Case Studies

When a partner of a commercial real estate company caught wind of fraudulent deals being penned by the other partners of the firm, he decided to take action. However, one of the partners involved realized that there may be trouble, and quickly began a coordinated effort to destroy the digital trail evidence. Text messages were removed from devices and cloud-based backups destroyed.

Investigators leveraged the power of active threading functionality allowing them to reconstruct conversations from multiple data sources ranging from backups to forensic images of each individual’s phone.

The digital trail of evidence being deleted from multiple devices presented a significant hurdle to investigators attempting to piece conversations back together. The answer and revealing path rested on reconstructing the fragmented message threads across devices. Investigators leveraged the power of active threading functionality to reconstruct conversations from multiple data sources ranging from backups to forensic images of each individual’s phone. Interestingly enough, it was a voicemail that captured the group’s intentions to delete the incriminating data that became the key piece of evidence.

While the whistleblower possessed text messages and other communications surrounding the corruption, fraud, and dishonesty, other key messages were found through restoration of iCloud backups spanning laptops and two smartphones. The technology was able to reveal key information captured from multitude of metadata sources including:

• EXIF Data from several key photos
• Geolocations revealing travel patterns
• Text Messages, WhatsApp and Facebook Messenger

Using the functionality of active threading, the counsel saved incredible amounts of time putting the story together with all of the relevant data. In the end, the timeline functionality paired with its ability to support multiple disparate data types counsel was able to clearly piece together the fraud as well as the attempt to hide the evidence.

Today’s criminals do not plan their crimes via email and zoom exchanging PowerPoint slides. And when it comes to solving today’s complex crimes, identifying technological data points that can prove innocence or guilt beyond a reasonable doubt are at the heart of every investigation. From Fitbits to burner phones, today’s criminals leave a trail of digital fingerprints that require modern investigative technology.

Mobile devices are often considered a window into one’s daily life. A cell phone’s location can be detected through cell site location information, often referred to as CSLI. This data, when available, can be quickly analyzed through technological means to place a person at or near specific locations. However, geolocation is often just one piece of a complex puzzle. When you send an SMS, MMS or place a call, your phone’s location is often being recorded when connecting to a nearby cell tower. Dates and times are also recorded down to the second that include the moment a call or message was sent, as well as the service being engaged, such as SMS or 4G LTE.

Investigators were trying to piece together as much evidence as possible to determine where each suspect was located in correlation to the crime scene.

Recently one of our Partners needed to analyze and cross reference messages received by one device in conjunction with cell tower data from two other devices subpoenaed as part of a criminal investigation. Mobile messages from the victim’s device were loaded into our platform, combined with the cell tower data captured from the suspect’s devices. Leveraging the Actor Matching Technology, each message could be mapped to its participants, showing who was engaged in conversations at specific times.

Investigators were trying to piece together as much evidence as possible to determine where each suspect was located in correlation to the crime scene. The Actor Matching Technology quickly linked actors to the phone calls, text messages, and the cell tower geolocations recorded. Timelines were then built for each matter actor to show where each suspect was located in correlation to the victim. Combining this evidence into a single investigative solution quickly revealed patterns of activity surrounding the night of the incident, helping investigators present a clear picture of the night in question.

Wage and hour class actions require specificity of aligning claims to the class. Much of this data usually resides in a multitude of platforms ranging from off-the-shelf software to proprietary timekeeping systems that often prove challenging to align and fully understand.

A telemarketing firm was faced with a claim of several years of unpaid time was owed to employees because their timekeeping software used to register employees’ time was not properly recording the start and end of their workday. The claim alleged that the system did not synchronize time entries properly with the actual time each employee started their workday, taking anywhere from 15 to 30 minutes to register their initial punch in time. There were also claims by the class that their workday often extended beyond the time they clocked out. Overall, the claim alleged the employees had been underpaid on average of thirty minutes each day spanning a period of approximately three years and sought reparations for these unpaid hours.

CloudNine technology was used to effectively combine both the timecard entries with each employees’ email activity over the course of the period of the claim. The digital trail revealed that periods of work activity were in sync with the timekeeping system.

Data available included exports from the timekeeping system, which reflected each employees’ time in and out for each day worked, as well as internal ticketing system that leveraged email notifications and responses, reflecting when each user was actively resolving open requests. CloudNine technology was used to effectively combine both the timecard entries with each employees’ email activity over the course of the period of the claim. The digital trail revealed that periods of work activity were in sync with the timekeeping system.

At its core, the CloudNine technology is designed to combine a multitude of disparate data types in a simple and intuitive fashion, allowing case teams to quickly identify differing activities and filter by the correlating individual or group. Sets of data can then be easily identified and time-lined to demonstrate clear patterns of work activity across a variety of differing data types.