July 5, 2017
Personal Injury & Insurance Fraud Investigation: Get the
Mobile Device!
As a
registered Private Investigator in Virginia, I routinely see job postings and
other opportunities for “surveillance investigators” to work insurance fraud
cases. This role involves a licensed
private investigator going to the home and/or workplace of someone who has filed
an injury claim against another party for damages to surveil and document
(i.e., videotape) their activities to help prove or disprove that an injury has
taken place and is in line with the claim.
As an example, John Doe claims injury at his local grocery store by
slipping on a grape and falling. He
files suit against the grocery store chain, whose insurance company now must
work to defend this claim if they feel the claim is fraudulent. John Doe may get a doctor to diagnose him with
some sort of nondescript physical malady, bolstering his case, but medical
science can be fooled by a good actor, so the insurance company hires a private
investigator to follow and record John’s activities so they can dispute his
claim that he is legitimately injured due to the fall and present that evidence
to the plaintiff attorney and John Doe to combat the suit.
This is big
business in the private and insurance fraud investigation worlds. It’s probably just as big (or close to it) as
infidelity investigations. But when a
private investigator is charging $65 per hour or more to sit in his car with a
video camera, those costs can add up quickly.
One of the reasons why this is done is the worst reason in the world to
do anything: “That’s the way we’ve
always done it!” But there is a better
and more high-tech way to help prove whether or not John Doe is really injured…
Also, I
never liked surveillance work, so let’s talk about building a better proverbial
mousetrap…
Wearable Technology
The simple
fact is that in the modern era, smart phones are everywhere. Apple, Android, Windows and Blackberry (yes,
still) are all in the game to get consumer market share for smart phones. Furthermore, smart phones are almost always
connected to a network of some type, be it a cellular network, wi-fi network,
GPS or other type of connection. One
huge area of the smart phone market is wearable technology. Apple Watch, FitBit, Nike & others all
have the ability to track movement and calories burned for health & fitness
purposes. This data can be a huge
benefit in insurance fraud investigations.
If John Doe is claiming he can’t walk more than 5 minutes at a time,
would he really be taking 5,000 or more steps in a day? Much of this data is available to us through
mobile forensic data extraction and it really doesn’t go away unless the user
chooses to make it go away.
Overall Data Sources
Even if
there’s no wearable technology in place, the mobile device will often capture
movement & health data by default. In our experience, most users don’t turn off
default settings such as location data & health tracking information, so if
they’re using a device, it’s a pretty good bet the data is still there. Consider the sample data extraction we
performed on an iPhone 6s in April, 2017 using Cellebrite Universal Forensic Extraction
Device (UFED). The extraction is
encrypted, as it must be on an iPhone to get the health data, and even though the
Health app isn’t currently natively supported, there is still useful data
contained in a number of the app database tables.
Figure 1
below shows when the health data first started being logged on the device,
which is our first clue that the app is in use:
The next
figure helps show us how much data the Health app has used since its
initiation on the device, which further proves that the user was using this app
to track activity:
Fig. 2: Data in & data out on wireless network through
Health App
The “Wan In”
& “Wan Out” are indicators that data has been sent and received through the
Health app on the cellular network on this device. It’s a simple equation: if there’s no data
sent or received, the app is not in use.
Figure 3 details
part of the healthdb.sqlite file, which is a database file that is associated
with the Health app on the iPhone. It
details the data sources that the app is using to help track movement, calories
burned, etc.:
Fig. 3: Data input devices
As you can
see, the user is using not only the iPhone itself for the data input, but an
Apple Watch as well. The table even
tracks the software version of each of the devices and we can see that the user
has routinely updated the devices when new software versions were released. If the user were syncing a FitBit or other
wearable technology to this iPhone, that would likely be listed here as well
and give us yet another clue about where to look for additional data. Please note, the time frame listed here
covers multiple devices through upgrades as well.
The native
Health app on the iPhone has the ability to capture data from a number of
different sources, such as Nike Run, FitBit or other apps which track movement,
steps, etc. Figure 4 below shows us the
actual input data sources for data going to the health app and gives us more
information.
Fig. 4: Data Sources Input
So we know
that the data may be coming from the Apple Watch, the Health App, the iPhone
generally or the RunKeeper app. The
healthdb_secure.sqlite database is the real goldmine in this treasure hunt because
it tells us more specific information about steps taken, dates, times, calories
burned, goals set by the user, etc. Fig. 5 below is a sample of this data in the
activity cache:
Fig. 5: Health App Activity Cache Example
After
obtaining this data from John Doe’s (or Patrick’s) device, it starts to get
very hard to stand by the claim that he is injured beyond the ability to do
normal everyday activities. But a
further search of all the apps on the device reveals a number of other
activity-tracking apps, such as Pacer, which is used to track movement and
distance.
The Pacer app is
also not natively supported by Cellebrite, but that doesn’t matter. It still stores a ton of information we can
pull out of the database tables and report, as is shown in Fig. 6 below:
Fig. 6: Pacer App Data
This data
can exist independently or be used to help corroborate the data that exists
within the Health app. Will they always
be exactly the same? No. But the point is proven that there is a fair
amount of movement happening and John Doe (or Patrick) is likely capable of
earning a living and may not be injured to the degree he claims.
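An added example (not from the original article or from Cellebrite) of how the step data described above can be totaled per day and cross-checked against a second app such as Pacer. The table names, column names and the step-count type code are assumptions and all rows are constructed; confirm the actual schema in your own extraction.

```python
import sqlite3
from datetime import datetime, timezone

APPLE_EPOCH = 978307200  # seconds from 1970-01-01 to 2001-01-01 (Apple absolute time)
STEP_TYPE = 7            # ASSUMED data_type code for step count; confirm in your extraction

def open_readonly(path):
    """Open a working copy of an extracted database without modifying it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def apple_ts(y, m, d, h):
    """Apple absolute timestamp for a UTC date/hour (used to build sample rows)."""
    return datetime(y, m, d, h, tzinfo=timezone.utc).timestamp() - APPLE_EPOCH

def build_sample_db():
    """Constructed stand-in for the Health database; the schema is an assumption."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE samples (data_id INTEGER PRIMARY KEY, start_date REAL, data_type INTEGER);
        CREATE TABLE quantity_samples (data_id INTEGER, quantity REAL);""")
    rows = [(1, apple_ts(2017, 4, 10, 9), 7, 2100), (2, apple_ts(2017, 4, 10, 13), 7, 1900),
            (3, apple_ts(2017, 4, 10, 18), 7, 1500), (4, apple_ts(2017, 4, 11, 10), 7, 1200),
            (5, apple_ts(2017, 4, 11, 16), 7, 800), (6, apple_ts(2017, 4, 11, 16), 8, 1.2)]
    for data_id, start, dtype, qty in rows:
        db.execute("INSERT INTO samples VALUES (?, ?, ?)", (data_id, start, dtype))
        db.execute("INSERT INTO quantity_samples VALUES (?, ?)", (data_id, qty))
    return db

def daily_steps(db):
    """Total steps per UTC day; shift to the device's time zone before reporting."""
    sql = """SELECT date(s.start_date + ?, 'unixepoch') AS day, SUM(q.quantity)
             FROM samples s JOIN quantity_samples q ON q.data_id = s.data_id
             WHERE s.data_type = ? GROUP BY day ORDER BY day"""
    return {day: int(total) for day, total in db.execute(sql, (APPLE_EPOCH, STEP_TYPE))}

def days_over(daily, threshold=5000):
    """Days whose step total meets or exceeds the threshold from the claim."""
    return sorted(day for day, steps in daily.items() if steps >= threshold)

def corroborated(primary, secondary, tolerance=0.10):
    """Days present in both sources whose totals agree within the tolerance."""
    return sorted(day for day in primary.keys() & secondary.keys()
                  if abs(primary[day] - secondary[day]) <= tolerance * max(primary[day], secondary[day]))

if __name__ == "__main__":
    health = daily_steps(build_sample_db())
    pacer = {"2017-04-10": 5320, "2017-04-11": 2150}  # constructed Pacer daily totals
    print(health, days_over(health), corroborated(health, pacer))
```

For a real case, pass the connection from open_readonly() on a working copy of the extracted file to daily_steps() in place of the constructed database.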
Getting the Device
The rub in
civil cases like this is often getting access to the device. This important step should not be
overlooked. First and foremost, Counsel
should issue a spoliation letter to the plaintiff to preserve this data. If this is not in place, you run the risk of
the data being destroyed when an order to produce is issued. Furthermore, consumers upgrade their devices
all the time, and if the device is upgraded during the litigation process, we
need to ensure the previous device is still accessible. Next, when the timing is appropriate, we can
petition the court for a Motion to Compel the opposing party to produce their
device for the purposes of proving or disproving certain activity. We see this done fairly often in divorce
matters to help prove or disprove infidelity, malicious behavior/abuse,
locations etc. One very important piece about the
petition to the court is to request that any and all passcodes and passwords to
the device be supplied by the opposing party. Without this, we may not be able to access
the data on the device.
There are
likely other data sources on the device that may serve to dispute the claim of
injury, such as pictures, videos, etc.
But the health and activity data is often overlooked by the claimant in
a civil action because it’s all stored automatically. Furthermore, this data is not always easy to
delete. So start thinking outside the
box and call a digital forensic consultant before you call your private
investigator with his video camera. You
could save a lot of time and money and get better and less subjective evidence
to help defend your client!
Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
About the Author:
Patrick Siewert is the Principal Consultant
of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he
investigated hundreds of high-tech crimes, incorporating digital forensics into
the investigations, and was responsible for investigating some of the highest
jury and plea bargain child exploitation investigations in Virginia court
history. Patrick is a graduate of SCERS,
BCERT, the Reid School of Interview & Interrogation and multiple online
investigation schools (among others). He continues to hone his digital forensic
expertise in the private sector while growing his consulting &
investigation business marketed toward litigators, professional investigators
and corporations, while keeping in touch with the public safety community as a
Law Enforcement Instructor.