Closing the Contextual Loop in Digital Investigations
Without All the Evidence, You May Not Know the Full Story
In the second part of our series on digital breadcrumbs, we provided a timeline surrounding an evening of travel that encompassed digital evidence consisting of monitoring flight delays, computer usage, and text messages, all derived from the digital breadcrumbs gathered from a corporate employee’s smartphone. In our timeline, there was some digital noise: events that had little or no bearing on our matter. However, these events may have left behind some digital breadcrumbs we can use.
While the actions we provided in our timeline example were not those of our suspected corporate thief, they could become tangentially relevant by showing our suspect’s access and opportunity. Let’s postulate for a moment how these digital breadcrumbs could be relevant and provide enlightening context to our investigation.
If this were an actual investigation into theft of trade secrets, focus would likely be on data collected from our suspect’s devices, as well as those involved in the delivery of our target proposal. However, examination of our suspect’s devices leads to nothing but dead ends. The target proposal with our traveling employee’s changes was seemingly never in his possession. Review of his corporate email provides little information, and his text messages reveal little communication with his traveling colleague.
But wait a moment. Our secondary analysis of those present at the client meeting to which the proposal pertains reveals our smoking gun. Located on his traveling colleague’s phone is the text-based conversation absent from his device. Her digital breadcrumbs reveal that she saved the updated draft to a USB device, and that the USB drive was the only location on which that particular draft existed. When asked what she did with the USB device, she explains she provided it to her colleague (our suspect), at his behest.
In an interview with our suspect, he denies having access to the draft and says he does not recall the meeting the night before with his colleague. However, upon closer examination of geolocation information embedded in his phone’s app data, we find that he is lying. His phone places him at the hotel that evening prior to the client meeting. And while his side of the text message conversation is mysteriously gone, we have it preserved from his colleague’s device.
As with any digital investigation, arriving at the truth is often the result of an amalgamation of disparate evidence. In our example, the actions of our traveler seemed superficial, but when combined with the absence of evidence from our suspect’s device, paired with the overlooked breadcrumbs of data he failed to cover up, we have our story. Assembling a timeline of these facts and presenting it to a judge or jury could mean the difference in a case.
If you are an attorney focused solely on document-based data, such as email and electronic office documents, you likely missed the opportunity to tell the full story, overlooking the context that these disparate and seemingly disconnected digital breadcrumbs provide. Leveraging link analysis of the colleague’s phone, you now have the missing text-based communications, as well as the common geolocation information. Presentation of this evidence in a succinct and clear timeline is now paramount.
If you missed our first installment of this article, take a moment to read “How Digital Breadcrumbs and Linked Data are Transforming Investigations.” And don’t miss out on what metadata and link analysis can tell you about your matter’s actors in the context of an investigation. Find out how easy it is to review these emerging data types and tell a better story--right down to the emoji. Arrange a demonstration of ESI Analyst today.