Wednesday, July 24, 2013

Using Analysis to Curtail False Positives

Some of us ran into false positives while recently travelling. One person on our team was in the airport and set off the body scanner machine. He was sweaty from carrying a backpack through the line, so his scan showed a heat source emanating from his back. This prompted security to examine him to ensure there was nothing hidden under his clothing. Without this analysis, he could have been put through a much lengthier security procedure because of his initial false positive.

Investigators seek to corroborate facts with other supporting facts or artifacts to validate or verify source data. When we talk about our services, many people want to know how we combat false positives. They want assurance the data we provide is legitimate and relevant to our investigations. In order to avoid false positives, we employ a few techniques to examine data.

Big Data vs. Smart Data

First and foremost, we employ data analysis. Currently, there is a large trend towards capturing big data for intelligence and business purposes. Most of our investigations deal with the big data pools originating from social media. During the primary stages of our work, we capture large amounts of data about the subject of interest. However, instead of taking big data at face value, we work in the business of “smart data” by using our data FUSION approach.

Our analysts scale the mountains of data to extract only the relevant pieces of data for analysis. As we discussed last week, this method has helped us in many investigations, especially while vetting employees. When we look at a subject and identify potentially relevant information, we dig deeper to see if something is an isolated incident, part of a larger pattern, or a false positive.

It is also extremely pertinent to vet information during event monitoring. For a training exercise, members of our team conducted real-time monitoring of Game 5 of the NBA Eastern Conference Semifinals. During the course of our monitoring, we uncovered a retweeted post of someone claiming they would kill themselves if the Heat lost.


Normally, this would be a high level threat to an event, so we vetted the post to ensure it was not a false positive. Upon completion of some cursory Internet-based research, we discovered there was no cause for concern. This post was simply a meme of something that was previously posted on Instagram. (Note: This post has since been removed by the original poster.)

Look Beyond the Person of Interest

We often think of data sources as originating from the person of interest. However, not everyone has a substantial Internet-based footprint, potentially because they have implemented privacy settings to hide information. To avoid missing pertinent information, we have to examine individuals other than the subject. In cases such as these, we have to identify content curated by their friends and family.  


During an employee vetting investigation, our subject used privacy settings to restrict access to his content. Previously, this employee had passed his background investigation with flying colors. On his application the employee stated he did not use drugs, and he passed a drug test. However, his friend posted a picture of “purple drank,” including the bottle of codeine cough syrup, and tagged the employee in the tweet. (Above is a screenshot we captured of a similar post.) This tweet indicated the possibility of a false positive during the initial application process and flagged the subject for further investigation into his habits.

Photos are Key

As we just discussed, photos can be key to unlocking an investigation. However, it is not possible to analyze photos using traditional big data means. Organizations often rely on textual analysis to flag content, but the text surrounding photos can be unrepresentative of the photo itself or use terms which are not currently being monitored. This means we have to look at the photos themselves to analyze content. Currently, there are no photo analysis programs which can conduct comprehensive contextual and photographic analysis for investigators. Analysts still have to use their skills to conduct an assessment of photographic evidence to ensure there are no false positives.

Conclusion


It is in everyone’s best interest for investigators to be thorough during investigations and report accurate findings. It is our responsibility to fully vet pertinent information before presenting it to our clients. Whenever a piece of potentially important information cannot be verified without further investigation, we must report it as a possibility instead of a fact. We give our customers more than just raw data; we give them analyzed information pertinent for decision making. Our investigations have real world consequences, and it is our duty to ensure we conduct and report them in an ethical manner.
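The vetting steps described above (first-pass keyword hits, downgrading retweets and recycled memes as in the Game 5 example, pulling in posts that friends tag the subject in, and deciding whether a hit is a false positive, an isolated incident, or part of a pattern before reporting it as a possibility rather than a fact) can be expressed as a small triage pipeline. The code below is an added illustration written for this page; it is not code from the CES PRISM blog or from the PRISM tool. The `Post` structure, the monitored terms, the analyst-maintained `KNOWN_MEMES` list, the 30-day corroboration window and the sample feed are all constructed assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Post:
    """Assumed minimal shape of a captured social-media post (constructed)."""
    pid: str
    author: str
    text: str
    posted_at: datetime
    is_retweet: bool = False
    tagged: tuple = ()          # accounts tagged in the post


def normalize(text):
    """Case- and whitespace-insensitive form used for meme/duplicate matching."""
    return " ".join(text.lower().split())


def posts_in_scope(feed, subject):
    """Look beyond the person of interest: keep the subject's own posts and
    posts by others that tag the subject (friends' and family's content)."""
    return [p for p in feed if p.author == subject or subject in p.tagged]


def keyword_hits(posts, terms):
    """First-pass 'big data' filter: any post containing a monitored term."""
    lowered = [t.lower() for t in terms]
    return [p for p in posts if any(t in p.text.lower() for t in lowered)]


def is_recycled(post, feed, known_memes):
    """True when the text is a known meme or was posted earlier by another
    account, i.e. the hit is copied content rather than the author's own claim."""
    n = normalize(post.text)
    if n in {normalize(m) for m in known_memes}:
        return True
    return any(normalize(q.text) == n and q.author != post.author
               and q.posted_at < post.posted_at for q in feed)


def vet_hit(post, hits, feed, known_memes, window=timedelta(days=30)):
    """Classify one hit: false positive, isolated incident, or pattern.
    A pattern needs at least one other original (non-recycled, non-retweet)
    hit by the same author inside the assumed 30-day window."""
    if post.is_retweet or is_recycled(post, feed, known_memes):
        return "false_positive"
    corroborating = [q for q in hits
                     if q.pid != post.pid and q.author == post.author
                     and not q.is_retweet and not is_recycled(q, feed, known_memes)
                     and abs(q.posted_at - post.posted_at) <= window]
    return "pattern" if corroborating else "isolated"


# Reporting rule from the post: unverified items go out as possibilities, not facts.
REPORT_STATUS = {
    "false_positive": "dismissed",
    "isolated": "possibility - needs further investigation",
    "pattern": "corroborated - present with supporting posts",
}


def triage(feed, terms, known_memes, subject=None):
    """Run the pipeline; returns {pid: (label, report_status)}.
    With a subject, scope is widened to posts tagging that subject first."""
    posts = posts_in_scope(feed, subject) if subject else list(feed)
    hits = keyword_hits(posts, terms)
    return {p.pid: (label, REPORT_STATUS[label])
            for p in hits
            for label in [vet_hit(p, hits, feed, known_memes)]}


# Constructed sample data (not real posts or accounts).
MEME = "If the Heat lose tonight I will kill myself"
KNOWN_MEMES = [MEME]                      # assumption: list maintained by analysts
TERMS = ("kill myself", "purple drank", "codeine")
T = datetime(2013, 5, 15, 20, 0)
FEED = [
    Post("p1", "meme_acct", MEME, T),
    Post("p2", "fan_one", MEME, T + timedelta(hours=1), is_retweet=True),
    Post("p3", "friend_a", "purple drank night with the crew",
         T - timedelta(days=5), tagged=("subject_x",)),
    Post("p4", "subject_x", "great game tonight", T + timedelta(hours=3)),
    Post("p5", "subject_y", "purple drank before the game", T - timedelta(days=2)),
    Post("p6", "subject_y", "mixed more codeine syrup, purple drank again",
         T - timedelta(days=1)),
]

if __name__ == "__main__":
    for pid, result in triage(FEED, TERMS, KNOWN_MEMES).items():
        print("event monitoring", pid, result)
    for pid, result in triage(FEED, TERMS, KNOWN_MEMES, subject="subject_x").items():
        print("vetting subject_x", pid, result)
```

In event-monitoring mode the meme original and its retweet are both dismissed, the tagged friend's post is reported only as a possibility, and the two original posts by the same account within the window are the only ones that reach the "corroborated" status. When vetting `subject_x`, the pipeline finds nothing authored by the subject but still surfaces the post a friend tagged them in, which is exactly the case the employee-vetting story describes.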

About CES PRISM Blog

The CES PRISM blog is the place where CES shares the newest developments in social media sites and tools, data analytics, eDiscovery, investigations, and intelligence. We will also share workflow tips and tricks, case studies, and the developmental progress of our open source social media research and analysis tool, PRISM. Our goal is to open a dialogue with the community which allows all of us to learn together.