Wednesday, July 31, 2013

Tips & Tricks: Three Easy Ways to Maximize Your Training Experience

Over the past few months, the team has been taking advantage of conferences happening around the state. At the center of all of these conferences were knowledgeable experts speaking and providing training. However, upon examining the materials our team brought back, we found the training was not always up-to-date and usually did not cover new, relevant practices or sources of information. Everything changes quickly on the Internet, whether it is changes in privacy law, new best practices, or the popularity of social media platforms. As investigators and researchers, it is important we budget our time and ensure we are spending our funds wisely to keep abreast of these changes.

Here are some quick, easy tips on how to make the most of your training experience.

Vet the Trainer

Beware of self-proclaimed experts. Many individuals actually work in areas tangentially related to the subject of the training. Learning the perspective of the trainer can greatly inform you about what to expect to learn from a training session. In order to ensure the trainer has working knowledge of the subject, research their biographies appearing on websites, news sources, and social media profiles. You can also use information present on conference websites and in related training files (see below) to see if trainers cover material from an angle that matches your needs. Additionally, these sources can give you an idea of when the trainer worked in this field, whether or not they are using up-to-date information and techniques, and if they routinely update materials or simply recycle the same information.

Get Free Materials Using Internet Searches

Many trainers and conferences post documents and videos online which are readily available for use. All you have to do is leverage Internet-based searches to your advantage. Good places to start looking for information are on websites of companies and individuals which provide training, conference websites, and document and video sharing websites. However, the information is not always easy to find. As training materials are most often posted in .pdf, .ppt, and .pptx formats, using a filetype search on Google can often make all of the difference. While free materials are not always the best materials, finding this information before you purchase training sessions can save you time and money by allowing you to explore your options and vet trainers.

Plan and Engage

The true key to getting the most out of your training experience is planning and preparation. Before you schedule your training regimen, you have to set your goals and measurable outcomes. There are many questions you should ask yourself before you register:

  • What skills do you want to work during the training period?
  • How will this training help you enhance these skills?
  • Are there others in your office that could also benefit from this kind of training?
  • What is your expense budget?
  • Do you want in-person or webinar training?
  • What questions might you have for the trainer on this subject?

Once you find the answers to these questions, you will have a better idea of how you and others in your organization can benefit from training. To enhance your experience at the training session, be attentive, take notes, form questions as issues arise, and ask those questions to the trainer during the session.


In business, you cannot afford to waste time or money. We can use the same skills utilized during investigations to vet out the other areas of business we encounter on a routine basis. All business intelligence is built upon a solid foundation of relevant, up-to-date knowledge and clear objectives. Who you select to teach you these skills can make all of the difference to your long-term success.

Wednesday, July 24, 2013

Using Analysis to Curtail False Positives

Some of us ran into false positives while recently travelling. One person on our team was in the airport and set off the body scanner machine. He was sweaty from carrying a backpack through the line, so his scan showed a heat source emanating from his back. This prompted security to examine him to ensure there was nothing hidden under his clothing. Without this analysis, he could have been put through a much lengthier security procedure because of his initial false positive.

Investigators seek to corroborate facts with other supporting facts or artifacts to validate or verify source data. When we talk about our services, many people want to know how we combat false positives. They want assurance the data we provide is legitimate and relevant to our investigations. In order to avoid false positives, we employ a few techniques to examine data.

Big Data vs. Smart Data

First and foremost, we employ data analysis. Currently, there is a large trend towards capturing big data for intelligence and business purposes. Most of our investigations deal with the big data pools originating from social media. During the primary stages of our work, we capture large amounts of data about the subject of interest. However, instead of taking big data at face value, we work in the business of “smart data” by using our data FUSION approach.

Our analysts scale the mountains of data to extract only the relevant pieces of data for analysis. As we discussed last week, this method has helped us in many investigations, especially while vetting employees. When we look at a subject and identify potentially relevant information, we dig deeper to see if something is an isolated incident, part of a larger pattern, or a false positive.

It is also extremely pertinent to vet information during event monitoring. For a training exercise, members of our team conducted real-time monitoring of Game 5 of the NBA Eastern Conference Semifinals. During the course of our monitoring, we uncovered a retweeted post of someone claiming they would kill themselves if the Heat lost.

Normally, this would be a high-level threat to an event, so we vetted the post to ensure it was not a false positive. Upon completion of some cursory Internet-based research, we discovered there was no cause for concern. This post was simply a meme of something that was previously posted on Instagram. (Note: This post has since been removed by the original poster.)

Look Beyond the Person of Interest

We often think of data sources as originating from the person of interest. However, not everyone has a substantial Internet-based footprint, potentially because they have implemented privacy settings to hide information. To avoid missing pertinent information, we have to examine individuals other than the subject. In cases such as these, we have to identify content curated by their friends and family.  

During an employee vetting investigation, our subject used privacy settings to restrict access to his content. Previously, this employee had passed his background investigation with flying colors. On his application the employee stated he did not use drugs, and he passed a drug test. However, his friend posted a picture of “purple drank,” including the bottle of codeine cough syrup, and tagged the employee in the tweet. (Above is a screenshot we captured of a similar post.) This tweet indicated the possibility of a false positive during the initial application process and flagged the subject for further investigation into his habits.

Photos are Key

As we just discussed, photos can be key to unlocking an investigation. However, it is not possible to analyze photos using traditional big data means. Organizations often rely on textual analysis to flag content, but the text surrounding photos can be unrepresentative of the photo itself or use terms which are not currently being monitored. This means we have to look at the photos themselves to analyze content. Currently, there are no photo analysis programs which can conduct comprehensive contextual and photographic analysis for investigators. Analysts still have to use their skills to conduct an assessment of photographic evidence to ensure there are no false positives.


It is in everyone’s best interest for investigators to be thorough during investigations and report accurate findings. It is our responsibility to fully vet pertinent information before presenting it to our clients. Whenever a piece of potentially important information cannot be verified without further investigation, we must report it as a possibility instead of a fact. We give our customers more than just raw data; we give them analyzed information pertinent for decision making. Our investigations have real world consequences, and it is our duty to ensure we conduct and report them in an ethical manner.

Wednesday, July 17, 2013

The Importance of Employee Vetting and Continuous Evaluation

In the past few months, employee vetting has been at the center of the debates regarding two major public relations nightmares.

One is the case of Edward Snowden, the Booz Allen employee who exposed the NSA’s PRISM program. Some have claimed Snowden provided false information on his resume yet somehow still successfully passed his background check. Gaining access to the information available in this position is what both prompted Edward Snowden to apply for the position and allowed him to expose the government’s dealings in dark data. In response, legislators are attempting to overhaul the background check and security clearance process.

The other is the current murder investigation focusing on former New England Patriot Aaron Hernandez. When Hernandez played at the University of Florida, he began displaying a propensity for violence and even took a photo of himself with a Glock. Over the past few years, Hernandez has been connected to many violent encounters which have ultimately been publicized in light of the current investigation. In response to the investigation, the New England Patriots released Hernandez and lost approximately $250,000 on a jersey swap program that allowed fans to swap out their Hernandez jerseys for another player’s. It also spurred EA to remove Hernandez from two upcoming game releases.

In both cases, officials and commentators often cite the failure to properly assess the employee’s background and character prior to employing them as one of the major causes for these incidents. These incidents have brought bad publicity to both organizations which could ultimately prove to be costly and fundamentally damage their reputations. To avoid making this mistake, it is important that organizations embrace a holistic approach to employee vetting that goes beyond standard background check objectives.

Traditional Background Checks Aren’t Enough

Most organizations employ a standardized method of employee vetting. Companies traditionally use premade application forms and prepackaged public records background checks to complete their evaluation of candidates. However, as we have previously covered, public records data can often be inaccurate or out of date. Similarly, these premade application forms may no longer capture the information vital to the needs of an organization. Standardized methods do not provide a comprehensive means of evaluation, especially for visible and sensitive positions which require a deeper dive into the daily lives of individuals.

Recently, our analysts worked two cases which clearly demonstrate this point. We were asked by a client to investigate two individuals who were hired for security-based positions. These positions required individuals to have a clean criminal record, be drug free, and refrain from having connections to potentially harmful influences, such as gangs. Both of these employees indicated refraining from substance abuse in their applications, passed their drug tests, and showed no history of legal troubles in their public records searches. However, their social media footprints revealed a much different story. One individual had a history of posting stashes of drugs and money on his social media accounts as well as discussing his marijuana smoking habits. The other had a brother who was affiliated with a local gang; his brother posted photos of himself both smoking marijuana and standing in a field of marijuana. These social media investigations revealed that both employees posed potential security threats.

Continuous Evaluation is Necessary

Once employees are on the job, organizations cannot afford to go without continuous evaluation. The circumstances in employees’ lives can change. New financial hardships may arise which make them more susceptible to bribery. Individuals can make new connections to individuals and organizations which put them at risk. People can get into legal trouble during the course of employment. No matter what new circumstances may arise, periodic reinvestigations, similar to those done for security clearances, are necessary to ensure compliance with company regulations and policies. These evaluations can help head off any potential incidents before they manifest themselves.

The Value Added

When organizations conduct tailored, thorough employee vetting investigations and continuous evaluation, they can ensure they are doing their due diligence. This can help them control their image by finding obvious sources of data which exist in social media. Social media data can identify red flags during the pre-screening process which can help organizations avoid marring their reputations by curtailing public relations debacles. In a world in which inordinate amounts of information are available to the public, it is important for employers to ensure they access the intelligence vital to mitigating organizational risk.

Wednesday, July 10, 2013

Building Your Tool Chest: Facebook's Graph Search

Building Your Tool Chest is a series devoted to the review and analysis of tools that assist with social media and open source research and analytics. 

For the past few months, a few of us at CES have been beta testing Facebook’s Graph Search feature. On July 8, 2013, Facebook announced the feature will soon be available to all Facebook users who have selected US English as their language. In order to prepare for the new search features, it is important to understand that Graph Search works quite differently than the current Facebook search feature.

Flexible Queries

Graph Search allows users to create flexible, complex queries for information. Instead of the current system in which users have to search for a term and then sort the data, users can now string together the relevant pieces of information to narrow search results. For instance, if you wanted to locate a jewelry store in Saint Augustine, Florida, you would simply type “Jewelry Stores in Saint Augustine, Florida.” The returned results only include jewelry stores which are located in Saint Augustine. The ease of using Graph Search allows us researchers to perform queries at a faster rate because we no longer have to take the extra step to run filters, and we can make more complicated searches than ever before. (See the Facebook Graph Search Cheat Sheet below.) However, not all search terms are easy to work with, and search results can be misleading.

Data Issues

Just because Graph Search says it returned all relevant search results, it does not necessarily mean all relevant results were accessible and/or properly categorized. There are a few major issues with search results in Facebook. First and foremost, users can choose to opt out of search results; this would exclude these users from the results even if they meet the criteria. Second, many users have privacy settings that prevent the system from returning their information in search results. Third, Facebook users do not necessarily complete their profile nor input their data in a uniform way. For instance, one person in our St. Augustine office technically lived in New York, New York, but she identified her location on Facebook as her neighborhood, Harlem, New York, which would exclude her from New York, New York results. Finally, not all data fields or types of information are currently searchable, including posts. If the data you are searching for is embedded in posts, you will miss that information in your search.


Facebook’s Graph Search is a great tool. In the office, many of us used to complain about the difficulty we had searching for information inside of Facebook. Aside from the missing post search feature, the site has become much easier to use for locating information. Although Graph Search has some issues and requires users to learn the language before they can effectively search the system, it is ultimately a step forward for searching inside of Facebook.

In order to help you use Graph Search, we created a quick Graph Search Cheat Sheet.

Wednesday, July 3, 2013

Case Study: Protesting the G8

The 39th Annual G8 Summit was held on June 17-18, 2013 at the Lough Erne Golf Resort in Enniskillen, Northern Ireland. Traditionally, the G8 Summit attracts protests and civil disobedience. As it was in Northern Ireland this year, we expected increased activity leading up to the Summit. In order to test our event monitoring analytics, we decided to monitor social media chatter about the G8 Summit beginning three weeks before the event and lasting through the end of the Summit to detect any acts of civil disobedience that may occur. For the purpose of simplicity, we will focus on a group of events that occurred on June 11, 2013.

Identifying Protest Organizers and Locations

One of the first sources of information we identified was an anti-G8 group calling themselves StopG8. Their website was a rich source of information about protests scheduled for the week leading up to the Summit. StopG8 listed key events and maintained a complete calendar of activities. One of the most important items found on the website was a map of protests aimed at the West End of London on June 11, 2013, complete with a manifesto against financial greed and corruption. This event was commonly referred to as the Carnival Against Capitalism and was tagged as #J11 on social media. The map of these demonstrations became one of the most widespread images leading up to the G8 Summit. Using this information about #J11 and associated activities, we were able to identify individuals who were attending these protests.

Identifying and Monitoring Participants

Once we identified the organizing force behind the protests and the language associated with these events, we were able to construct a network of individuals interacting with one another on social media. Network mapping allowed us to begin tracking participants and monitoring their activities throughout the duration of the protests. Using social media posts from protesters and journalists, we were able to harvest raw data from the ground. A good source of raw footage and commentary throughout #J11 was journalist Jules Mattsson.

The raw source data from Mr. Mattsson provided real-time footage of the activity occurring at #J11. Using this data, we were able to see events as they unfolded and track the movements of participants as they moved throughout London. Our analysts were then equipped with emerging intelligence to analyze the changing landscape of #J11.

Identifying Changing Circumstances

Earlier in our research, we identified information about the Convergence Centre where people could stay during the protests. This location was meant to be a safe house for individuals participating in the events leading up to the G8 Summit. However, it was raided on #J11. 

After the raid, individuals needed to find new locations to stay at for the night. StopG8 provided new contact information for protesters to use to find new lodging accommodations.

Analysis of emerging social media data allowed our analysts to stay current on the rapidly unfolding circumstances surrounding #J11. After vetting information for authenticity, our team was equipped with the information necessary to provide real-time intelligence.


Although there was a mountain of big data to scale regarding activities related to the G8 Summit, it was readily available for analysis. Organizers and protesters routinely harness the power of social media to communicate with one another and expand their networks and sphere of influence. Social media has the power to identify pieces of raw data which identify locations, individuals, networks, and activities important to emerging events. It is up to us as analysts to identify these rich data sources and use them as part of our investigative and intelligence solutions.

About CES PRISM Blog

The CES PRISM blog is the place where CES shares the newest developments in social media sites and tools, data analytics, eDiscovery, investigations, and intelligence. We will also share workflow tips and tricks, case studies, and the developmental progress of our open source social media research and analysis tool, PRISM. Our goal is to open a dialogue with the community which allows all of us to learn together.