Discovery of electronically stored information by private investigators

The Costa Concordia cruise ship disaster will certainly result in multiple legal cases of various types. There will be a criminal trial of the captain and possibly other parties. There will be civil suits by victims and families against the cruise line, government agencies, and possibly third party vendors such as electronics manufacturers and equipment providers. Some enterprising claimants may involve service firms who provided training, employment services or consulting to the company, through vicarious liability.

The purposes of these cases are as follows:

  • Determine if there is criminal liability for any party.
  • Determine civil violations subject to fines or penalties.
  • Establish the amounts of financial losses due to damage to assets.
  • Establish the extent of loss of life and injury to passengers and crew.
  • Identify current and future exposure due to environmental damage (toxic spills, habitat damage, fishery decline.)
  • Calculate contributory negligence of various parties to each loss and damage claim.
  • Locate assets to satisfy each claim in various international jurisdictions.
  • Quantify any insurance coverage available to claimants

The scope and volume of investigations and discovery for these cases will be immense. Although the cases will be under the jurisdiction of international venues outside of the United States, investigators can use the event as a mental exercise to consider what ESI (Electronically Stored Information) sources would be beneficial to the various parties.

Let’s take a look at a few examples and why an investigator would find these valuable.

1. Email records regarding deviation from track – current event and prior cruises: First to discover if there was a deviation from the planned cruise route.
2. Cruise line live track monitoring archive: Determine if the route taken was being actively monitored by company headquarters in real time
3. Any communications regarding “island salute”: Was this activity an officially sanctioned event, are there comms which identify knowledge of others?
4. Email communications between “Russian acquaintance” and captain: Did the woman allegedly present in the bridge have an existing or prior relationship with the captain or crew?
5. Prior reports / complaints by subordinates: Have any crew members or colleagues provide information to the cruise line which should have alerted them to prior behavior or attitudes indicating recklessness, or a tendency to not follow procedures?
6. Training records of captain compared with other captains: How was this captain trained? Was his training regimen a standard career track or were there exceptions made?
7. Written best practices of cruise line with any recent changes: Do the procedures of the cruise line have a revision history? When were changes made and by whom? Who has accessed the document?
8. Indicators for life boat deployment: Are there mechanical sensors which log the time of each lifeboat deployment?
9. Background noises from coast guard comms: Pull the audio tape files for all radio traffic prior to and during the event and investigate not only the direct communications, but also background noise to triangulate the exact position of the hailer.
10. On board video of crew movement during event: Secure all surveillance tapes and note the movement of crew and passengers. Did crew members give correct safety instructions to passengers? Were any of the passengers who are deceased or injured out of harms way at some point, but later directed to a dangerous location? This could transform the claim from accident to negligence.
11. Captains movements: Create a timeline from log files of the captains movements throughout the cruise. Was is a regular practice to leave the bridge? Did he adhere to the posted watch schedule? Were those called to relieve him qualified?
12. Accessed logs to video and black box records: Did any crew or corporate executives access the video without authorization? Are there alterations?
13. Safety drill records and logs – forensics: Retrieve log files of required safety drills to ensure that they were performed in accordance with laws and industry standards by qualified personnel.
14. Life boat training record and logs: Are all crew members current on their training and continuing certification for safety and life boat operation?
15. Employment history of captain: Compared with other captains was his promotion and service history in line with contemporaries in his field? Was there any fast track of his career?
16. Psych. evaluations for captain: Are there indications of performance risk in any mental evaluations? Were they performed in accordance with industry standards?
17. Drug / alcohol testing results for captain: is the frequency of these concurrent with all other crew?
18. Personal guests and visitors on prior excursions: Do the visitors logs from prior cruises show a pattern of guests which may have been a distraction? Does the cruise line have an official policy on this?
18. Financial records of captain: Are there any recent signs of financial distress? Are there connections to the Russian acquaintance? Are there any inappropriate activities?
19. Driving history of captain: Did the vehicle operations of the captain indicate a reckless tendency?
20. Evidence of tampering with records or logs: Compare the layout and format of other logs to ensure that the documentation being provided is accurate and genuine
21. Radar track tapes from other ships: Match the radar records for this trip and prior excursions with those from other ships to determine if any other vessels navigate the area where the hazard existed.
22. Radar logs or video logs from shore stations: There may be evidence from electronic records located in facilities on-shore either on the mainland or on Giglio Island.
23. Position and operation of rudder, stabilizers, thrusters, and ballast: Download the mechanical operational data to identify the times when the rudder angle was deflected to steer towards the hazard, and if it was ever deflected back to the port side. Verify that all other settings were correct. Even if an incorrect setting did not contribute directly to the accident, it will be evidence that a proper chain of reporting was not established or effective.
24. Number of deviations from normal operations logged by this captain vs. others: Were deviations from normal operating procedures cataloged by the cruise line? Do historical records show that this captain has a higher probability of bending rules but was overlooked by the company?
25. Any changes to company manual or operating procedures: Did the company manual change to reflect industry improvements which were not trained to crew?
26. Cell records of passengers: Map out the times which indicate cell traffic from passengers, and the location of those individuals. It can create a picture of how knowledge of the accident was spread throughout the ship by observation and official notice.
27. PA records: Overlay the time stamped public address announcements with other activities to determine when and how the ships management team responded.
28. Personnel file and any recent changes or accesses: Look for anomalies or unexplained promotions of any crew who worked with the captain or on that boat, including transfers to other vessels.
29. Documentation provided to insurance company to elicit coverage: Subpoena all insurance forms to see what representations were made to the insurer as far as safety, training, operations, and procedures. Make sure they are in agreement with true facts.
30. Property records of captain: Are there interests in real estate which connect him to parties of interest?
31. Recent travel records of captain: has he traveled to locations which are of interest to the investigation?
32. Internet history of captains computer: Does the browsing or search log show results which have to do with his actions?
33. Phone calls and time stamps of comms with HQ: Obtain precise time logs of all communications with the company executives. It appears that some of the company defense will be that they were not notified of the scope of disaster promptly by the crew. Also obtain personal phone records of those shoreside employees in contact with the captain to help piece together exactly what was said.
34. Does this ship ever use a harbor pilot? If the ship is sometimes navigated by someone with local knowledge, the procedure for determining when this happens should be scrutinized. Do any other ships use a pilot in these waters?
35. Trip files history at cruise line: Who accessed them and what info was known? Does the trip file for this cruise contain any more or less information than prior cruises? Did execs have prior knowledge of 150 meter salute or any other non standard maneuver or procedure?
36. Collect corporate records to determine if any company / business mechanism was create solely to shield liability.
Obtain operational and training records from competing cruise lines to see if Carnival adheres to industry standards.
37. Clock times: Match the clock times from all sources to be sure that they are in sync. Valuable intel can be lost if two clocks are out of sync with each other. If the clock of one camera is a few minutes ahead of another computer, it makes it difficult to interpret results when overlaying data from the two sources. Throughout the analysis process continue to verify matching times using external references.
38. Insurance references: Do any third parties have coverage which may be available for subrogation?

Regardless of the outcome, all of the interested parties will have a great deal of ESI available if they know where to look. Some cases come down to the best collection of records under the discovery order, and who can analyze the most information out of it. Cases involving cruises within international waters are governed by a particularly restrictive 1974 international treaty known as the Athens Convention Relating to the Carriage of Passengers and their Luggage by Sea. Working cases under the Athens Convention places claimants at a disadvantage from the start, so using all available resources to their fullest potential may be more important in this case than any other. In fact, a resourceful attorney may look to ESI to get some claims outside the scope of Athens, and into a more favorable venue.

These are just a few dozen possible pursuits of an ESI professional investigator. Inside knowledge of the case and the industry will present many other opportunities. In the meantime, investigators can consider how these examples bring to mind similar opportunities in the cases they are currently working.

Gathering information from vehicle observation

A stationary vehicle can be a gold mine of informational intelligence just by walking around it. An observant investigator can obtain a great deal of information about the owner or driver. From each angle, here are just a few of the pieces of information which can be discovered through analysis of what is observed.



Front of vehicle:

Front plate –

A vanity plate can reveal name or profession

An HOA plate discloses residence/subdivision

A novelty plate can reveal what business or company the driver frequents or prefers,

A dusty outline indicates the plate was recently removed

The presence of previous renewal stickers can show how long the owner has had the registration

A plate frame can disclose which dealership the owner purchased the vehicle from or where it is serviced.

Windshield –

Parking stickers for schools, employers, sports venues, or airports reveal activities

Valid smog/emissions sticker shows the date and location of inspection, can indicate an area the driver frequents

EZ pass – toll device (get serial number), may be source of useful discovery information

Back of rear view mirror stickers – can be guard-gate entry credentials

Windshield replaced? Check for non-non factory glass

GPS installed, or mounting residue – Vehicle GPS devices are a good source of discoverable information

Military base access tags – Vehicle access stickers are technically no longer required, many remain on vehicles

School carpool identifier tag (what time and grade does it indicate, lives outside jusrisdiction?)

Cowl –

Receipts on dash show where the subject shops, and purchased items

Parking receipts – location, date, and duration of parking. May also be a location to pick up surveillance

Valet stubs (time/date/location) – valet attendants may be able to provide info on other parties with the subject

VIN# – In any case, take down the VIN# from the cowl. Depending upon the type of case, there may not be permitted use to run a plate, but there are public databases where VIN number lookups can disclose some useable info. You can even get some basic information from Carfax.

Get numbers off any sticker no matter how insignificant – serial numbers on stickers, tags, passes or devices may be useful to connecting credit card accounts, addresses, or users name at a later date

Wrappers & bags from merchants – Restaurant bags, store packages and product wrappers can help pinpount habits or connect purchases

Store cards – many individuals leave store loyalty cards in view for convenience.

Dashboard / sun visors –

Are there pictures of family attached to the dash or gauge panel?

Are there directions to a location placed within view?

Parking acces cards – Gate cards are often left in the visor or dash panel.

You can sometimes view a registration,  ID or insurance card with address in the sun visor pouch.

Passenger  side –

Existence of damage, repairs – evidence of repaint or overspray can lead to a body repair facility and turn up insurance information, other parties to an accident, or financial account records

Cigarette ash residue around the window indicates a smoker

Kid handprints /dog nose prints on side windows reveal family makeup

Vanity stickers – Subjects may have window stickers relating to hobbies, travel locations, or social interests visible

Check the tires for condition and to see if all 4 match. A new car with one mismatched tire can lead to a conversation about the circumstances

Side scuffs / wheel rash – Light damage to wheels or fenders can sometimes be matched to a fixed object where they park

Rocker panel marks from entry shows if a vehicle occupant regularly wears boots, or drages an object into the vehicle

AAA sticker – Auto club info can be obtained to check travel history or roadside assistance calls

Rear –

Get the plate number first, and if possible check that it matches the vehicle and driver

Plate decal nunber is important, in some states you can see if it belongs with that plate

Prior years and numbers – Many individuals leave prior years decals visible, which can show how long the vehicle may have been owned.

Plate frame lettering – compare the dealership name on the plate frame with any dealer names on emblems or stickers. If different it could indicate the vehicle was purchased as pre-owned. See below for a possible use of dealership info.

Rear window stickers – these are the same types of indications as described in side window stickers. Also helpful is the trendy group of stick figure character stickers which portray the family members, and pets.

Travel clubs, aircraft owners, hunter clubs, NRA, and even Apple iTunes stickers are common – these may not seem like a big deal but are excellent sources of personal preferences which can be used for social engineering, establishing rapport, or finding online forum activities and statements

Does the rear window have a defroster or not? It may indicate that the vehicle was purchased in a market with a different climate

Recently removed stickers leave a residue in the shape of the cutout, might be a lead

Are there aftermarket accessories which indicate financial status, activities, or vehicle use? Chrome rims, truck winch, tow hitch, wide angle mirrors, tinted windows, etc.

Debris or mud underneath the wheelwells can suggest use on alternate types of roads

Check to see if there is a key under the bumper. If you have the opportunity while you are at it, you might even see if there is already someone elses GPS tracking unit. Some types of cases increase the odds that more than one person it interested in your subject.

Package tray items might include receipts, toys, blankets, etc.

Drivers side –

On the drivers side, also look for cigarette ashes, handprints, and stickers as on the passenger side. Also check to see if there is a mark on the window for where it is rolled down to on a regular basis.

Inside –

Check the seat placement to see if the subject is tall or short, and record it so that you can see if it stays the same on subsequent checks of the car

The types of items in car are endless. You will likely see business cards, open daily planners, directions, credit card bills, financial statements, phone number lists, even checkbooks out in plain sight. In one case we were able to get the phone number of an associate because the subject left his cell phone on the seat and it had a “Missed Call” message on the screen from a named person we knew was an out of town colleague.

Does it appear other passengers use vehicle or not? If the passenger seat is covered with junk, the subject is probably driving by themself in that vehicle. Back seat positions can have the same indications.

Notes and business cards are often left on the console in easy reach and view of the driver, but also to outside observers

Phone numbers can be anywhere, even written on napkins. The numbers you see in a car are often those associated with recent activity, not old ones stores in a phone.

Check to see if Bluetooth is active in the vehicle. You can look on your own Bluetooth device to see if there is one showing up. You will not be able to connect but can see what type of device it is and what security it has. We know of a case where a private party was able to view the Bluetooth code on a radio when the vehicle was running and synced his device to the car without the clients knowledge.

If there is another type of handsfree device, check the security and details on it as well.

Dry cleaner packaging can be strewn on the floor. See the “Vendor tips” section below for ideas.

Aftermarket items such as a CB radio can be a source to legally monitor communications.

Is there a handicap pass or sticker?

If you can check the fuel gauge level or even odometer (on older vehicles) you can sometimes get an idea of how far the subject drives to work or home.

Droppings from trees or birds are indications of outside or garage parking.

“Next oil change sticker” gives the name of the facility where the subject brings the car for service. This may be a source of information through legal pre-texting or subpoena.

Why is something as minor as a mismatched tire important? A some later date you may wish to sit down with the subject for an interview, or an attorney may conduct a deposition. Asking about several random known events can keep the subject off balance and result in them being wary of being untruthful.  “If they know about stuff as minor as my tire repair, they must know about _______ so I’d better not lie….”

Anytime you are casually walking through a parking lot, notice what you can learn about the vehicles as you walk by. You will be astonished at the volume of personal information and identifying items left in plain view of a car.

Vendor tips – Any contacts found are sources of legal pretexting, location, interviews, e-discovery, financial records. For example, if you know the name of the dealership where the car was purchased, you may be able to get a significant amount of information from that business. The store would have a copy of the drivers license, insurance information, a full credit application, possibly pay stubs, copy of a personal check, signatures, and information on the last vehicle traded in. If there was a co-signer on the car loan that person may come in handy. There are several methods of getting the information from the dealer, but consider how much depth if information exists there.

Even a dry cleaner has information such as cell phone number, credit card numbers, and possibly email address. These can be matched with known information to discover deception or new accounts, and even unknown associates. What you can do with all of this information is limited only by your analysis skills and the type of case. A variety of intelligence such as this can be used for interview prep, witness examination, locating other parties, financial discovery, asset recovery, and much more.

Putting this information together with other observations, private database records, electronic data, and retrieved documents can create a robust profile on any subject and is the true skill of an expert investigator.

Good luck with your cases.


20 Non-standard locations to obtain electronically recorded information (ESI)

Beyond the typical email/bank records/phone records, the electronic engagement which most people are involved with is expanding exponentially. Here are a few non-standard locations to look at for additional intelligence on a subject. With the introduction of new technologies emerging, there may be dozens of new sources by the end of this year. Also use these ideas to creatively discover new sources.

1. Parking garage camera – You have the parking receipt/payment record, get the picture to see who was driving, who was in the car

2. Vehicle ECM – It is not like a black box data recorder, but it may disclose airbag deployment, fault codes, service intervals.

3. Grocery store shopper cards – Provides time and date of purchase to verify location, volume of items, alcohol, payment method (unknown account), cash back represented as expense, medications, disclose “late night” visits.

4. Itunes sync – cloud files, which computer was synced, and identify other devices.

5. Company voicemail – when it was checked, from what number, who called in, forwarded messages, and message copies of even deleted VM’s. Most modern systems store voicemail messages on server hard drives which are subject to the same backup routines as other data. Backup tapes may be available for a longer period of time than in company policy, ask the IT department. Also, login records of voicemail systems can sometimes include the caller ID from where the system was accessed, disclosing the location of the subject at the time.

6. Computer game messaging – time and duration of play, known competitors, what messages exchanged (romantic or threatening).

7. Email counter parties – Don’t just rely on the message history from the subjects account, you may be able to match up messages in the counter party accounts to discover those deleted by the subject when the opposite side of the conversation remains on the recipient machine.

8. Online discussion forums – Subject may have posted messages containing opinions or information of interest, or conflicting with their represented position. Discovery of forum identities of user names can also lead to other online personas used or email addresses

9. GPS – Portable or vehicle mounted GPS units frequently have a track history or “breadcrumbs” feature which traces prior movement. Addresses previously entered in for directions typically remain as well. This information can be discovered on iPhones and iPads.

10. Employment clock in – Time clock or virtual sign in sheets will document times when an employee was absent from the office or on leave.

11. Fedex & UPS accounts – Shipping history can reveal locations of colleagues or other addresses used. As always, analyze any payment to determine if the payment form or credit card used is previously known.

12. and other cloud storage – Forgotten files previously uploaded, and locate prior versions of documents.

13.  YouTube history – This history normally goes back farther than a browsing record. There may be videos posted by associates documenting actions or movement.

14. Casino loyalty card – If the subject gambles even casually, they are likely to max out their player card benefits. Casinos are most generous with comps based on player activity, and this history is kept for a long time.

15. CLUE report – A private database maintained by the insurance industry, it tracks any insurance claims on auto or homeowner policies. Casualty based insurance records typically will include many interesting details such as losses reported, other passengers in a vehicle, photos of a residence, and police reports. This would need ot be requested or subpoenaed from the insurance carrier.

16. Private surveillance cameras – If the subject takes a known route for work or recreation, a few sample photos from store cameras along the way can reveal other passengers in a vehicle, cell phone usage, or other historical activity without having to do manual surveillance. The skill in requesting these records from the business is key to successfully obtaining them.

17. Alternate sources of financial records – In most cases it would be beneficial to obtain tax returns, financial statements, or credit applications about a subject. Without having to resort to subpeona or illegal pretexting, an investigator can often get these documents from third parties who are in legal possession of them. A former spouse may have prior years tax returns. A former business partner will have financial statements. A prior landlord will have a credit application. Even the title company who processed a closing will have pay stub copies, mortgage application, check copies, and affidavits. Many of these parties will be more likely to provide them to an investigator if requested correctly, and there are fewer legal restrictions for their disclosure unlike the banking industry.

18. Appointment calendars – Use of online and electronic daily planning resources is very common. A subject may use Google Calendar or Outlook for tracking and managing appointments. These records will have dates, times, and phone numbers of other attendees. Even third party calendars can be investigated. If the subject is a member of a gym, sports club, or restaurant reservation system the scheduling history will be available.

19.  Photocopy machines – Most modern photocopy machines contain a hard drive which stores copies of all documents scanned or copied for a designated archive period

20. Skype – A subject attempting to conceal communications may use a VOIP system such as Skype. These devices can be hidden when not in use, or even exist only in software. Call history and chat logs remain for an extended period. Look for the programs on PC’s of payments for service on credit card statements.

Each of these sources may only provide a small portion of evidence. However, taken in their entirety the details can add up to a bigger picture or fill in the blanks from other areas of investigation.

Concealing capital and hiding assets

When an economy declines as has been the case for about the past 5 years, there are always more financial conflicts, lawsuits, bankruptcies, and unpaid debts. In many of these scenarios it is advantageous for a party to underreport or otherwise conceal assets so that they are not confiscated by creditors. Lawsuits, divorces, criminal cases, and business failures each has an element of concealment which some parties to the action takes part in.
Each of these is an opportunity for an investigator to assist a client or attorney in discovering hidden assets. The fact that the volume of these types of cases is increasing is fertile ground for litigation support. First, do not confuse asset discovery or recovery with debt collection. Collection agencies mostly rely on direct contact with the debtor to force them into voluntary compliance, possibly combined with some heavy handed attempts at grabbing obvious cash such as garnishing wages.
Asset recovery is much more of a precision operation. In most cases a large part of the efforts are performed covertly. Intelligence is gathered from official records, e-discovery, observation or surveillance, witness interviews, and analysis of documents. The investigative asset discovery investigator will follow a trail of funds as it flows through third parties or innocent entities when the debtor attempts to wash it clean. IN almost every case, there is a path to tracking the assets. When a debtor was a high profile or high income individual, they almost never deteriorate into poverty. Affluent and high  net worth people are accustomed to that lifestyle and find a way back to it, or near to it. Often times they remain in or close to the industry they knew in the good times. A common plan is for them to find an old colleague to work with as an advisor, consultant, or contractor in an attempt to keep much of their true income off the radar. This is ideal for the investgator since when this is discovered the colleague may have some liability for assisting the subject to conceal assets.
Of course placing assets in the names of friends and relatives is an instinctive move for attempting to hide assets. Putting the car in moms name would not be unheard of. No matter if it is car, yacht, aircraft, or tropical island, an asset held in the name of a nominee is of no value to the reluctant debtor unless they can use it. This is usually the best method of discovering the asset. The use of high value assets by the debtor which does not match their reported income is a red flag. Even if the title of vesting of the asset is not theirs, further inquiry is worthwhile. The true ownership often is discovered through hidden documentation connecting the debtor to the corporation or individual holding the asset. Another method is to determine the path of money which purchased the asset. Tracking down the wire transfer which bought the plane is a start, and then following the money backwards through accounts until it can be demonstrated to be connected to the debtor.
Don’t overlook the small payments in a case file. Payments for small repairs, replacement parts, parking, dock fees, fuel, insurance or taxes can tie a person to the beneficial ownership of an asset.
While asset recovery is usually a cat and mouse process, the investigator has several significant advantages.

1. Every step in concealing an asset is an event which creates documentation. This evidence cannot be erased. There are always third parties which have copies of documents. The seller, the bank, insurance companies, escrow agencies, and banks all have pieces of the puzzle which are durable.

2. Most individuals who attempt to conceal assets are not experts at it. Narcotics trafficers who need to hide money for a living have the most advanced technicques, and even they are usually defeated by professional investigations. The guy who is trying to hide $50,000 in a divorce case is doing it for the first time and is a relative amateur.

3. Time is on your side. Asset concealment is done once. The debtor typically does not want to keep improving the concealment, or try to “hide it better.” Each movement or action creates more records and more chances to get caught so they are avoided. The investigator has weeks, months, or even years to unwind an event which the subject may have had to plan and execute in a short time period.

4. Most of the typical concealment schemes are documented. You have a playbook of what to look for. No amount of complex planning can change the fact that it is simply a matter of moving money.

5. Actions are more completely recorded. IN the same way that there are many more security cameras covering every street corner, lobby, and business, there is more “surveillance” in the records world. Archiving and records retention is almost limitless snce the cost of storage is very low. Data storage is the norm in almost every area. Even the internet is being “backep up” on sites like The Wayback Machine. If the archived versions of every website are being kept, you can be sure that the records for a financial transaction, purchase, credit inquiry, insurance claim, flight plan, duty roster, or time clock is stored somewhere.

The analytic mind of a professional investigator applied to the largely untapped market for asset recovery is an excellent opportunity for business development in the investigative industry.