Business forensics

Digital evidence review for business disputes and internal investigations.

Review of account activity, employee devices, email records, cloud data, and access questions.

Investigative focus

For situations where leadership needs records, timelines, and limits.

Business forensic work often happens under time pressure. The process still has to preserve records, respect scope, and produce findings that can be reviewed later.

Internal investigations

Review communications, user activity, device artifacts, cloud data, and access records to support privileged or management-led fact finding.

Departing employees

Assess file handling, external device use, cloud sync, downloads, transfers, account access, and document movement around departure windows.

Account compromise

Interpret sign-ins, security alerts, recovery events, mailbox rules, access geography, and attacker persistence indicators.

Data access disputes

Evaluate whether sensitive systems, files, accounts, or communication platforms were accessed, copied, modified, or shared.

Business email compromise

Reconstruct the timeline of mailbox access, spoofing, forwarding rules, payment diversion, and message handling.

Common questions

Common questions this work can help answer

Was data accessed, copied, or transferred?

Review file activity, removable media records, cloud sync folders, downloads, and account logs.

Was an account compromised?

Evaluate login records, security alerts, recovery events, mailbox settings, and suspicious access patterns.

Were mailbox rules or forwarding settings changed?

Examine mailbox configuration, message trace, forwarding rules, and related timing.

Did a departing employee use external storage or cloud sync?

Review endpoint artifacts, USB records, cloud folders, document movement, and departure window activity.

Do the available records support the allegation?

Compare the claim against source records, timing, account activity, and alternate explanations.

Evidence handled with restraint

Corporate investigations require scope and restraint.

Rune Forensics can work with outside counsel, internal legal teams, executives, insurers, or investigators to keep the evidence review proportional and controlled.

01 Preserve what matters

Identify relevant custodians, devices, accounts, logs, and cloud sources before volatile evidence disappears.

02 Limit unnecessary exposure

Focus analysis on defined questions and relevant records rather than broad, intrusive review.

03 Correlate across systems

Compare endpoint artifacts, cloud activity, email events, and access records to avoid single-source assumptions.

04 Report for action

Deliver practical findings for counsel, leadership, insurance review, negotiation, or litigation strategy.

Common evidence sources

Business matters usually require more than one record type.

Endpoint artifacts

User activity, files, external devices, cloud sync folders, browser records, execution artifacts, and system logs.

Cloud platforms

Microsoft 365, Google Workspace, cloud storage, account settings, audit logs, sign-in history, and sharing records.

Email systems

Message headers, mailbox rules, message trace, forwarding activity, authentication events, and security alerts.

Mobile and messaging data

Work phones, chats, media, attachments, notifications, app records, and communication timelines.

Business inquiry

When internal facts matter, start with a controlled forensic scope.
