Case Study 6: Identification of Witnesses

Background: An allegation of an assault was made. The assault allegedly occurred at a large social event with controlled access and presold tickets. The identity of the assailant was not known beyond a general description.
Collection: We collected social media posts using geospatial and time/date data at the event location. From those posts, social media accounts of event attendees were identified. We used credentialed access from the victim’s accounts. We collected posts and likes from the event promotion site (including dialog regarding sale / resale of tickets, event photos, etc.). We collected photos from the commercial photographer engaged at the event on the photographer’s Facebook page.
Collation: We collated material from three collection tools, including artefacts and metadata.
Analysis: Using our visual analysis tool, we were able to depict the social network of most event attendees, showing many forms of social connections. Photos of attendees were reviewed for possible matches to the description of the alleged assailant. Email details and phone numbers for some witnesses were obtained.
Product: Collection of photos in photo-board style review; lists of names of event attendees; identification of sources of additional information (event organiser, commercial photographer); preserved copy of all data.
Outcome: Investigation is ongoing; key witnesses have been identified for statements.

Case Study 5: Location of Person of Interest

Background: A person of interest (POI) in a commercial relationship with organised crime had “phoenixed” a number of businesses with non-payment of debt. The businesses were thought likely to have been used in money-laundering activity. The addresses and phone numbers used by the POI had changed frequently.
Collection: We identified and collected the contents of a number of social media accounts operated by the POI from accounts and events connected to various businesses. The material covered the last two businesses operated by the POI over the last six months. Some of the data collected was from Facebook, Foursquare and Twitter “Events”.
Collation: We downloaded information into logical evidence containers corresponding to the case and the different businesses.
Analysis: We compared data to separately identify the POI so that we could understand patterns of movement, recent photos, current addresses and phone numbers, and presented this on a clean map.
Product: A number of locations were specified that were habitually attended by the POI at regular times.
Outcome: Court notices were served by the investigator with no wasted time or travel.

Case Study 4: Identity Theft / Takeover

Background: In a recent migration appeals matter, a visa over-stayer had appealed a deportation notice on the basis of incorrect identity. The investigative hypothesis was that the suspect had stolen the identity of another member of her ethnic community.
Collection: Using the stolen / assumed identity and the genuine identity, we were able to collect a significant volume of material.
Collation: Material corresponding to each identity was organised into separate repositories.
Analysis: We were able to compare and contrast material from each account and reconcile this against a timeline. Biometric and visual comparison of the two identities was part of the analysis.
Product: The longstanding nature of the genuine account was demonstrated through photos appearing across a range of account holders. By contrast, the constructed identity / taken-over identity could not demonstrate the same provenance. Photos in the company of known parties at different times and places were considered to be material evidence.
Outcome: Material we provided contributed to the correct identification of the applicant.

Case Study 3: Assault Investigation – Test Retrospective Claims

Background: A number of complainants asserted that they did not know each other. Defence alleged complainants conspired to change statements. Social media was used to show probable real-world links between complainants and dialog in relation to the investigation and trial.
Collection: We used four different programmatic tools to download public and credentialed (from a cooperating party) account information from a number of social media accounts that appeared to be operated by complainants. A cooperating party allowed us to use their Facebook account to view data from friends and friends of friends.
Collation: In the case-based investigation data repository we collected many thousands of items including posts, chat, photos, check-ins, likes, friending requests, etc. In separate repositories, using both public and “friend” account credentials, we were able to deduplicate and highlight second-level connections between contacts (friends of friends). Data from several social sites was downloaded, normalised and combined into a single case repository.
Search and Analysis: Clustering and visualisation tools showed different forms of connections and communications indicating comments, connections, likes, etc. We searched the collection for keywords and highlighted communications relating to key people and subjects involved in the case. Social network activity was analysed for function, density and reciprocity.
Product: Social network diagram showing interactions of several different types (likes, dialog relevant to case and other communications); date / communication / friend matrix; timeline; report; court appearance explaining data collected and presentation to the jury of detailed trial graphics; cross examination of material by Crown prosecutors.
Outcome: Our material contributed to the objective categorisation of complainants’ statements.

Case Study 2: Fabricated or Deleted Evidence

Background: In a family law matter, paper print-outs of Facebook pages were introduced by the applicant as evidence of conversations on Facebook. The respondent disputed the authenticity of the statements and sought to demonstrate these were manufactured and had never been posted to her Facebook Profile. The respondent alleged that the material was a deliberate attempt to mislead the court to her detriment.
Collection: All Electronically Stored Information (“ESI”) from several relevant accounts was collected programmatically across a specified date range, including attendant metadata, to compare with the material introduced by the applicant that was claimed to be authentic.
Collation: ESI was downloaded into a case-based logical evidence container, preserved and organised to compare with the material in question.
Analysis: Comparative analysis of paper court exhibits with downloaded ESI. Initially, a simple visual inspection was made to ascertain whether the contested posts were visible from the respondent’s account (Facebook Profile) or from the perspectives of related parties that allegedly included comments and which were Facebook friends of both parties. We carefully reviewed changes in friends’ collections and account privacy settings to identify potential changes in the visibility of material with the credentials that we used to collect material for the case. For corroboration and to confirm our analysis of metadata, we also obtained sworn statements from “Facebook Friends” as witnesses – all of these supported our analysis in their assertions that they had not seen the post alleged to have been fabricated in the live Facebook environment. Our experienced investigators also reviewed material with a view to content analysis: language / tone / fonts / appearance / layout. We also used techniques such as gap analysis of metadata sequence and integrity to determine the possible existence of any data missing from conversation threads and posts on the wall.
Product: Report specifying findings in metadata integrity and showing any gaps that could have corresponded to the allegedly fabricated posts / component of evidence. Recommendations that statements be taken from related parties to confirm that the alleged posts did or did not exist. Recommendation for investigation of possible perjury to escalate the matter to be able to obtain data from the social site law enforcement liaison process. A detailed report allowing law enforcement liaison processes to be very focused and efficient in data requests to the relevant online social network.
Outcome: Our report was submitted to the court. We understand additional questions regarding provenance of the Facebook posts were asked of the applicant.

Case Study 1: Insurance Fraud

We have completed thousands of matters in relation to personal injury claims.

Our work covers both litigated and non-litigated matters with reserves ranging from a few thousand dollars to many millions of dollars.

The following case is typical.

Background: Objective: Test assertions made in the claim using information obtained from social media and other online sources.
Collection & Preservation of Probative Data: OSINT tools identified many sources of social media accounts contextually and directly linked to the matter. We used our array of forensic data acquisition tools to access, collect and preserve all public social media information available. All posts / ESI were collected in a logical evidence container that does not allow content alteration or unmonitored access to items collected. All items were given an algorithmic hash-value (fingerprint) generated on the basis of item-specific attributes and the date and time of collection – this ensures that items cannot be altered without detection. The metadata also included all of the online social network published metadata in relation to the items collected.
Collation: Items were tagged according to themes that were relevant to observations we made that conflicted with assertions made by the insured. Example themes were: “Time and Place”, “Degree of incapacity / impairment”, “Commercial Activity”. Other categories were derived from clinical sources including American Medical Association Guides to the evaluation of permanent impairment, 6th edition (AMA6).
Analysis: We compared declarations made in claims forms and in other dialog with insurance company representatives and medical professionals. Material differences in function compared to self-reported impairment were further investigated. Patterns of postings and communications were identified with reference to content to substantiate function or incapacity at different points in time.
Product: Online access to the collection for external legal counsel and claims assessor to search and review material for their own tagging / subjective organisation of the collection. Legal load-file export of the collection. Report summarising our findings, specifying observations and open questions in relation to the claim. Presentation of data in a report format for Independent Medical Examiner (IME) recategorization or consideration. Videos posted by the plaintiff to TikTok and Instagram were also provided for review.
Outcome: Our collection provided material that led to the claim being declined, after the material was presented to the plaintiff in a legal conference. The financial result was a significant saving to the insurer. The reasonable basis for the declination of the claim was based on our OSINT report and data collection.
Comments: This is a common category of our work for. Recently we took on a portfolio of suspicious matters under investigation by various claims managers who had been unable to progress the investigation using conventional methods. We drilled down on assertions in the claims to better inform claims teams about the genuineness and honesty of claims. Our approach provided information not available using commonly available alternatives. We found important revelatory material when other approaches had been exhausted. In over 30% of psychological claims investigated by us, we have identified material inconsistencies between the claim and the actual status. It is not unusual for us to identify claimants working or leading active and interesting lives when they assert that they are unable to perform basic activities of daily living. We aim to augment other claims management processes to ensure faster negotiations and better settlements.
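
The item fingerprinting described under "Collection & Preservation of Probative Data" in Case Study 1 can be sketched as follows. This is an added example, not the firm's tooling: SHA-256, the JSON canonicalisation, the field names and the sample posts are all assumptions, and the manifest digest goes beyond the per-item hash the text describes to show how removed items are also detected.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

def canonical_bytes(obj) -> bytes:
    # Deterministic serialisation so the same item always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def fingerprint_item(item: dict, collected_at: datetime) -> dict:
    """Bind the item's attributes to its collection time under one SHA-256."""
    if collected_at.tzinfo is None:
        raise ValueError("collection time must be timezone-aware")
    envelope = {"item": item,
                "collected_at": collected_at.astimezone(timezone.utc).isoformat()}
    return {**envelope, "sha256": hashlib.sha256(canonical_bytes(envelope)).hexdigest()}

def verify_item(entry: dict) -> bool:
    """Recompute the fingerprint; False means the item or timestamp changed."""
    envelope = {"item": entry["item"], "collected_at": entry["collected_at"]}
    expected = hashlib.sha256(canonical_bytes(envelope)).hexdigest()
    return hmac.compare_digest(expected, entry["sha256"])

def manifest_digest(entries: list) -> str:
    """Digest over all fingerprints in collection order. Recorded outside the
    container, it exposes removed, added or reordered items."""
    h = hashlib.sha256()
    for entry in entries:
        h.update(bytes.fromhex(entry["sha256"]))
    return h.hexdigest()

# Constructed sample data (hypothetical platform and posts, not from any matter).
COLLECTED_AT = datetime(2024, 1, 15, 3, 30, tzinfo=timezone.utc)
SAMPLE_ITEMS = [
    {"platform": "example-social", "post_id": "1001", "author": "account_a",
     "published": "2024-01-10T09:00:00+00:00", "text": "Sample post one"},
    {"platform": "example-social", "post_id": "1002", "author": "account_a",
     "published": "2024-01-12T18:45:00+00:00", "text": "Sample post two"},
]

def demo() -> dict:
    entries = [fingerprint_item(i, COLLECTED_AT) for i in SAMPLE_ITEMS]
    sealed = manifest_digest(entries)
    tampered = json.loads(json.dumps(entries))  # deep copy to edit
    tampered[0]["item"]["text"] = "edited after collection"
    return {"intact": all(verify_item(e) for e in entries),
            "edit_detected": not verify_item(tampered[0]),
            "removal_detected": manifest_digest(entries[1:]) != sealed}

if __name__ == "__main__":
    print(demo())
```

A hash stored beside the item only detects alteration if the hash itself cannot be silently recomputed, which is why the manifest digest is meant to be recorded somewhere the container's users cannot write.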