The Scenario

Down on his luck, Joe, a supervisor at a large manufacturer, crafts a quick means of getting back on his feet. In his mind, he was not setting out to commit insurance fraud. In fact, even to this day, he does not view his actions as “scamming” the insurance company. Joe feels a sense of entitlement, as he has always diligently paid his premiums and has never made a claim – thus, he believes that it is time for him to become the benefactor of a payment from the insurance company. Isn’t he entitled to a payment from the insurance company after all these years? As a result, Joe falsely claims his right leg was injured while at work; performing simple tasks have now become too tedious and painful, so he represents he is unable to perform his day-to-day job until it heals. He submits all of the correct paperwork to his employer and his insurer in person while hobbling around on crutches, yet he chooses to have a night out on the town the same day as submitting the claim forms. While bar hopping, multiple photos of him are taken on his company-issued Android smartphone with crutches nowhere to be found, and the pictures are drunkenly posted publicly to social media. Some of his coworkers see the posts the following morning and alert their employer, who hires Vestige to make a forensic image of the smartphone and the SD card contained within. The employer also shares this information with its insurance company, knowing that the employee has filed a claim. Joe is tipped off by the inquiry and forthcoming request for his company phone, so immediately prior to Vestige’s arrival onsite to preserve the phone’s data, Joe deletes the photos. Vestige takes custody of the device, which was already powered on, and immediately places the phone into airplane mode to block the phone from connecting to a cellular network. The collection is performed at that time. Vestige also preserves the public social media posts for thoroughness.

Through forensic investigation, Vestige determines that the suspect photos were still available in the unallocated space of the SD card. Vestige also finds that the phone is backing up its photos to a Google Drive account (unbeknownst to Joe), and that evidence of the deleted photos resident in Google Drive is also present. Vestige obtains permission to preserve the Google Drive account, where the photos were still located, and examines them. Both sets of photos – the deleted pictures and those resident in the Google Drive account – contain internal metadata, such as the camera used to take the photos, GPS coordinates illustrating the exact location where they were taken, and the date and time which they were created. The internal metadata matches between both sets of pictures.

The photos are subsequently produced to the employer, who shares them with the insurance company. The insurer is thus able to prove in court that the supervisor’s “injury” was fraudulent.

The Result

The above scenario is, of course, a “perfect world” example, but highlights that many individuals do not know or understand the fingerprints that are left behind on digital evidence. Digital evidence is, of course, an excellent source of data that can be leveraged in insurance claim and fraud cases. Digital evidence may support the argument that fraud was committed, or it may also exonerate the claimant.

Vestige works with a variety of organizations in the insurance industry, including insurers, agencies, cooperatives, and Special Investigation Units — all of which who have learned the importance of requesting digital evidence as part of their claims process. Many even make producing digital media for forensic examination a condition of settling the claim. Vestige has witnessed such policies being used as an effective means of the insurance companies’ being able to have access to the devices on which the digital evidence is contained. Refusal to provide digital evidence, then, also has tended to make denial of the claim much easier.

Perhaps the most common insurance claim case type that I work at Vestige involves a fire that took place within an insured building. As part of those cases, I often receive a DVR video system that, in physical appearance, is literally fried – the case will be cracked or bent from exposure to extreme heat and often covered in soot. Despite the DVR unit’s physical condition, the hard drive located within the unit that stores the actual camera footage is often undamaged. However, if the hard drive is damaged, the footage is often still able to be recovered using parts from a “donor” hard drive. Once I have access to the videos, I am able to filter them for the time frame of interest, extract individual clips, and then enhance them or take still photos to make the footage easier to view. Of course, DVR footage may reveal what caused the fire to start, whether it be arson related or simply the forces of nature at work.

Computers and mobile devices often accompany the DVRs Vestige receives during the evidence intake phase for fire-related investigations. Examining those devices can show searches for “how to start a fire,” flammable chemicals, insurance claims, and other bits of information that an insurance company or fire investigator may find extremely useful.

Video and picture file authentication is another insurance-related case type that Vestige often encounters. In those types of cases, Vestige is able to use the internal metadata of the files in question to determine when, where, and how the videos or pictures were taken. There are a number of other analysis nuggets Vestige examines besides internal metadata, but if the files cannot be authenticated as original, the custodian may also have video or photo editing applications on the source device from which the files were extracted. Those programs may contain histories that illustrate what files were edited and when.

Vestige expects digital evidence to continue to play a prevalent role in claims made to the insurance industry, especially as an increasing number of individuals begin moving their lives into the cloud and sharing their life stories on social media. As the leader in the computer forensic industry, Vestige will continue to do what it has always done in every type of investigation – find the truth.
 
 
 By Gene Snyder, GCFA, EnCE, ACE, 
 Senior Forensic Analyst at Vestige
 
For more information CONTACT US 
 
 
 

Share This...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Leave a Reply

Be the First to Comment!

avatar
wpDiscuz