Corporate investigations can hurt companies when digital evidence goes wrong. The stakes are high, and one mistake can turn a routine internal matter into a legal nightmare. Warren Kruse II has spent decades digging through digital evidence for major corporations and law firms, from FCPA cases across continents to expert testimony work. His job is finding truth in places most people wouldn’t know to look.
Gaining Perspective From Regulatory Work
Some of the most valuable experience comes from seeing how the other side operates. Kruse got that chance when he worked directly with regulatory investigators. “I was an expert for the Securities and Exchange Commission, which was valuable experience. I got to work with them directly and understand how they operate, so now I could better support our clients when they’re being investigated by the SEC. If you are being investigated by the SEC wouldn’t you trust who they did?” That inside look changed how he approaches corporate defense work. The work spans everything from insider threats to massive compliance violations. Kruse has helped organizations dig through structured analytics, email threading, and endless text message trails. Each case brings different challenges, but the mistakes are usually the same. Companies that survive investigations well have something in common: they planned ahead.
Planning Investigations Before Crisis
Planning sounds obvious, but most organizations don’t do it right. He recently saw a perfect example of what happens when companies wing it. A judge described one case as an “epic dysfunctional discovery.” Nobody wants their company making headlines for that kind of dysfunction. “How do you avoid that? You have a plan. When something happens, you execute it immediately. You’re not wasting time trying to figure out your strategy. You’re already implementing because you have the framework created already,” Kruse points out. Time kills investigations before they start. When an insider threat hits or a trusted employee walks out the door, IT departments want their equipment back fast. They need to reuse that hardware, and every day it sits around costs money. But rushing the preservation process costs a lot more when things go sideways.
Evidence handling makes or breaks cases, and Kruse has seen both sides of that equation. Chain of custody sounds like paperwork, but it’s the foundation everything else builds on. He learned this lesson the hard way during a deposition when opposing counsel asked about one missing box. “I wasn’t able to answer and I said I didn’t know. But they’re going to try and find those gaps. So you want an unbroken chain of custody,” he recalls. After securing the evidence, smart investigators move fast on data triage. The goal isn’t perfection at this stage. Kruse focuses on getting a solid assessment of what’s actually there before deciding where to dig deeper. Too many investigations waste time chasing dead ends because they skipped this step.
Reconstructing Timelines From Data
Modern investigations deal with data scattered across dozens of platforms. People don’t just use work computers anymore. “You have iPads, computers, cell phones, cloud storage, social media—all of these very different types of data. You want to put them together and reconstruct a timeline to see what that person was up to,” Kruse explains. The real story only emerges when you connect all those dots. The timeline work gets interesting around key dates. What did someone do on their last day? What about the week before? Kruse looks for triggering events too. Did the employee get put on a performance improvement plan? Was there an HR action that might have motivated unusual behavior? Those dates often reveal the most telling activity patterns.
Involving Legal Teams From Start
Cross-border investigations bring jurisdictional headaches that can sink cases. He has learned to get legal teams involved from day one, especially when dealing with different countries’ privacy laws. “Get legal involved early and often. Make sure that they are up to speed on what you’re doing and that it’s potentially covered under privilege,” he advises. Without privilege protection, initial investigation theories can become weapons for the other side later. That privilege protection becomes critical when subpoenas start flying. Companies need their early investigation work shielded from discovery, or their own emails and theories end up helping opposing counsel build their case.
Avoiding Shortcuts in Investigations
Some companies want to test the waters before committing to full forensic procedures. Kruse warns against this shortcut thinking. You can start with full forensic imaging and scale back if the case goes nowhere. But you can’t do it backwards. “You can’t just ‘look around’ and then say we found something, let’s image this computer, because now all of those date and timestamps might’ve been altered,” he cautions.
The best investigations do more than catch bad actors. “Internal investigations aren’t just about uncovering wrongdoing. They’re about protecting truth, your company, and the people,” he notes. Done right, investigations strengthen company governance instead of just assigning blame. The key is having a tested playbook ready to go. Kruse recommends regular roundtable discussions to find gaps in procedures. When something hits, companies should grab that playbook and execute immediately. No time for figuring things out on the fly.
Connect with Warren Kruse II on LinkedIn to learn more about his approach to investigations.
