Wednesday, July 5, 2017
Personal Injury & Insurance Fraud Investigation: Get the Mobile Device!
As a registered Private Investigator in Virginia, I routinely see job postings and other opportunities for “surveillance investigators” to work insurance fraud cases. This role involves a licensed private investigator going to the home and/or workplace of someone who has filed an injury claim against another party for damages to surveil and document (i.e., videotape) their activities to help prove or disprove that an injury has taken place and is in line with the claim. As an example, John Doe claims injury at his local grocery store by slipping on a grape and falling. He files suit against the grocery store chain, whose insurance company now must work to defend this claim if they feel the claim is fraudulent. John Doe may get a doctor to diagnose him with some sort of nondescript physical malady, bolstering his case, but medical science can be fooled by a good actor, so the insurance company hires a private investigator to follow and record John’s activities so they can dispute his claim that he is legitimately injured due to the fall and present that evidence to the plaintiff attorney and John Doe to combat the suit.
This is big business in the private and insurance fraud investigation worlds. It’s probably just as big (or close to it) as infidelity investigations. But when a private investigator is charging $65 per hour or more to sit in his car with a video camera, those costs can add up quickly. One of the reasons why this is done is the worst reason in the world to do anything: “That’s the way we’ve always done it!” But there is a better and more high-tech way to help prove whether or not John Doe is really injured…
Also, I never liked surveillance work, so let’s talk about building a better proverbial mousetrap…
The simple fact is that in the modern era, smart phones are everywhere. Apple, Android, Windows and BlackBerry (yes, still) are all in the game to get consumer market share for smart phones. Furthermore, smart phones are almost always connected to a network of some type, be it a cellular network, Wi-Fi network, GPS or other type of connection. One huge area of the smart phone market is wearable technology. Apple Watch, FitBit, Nike & others all have the ability to track movement and calories burned for health & fitness purposes. This data can be a huge benefit in insurance fraud investigations. If John Doe is claiming he can’t walk more than 5 minutes at a time, would he really be taking 5,000 or more steps in a day? Much of this data is available to us through mobile forensic data extraction and it really doesn’t go away unless the user chooses to make it go away.
Overall Data Sources
Even if there’s no wearable technology in place, the mobile device will often capture movement & health data by default. In our experience, most users don’t turn off default settings such as location data & health tracking information, so if they’re using a device, it’s a pretty good bet the data is still there. Consider the sample data extraction we performed on an iPhone 6s in April, 2017 using Cellebrite Universal Forensic Extraction Device (UFED). The extraction is encrypted, as it must be on an iPhone to get the health data, and even though the Health app isn’t currently natively supported, there is still useful data contained in a number of the app database tables.
Figure 1 below shows when the health data first started being logged on the device, which is our first clue that the app is in use:
The next figure helps show us how much data the Health app has used since its initiation on the device, which further proves that the user was using this app to track activity:
Fig. 2: Data in & data out on wireless network through Health App
The “Wan In” & “Wan Out” are indicators that data has been sent and received through the Health app on the cellular network on this device. It’s a simple equation: if there’s no data sent or received, the app is not in use.
Figure 3 details part of the healthdb.sqlite file, which is a database file that is associated with the Health app on the iPhone. It details the data sources that the app is using to help track movement, calories burned, etc.:
Fig. 3: Data input devices
As you can see, the user is using not only the iPhone itself for the data input, but an Apple Watch as well. The table even tracks the software version of each of the devices and we can see that the user has routinely updated the devices when new software versions were released. If the user were syncing a FitBit or other wearable technology to this iPhone, that would likely be listed here as well and give us yet another clue about where to look for additional data. Please note, the time frame listed here covers multiple devices through upgrades as well.
The native Health app on the iPhone has the ability to capture data from a number of different sources, such as Nike Run, FitBit or other apps which track movement, steps, etc. Figure 4 below shows us the actual input data sources for data going to the health app and gives us more information.
Fig. 4: Data Sources Input
So we know that the data may be coming from the Apple Watch, the Health App, the iPhone generally or the RunKeeper app. The healthdb_secure.sqlite table is the real goldmine in this treasure hunt because it tells us more specific information about steps taken, dates, times, calories burned, goals set by the user, etc. Fig. 5 below is a sample of this data in the activity cache:
Fig. 5: Health App Activity Cache Example
After obtaining this data from John Doe’s (or Patrick’s) device, it starts to get very hard to stand by the claim that he is injured beyond the ability to do normal everyday activities. But a further search of all the apps on the device reveals a number of other activity-tracking apps, such as Pacer, which is used to track movement and distance.
Pacer app is also not natively supported by Cellebrite, but that doesn’t matter. It still stores a ton of information we can pull out of the database tables and report, as is shown in Fig. 6 below:
Fig 6: Pacer App Data
This data can exist independently or be used to help corroborate the data that exists within the Health app. Will they always be exactly the same? No. But the point is proven that there is a fair amount of movement happening and John Doe (or Patrick) is likely capable of earning a living and may not be injured to the degree he claims.
Getting the Device
The rub in civil cases like this is often getting access to the device. This important step should not be overlooked. First and foremost, Counsel should issue a spoliation letter to the plaintiff to preserve this data. If this is not in place, you run the risk of the data being destroyed when an order to produce is issued. Furthermore, consumers upgrade their devices all the time, and if the device is upgraded during the litigation process, we need to ensure the previous device is still accessible. Next, when the timing is appropriate, we can petition the court for a Motion to Compel the opposing party to produce their device for the purposes of proving or disproving certain activity. We see this done fairly often in divorce matters to help prove or disprove infidelity, malicious behavior/abuse, locations etc. One very important piece about the petition to the court is to request that any and all passcodes and passwords to the device be supplied by the opposing party. Without this, we may not be able to access the data on the device.
There are likely other data sources on the device that may serve to dispute the claim of injury, such as pictures, videos, etc. But the health and activity data is often overlooked by the claimant in a civil action because it’s all stored automatically. Furthermore, this data is not always easy to delete. So start thinking outside the box and call a digital forensic consultant before you call your private investigator with his video camera. You could save a lot of time and money and get better and less subjective evidence to help defend your client!
Patrick J. Siewert
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!
We Find the Truth for a Living!
Monday, May 15, 2017
Case Study: Call Detail Records Analysis in Civil Domestic Litigation
The conventional wisdom with regard to cellular call detail record analysis is that it is a tool primarily used by law enforcement to help prove or disprove the location of a criminal suspect in a given incident. More and more, however, we’re seeing uses for cellular call detail record (CDR) analysis and mapping in the civil litigation world, too. We’ll be discussing one such case in this article.
As a brief disclaimer, the exact locations of the houses of the parties involved in this case have been changed for confidentiality, but the rough geographical area and the cell tower information is the same. This is a live case which we worked and was recently concluded. So if you still don’t think that CDR analysis can be of use in your civil case, keep reading and let us help change your mind!
In July, 2016, we received a call from a divorced client who was seeking to have his alimony agreement reviewed by the Court. He had been divorced from his ex-wife for a number of years, but his spousal support agreement was costing him thousands of dollars every year, so he was researching ways to show that his ex-wife was not in compliance with the agreement. Like many alimony agreements, his stipulated that if the ex-wife cohabitated with anyone for a period of 12 months or more, the client would be released from the alimony agreement. The client, a very savvy and smart businessman in his own right, had already hired a traditional private investigator for surveillance, but the requirements to prove his suspicion in this case were too great and costly for that to be a viable year-long solution. However, he surmised that if he could obtain the cellular call detail records for his ex-wife’s paramour for a period of 12 months and illustrate that he never stayed at his listed residence and always stayed at the ex-wife’s residence during the 12-month period, it would constitute cohabitation. The client called us and we assisted with subpoena language, consultation, cellular record analysis and mapping.
The paramour’s cellular provider is Verizon Wireless. His listed address is also the address on the cellular account, which made proving where he claimed to live a simple matter. Both houses’ locations were verified through GPS coordinates and were not that far apart, but as you’ll see, they were far enough apart to make a difference in this case.
Verifying the data is always a part of best practices. To that end, we traveled to and physically verified the GPS coordinates of the houses of interest and the cellular towers primarily involved in this case. We further verified the type of cellular device the paramour was using through Verizon Wireless and spent some time on the phone with technicians from Verizon Wireless to ensure the analysis in this case was accurate.
Verizon Wireless records are provided in a series of Excel spreadsheets. The call detail records (CDRs) for the requested time period are in one spreadsheet and another details every tower in every switch in every locality that the device connected to for the requested period. It further details the GPS coordinates of those towers, the sectors (sides) of the towers and the azimuth and beam width of the given sectors. CDRs do not provide cellular signal range, but we can estimate the range by identifying the next closest tower of the same provider (one of which also happened to be a relevant tower in this case), measure the total distance and calculate 60% of that distance for the range of each tower in that direction.
Finally, timing of use was a primary issue. Because the paramour had a job that required him to travel all over the local area (in addition to out-of-state locations), the time frame for the analysis was restricted from 2100 hrs. to 0700 hrs. every day for all 12 months. This would help demonstrate where the paramour may actually be laying his head at night. In presenting our final report, we tallied the percentage of times calls were made from 2100 hrs. to 0700 hrs. on the towers that would likely service both the paramour’s listed residence and the ex-wife’s residence on a month-by-month basis. The final numbers were greatly skewed toward the tower and sectors servicing the ex-wife’s house.
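The 60% range estimate and the 2100 to 0700 monthly tally described above, as an added example (not the author's tooling and not Verizon's file layout). Tower IDs 468 and 302 come from the article; the coordinates, call rows, local-time timestamps and the choice to treat 0700 as the exclusive end of the window are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data: only tower IDs 468 and 302 come from the article.
TOWERS = {"468": (37.6000, -77.5000), "302": (37.5500, -77.4300)}
CDRS = [  # (call start in local time, tower, sector)
    ("2016-01-04 22:15", "468", "GAMMA"),
    ("2016-01-05 06:40", "468", "BETA"),
    ("2016-01-05 13:05", "302", "BETA"),   # daytime: outside the window
    ("2016-01-09 23:50", "302", "BETA"),
    ("2016-02-02 21:00", "468", "BETA"),   # 2100 sharp: inside
    ("2016-02-03 07:00", "468", "GAMMA"),  # 0700 sharp: outside (assumption)
    ("2016-02-10 00:30", "468", "GAMMA"),
]

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def estimated_range_km(tower, neighbour):
    """Rough range: 60% of the distance to the next closest tower."""
    return 0.6 * haversine_km(TOWERS[tower], TOWERS[neighbour])

def overnight(cdrs):
    """Keep calls from 2100 to 0700; the window crosses midnight, hence 'or'."""
    for stamp, tower, sector in cdrs:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if ts.hour >= 21 or ts.hour < 7:
            yield ts, tower, sector

def monthly_share(cdrs):
    """Percent of overnight calls per (tower, sector), by calendar month."""
    counts = defaultdict(Counter)
    for ts, tower, sector in overnight(cdrs):
        counts[ts.strftime("%Y-%m")][(tower, sector)] += 1
    return {month: {key: round(100 * n / sum(c.values()), 1) for key, n in c.items()}
            for month, c in counts.items()}

def tower_share(cdrs, tower):
    """Percent of all overnight calls handled by one tower, any sector."""
    hits = [t for _, t, _ in overnight(cdrs)]
    return round(100 * hits.count(tower) / len(hits), 1) if hits else 0.0

if __name__ == "__main__":
    print(monthly_share(CDRS), tower_share(CDRS, "468"), estimated_range_km("468", "302"))
```

Calls are grouped by the calendar month of their timestamp, so a call at 0200 on the 1st counts toward the new month rather than the night it belongs to; confirm the time zone of the provider's timestamps before applying the window.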
Challenges to Analysis
As you can imagine, this was a large amount of data to analyze, map and report. Additionally, condensing over 12 months’ worth of cellular call data into a concise, easy to understand report was vital in this case. To add to the challenges, the ex-wife’s residence lay on the border of two sectors of the tower that was closest to it, so if a call were made in the front driveway, it may “ping” off of sector gamma, but if a call were made from the back of the house, it may “ping” off of sector beta (see graphic below). This proved in the end to be an asset because it increased the percentages of calls that the paramour was making that hit off of that tower and those sectors.
Mapping for Analysis
Mapping the locations of houses, cell towers and sectors in this case was essential. To ensure a concise illustration, the data was pared down to the two relevant towers, three overall relevant sectors between them and the two relevant locations – the ex-wife’s house and the paramour’s listed residence. When the data is distilled down, here’s what the map looked like:
As we stated in the final report, there are a number of factors that can affect the range of cell towers: terrain, tower load (use at a particular time), maintenance, weather, etc. The pie-shaped wedges illustrated here are estimates and should be considered rough operational ranges.
When all calls in the specified time frame were added up, 63% of them were sent or received from tower 468, sectors BETA and/or GAMMA. That may not seem like an astronomical amount until you factor in that in some months 100% of the calls were sent or received from those sectors and that, in the same time period, only 1% of calls were sent or received from tower 302, sector BETA, which would be the tower closest to the paramour’s alleged & listed residence.
Despite continued challenges from the opposing party throughout this case and receiving a subpoena to appear in court to testify as to our findings, the case settled to our client’s satisfaction about a week before trial. The client’s attorney in the case emailed to say “I believe that a big reason it resolved was your report.” Feedback like that is fantastic to hear. This case involved many hours of tedious analysis work and we’re very happy it turned out positively for the client.
The value of cellular call detail record data in any number of cases should not be overlooked. Recently, I was discussing mobile data with some personal injury attorneys. The challenge in distracted driving cases, for instance, is that the device that may have been in use may be long gone by the time litigation and discovery come around. Other evidence, such as cellular call detail records, can prove very useful and should be considered as a valuable resource of information in civil cases ranging from alimony to employment disputes to personal injury.
Patrick J. Siewert