Guest post: Whodunnit? Sleuthing Skills for the Digital Age

By Jon Chan, FTI Technology

Any fan of detective stories knows that investigations always follow a process. Detectives pick up and track a trail, listen to their instincts and let the evidence lead them to the next clue…until they crack the case. Conversely, in the practice of legal discovery, traditional processes have long relied on finding facts through linear document review or search terms. While these methods are very different from how a detective might normally approach a case, they made sense when lawyers were dealing only with hard copy documents or searching the inboxes of specific, known custodians. Now that the modern data landscape is completely upending the traditional legal discovery paradigm and rendering past workflows ineffective, there’s an opportunity to return to investigations basics.

While the growth in data volumes and varieties has presented hurdles in e-discovery and investigations, in the big picture, it’s also opening new doors. By embracing the rich, vast and diverse field of information that can now be discovered, legal teams can begin to approach their investigations much in the same way that a detective would — by letting the information speak for itself and guide the way toward the truth.

So, how can lawyers act as detectives in their matters? What alternatives are available today that allow teams to follow a digital trail in a dynamic (vs. linear) fashion? As an example, consider a hypothetical whodunnit: leadership at a large, global corporation suspects that a departing executive has stolen sensitive intellectual property and is sharing it with a competitor. The company must quickly find out if the suspicions are valid, and if so, what specific information was stolen, how and whether the employee had any accomplices.

A detective in this scenario would know to focus on the suspect’s activities as they related to specific individuals or small groups, rather than their activities within larger groups. Someone stealing IP is not likely to broadcast these activities, but rather engage in them with probably one or two other select people, most likely outside of their organisation. They may send attachments to personal email or online file sharing services. Digitally, looking for this type of behaviour can be replicated by looking at communications across a variety of channels, including text messages, chat, call logs and virtual meetings, as well as by leveraging data artefacts to determine whether the suspect was using ephemeral or encrypted messaging (which could signal an attempt to hide certain messages).

Data enrichment can uncover additional details that a detective would want to know, such as the typical word count of messages and whether there were any outliers from it (e.g., someone stealing IP may simply send attachments without text in the body of a message). The types of attachments that were typically sent would also be of interest, as would any activity or messages during odd hours. Patterns or divergence from patterns in the data could provide clues for where to look next. Just as a detective may rank different leads, a digital investigator using data enrichment can build algorithms to score the importance of various datapoints and patterns to prioritize review, then use machine learning to automate that process and allow the data to start telling a story of what happened.
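As an added illustration (not code from the author or FTI), the sketch below scores a custodian's outbound messages on the signals named above: attachment-only messages, word-count outliers, odd-hours activity and a small external audience. The field names, weights, thresholds and the `corp.example` domain are all assumptions, and the sample messages are constructed.

```python
from datetime import datetime
from statistics import median

INTERNAL_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain
# Assumed weights; a real review team would tune these per matter.
WEIGHTS = {"attachment_no_text": 3, "length_outlier": 1, "odd_hours": 2, "external_few": 2}

# Constructed sample messages from one custodian (not real data).
MESSAGES = [
    {"id": "m1", "sent": "2024-03-04T10:15", "to": ["team@corp.example"],
     "body": "Agenda for the Monday sync is attached for review", "attachments": ["agenda.docx"]},
    {"id": "m2", "sent": "2024-03-05T14:30", "to": ["a@corp.example", "b@corp.example", "c@corp.example"],
     "body": "Can we move the budget call to Thursday afternoon instead", "attachments": []},
    {"id": "m3", "sent": "2024-03-06T23:40", "to": ["jd.personal@mail.example"],
     "body": "", "attachments": ["design_rev7.zip"]},
    {"id": "m4", "sent": "2024-03-07T09:05", "to": ["vendor@supplier.example"],
     "body": "Signed quote attached as discussed, please confirm the delivery date", "attachments": ["quote.pdf"]},
    {"id": "m5", "sent": "2024-03-08T16:20", "to": ["team@corp.example"],
     "body": "Thanks all, notes from today are on the wiki", "attachments": []},
]

def signals(msg, typical_words):
    """Return the names of the enrichment signals this message triggers."""
    words = len(msg["body"].split())
    hour = datetime.fromisoformat(msg["sent"]).hour
    external = [a for a in msg["to"] if a.rsplit("@", 1)[1].lower() != INTERNAL_DOMAIN]
    hits = []
    if msg["attachments"] and words == 0:
        hits.append("attachment_no_text")   # attachment sent with an empty body
    if typical_words and (words < typical_words / 4 or words > typical_words * 4):
        hits.append("length_outlier")       # far from the custodian's usual length
    if hour < 6 or hour >= 22:
        hits.append("odd_hours")            # assumed window: 22:00 to 06:00
    if external and len(msg["to"]) <= 2:
        hits.append("external_few")         # one or two recipients, outside the org
    return hits

def rank(messages):
    """Score every message and return (score, id, signals), highest first."""
    typical = median(len(m["body"].split()) for m in messages)
    rows = []
    for m in messages:
        hits = signals(m, typical)
        rows.append((sum(WEIGHTS[h] for h in hits), m["id"], hits))
    return sorted(rows, key=lambda r: r[0], reverse=True)

if __name__ == "__main__":
    for score, msg_id, hits in rank(MESSAGES):
        print(f"{msg_id}: score={score} signals={hits}")
```

The ranked output is a review queue, not a finding: a routine vendor email (`m4`) still scores above zero, which is why the signals are kept alongside the score for the reviewer.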

If a detective found evidence that confirmed the suspected IP thief had indeed taken an unusual volume of documents outside of the organisation or had communicated with people outside his usual network, the next step would be to find out what was in those documents or what the sentiment was of those conversations. Using computer vision technology, digital detectives can detect documents, logos, locations, text and other facets within pictures or visual attachments (they can likewise filter out images that they know are not substantive to the matter). This capability is a boon in IP investigations in particular, in which sensitive schematics or other confidential visual content may be embedded within an image file. Similarly, language can be evaluated to identify sentiment, personal information and other facets within the data.

By inferring from these details and enriching their knowledge of a matter, legal teams can extract and use more metadata and insights, which provide critical evidence and/or important breadcrumbs to follow. They can also use technology to recreate the old-fashioned ‘pins and string on a board’ and see the full picture of the facts as they relate to each other. As in any great detective story, the evidence may lead to a surprising twist or completely unexpected finding that spurs a new, separate investigation. This happens often in high-stakes investigations dealing with IP theft, whistleblower allegations, fraud and other violations, and digital sleuthing with data enrichment can provide more actionable, contextual insights much faster than traditional e-discovery workflows.

Today’s data environment will increasingly demand that legal teams embrace new approaches. While these concepts are cutting edge, because the analytics capabilities and the data sources are cutting edge, they also bring back the fundamentals. Ultimately, they enable legal teams to leverage the same practices that have always been central to solving a good, old-fashioned mystery.

Jon Chan is a senior managing director and partner at FTI Consulting. He is a computer forensics and eDiscovery professional and Relativity Certified Administrator. Jon has managed numerous complex reviews both domestically and globally.

