// investigation guide

workplace harassment / hostile workplace — methodology

workplace harassment is not one rude slack message. it is a pattern across channels: hostile performance framing in #hr-policy, edited and deleted teams posts, email threads that tell the complainant to stop involving HR, anonymous channel posts that mirror the accused voice, and desktop cache that survives after legal-hold exports. your job is to preserve what HR and counsel need — chain of custody, redaction-ready timelines, and platform-native artifacts — without turning an internal investigation into an unauthorized surveillance sweep. follow employer HR policy and refer to counsel before conclusions.

HR sensitivity — preserve evidence, not verdicts

this guide documents technical preservation of slack, teams, and email exports only. it is not HR advice, employment law guidance, or a substitute for your organization's investigation policy. before you collect or analyze chat data: confirm you are authorized under company policy, document consent where required, and loop in HR and employment counsel on scope — especially when the accused holds management authority over the complainant. preserve originals read-only; hash every file with sha-256 before editing or redacting. do not confront the accused with tool output, do not share unredacted exports with witnesses outside the investigation team, and do not treat stylometry as a termination decision. counsel and HR determine findings, remedies, and whether law enforcement belongs in the loop.

  1. trigger a legal hold on slack, teams, and mailbox exports before anyone deletes channels or purges retention.
  2. collect from employer-owned systems and authorized exports — not personal devices without policy and counsel approval.
  3. note who pulled each export, when, and from which admin console — chain of custody starts at collection.
  4. redact unrelated third-party PII before sharing exhibits outside the core investigation team.
  5. if the complainant requests confidentiality, route sharing through HR — not direct manager chains that include the accused.
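
an added example, not part of the original guide or its tooling: a sha-256 custody manifest for the hashing rule and list item 3 above, with a verify pass that reports any file changed, removed, or added after hashing. the field names (collected_by, source_console, hashed_utc) and the sample file names are assumptions made for illustration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte exports do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def files_under(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in sorted(root.rglob("*")) if p.is_file()}

def build_manifest(root, collected_by, source_console):
    """Record who pulled the export, from where, and a digest per file."""
    return {"collected_by": collected_by, "source_console": source_console,
            "hashed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "files": {rel: sha256_file(p) for rel, p in files_under(root).items()}}

def verify_manifest(root, manifest):
    """Return (problem, path) pairs; an empty list means the copy still matches."""
    current, problems = files_under(root), []
    for rel, digest in manifest["files"].items():
        if rel not in current:
            problems.append(("missing", rel))
        elif sha256_file(current[rel]) != digest:
            problems.append(("modified", rel))
    problems += [("unlisted", rel) for rel in current if rel not in manifest["files"]]
    return problems

def demo():
    """Constructed sample files: hash, then simulate an in-place redaction."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "slack-export.zip").write_bytes(b"constructed sample export")
        (root / "thread-root.eml").write_bytes(b"constructed sample email")
        manifest = build_manifest(root, "investigator-a", "slack admin console")
        before = verify_manifest(root, manifest)
        (root / "thread-root.eml").write_bytes(b"redacted in place")
        (root / "notes.txt").write_bytes(b"added after hashing")
        return before, verify_manifest(root, manifest)

if __name__ == "__main__":
    print(demo())
```

store the manifest outside the hashed folder so it does not list itself, and run verify_manifest on every working copy before it goes into an exhibit pack.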

what evidence exists and how fast it dies

| artifact | volatility | time to loss |
|---|---|---|
| slack workspace export (legal hold) | persistent if held | lost if retention expires before hold · deleted messages may appear only as subtypes |
| teams eDiscovery / admin message export | persistent if held | edits and deletes need export json — live UI hides deleted bodies |
| hostile .eml / .msg thread | persistent if saved | auto-purge and user deletion · pull from journal or archive before 30-day retention |
| slack desktop storage sqlite | volatile on live box | minutes if IT reimages or user signs out and cache clears |
| teams client cache sqlite / leveldb | volatile on live box | hours if profile reset or os upgrade runs |
| writing samples (accused vs anonymous text) | persistent on disk | lost if posts are deleted before you save plain-text copies |
| HR case notes and interview memos | persistent in HRIS | access-controlled — not in chat exports; collect separately under policy |

the first 10 minutes

  1. confirm HR has opened a case and you are on the authorized investigator list — stop if not.
  2. issue legal hold on slack, teams, and relevant mailboxes for complainant, accused, and named channels.
  3. pull admin slack export and teams message json for the date range — do not rely on screenshots alone.
  4. preserve hostile .eml files as originals — forward-as-attachment, not inline reply.
  5. if endpoint collection is approved: image slack storage sqlite and teams cache before reimage.
  6. save anonymous post text and timestamps in a read-only file — hash immediately.
  7. document utc timeline: first incident, escalation to HR, and any retaliation claims.
  8. do not notify the accused that stylometry or desktop forensics is running — HR owns communication.
  9. route raw exports to counsel review before wide distribution inside the company.
  10. begin the path below on copies — not on the only legal-hold original.

the path

workplace harassment evidence arrives as platform exports, email threads, endpoint chat cache, and writing samples — not a single disk image. run steps 1–3 on employer-held exports; steps 4–5 when endpoint collection is authorized; steps 6–7 on email; step 8 last as supporting authorship analysis only.

  1. slack export analyzer

    workspace export zip from legal hold or admin export. browse #hr-policy channel messages, user roster, and timeline — the Parker fixture surfaces D. Mitchell targeting E-33017 with performance hostility and a deleted-message indicator.

    why first: HR cases start with what the employer already holds. a legal-hold slack export is the baseline narrative before you chase desktop residue or anonymous posts.

  2. slack export forensic analyzer

    same export zip, forensic pass. reconstructs threads and flags deleted-message subtypes, file shares, and user activity patterns that export analyzers miss — e.g. message_deleted rows in #hr-policy.

    why second: browse mode shows text; forensic mode surfaces deletion metadata and thread gaps that become exhibit anchors.

  3. microsoft teams export forensic analyzer

    teams messages, channels, and members json from eDiscovery or admin export. parses edits, deletions, mentions, and guest access — Parker fixture includes edited hostile content and a deleted follow-up in HR Policy channel.

    why third: harassment rarely lives in one chat platform. teams edit and delete timestamps are separate artifacts from slack exports.

  4. slack desktop forensics

    slack storage sqlite from the accused or complainant workstation. recovers cache payloads for DMs and channels not fully captured in the workspace export — Parker fixture includes a DM residue: "stop documenting my messages".

    why fourth: legal hold exports lag live chat. desktop sqlite can hold messages deleted before export ran.

  5. microsoft teams forensics

    teams leveldb / sqlite cache from endpoint collection. surfaces conversation residue, call metadata, and cached message bodies — Parker fixture includes a "keep this off the record" DM cache tied to the accused's display name.

    why fifth: teams clients cache content locally. pair endpoint residue with export json to show what was edited or deleted upstream.

  6. email thread reconstructor

    hostile .eml set — root message and reply. builds Message-ID / In-Reply-To / References tree and flat timeline — Parker thread PKR-HR-THREAD-001 links the performance hostility email to the complainant's HR documentation reply.

    why sixth: email is still where managers send what they will not put in slack. thread headers prove continuity when subjects get renamed.

  7. email thread reconstructor

    same .eml corpus, alternate threading pass. flags missing parents, broken References chains, and thread hijack patterns — useful when counsel receives a partial mailbox dump instead of a clean pair.

    why seventh: HR investigations receive redacted or partial exports. a second threading view catches gaps the first pass missed.

  8. natural language writing sample authorship comparator

    accused writing sample vs anonymous slack post text. stylometric similarity and shared phrase fingerprints — Parker fixture expects a match between D. Mitchell's voice and an anonymous channel post paraphrasing the same HR-avoidance language.

    why last: authorship is supporting evidence only — run after platform identity is established. stylometry does not replace HR findings or legal process.
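
an added example for steps 6 and 7, not the guide's own reconstructor: threading a set of .eml messages by Message-ID, In-Reply-To, and References, normalizing dates to utc, and reporting ids that are cited but absent from the collected set. the three messages, their example.test ids, and the helper names are constructed for illustration.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

MSGID = re.compile(r"<[^<>\s]+>")

def load(raw):
    m = message_from_string(raw)
    refs = MSGID.findall(m.get("References", ""))
    irt = MSGID.findall(m.get("In-Reply-To", ""))
    return {"id": m["Message-ID"].strip(),
            "chain": refs + [i for i in irt if i not in refs],  # oldest ancestor first
            "utc": parsedate_to_datetime(m["Date"]).astimezone(timezone.utc)}

def reconstruct(raw_messages):
    msgs = {r["id"]: r for r in map(load, raw_messages)}
    roots, children, missing, bridged = [], {}, set(), []
    for r in msgs.values():
        # ids cited in the headers but not collected are gaps in the dump
        missing.update(i for i in r["chain"] if i not in msgs)
        # attach to the nearest ancestor that is actually present
        anchor = next((i for i in reversed(r["chain"]) if i in msgs), None)
        if anchor is None:
            roots.append(r["id"])
        else:
            children.setdefault(anchor, []).append(r["id"])
            if r["chain"][-1] != anchor:
                bridged.append(r["id"])  # direct parent is missing
    timeline = [(r["utc"].strftime("%Y-%m-%dT%H:%M:%SZ"), r["id"])
                for r in sorted(msgs.values(), key=lambda r: r["utc"])]
    return {"roots": roots, "children": children, "missing": sorted(missing),
            "bridged": bridged, "timeline": timeline}

def eml(mid, date, subject, irt=None, refs=None):
    """Build a constructed header-only message for the sample set."""
    h = [f"Message-ID: {mid}", f"Date: {date}", f"Subject: {subject}"]
    h += [f"In-Reply-To: {irt}"] if irt else []
    h += [f"References: {refs}"] if refs else []
    return "\n".join(h) + "\n\nconstructed body\n"

# constructed sample: <c@example.test> was never collected, and one subject is renamed
SAMPLE = [
    eml("<a@example.test>", "Fri, 17 Apr 2026 09:00:00 -0400", "review notes"),
    eml("<b@example.test>", "Fri, 17 Apr 2026 13:30:00 +0000", "RE: review notes",
        irt="<a@example.test>", refs="<a@example.test>"),
    eml("<d@example.test>", "Fri, 17 Apr 2026 10:15:00 -0400", "renamed subject",
        irt="<c@example.test>", refs="<a@example.test> <c@example.test>"),
]

if __name__ == "__main__":
    print(reconstruct(SAMPLE))
```

the renamed message still lands under the root because References carries the chain; the bridged and missing lists are what to take back to the mailbox custodian.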

common false leads

  • one harsh message equals harassment finding — pattern, context, and policy thresholds belong to HR and counsel, not a single slack line in isolation.
  • deleted slack message equals no evidence — message_deleted subtypes and desktop cache often survive after the UI hides the body.
  • teams edit timestamp means innocent typo — paired with hostile original content, edits can be cover-up behavior; read the export json, not the final text alone.
  • stylometry match proves the accused wrote the anonymous post — authorship tools produce similarity scores, not legal identity. corroborate with account access, timeline, and HR interviews.
  • email thread complete because two messages exist — partial mailbox dumps miss BCC and parallel threads; run both reconstructors and compare gaps.
  • desktop forensics on the complainant laptop first — default collection target is employer systems and authorized exports; personal device scope needs explicit policy approval.
  • export analyzer and forensic analyzer disagree — they emphasize different fields; reconcile on timestamps and message ids, not row counts alone.
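
an added example for the deleted-message and reconciliation points above, not the guide's own analyzer: a pass over one channel folder of a slack export zip that lists message_deleted rows, edits, and replies whose thread parent is absent, keyed on message ts. it assumes the export layout of users.json plus per-channel day files and that deleted rows carry subtype message_deleted with a deleted_ts field; the zip contents are constructed.

```python
import io
import json
import zipfile
from datetime import datetime, timezone

def utc(ts):
    """Slack ts strings are epoch seconds with a microsecond suffix."""
    return datetime.fromtimestamp(float(ts), timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def scan_channel(zip_bytes, channel):
    """Return (kind, utc_time, user, reference_ts) rows for one channel folder."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        users = {u["id"]: u["name"] for u in json.loads(z.read("users.json"))}
        msgs = []
        for name in sorted(z.namelist()):
            if name.startswith(channel + "/") and name.endswith(".json"):
                msgs.extend(json.loads(z.read(name)))
    present = {m["ts"] for m in msgs if m.get("subtype") != "message_deleted"}
    rows = []
    for m in sorted(msgs, key=lambda m: float(m["ts"])):
        who = users.get(m.get("user"), "unknown")
        if m.get("subtype") == "message_deleted":
            rows.append(("deleted", utc(m["ts"]), who, m.get("deleted_ts")))
        elif "edited" in m:
            rows.append(("edited", utc(m["edited"]["ts"]), who, m["ts"]))
        parent = m.get("thread_ts")
        if parent and parent != m["ts"] and parent not in present:
            rows.append(("reply_without_parent", utc(m["ts"]), who, parent))
    return rows

def constructed_export():
    """Build a tiny export zip in memory (constructed sample, not real data)."""
    day = [
        {"type": "message", "user": "U01", "ts": "1776474000.000100", "text": "sample a"},
        {"type": "message", "user": "U01", "ts": "1776474060.000200", "text": "sample b",
         "edited": {"user": "U01", "ts": "1776474300.000000"}},
        {"type": "message", "subtype": "message_deleted", "ts": "1776474600.000300",
         "deleted_ts": "1776474120.000250"},
        {"type": "message", "user": "U02", "ts": "1776474700.000400", "text": "sample c",
         "thread_ts": "1776474120.000250"},
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("users.json", json.dumps([{"id": "U01", "name": "user-one"},
                                             {"id": "U02", "name": "user-two"}]))
        z.writestr("hr-policy/2026-04-18.json", json.dumps(day))
    return buf.getvalue()

if __name__ == "__main__":
    for row in scan_channel(constructed_export(), "hr-policy"):
        print(row)
```

the deleted row and the parentless reply point at the same ts, which is the id to look for in desktop cache or a second export.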

what we can tell you, what we can't

we can tell you:

  • slack channel timelines, user rosters, and deleted-message indicators from workspace exports
  • teams message edits, deletions, mentions, and channel membership from export json
  • cached slack and teams message residue from desktop sqlite artifacts
  • email thread trees from Message-ID, In-Reply-To, and References headers
  • stylometric similarity between writing samples (supporting, not definitive)
  • csv and json exports suitable for redaction and counsel review packs

we can't tell you:

  • whether conduct violates policy or law — HR and employment counsel determine that
  • who should be terminated, demoted, or reassigned — management and HR decision
  • guaranteed authorship in court from stylometry alone — expert review and corroboration required
  • recover messages after platform purge if no export or cache was preserved — export first
  • access slack or teams tenant data without exports your organization legally holds
  • provide legal advice on Title VII, state law, or union grievance processes
  • replace ethics-hotline or HRIS investigation modules — use dedicated HR tools where required

handing it off

  • HR business partner (usually first): utc timeline, channel list, parties involved, redaction plan, and what exports exist vs what still needs legal hold.
  • employment counsel: sha-256 manifest of each export, chain-of-custody memo, thread reconstructor output, authorship limitations spelled out, recommended interview order.
  • IT / collaboration admin: extended retention confirmation, guest-access audit, whether accused still has owner rights on investigated channels.
  • workplace investigator (internal or external): redacted exhibit pack — slack forensic csv, teams deletion log, email thread pdf, anonymous post hash log.
  • law enforcement (only with HR and counsel): if threats of violence or criminal conduct — preserved .eml set, platform export hashes, not raw unredacted complainant PII sent ad hoc.

further reading

reference investigation

synthetic fixture parker-workplace-harassment — Parker Corp HR investigation PKR-HR-2026-0418 on hostile Slack #hr-policy and Teams messages by D. Mitchell targeting E-33017 · deleted Slack DM · email thread PKR-HR-THREAD-001 · anonymous Slack authorship match · desktop sqlite residue. seed parker-workplace-harassment:v1. compare output via npm run check:flagship.

fixture download: evidence zip · proof page: /forensics/proof/parker-workplace-harassment · case playbook: case type tools
