4905.

Industrial Espionage

Detecting Industrial Espionage in London Takes Precision

Industrial espionage covers a wide range of corporate activities which centre around intellectual property (IP) theft. Often, a companies own employees are at the heart of the theft or attack, other times, it’s well resourced, patient, and technically skilled groups who are stealing your data.

No longer are system compromises the result of teenage ‘hackers’ having a poke around corporate networks. Data theft – whether by a nation state or an over zealous competitor, involves highly sophisticated technical means to steal your designs, plans and customer data.

This area more than any other we deal in, requires the focus and attention of dedicated incident response and forensic analysts who are current in the attack methodologies being employed.

Industrial Espionage

Case study

A high-net-worth individual running a boutique financial service in Switzerland believed he was being targeted by an organised crime syndicate, using sophisticated technical attacks against his systems.

First Response were instructed to determine if any compromise had occurred, and if so what data had been ex-filtrated and who was responsible.

The preliminary examination of his systems uncovered a hardware key-logger, a hardware or software module which captures everything typed at the keyboard, including passwords. We then carried out a detailed analysis of the most at-risk computer systems. A time line analysis of system artefacts discovered, allowed us to pinpoint the date and time when the key-logger was installed – this in turn allowed us to cross reference with door access data and in-house CCTV to determine the identity of the attacker.

He was a long-time employee and PC support engineer who had simply been paid to install the device. Our report led to his arrest by Swiss Police and full cooperation with the investigation. Analysis of other systems, including firewalls and proxy servers uncovered a six month history of sustained attacks using malicious code and a series of direct assaults on network edge devices. Artefacts present showed that several of these attacks had been successful and that the email accounts of two Directors had been compromised.

All of these attacks originated from a small number of IP addresses allocated to a Russian ISP. Swiss authorities took over the investigation and in cooperation with their Russian counterparts, eventually arrested members of the criminal gang behind the attacks.

Call us on 020 7193 4905 for more information on how we can help.