Case Studies

Reconstructed Text Message Chains And A Telling Voicemail Tips The Scales

When a partner of a commercial real estate company caught wind of fraudulent deals being penned by the other partners of the firm, he decided to take action. However, one of the partners involved realized that there might be trouble and quickly began a coordinated effort to destroy the digital trail of evidence. Text messages were removed from devices, and cloud-based backups were destroyed.

The deletion of the digital trail of evidence from multiple devices presented a significant hurdle to investigators attempting to piece conversations back together. The answer lay in reconstructing the fragmented message threads across devices. Investigators leveraged the power of active threading functionality to reconstruct conversations from multiple data sources ranging from backups to forensic images of each individual’s phone. Interestingly enough, it was a voicemail that captured the group’s intentions to delete the incriminating data that became the key piece of evidence.

While the whistleblower possessed text messages and other communications surrounding the corruption, fraud, and dishonesty, other key messages were found through restoration of iCloud backups spanning laptops and two smartphones. The technology was able to reveal key information captured from a multitude of metadata sources, including:

  • EXIF Data from several key photos
  • Geolocations revealing travel patterns
  • Text Messages, WhatsApp and Facebook Messenger

Using the functionality of active threading, counsel saved incredible amounts of time putting the story together with all of the relevant data. In the end, with the timeline functionality paired with its ability to support multiple disparate data types, counsel was able to clearly piece together the fraud as well as the attempt to hide the evidence.
