Stroz Friedberg was engaged in an e-forgery investigation in which a plaintiff based his lawsuit on a hard copy of a memorandum he claimed was written by his boss stating that the plaintiff was entitled to a bonus. The bonus language was not in the copy of the memorandum retained by the boss, who hired Stroz Friedberg to prove his version was authentic. The investigation focused on forensically examining the computer the boss used to write the memorandum. Key-word searches from the memorandum, including phrases from the bonus language yielded a version of the memorandum without the bonus language and gave no indication in either active or deleted files of the alleged bonus language. This was good news for the boss: it was clear that the version with the bonus language was never on his computer. Had the boss created the version with this language on that computer and then deleted the bonus language, some remnant would likely have been forensically recoverable. Stroz Friedberg also analyzed the metadata for the version of the memorandum resident on the boss’s computer, and the Created, Last Modified, Last Accessed and Last Printed dates did not suggest any tampering.
Stroz Friedberg’s methodology is to analyze data from a behavioral as well as technological perspective. Accordingly, we scrutinized the bonus language and noted discrepancies in the way certain words were abbreviated, and in the use of certain punctuation and spacing. The boss’s computer contained dozens of documents with metadata confirming that the boss had drafted the documents. Fortunately, there were also many documents on the boss’s computer with metadata showing they were authored by the plaintiff-employee. The latter were documents previously e-mailed or otherwise transferred from the plaintiff-employee to the boss. We profiled both sets of data for the above-described discrepancies and found that the quirks existed repeatedly in the plaintiff-employee’s documents and never in the boss’s. When inserting the fraudulent language, the plaintiff-employee simply could not suppress elements of his own, unique writing style. Case closed.
Which, as they say, reminds us of a (true) story. In a Brooklyn federal case, a man once robbed a bank by handing the teller a note that said, “This is a hole up.” Months later, the man was caught. Upon being apprehended, he was required to give handwriting examples by writing the following phrase ten times: “This is a hold up.” What did the hapless robber write? “This is a hole up. This is a hole up. This is a hole up. . . .” We rely on such behavioral “tells” in the data sometimes as much as our top-notch technical forensics.