Top 10 often overlooked sources for hidden electronic evidence

It is standard procedure for investigators in both the public and private sectors to extract intel from electronic records in addition to obtaining physical evidence. Subpoena and discovery criteria almost always include access to electronically stored information (ESI) as part of the language in the order. Since ESI is a relatively new field of evidentiary procedure, the wording on many default discovery orders does not specifically limit the scope for collection of data. This creates both an opportunity and an obstacle for the attorney, which a skillful investigator can assist with. The usual starting points for ESI collection are corporate file servers, email messages, Word documents, spreadsheets, and web viewing histories. Depending upon the nature of the case, there may be other data specific to the circumstances.

Beyond these, investigators can provide added value to clients by having a checklist of often overlooked places where valuable ESI and intelligence can hide. For starters, here are some examples of locations to observe for additional information.

1. Other Facebook messages – Of course Facebook and other social networks are near the top of the list for investigators, but there are always enhanced techniques for obtaining information in these venues. These tricks will change over time as the social networks change and users adapt. One current example is Facebook’s “Other Messages” section. A submenu of “Messages”, the “Other” folder contains messages from users not currently connected with the user. Often these messages are from distant acquaintances looking to communicate without friending the user, or from marketers. Certainly keep researching methods to get more from social networks than a typical investigative professional.

2. Voicemail message audio files – In many corporate and alternate phone system environments, voicemail messages are saved as audio files on a server or local machine. When this is the case, these files are subject to the same storage / backup / retrieval methods as any other computer file. Frequently the system even retains deleted voicemails for some period of time, often months. Even if the phone system retains voicemail files for a few days, any automated backup will catch this file and have it on an archive disk or tape for retrieval. Imagine the investigative value from voicemail messages that the subject thought were deleted.
3. Box/Google Docs/Evernote – Many individuals are using third party file hosts for various purposes. Over time, systems such as Box.com, Evernote, and Google Docs have become more flexible than in-house applications, so users can configure them as customized to-do lists, calendars, and worksheets. In extreme cases users apply these resources to intentionally keep information off the corporate server or their own personal machine for security purposes. The files and notations in these files can enhance official records or add context to previously obtained information.
4. In-game messaging – Facebook messages, Tweets, emails, and text messages are obvious sources of communications history for a subject. There are additional places a cautious subject may exchange more sensitive information. Many games such as World of Warcraft have in-game messaging utilities where users can communicate while playing. Even the popular Words With Friends game has a chat dialog. In many cases a subject may be less guarded in communicating in these environments as the forum is considered less obvious, and the other party more of a close acquaintance.
5. Discussion forums – Once seen as obscure venues for techie types, online discussion forums have exploded into popular arenas for discussion between like-minded individuals. The common theme may be based on a certain industry, a hobby, recreation, political interests, or social pursuit. The participants normally go by user names rather than true names, but often this is the prefix of their email address or some variant. If the investigator already has access to a target's computer, the browsing history files will have a record of the sites visited. A search of received emails will also reveal signups to various online forums. Because the user perceives their posts as anonymous, they are often more frank with their thoughts and comments. The messages can demonstrate opinions different than official testimony or evidence.
6. Meta data – Of course, no discussion of hidden ESI would be complete without covering meta data. This information is stored within a disclosed file, but not part of the visible record. For example a Word document might have meta data describing which user(s) collaborated on the file, the dates of revisions, and even retained records of what has been deleted. Meta data on pictures can reveal the date and time of the picture, GPS coordinates, and the serial number of the camera. Since meta data covers a large variety of information, investigators can look for it almost anywhere. A PDF file might have website addresses where it was posted, a spreadsheet could contain hidden bank account numbers, and voicemail files often collect the caller ID of the incoming line.
7. Notes in margins of scanned PDFs – There are two types of PDF files, one created by document conversion and another by scanning. A converted document is created when a user takes a Word doc, Excel spreadsheet, or other editable file and converts it to an Adobe PDF file. These often retain the readable and searchable text within the file. A scanned PDF is essentially a picture of a paper document. The text is not “readable” by a computer, only by human eyes. Cut and paste is not possible, for example. An advantage of scanned PDFs is that since they were once a hard copy document, notations may have been added. Look for fax header lines, written notes, or time stamps in the margins. A scanned PDF can also be compared to an original to ensure it is the same version, and discover what changes have been made. Even smudges on one version can tell when it was scanned compared to another version. We worked on a case where a scanned PDF had a faint coffee mug stain which was matched to a cup controlled by a particular office employee.
8. Outlook calendars – Be aware that some subjects will keep more than one calendaring system: a business version on Outlook using the corporate server, and possibly others on PCs or Google Calendar. Look for similarities between the two, and emails where an event was added by a third party. Conference calls and webinars are particularly common for third party additions. A conference call can be useful to establish that there was a conversation on a particular date and subject. These often use a phone network dial-in that will not always show in phone logs.
9. Email counter party records – When analyzing email messages, look for unmatched conversation chains. If a conversation appears one-sided or is missing contextual messages, it may be because the user has other accounts which were used intermittently, or that some messages were permanently deleted. The counter party to important email threads may be able to provide the missing information and location of other email accounts. The same is true for attached files. Look for file names in emails which do not appear in the computer's file system. If these were deleted, the counter party would have a copy if needed.
10. Shopping / Fedex account records – Instead of disregarding shopping records which appear to be personal purchases, take a look at email confirmations of online shopping. The record may reveal alternate email addresses, physical mailing addresses, or credit card accounts not previously known. If the item was sent to a third party it may have been a gift for an acquaintance or associate who may be a lead. Fedex, UPS, and shopping site account histories are maintained for a long time, and can reveal events from years past which could be valuable. Did the subject ship an item from an alternate location? Was there a type of item purchased which needs investigation such as a part for a vessel, firearm, or romantic gifts?
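
For the Word meta data described in item 6, the sketch below is an added example (not part of the original post) that reads the author fields, dates, and tracked deletions out of a .docx, which is a zip of XML parts. The sample document, names, and dates are constructed, and `docx_hidden_info` is a hypothetical helper name.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]  # attribute names on tracked changes are namespaced

def docx_hidden_info(docx_bytes):
    """Return (core properties, tracked deletions) from a .docx held in memory."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        body = ET.fromstring(z.read("word/document.xml"))
    fields = [("creator", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy"),
              ("created", "dcterms:created"), ("modified", "dcterms:modified")]
    props = {key: core.findtext(path, default=None, namespaces=NS)
             for key, path in fields}
    deletions = []
    # With Track Changes on, removed text stays in the file inside <w:del>.
    for d in body.iterfind(".//w:del", NS):
        text = "".join(t.text or "" for t in d.iterfind(".//w:delText", NS))
        deletions.append((d.get(W + "author"), d.get(W + "date"), text))
    return props, deletions

def build_sample():
    """Constructed sample: only the two parts the parser reads."""
    core = ('<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" '
            'xmlns:dcterms="%(dcterms)s"><dc:creator>A. Author</dc:creator>'
            '<cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>'
            '<dcterms:created>2013-01-05T09:00:00Z</dcterms:created>'
            '<dcterms:modified>2013-02-01T17:30:00Z</dcterms:modified>'
            '</cp:coreProperties>') % NS
    doc = ('<w:document xmlns:w="%(w)s"><w:body><w:p>'
           '<w:r><w:t>Price is </w:t></w:r>'
           '<w:del w:author="B. Editor" w:date="2013-02-01T17:29:00Z">'
           '<w:r><w:delText>not </w:delText></w:r></w:del>'
           '<w:r><w:t>final.</w:t></w:r></w:p></w:body></w:document>') % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    print(docx_hidden_info(build_sample()))
```

Run it against a working copy of the produced file, never the original evidence item.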

Bonus: GPS devices – While more location assistance is coming from smartphones, many individuals still use stand-alone GPS devices such as a Garmin for day-to-day navigation. Many of these devices use a “bread crumbs” method for tracking past movements. An investigator may be able to extract the prior activities by looking at the trail of navigation from a vehicle GPS device. Scrolling through the entered addresses in the log file can also reveal what locations a subject was looking for on a certain day. The inclusion or exclusion of certain addresses also shows which places a subject does not know how to get to, and which ones they know with familiarity.

Operational tip: When analyzing an Excel spreadsheet, look for “static cells” which should be formulas. For example, if a commission amount should be calculated by multiplying a sales figure by a certain percentage, be sure that the cell contains a formula and not a fixed amount. This will not be readily apparent by looking at the sheet. One way to discover this is by making a few copies of a spreadsheet and changing various figures on the sheet, and seeing which numbers don’t change, or which ones result in “Error” messages.
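
The same check can be made without editing copies by reading the sheet XML inside the .xlsx directly. The following is an added example, not part of the original post: it flags numeric cells with a fixed value in any column where most cells are formulas. The sample workbook is constructed, `static_cells` is a hypothetical helper name, and the first worksheet is assumed to be `xl/worksheets/sheet1.xml`.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def static_cells(xlsx_bytes, sheet="xl/worksheets/sheet1.xml"):
    """Return numeric cells typed in by hand in columns that are mostly formulas."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        root = ET.fromstring(z.read(sheet))
    columns = {}  # column letters -> [(cell reference, has_formula)]
    for c in root.iterfind(".//m:c", NS):
        # Filled-down formulas are stored as <f t="shared"/>, so the presence
        # of the <f> element (not its text) is what marks a formula cell.
        has_formula = c.find("m:f", NS) is not None
        if not has_formula:
            if c.get("t", "n") != "n" or c.find("m:v", NS) is None:
                continue  # text, boolean, error or empty cell: not a candidate
        col = re.match(r"[A-Z]+", c.get("r")).group()
        columns.setdefault(col, []).append((c.get("r"), has_formula))
    flagged = []
    for cells in columns.values():
        formulas = sum(1 for _, f in cells if f)
        if formulas > len(cells) - formulas:  # column is mostly formulas
            flagged += [ref for ref, f in cells if not f]
    return sorted(flagged)

def build_sample():
    """Constructed sample: sales in column A, 5% commission in column C."""
    rows = [(1000, "A2*0.05", 50), (2000, "A3*0.05", 100),
            (3000, None, 500), (4000, "A5*0.05", 200)]
    cells = ""
    for i, (sales, formula, value) in enumerate(rows, start=2):
        f = f"<f>{formula}</f>" if formula else ""
        cells += (f'<row r="{i}"><c r="A{i}"><v>{sales}</v></c>'
                  f'<c r="C{i}">{f}<v>{value}</v></c></row>')
    xml = f'<worksheet xmlns="{NS["m"]}"><sheetData>{cells}</sheetData></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(static_cells(build_sample()))
```

A flagged cell is a lead to examine, not proof of tampering, since some sheets legitimately mix typed values and formulas in one column.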
