Archive for the 'Private Investigator' Category

Three Rules for Success

To be a successful private investigator follow my three rules.

  1. Spend 95% of your workday doing billable tasks.
  2. Be incredibly organized, and maintain a fastidious filing system.
  3. Don’t get distracted by things that aren’t billable hours.

Site Investigation Tools

When you start to investigate a particular Internet site, I suggest you begin with these resources.

Domain Dossier Investigate domains and IP addresses. Get registrant information, DNS records, and more—all in one report.

InterNIC Public Information Regarding Internet Domain Name Registration Services

Network Solutions’ Whois

DomainSearch.com  Search multiple top level domains at once to see if the domain name is in use. I use it to find the domain name in other top level domains.

Convert Host/Domain Name to IP Address and vice versa  Find the IP of a host machine (convert host to IP) or domain name (convert domain name to ip address) or find the name of one of the hosts at an IP address (convert ip address).

Using Traceroute Learn how to use and interpret traceroute results.

Additions thanks to Kirby:

hostcabi.net  Provides lot of information, but most importantly, it identifies other users of same Google Analytics account and all the sites using that account.

sitedossier.com  Sometimes shows older servers, which is useful when website has upgraded to cloud service or CloudFlare.

Getting a Date

Date formats are easily misinterpreted. For example, if you write 06-07-07, an American might assume that it represents June 7, 2007 or 1907 and an European might assume that it is 6 July 1907 or 2007. Some might  recommend using an unambiguous date system, such as an ISO 8601 European date format, (YYYY-MM-DD) but unless the reader  is a government worker they might get the month and date mixed-up.

The best method is to use a 3-letter abbreviation for the month preceded by the day and followed by the full year to avoid any confusion thusly, 6 Jul 2007.

Forgotten But Not Gone

The European Union “right to be forgotten” law that allows individuals to demand the removal of links from Google’s EU search sites is starting to come into play.

The EU “Right to be Forgotten” is clearly a form of censorship in the 28 member nations and 4 other European countries that encompasses over 500 million people. Google has 90% of the search engine market there.

Demanding the removal of an indexed item only renews interest in the story. As the law only applies to Google and not the pages themselves or other search engines, traffic to the articles in question increases thanks to journalists calling attention to them once they receive notification that the article was removed from the EU sites. This is known as The Streisand Effect.

European Google search results for any name display the disclaimer that, “Some results may have been removed under data protection law in Europe,” even if nobody requested the removal of anything.

Of course, people will soon tire of writing about the removed articles and people will stop demanding the removal of indexed items.

Certainly, a free speech enthusiasts will start to collate all the missing search results and make them available. This has already started with Hidden From Google. This site archives articles that Google must remove from European Union search results. I’m certain a Twitter account like @gdnvanished will also appear to provide similar content.

The easiest way to circumvent this censorship is to search using the Google.com site instead of the local EU search sites—or better yet, use other search engines like DuckDuckGo, Yandex, and blekko.

Perception & Disguise

I was working on a small surveillance crew recently and we needed to change our appearances on the fly. Changing clothing is an old ploy but it wasn’t enough for this group of very alert subjects.

We bought used clothing in bigger sizes than we normally wear. I tested this clothing around people who haven’t seen me in a while. They all commented on how much weight I had lost. Some asked if I had been sick. I didn’t change, but the clothes made me look like I had lost 30 pounds. Adding a little makeup under my eyes made some people think I had a terminal illness.

Perception goes a long way. People quickly jump to conclusions–my disguise made sure it was the conclusion I wanted them to make.

Critical Thinking & Reality TV

Critical thinking is the investigator’s greatest tool. You might have developed a good way of evaluating sources such as my 13-point check list for evaluating information, but you must apply it with intellectual rigor.

The authority of the source and the accuracy of the information are key issues to examine.

  • What is the reputation of the data, and the data-provider? Has this source of data been cited elsewhere?
  • What is the reliability of the source?
  • How can you document or qualify the source of the information?
  • Are the complex issues of data integrity and validity oversimplified?

With regard to authority and accuracy, I suggest you read the interview with Cody Lundin who is a professional survival instructor with over 25 years of experience. Read this to learn more about Survival TV from his perspective as an expert. He calls this stuff, Survival Entertainment with good reason and says, “…anyone who would trust their life to what they see on reality television shouldn’t breed.”

Microsoft’s Ban on Guns & the Investigator

Since 2009 Microsoft’s Code of Conduct has been applied to more and more of their online services. Under this Code of Conduct, users are prohibited from using it in  “any way that promotes or facilitates the sale of ammunition and firearms” (See bullet point #13). You have to trust that Microsoft’s definition of “promotes or facilitates the sale of ammunition and firearms” is the same as yours and that one of their robots doesn’t delete all your data. Not recognising this risk could mean the loss of all your investigation reports and data. A lot of my investigations have included large volumes of data on firearms and ammunition. Imagine the damage to your reputation, if at a crucial juncture in the investigation, some Microsoft employee or robot decides my data and reports are “promoting guns” and deletes everything.

Most of Microsoft’s online services are covered by their “Code of Conduct”. This includes Windows Live, Office 365, Microsoft Sharepoint, Bing.com, Outlook.com, Windows OneDrive, Exchange Online, MSN and more.

Searching for firearms and ammunition data on Bing may already produce censored results as a result of the Code of Conduct.

Only Skype, Microsoft Azure and XBox Live are now exempt. I expect Skype will be the next to come under the Code of Conduct.

Windows OneDrive, formally Microsoft SkyDrive, is part of Windows 7, Windows 8, Windows 8 for Phones and Windows 8 for Tablets. If you handle information about firearms you should avoid these products. You could find your account terminated and all your emails, contacts, calendar, and everything else deleted.

Windows Live powers a number of Microsoft services including Microsoft’s cloud email and cloud Office suite. Windows Live, Outlook.com and Exchange Online power many large institutions. If you work in such an institution be very careful, especially if you have signed documents agreeing to abide by Microsofts Terms of Use.

If you use Microsoft Office and the Office 365 service to share files about guns, then you will eventually find everything has gone down the memory hole.

Microsoft’s Code of Conduct can affect everything an investigator does. Searching, email, voice calls, storing data, and preparing reports are all potentially at risk if you use these services in relation to firearms and ammunition related topics. Now ask yourself how Microsoft knows the content of your data and think about the confidentiality and security of your data.

You must have a due diligence process in place before starting to even look for online and cloud services. You have to read and understand the implications of all the stuff hidden in the fine print.

How to Take Veracious Surveillance Video

I don’t like going to court, who does, but sometimes it’s a necessary evil.

I once conducted a surveillance as part of a complex investigation. Of all the surveillance operatives, I was the only one subpoenaed regarding the primary subject. During a break in the proceedings I asked the barrister, why only me?

His answer was simple and direct. He said, “you started or finished each video segment by panning up and out to wide angle to clearly show where the video was taken. The visible landmark buildings and the surroundings make your video more credible.”

None of my evidence was questioned until they got around to a segment of my “camera in a cardboard box” video taken on a city street. Those questions ended when pictures of me with my box on the street were entered into evidence. These were taken by facing a reflective shop window–there I was in my Dickie work clothes holding the cardboard box that concealed the the camera.  The other side didn’t like the fact that I captured the licence plates on both the subject’s car and that of his mistress parked on the same side street by walking down the street with my cardboard box. They were later connected through the licence plate and surveillance, which in turn, led us to an apartment on the same side street that was purchased with embezzled funds.

I don’t know if questioning the truthfulness of all surveillance video based upon the location of the person recording it will become standard practice or if this was just a bit of aggressive lawyering, but these courtroom tactics can be defeated by proper technique, documentation, and reporting.

Searching Google Anonymously While Signed In

I know you still want to use Google without giving away all your personal data. To accomplish this while using Firefox, use the Searchonymous extension. With this, you can stay signed into your Google account while searching and Google won’t know it’s you doing the search. It also gets rid of most of the annoying ads.

If you use Chrome or a browser like Comodo Dragon that is based on Chrome, then you might try Search Disconnect which purports to do the same thing.

Smartphone Security

Losing your smart phone can be more that inconvenience if your are an active private investigator. Over at PInow, Kelly Cory’s article titled How to Keep Your Smartphone Secure offers some sound advice.

Black Suits & Dark Glasses

I went to a meeting with a client to help solve a problem one of his customers was having. Sitting in the reception area, I witnessed a wondrous spectacle. In struts a guy in a black suit wearing dark glasses and earwig. He looks around ominously and then talks into his sleeve. Next, the great man enters surrounded by a phalanx of black suits, dark glasses, and earwigs. This is Canada. Private bodyguards don’t exist here. They are just for show-offs who like to look important or for those tricked into hiring some feckless cannon fodder.

It turned out that this was the guy with the problem. My client realised that he was ineptly handling the symptoms rather than treating the disease. He had received threats. He had suffered vandalism to his home and car. He couldn’t in any way identify his persecutor. However, he was a senior executive of a company in an industry that sometimes attracts threats and acts of violence.

When the great man was asked how he had received the threat, he said that he received it on his unlisted cell phone, so it must be a serious threat perpetrated by dangerous people. I Googled the cell phone number. Lo and behold, there it was in a Kijiji ad for some stuff he was selling. The picture of the stuff included the front of his house and enough of his car to identify its make, model, and colour.

His name appeared on the title for his house along with that of his wife. Searching his name in social media sites, I was able to identify his children and wife. I found that his son went to hockey practice at the arena where his car was vandalised.

In half an hour I learned where he lived, his cell phone number, identified his family, where his children went to school, and learned his son’s hockey schedule. More importantly, the social media content related to his family members also identified him. This led me to conclude that it was possible that he was not the target. Of course, the wife and kids didn’t have bodyguards.

Each of his bodyguards was questioned regarding their training and experience. It wasn’t surprising to me that they were repurposed security guards with no training. The agency providing the bodyguards did not conduct any investigation nor did the client’s employer.

Without any idea who in the family was being targeted, new security arrangements were made. The house and office got uniformed security guards. The client and his wife got reliable security drivers. We put in place new security arrangements for the children. All social media content was expunged. I ensured that the police and telephone company became involved.

Further investigation produced a list of suspects. The police tied one of these to the vandalism of the client’s car. Police interrogation led to a confession. The offender turned out to be the teenage daughter’s jilted suitor who was also a player on a rival hockey team.

Veracity of Online Images & Video

My mother advised me not to believe everything I read remains true today as it was 50 years ago. Today, this advice extends to online video and images.

Hoax imagery and video abounds online. A fake video of an eagle trying to fly off with an infant in a Montreal park is only one example. Students at the National Animation and Design Centre created this ‘Golden Eagle Snatches Kid’ video. Their skill was impressive. It took a frame-by-frame analysis to uncover the fake. Frames that lacked the eagle’s shadow revealed it to be a hoax.

Free editing software like VLC Media Player or Avidemux Video Editor can help split video into frames, but locating and investigating the person who posted the video proves more productive in most cases. The following is a short outline of how I approach this problem.

First, start listing the places you find the item and user names that posted it. Look for the first instance of the item by filtering by date. Try to find the first instance as this may be the original and the original poster of the item. Compare video thumbnails to find the earliest and largest as that may be the original. Search the thumbnails in Google Image Search, TinEye, and Bing. However, searching TinEye, et al, will require an image with high contrast and distinctive colour combinations.

Next, try to identify the person who first posted it. Sometimes, discovering the creator of the item is easy because it was posted on a Facebook page or on YouTube, but usually it was just duplicated there and originates elsewhere. Search all text associated with the item—tags, descriptions, user names. Use everything as search terms. Search all the user names to identify the people. Use sites to LinkedIn, Facebook, etc., to get a feel for the background of the people you may later contact.

Once you have found the likely source of the item, examine and question the source to establish his reliability. You need to engage this person to establish that he created the video or image and that it isn’t a hoax or an altered version of something he still possesses.

What was the Weather Like?

Wolfram Alpha is an interesting answer engine. It answers questions by computing the answer from curated, structured data, rather than providing a list of web pages that contain the search words like normal search engines.

Investigations often hinge on local conditions such as weather. When I need to estimate the weather conditions or compare someone’s description of the weather to actual conditions, I type in a search term like “what was the weather in toronto on july 1, 1967″. Sometimes, Wolfram Alpha has no data from which to formulate an answer such as happened with this search. If you substitute the years 1950 or 2000 you get answers, but not for 1967.

Of course I verify what I get from Wolfram Alpha through official sources.

How to be an Internet Eyewitness

Eyewitness testimony is the weakest evidence an investigator can collect. The vessel that contains this evidence is subject to illness, death, corruption, and a myriad of defects that compromise the evidence. Being a trained investigator does not make you immune to all these weaknesses.

How we access and share information and how we communicate has changed dramatically over the last 30 years. This evolving technology is changing how we conduct investigations. It is changing how we observe criminal activity. The number sources of evidence available in some investigations have become overwhelming.

The Investigator as an Internet Eyewitness

The key to believable evidence gathered from the Internet is that it is visual, understandable, and could be reproduced if someone else did it at the same time as when it was originally collected.

When I review an investigation, I apply these criteria to determine if it was done by an expert or a bodger.

Investigators are taking on the role of eyewitness by observing evidence that might not be visible to any other available investigator as it appears only momentarily in internet venues. To be a reliable eyewitness, the investigator needs to create a record of what he or she sees at any particular point in time. This must be done in the same manner as handwritten notes. However, these records must provide a visual representation of the evidence collected. With Investigative Internet Research, the computer’s camera and mic, along with software that records screen activity, become the investigator’s notebook.

Typically, screenshots combined with written eyewitness reports, are used to record what an investigator observes in social media and other internet sites. However, screenshots and written reports do not provide a full representation of the research process or the evidence uncovered.

Twenty pages of social media content along with text detailing each screenshot is time consuming to produce and mind-numbing for a Judge or jury to endure. The Judge and jury need an eyewitness to tell them what happened and to illustrate why they should believe this evidence.

As with any eyewitness testimony, two corroborating witnesses are much better than one. The second eyewitness improves the credibility of the evidence presented in the courtroom. The consistency of the eyewitness testimony needs to be established through documentation as would be done with traditional witness statements given at different times to police before trial.

Follow the Script

Wherever possible, rehearse the visual, logical, and reproducible nature of the witness testimony to produce a clean copy of the investigators’ witness testimony. Don’t be afraid to script the testimony. Don’t be afraid to admit scripting the recorded testimony. Explain, if asked, that the recorded collection process is just a representation of what you did without any irrelevant material or wasted time. Explain that the recorded collection process is what really happened as it happened.

Visual

The hallmark of a good report is that it looks organised and complete without being over crowded with text and other material. The recorded testimony of the investigators must also be organised and complete without any extraneous content. Sometimes, accomplishing this requires scripting and rehearsal.

The investigator’s recorded process of collection must present the page as he saw it and the viewer must see and hear the investigator as he goes through the collection process. Just because you did this before and scripted the presentation of your collection process does not make the recorded content any less valid.

Understandable

Above all else, be logical. The collection process must proceed in a straight line from a clearly explained starting point to the next logical point. Continue in like fashion until you reach a logical conclusion.

Explain the logic and connections in the accompanying report. Your report will probably need elements from PowerPoint, screen shots, images, graphs, etc. to accomplish this. Use visual aids to make connections and illustrate logic!

Explain how you got there. Explain what you saw. Explain the importance of what you found. Explain material that meets the elements of the offence or supports the continuation of the offence in some way.

Reproducible

The viewer must see and hear the second investigator doing the same thing as the first investigator. The viewer must see the second investigator collect the same material as the first one. Doing this will require some scripting and rehearsal.

Raw Evidence

Some situations happen too fast to allow scripting and rehearsal. In that case, you will have to use the raw recording of the IIR that captured the evidence. Even if you are creating a scripted and rhearsed presentation of the collected evidence, you should have a recording of the original IIR collection effort.

New Bing Image Search

Images that appear on a web site offer many insights into the people who created the site. They tell you if they have the money to buy copyrighted content, or that they took the time to create their own imagery to get across their message. The imagery may also tell you that they don’t respect copyright law. The use of the same image on several sites may indicate a relationship between the sites that use the image.

Bing now offers an image search facility that allows you to paste the specific image URL into the search box at Bing.com/images.  If you have a picture that you want to match, then you may upload it directly to Bing.com/Images and Bing will search for matches. To match an image, submit a URL, or upload an image, just click on image match.

When you come across an image on a site you find in the Bing Web results, go to Bing Image search and clear the search box. That will make the Image Match link appear next to the search box. When using this, the best approach is to have Bing Web open in one tab and Bing Images in another. As you click on Web results, they will open in a new tab between Bing Web and Bing Images. To isolate the images you wish to search, in Firefox, right click the image and click on view image. This will take you to the image itself and its unique URL. This makes it easier for Bing to isolate the image it is trying to match.