Subject Locates: Successful Ones v. Expensive Failures

One of the most common assignments we receive is for a subject locate.  These requests usually come from attorneys, insurance companies and financial institutions (as you know, we do not work for individuals), and we are often asked to locate:

- Adverse Witnesses

- Cooperative Witnesses

- Debtors

- Clients

- Heirs

- Etc.

The difference between a successful locate and an expensive failure is how much attention and care is given to a case.  Obvious, right?  But it has to be the right attention, which is a tight focus, and the proper care, which is care for detail.

The starting point in a successful locate is to gather as much information from the originating requestor as possible:

Name: AKAs, Extensions (Jr., III, MD, Esq…), Maiden form, prior marriage form

Address: Last known contact date at this address, form of contact, (e.g. mail, phone… ), contact outcome, ( i.e. returned mail, no response, etc.).

Phone Number:  Last known phone number, cell, landline, Skype, other internet phone.

Personal identifiers: DOB, SSN, TIN, DL#, Medicare/caid recipient? School i.d.?

Contacts: Family, friends, employers, coworkers

Prior lawsuits: If known, to include form of involvement.

Civil records: Is/was the subject married, divorced? Has s/he declared bankruptcy or have judgments, liens… against him/her?

Criminal records:  Almost every state now allows for an inmate lookup.  (If a person is missing for a considerable period of time, there are only so many scenarios, short of a bizarre abduction, to account for this disappearance: a move, death or incarceration.)

A good investigator will then form a profile of the missing subject and conduct an address history search which will generally yield a pattern.  (We’ll get to that in the next para.)  The address history may not contain the subject’s current address. (All databases, from DMVs to privately held, fee-based information companies, operate within the limitations of data input regularity.  The subject may not release his/her most current address to an agency.  P.O. box registration is no assurance of a current address either.  If it is a planned move, one simply has to apply for and receive the P.O. box prior to moving and generate forwarding from the old address.)

Having created the profile, the investigator now looks for the pattern.  Is the subject constantly relocating?  Staying within a certain geographical area?  Is s/he beholden to a mortgage?   Has s/he foreclosed?  An address history search will also almost always reveal family member information.

Once the profile and pattern have been formed and detected, the investigator must decide on a course of action. The approach will determine if the locate will be successful.   Each investigator has his/her own technique but there is a different methodology applied between “friendly” locates and those involving people who’ve intentionally chosen to stay or go off the grid.   A sharp investigator will know how to entice a friendly subject and not tip off an adverse one.   That knowledge comes with experience and skill and a great deal of curiosity.

As a final step, an investigator may have to physically check an address to verify the subject’s address.  By this point, all other methods of locating have been exhausted, but valuable knowledge of the subject has been gained. (The location should be thoroughly researched before heading out to the field.  Showing up on a private road on 2 acres of land in the middle of nowhere is usually not going to result in a productive session.  Suggestion: Google Earth.  There should also be an established strategy to observe the location, discreetly, within a restricted time span when the subject’s presence is most anticipated.  If covert observation is not possible, the game plan must be thought out beforehand and include at least Plans A, B and C.)   Below; lack of a plan:

Finally, if your investigator returns with an address, ask that it be “verified”.  If there is  no confirmation that the subject is at the reported location, and the requestor is not made aware of the nonverification, a costly situation for the requestor may result, financially and with regard to negotiation stance.   If  the locate results are not verifiable, (and that occurs, although that number should be in the single digits, percentage-wise, in a competent investigator’s record), the requester will at least have that knowledge with which to make decisions.

Our operatives: A step ahead.

As always, stay safe.

Electronic Crime Scene Investigations; Evidence Collection. II/II

In Part I of our two-part Electronic Crime Scene Investigations series, we covered recognizing and securing an electronic crime scene.  In this post, we delve into the actual investigation itself.

First and foremost, now that you have isolated all persons with access from the crime scene, please ensure that they provide your investigator (whether it is an inside manager or a hired professional detective), with a release similar to the below.  (Please check with your local law enforcement on particular jurisdictional guidelines.)

CONSENT TO SEARCH ELECTRONIC MEDIA
I, __________________, hereby authorize __________________, who has identified himself / herself as a law enforcement officer, and any other person(s), including but not limited to a computer forensic examiner, he / she may designate to assist him / her, to remove, take possession of and / or conduct a complete search of the following: computer systems, electronic data storage devices, computer data storage diskettes, DVDs, or any other electronic equipment capable of storing, retrieving, processing and / or accessing data.
The aforementioned equipment will be subject to data duplication / imaging and a forensic analysis for any data pertinent to the incident / criminal investigation.
I give this consent to search freely and voluntarily without fear, threat, coercion or promises of any kind and with full knowledge of my constitutional right to refuse to give my consent for the removal and / or search of the aforementioned equipment /data, which I hereby waive. I am also aware that if I wish to exercise this right of refusal at any time during the seizure and or search of the equipment / data, it will be respected.

This consent to search is given by me this ________ day of, __________________
20__________, at ____________ am / pm.

Location items taken from: ____________________________________________
Consenter Signature: ________________________________________________
Witness Signature: _________________________________________________
Witness Signature: _________________________________________________

Evidence Collection
Handling digital evidence correctly is essential to preserving the integrity of the physical device as well as the information or data it contains. Turning off the power to a computer or other electronic device may cause the information or data stored on it to be damaged or lost.
If you are not trained in handling digital evidence —
• Do not attempt to explore the contents of a computer or other electronic device or to recover information from it.
• Do not alter the state of a computer or other electronic device.
• Do not press any keys or click the mouse.
• If the computer or device is off, leave it off.
• Do not move a computer or other electronic device that is powered on.
• Do not accept offers of help or technical assistance from unauthorized persons.
• DO request technical assistance from personnel with advanced equipment and training in digital evidence collection.  See http://www.ecpi-us.org/Technicalresources.html for a list of available resources.

Assess the Situation

Before seizing digital evidence, make sure you have the legal authority to do so. Improper access to information or data stored on electronic devices may violate provisions of federal laws.

After securing the scene and identifying the computer’s power status, follow the steps listed below for the situation most like your own. (Where the final step in a situation is “Proceed to If the Computer Is ON” or “Proceed to If the Computer Is OFF”, those two sections are posted at the bottom of this article.)

Situation 1: Monitor is on. Program, application, work product, picture, e-mail or Internet site is displayed.

1. Photograph screen and record information displayed.
2. Proceed to “If the Computer Is ON”

Situation 2: Monitor is on. Screen saver or picture is visible.
1. Move mouse slightly without depressing buttons or rotating wheel if present.
2. Note any onscreen activity that causes a change in the display.
3. Photograph screen and record information displayed.
4. Proceed to “If the Computer Is ON”

Situation 3: Monitor is on. Display is blank.
1. Move mouse slightly without depressing buttons or rotating wheel if present.
2. Display changes to login screen, work product, or other visible display.
3. Note change in display.
4. Photograph screen and record information displayed.
5. Proceed to “If the Computer Is ON”

Situation 4a: Monitor is off. Display is blank.
1. If monitor’s power switch is in off position, turn monitor on.
2. Display changes to a login screen, work product or other visible display.
3. Note change in the display.
4. Photograph screen and record information displayed.
5. Proceed to “If the Computer Is ON”

Situation 4b: Monitor is off. Display is blank.
1. If monitor’s power switch is in off position, turn monitor on.
2. Display does not change. Screen remains blank.
3. Note that the display does not change.
4. Photograph blank screen.
5. Proceed to “If the Computer Is OFF”.

Situation 5: Monitor is on. Display is blank.
1. Move mouse slightly without depressing any buttons or rotating the wheel if present.
2. If display does not change, confirm that power is supplied to the monitor.
3. If display remains blank, check computer case for active lights and listen for fans spinning or other indications computer is on.
4. If computer case gives no indication that it is powered on, proceed to “If the Computer Is OFF”.

================================

If the Computer Is OFF
For desktop, tower and minicomputers follow these steps:
1. Document, photograph, and sketch all wires, cables, and devices connected to the computer.
2. Uniquely label and photograph the power supply cord and all cables, wires or USB drives attached to the computer and the connection each of these occupies on the computer.
3. Remove and secure the power supply cord from the back of the computer and from the wall outlet, power strip or battery backup device.
4. Disconnect and secure all cables, wires and USB drives from the computer and document the device or equipment connected at the opposite end.
5. Place tape over the floppy disk slot if present. Ensure that the CD or DVD drive trays are retracted into place and tape across the drive tray to prevent it from opening.
6. Place tape over the power switch.
7. Record the make, model, serial numbers and any user-applied markings or identifiers.
8. Record or log computer and all cords, cables, wires, devices and components according to agency procedures.
9. Carefully package all evidence collected to prevent damage or alteration during transportation and storage.

For laptop computers follow these steps:
1. Document, photograph and sketch all wires, cables and devices connected to the laptop.
2. Uniquely label and photograph all wires, cables and devices connected to the laptop and the connection each occupies.
3. Remove and secure the power supply and all batteries from the laptop computer.
4. Disconnect and secure all cables, wires, and USB drives from the laptop and document the equipment or device connected at the opposite end.
5. Place tape over the floppy disk slot if present. Ensure that the CD or DVD drive trays are retracted into place and tape across the drive tray to prevent it from opening.
6. Place tape over the power switch.
7. Record the make, model, serial numbers and any user-applied markings or identifiers.
8. Record or log the laptop computer and all cords, cables, wires, devices and components according to agency procedures.
9. Carefully package all evidence collected to prevent damage or alteration during transportation and storage.

If the Computer Is ON
Removing the power supply is generally the safest option. If evidence of a crime is visible on the computer display, however, request assistance from personnel with experience in volatile data capture and preservation (see http://www.ecpi-us.org/Technicalresources.html).

Immediate disconnection of power is recommended when —
• Information or activity on screen indicates that information or data is being deleted or overwritten.
• A destructive process appears to be in progress on the computer’s data storage device(s).
• The system is powered on in a typical Microsoft Windows® environment. Pulling the power supply cord from the back of the computer will preserve information about the last user account logged in, login time, most recently used documents, most recently used commands, and other valuable information.

Immediate disconnection of power is NOT recommended when —
• Information or data of apparent evidentiary value is in plain view onscreen. Seek assistance from personnel with advanced training in digital evidence collection.
• Indications exist that any of the following are active or in use: Chat room(s), text documents, remote data storage, Instant Messaging (IM), child pornography, contraband, financial documents, data encryption and obvious illegal activities.
• The device is a mobile or smart phone. Leave mobile and smart phones in the power state in which they were found.

Improper shutdown of mainframe computers, servers or a group of networked computers may result in the loss of data, loss of evidence and potential civil liability. Secure the scene and request assistance from personnel with advanced training in digital evidence collection of large or complex computer systems (see http://www.ecpi-us.org/Technicalresources.html).

(We suggest you print Parts I and II of this series into a manual format.)

Our Operatives: A step ahead.

As always, stay safe.

Electronic Crime Scene Investigations; Assessing & Documenting the Situation. I/II

When a computer crime is suspected in the workplace, action must be taken immediately. We’ll take you through a step by step computer crime scene investigation; the same protocol that we security and information specialists conduct.

When securing and evaluating the scene:
• Do not alter the state of an electronic device. If a computer or an electronic device is off, leave it off.
• Remove all unauthorized persons from the area where evidence is to be collected.
• Identify, seize and secure all electronic devices, including personal (have the employee sign a release or note the type of device, if s/he refuses) or portable devices.
• Recognize potential digital evidence in telephones, digital video recorders, other office appliances and motor vehicles.

If the computer is on or the power state cannot be determined:
• Look and listen for indications that the computer is on — e.g., fans running, drives spinning and lit light-emitting diodes (LEDs).
• If you cannot determine the power state of the computer, observe the monitor to determine if it is on, off or in sleep mode.
• Check display screen for signs of data destruction.  Look out for words such as “delete,” “format,” “remove,” “copy,” “move,” “cut” or “wipe.”
• Look for indications that the computer is being accessed remotely and/or signs of ongoing communications with other computers or users — e.g., Instant Messaging (IM) windows or chat rooms.
• Take note of all cameras and determine whether they are active.

Preliminary Interviews
• Separate and identify all adults of interest and record the location they occupied when you entered the scene. Obtain the following information from interviewee(s):
• Purpose of computers and devices.
• All users of the computers and devices.
• Type of Internet access and Internet service provider.
• Computer and Internet user information — e.g., login names, user account names and passwords, and Instant Message screen names.
• E-mail and Web mail (Web-based e-mail) accounts and Web pages.
• Account information for online social networking Web sites — e.g.,  Facebook, LinkedIn
• All security provisions, data access restrictions, destructive devices or software in use.
• Any automated applications in use.
• Any other relevant information.

Documenting the Scene
Your documentation should include:
• The type, location, position, condition and power status of the device.
• A record of all activity and processes visible on the display screen(s).
• A record of all physical connections to and from the computers and other devices.
• A record of any network and wireless components capable of linking devices to each other and the Internet.
• The type, condition and power status of the device’s Internet and network access.
• Video, photos, notes and sketches to assist in recreating/conveying the details of the scene.
(Some computer systems and electronic devices — and the information they contain — may be protected under applicable laws, agency policies or other factors, that may prohibit collection of these devices or components.  That’s when you call in a pro.  However, do include the location, condition and power state of these devices in your documentation.)

Movement of a running computer or electronic device may cause changes or damage to the computer or device or the digital evidence it contains. Computers and electronic devices should not be moved until it is determined that they are powered off.

In Part II/II we will get into the meat of Evidence Collection.  The instructions we will impart will not be generalizations but rather, actual, working directions.

Our Operatives: A step ahead.

As always, stay safe.

Shout Out To Our Contributor, Suzanne Reisig Olden!!

Suzanne is now also writing for the uniquely and hotly opinionated www.clashdaily.com:

http://clashdaily.com/2012/07/have-a-conscience-who-cares/

 

Do the Due, Diligence

We recently encountered a challenging situation; 30 witnesses to verify and serve, 2 days before the trial date. There were a myriad of reasons why the attorney was unprepared for trial but several incidents did come to light during this hectic process that we are passing along:

1. Consult with your trial prep person well before trial.

Meeting with your trial prep firm allows the investigator to become aware of the case facts, and now gives him/her the time to review, formulate and then execute an operations plan.  (There will always be last minute filings, service, subject locates… that have to be performed.  An experienced trial prep firm has resources already in place for those unforeseen final events.)

2. Basic Paperwork and Activity To Have Completed Pre-Trial

- Special Power of Attorney.  This should be obtained from the injured client from the outset.  (In this recent case, the client lived several states away and was not readily able to come up and sign authorizations.)

- HIPAA authorizations.  If there is a hint that the records may contain medical information, in NYS, a duly executed HIPAA authorization form must be attached to the subpoena request for testimony and/or records.

- So Ordered Subpoenas.  Generally, among other criteria, if a city, state or federal agency is involved, a So Ordered Subpoena (signed by a judge) must be obtained at the trial court.

- Subject Locates - Don’t do these yourself online at the common locator sites most amateurs use to locate loved or lost ones (they may have chosen to be that way for a reason).  Have your investigator conduct comprehensive locates, especially in cases that have gone on for a while, in substitutions and in any situation where time is short.

Tip:  When dealing with EMS documents, note the shield numbers.  If the shield number is 6,000 or above (e.g. Shield# 7206 or 6024) this is a private ambulance that has responded.  Do not subpoena the FDNY at MetroTech for the Ambulance Call Report.  They won’t have it.  In the section underneath “Comments” on the ACR, there is a field for Hosp #.  The number in that field reveals the hospital associated with the responding ambulance.   (There may be one of two numbers written into this field; a 3 digit number is the trauma center designation and the number in parens is the FDNY hospital code assignment.  Almost all EMS personnel use the paren’d 2 digit FDNY code.)  See below for NY County Hospital Codes. (For other boroughs: shoot us an email, we’ll send you the links.)

Hospital Information

| Hospital Name | Disposition Code |
| --- | --- |
| Bellevue Hospital | 712 (02) |
| Beth Israel Medical Petrie Campus | 713 (03) |
| Cabrini Medical | 715 (63) |
| Goldwater Memorial Hospital – Coler Site | 714 |
| Goldwater Memorial Hospital – Goldwater Site | 720 |
| Harlem Hospital | 721 (07) |
| Hospital Joint Diseases Ortho. Inst. | 735 |
| Hospital For Special Surgery | 723 |
| North General Hospital | 758 (09) |
| Lenox Hill Hospital | 728 (11) |
| Manhattan Eye, Ear & Throat Hospital | 730 (05) |
| Memorial Hospital – Cancer & Allied Diseases | 731 (08) |
| Metropolitan Hospital | 732 (12) |
| Mount Sinai Hospital | 734 (13) |
| New York Eye & Ear Infirmary | 736 |
| New York Presbyterian Hospital Weill Cornell | 737 (14) |
| New York University Downtown Hospital | 941 (01) |
| New York University Hospitals | 739 (15) |
| New York Presbyterian Hospital, Columbia Presbyterian Division | 742 (17) |
| New York Presbyterian Hospital – Allen Pavillion | 749 (16) |
| Rockefeller University Hospital | 743 |
| St. Clares Hospital & Health | 746 (19) |
| St. Lukes-Roosevelt Hosp., Roosevelt Hospital Division | 759 (18) |
| St. Lukes-Roosevelt Hosp., St. Luke’s Division | 745 (20) |
| St. Vincents Hospital & Medical of NY | 748 (21) |
| Veterans Administration Hospital | 724 (10) |
| Beth Israel Medical Singer Division | 718 (04) |
  • (Number in parentheses indicates FDNY Hospital Number)
  • ‡ indicates trauma center designation

BNI Operatives: Street smart; Web savvy.

As always, stay safe.

Independence Day: History and Interesting Facts

Brief History and Fun Facts of Independence Day, U.S.A.:

During the American Revolution, the legal separation of the Thirteen Colonies from Great Britain occurred on July 2, 1776, when the Second Continental Congress voted to approve a resolution of independence that had been proposed in June by Richard Henry Lee of Virginia declaring the United States independent from Great Britain.

After voting for independence, Congress turned its attention to the Declaration of Independence, a statement explaining this decision, which had been prepared by a Committee of Five, with Thomas Jefferson as its principal author. Congress debated and revised the wording of the Declaration, finally approving it on July 4. A day earlier, John Adams had written to his wife Abigail:

The second day of July, 1776, will be the most memorable epoch in the history of America. I am apt to believe that it will be celebrated by succeeding generations as the great anniversary festival. It ought to be commemorated as the day of deliverance, by solemn acts of devotion to God Almighty. It ought to be solemnized with pomp and parade, with shows, games, sports, guns, bells, bonfires, and illuminations, from one end of this continent to the other, from this time forward forever more.

Adams’s prediction was off by two days. From the outset, Americans celebrated independence on July 4, the date shown on the much-publicized Declaration of Independence, rather than on July 2, the date the resolution of independence was approved in a closed session of Congress.

Historians have long disputed whether Congress actually signed the Declaration of Independence on July 4, even though Thomas Jefferson, John Adams, and Benjamin Franklin all later wrote that they had signed it on that day. Most historians have concluded that the Declaration was signed nearly a month after its adoption, on August 2, 1776, and not on July 4 as is commonly believed.

In a remarkable coincidence, both John Adams and Thomas Jefferson, the only signers of the Declaration of Independence later to serve as Presidents of the United States, died on the same day: July 4, 1826, which was the 50th anniversary of the Declaration. Although not a signer of the Declaration of Independence, but another Founding Father who became a President, James Monroe, died on July 4, 1831, thus becoming the third president in a row who died on this memorable day. Calvin Coolidge, the 30th President, was born on July 4, 1872, and, so far, is the only President to have been born on Independence Day.  — from wikipedia.

Take a moment this 4th of July to ponder the risks our Founding Fathers and all patriots past and present have taken to ensure our liberty.  Carry those thoughts with you this November when we decide which candidate for President of the United States of America best represents those characteristics that this nation requires to maintain its

As always, stay safe.
