How to Catch a Cheat

Let me guess... You're in a marriage that just doesn't seem like it has been up to par. You think maybe it is because of the stress of work, the kids, or some inexplicable changes in how your spouse is behaving. You've been aware something is wrong but you can't pin it down.... until... that first piece of randomly discovered evidence slaps you awake. Maybe it was a call you answered in the middle of the night, a piece of mail your spouse forgot to hide, a text message you read over their shoulder.. Whatever it was, it hits you like being slapped with a raw fish. Unbelievable, painful, stinky. In a snap, your mind is reeling and you have the emotional equivalent of cosmic gut-punch. What do you do now?

How to Go from Emotionally Devastated to Impartial Investigator

Okay, that's not going to happen. Accept that you will not be impartial but you need to figure out how to avoid obsessing. While you are digging for the truth in your most important personal relationship you need to realize that there are boundaries you need to set for yourself. Here is my list:

Boundaries

1. Don't hurt anyone. It doesn't matter how much they might deserve it, just don't do it.
2. Don't cheat your kids out of time with them because you want to go investigate/brood over your sorry life.
3. Don't be unproductive at work. Still earn your paycheck. Work stress can help displace family stress for 40 hours per week and that is wonderful!
4. Know when to fold 'em. If you're in too deep during your investigation, get out of the pool and come back later. Knowing when to walk away is an essential skill.
5. Have a lifeguard. My lifeguard was an ex-co-worker who lived 3,000 miles away and didn't know any of my friends. When ever things were too dark, too painful.. My lifeguard was there to talk me down from being a danger to myself or others.

Setting Expectations for Yourself

Also, figure out what you need to figure out.

1. There is no *WHY*? - only *WHAT*?. You will never find out why. Nothing you will find will explain the reason for infidelity to your satisfaction. You need to learn to let it go... "What" is defined as documenting facts about actions, dates, people, time. That is what is returned by all your efforts in an investigation.
2. Are you arming yourself for a legal battle? If so, STOP right now and talk to a lawyer. Investigating on your own can compromise you legally. It can remove the validity of what an investigator can bring to divorce hearings. Just imagine how quick the computer records would be thrown out of court when the judge hears you have been tampering with your spouse's computer!
3. Are you going to try to save the marriage? Or at least leave the door open to it? Then get into marriage counseling right now. A good marriage counselor can help you work through confrontations as well as persuade your spouse to be honest.

Computer Investigations

First Step - Baseline

In order to gain insight to your spouses behavior you should gain access to their computers, phones, cameras, and other electronic devices. Your goal at this time is to make a base-line copy of their files to investigate later.

Computers

Try to make a forensic copy of the hard drive. Include copying the free-space of the drive. You will need to store this on a device with at least as much capacity as the target hard drive + 20%. The most accessible software for this comes from OSForensics from Passmark Software, briefly discussed here.

If you are unable to do this process through time or material constraints, copy their important files. These are listed in their user profile on the computer. This includes everything under the path C:\Users\WindowsUserName\ for Win7 and C:\Documents and Settings\WindowsUserName\ for WinXP. Transfer these to a portable hard drive. Be sure to include Hidden and System files when you copy and paste!

These important files include the data in their Skype profile and browser history. I've discussed Skype before, as it is a very juicy subject, here and here. Browser data is juicy too, a more detailed discussion was posted int he subject here.

Save points/Restore points - these would be ideal to access. However, they do not back-up all of the files in the user's profile.

Phones

Access the phone logs on the device and export. Export contacts. Scan the internal memory for media (pictures, video). Remove the media card and use a recovery tool as explained in the 'Cameras and Other Media Devices" topic, below.

Note- It may be possible to access internal phone memory with a data recovery tool. Just link the phone to your own computer and run the recovery software on the device that shows in windows explorer. I believe this accesses both internal and removable memory but I have not tested it.

Cameras and Other Media Devices

Use a media rescue tool to recover data from the cameras, camcorders, GPS systems, and anything else a SD or Micro-SD card could fit into. I wrote about recovering data from devices here.

Second Step - Monitor

Install spyware if you are comfortable doing so. It is an easy process but has moral and legal ramifications. I have an in-depth introduction to spyware here.

You could also continue to take 'baseline snapshots' periodically. This would require you to access the target systems regularly and save a new copy of the important files each time. This is very time consuming.

Smoke them out. Not everyone is behaving badly all the time. You may need to say or do something to get your spouse to act inappropriately. It may just be as simple as going away for the weekend and letting them do what they would normally do. It may also be relating to some bit of info you have already found out... if you know one of your spouses friends cover for them while they are supposedly doing something different, message that friend and ask what they are up to - maybe even let them know you are suspicious. It will get back to your spouse and they may react by reaching out to their other significant others.

Third Step - Research

Wrangle every last piece of information you can out of the data you have. Here's some quick tips:

1. Recover deleted files as discussed here.
2. Look for the Thumbnails index, Thumbs.db Viewer as discussed here is a great tool.
3. Attack Skype as discussed here and here.
4. Raid browser data as discussed here.
5. Deeper delving

Fourth Step - Laying it Out

Now you have some data. You made it into information through research and connecting the dots. I wrote about structuring mass data here.

From here on out you are the investigator! Dig up clues, follow leads, document the facts. It would be a fun game if it were not for the reason you are doing it in the first place.

Here are some other helpful investigating tips..

Non-Computer Investigations

Not everything you can find useful will come from a phone or hard drive. Here are some non-computer tips for investigators:

1. Be the one who gets the mail every day. Look for bills, bank statements, credit card bills, collection notices, etc that suggest you spouse has another spending account.
2. Read all credit card statements and bank statements for ATM withdrawals, pay attention to dates and locations of charges
3. Order your and your spouse's credit reports from the three credit bureaus. This will show items such as credit card accounts, bank accounts, bank overdraft loans and other financial accounts your spouse may be using to pursue their activities.
4. Check the odometer on their vehicle. Note how far they drive to and from work on a daily basis and look for spikes in mileage if they have to 'work late'.

Behavioral Observations

Below are some examples of observing the behavior of your spouse to help develop avenues for further investigation:

1. Do the unexpected!
1. Before going out on an urgent errand, tell your spouse your car has a slowly leaking tire or is making a funny noise. Tell them you can't find your phone so they should let them borrow their phone just in case you need help on the road. Observe how reluctant they are to lend you their phone. 
2. Let your spouse know in advance that you are going on a business trip (or need to visit family). When time comes for your trip, head off but go to a movie. Come back home after a few hours and see if there is any panic from your spouse. You may want to consider an overnight stay when you head out and show up in the middle of the time you were supposed to be absent. 
3. Busting by romance. If your spouse if off on a trip or visiting family, you may want to pay them a surprise visit at their location. Bring your spouse their favorite take-out to their office when they are working late. Bring the kids over to the family your spouse is supposed to be visiting because they missed their mommy/daddy. The intent is to show up where they are supposed to be with all of the best intentions. 
4. If your spouse is at home while you work, head home for lunch sometime. Or stop by and get your healthcare insurance card prior to a doctor's appointment they were not aware of. Just show up unexpectedly at times to see if everything is kosher.
2. Identify suspicious behavior!
1. The bathroom is a sanctuary of privacy in any home. Does your spouse hole-up in there to take a bath frequently? Do they always take their phone or laptop with them? How pissed are they when you knock on the door unexpectedly?
2. If you think something fishy is going on, ask a lot of questions! If your spouse is suspicious about your intentions tell them that you just wanted to talk about their day like you both used to do. If your spouse went to a movie with their friends, ask who was there, how the movie was, what did they think of the movie plot, were there any twists, how did the bad guy get it, etc. then do your homework and see the movie to determine if your questioning got a lot of BS answers. 
3. Shut down your Internet router or modem saying it is due to a technical problem. Let them know you are working on it but it might take a day or two. Observe the level of panic in your spouse. If you suspect the phone is their primary means of communication, try causing an outage there. The intent is to disrupt their normal method of communication and see how bugged out they get. 
4. Observe when your spouse complains or pines about things. If winter weather is their top daily complaint and they always talk about Florida as a nice place to go/live, it may indicate something about their other person that bubbles through into their conversations and complaints about life. Many authors believe that the other person personifies resolution for untended needs your spouse may have in their life and that wayward spouses wrap much more into an affair partner than can be attributed to a normal person. The level of infatuation and escapism a wayward spouse has invested in the other person builds them up to the embodiment of the solution to all their ills. Just beware that your spouse's complaints and yearnings may, in fact, be describing aspects of the other person. And also this a very tentative connection so keep your ears open but don't jump too far to conclusions...
3. Don't trust anyone!
1. People you have been close to may have known about this for a long time and have kept information from you to protect your spouse. In my case, I was very close with my sister-in-law and spoke to her about my feelings of my impending divorce... my absolute depression, my thoughts of suicide, and I even made the comment 'this would be so much easier if my spouse had just cheated'. She said nothing.. I was very dumb to think she would have my best interests at heart if she had been covering for my spouse's infidelity.
2. Some people will care too much for you and take action on your behalf without your knowledge or consent. I never told my overprotective older brother of my spouse's infidelity. If I had, there would have been a family schism, revenge, violence, or worse. The last thing you need right now is someone justifying your anger and pushing bad decisions.
3. Loose lips sink ships. You are in the role of an investigator... gathering facts. The absolute last thing you need to do is confiding with someone who may, intentionally or not, tip off your spouse that you are suspicious. This may lead to the destruction of the very facts you have set out to collect.

I'm hopeful this article has helped you in deciding how (and if) you investigate your suspicions of infidelity. Stay strong and stick to the facts.

---DNS

Easily Recover Files from Phone or Tablets

The quickest and easiest way to check your hunch that your spouse is cheating is to investigate their mobile devices. Full data recovery from a phone or tablet is difficult but there are some methods which you can do yourself at home with little cost or technical expertise.

SD Card Recovery

Many phones use a Mini SD card for expanded memory. Cameras and camcorders also use expanded memory slots. Devices save data to either an internal memory or to the external memory card, sometimes both.

Data recovery from an memory card can be as simple as removing the memory card from the device, putting it in a card reader attached to your computer, and running a file recovery program.

Memory Card Readers

Many computers these days have a built in card reader. If your computer doesn't have a card reader, you can purchase a USB card reader almost anywhere for $5-$20 or so. Here are a few places where you can order online. 

File Recovery Software

The good people at CNet's Download.com have quite a few file recovery tools. However, there are some that aren't free. Limited trials may allow one to view the thumbnails of recovered images but the full licensed product is required for retrieval. The geek-elite at Lifehacker have provided their own guide for the best file recovery software. I highly recommend reading through their article before proceeding in your file recovery efforts.

The following software has been recommended by BSC blog readers:

• UndeleteMyFiles - Free
• Recuva - Free
• MiniTool Power Data Recovery - 1GB recovered free then $65 for a license

Other Uses for File Recovery Software

One benefit of the file recovery software is that it can be run on several types of devices. Make sure to check the memory cards of all of you mobile phones, cameras, camcorders, GPS devices, video game consoles, etc... A second use for the software is that it can be run on hard drives of computers and laptops. The recovery software is a versatile information gathering tool.

Trouble Ahead: Internal Memory

The hard part of data recovery from devices comes from the internal memory of the device. The big culprits here are the Apple iDevices and the Blackberry. Apple prevents the use of external memory in its iPhone and iPad devices by not supporting physical slots for memory expansion. Some Blackberries default to using internal memory. The Blackberry Curve series will only use the external memory slots for message storage, photo storage, contact storage if the user modifies the default settings in the menu. In most cellphones some data is even stored on the SIM card, but Blackberry doesn't even do that.

Big Trouble

Even forensic professionals have a difficult time reaching into internal memory on mobile devices. It's a complex problem with lots of layers.

In the first layer you have firmware. This is the basic operating software on the phone that boots it up. Not only does each manufacturer have their own firmware on the device but each model of device can have a different firmware as well.

The next layer is the operating system. The main contenders in operating system are Apple and Google. Apple is notorious for closed systems and actively prevents the open source community from developing utilities that would have helped our purposes. Google's Android is much more open and has more development community involvement. There may be some applications out there on the net which would help recover data.

The third layer is a twist on the second. Jailbreaking the iOS or Android operating system adds a further wrinkle. The Cydia jailbreak adds a new app store for the iOS system where third-party developers can sell software. As with any operating system modification, apps designed for the original configuration may or may not work on the jailbroken device. Additionally, apps added after the jailbreak may modify how data is stored or can be retrieved.

The icing on the crap-cake is that special equipment and decoding software may be needed. For my outdated early-2000's Blackberry, the kit would have been ridiculously expensive. For those of you with deep pockets, there's a list of links below.

If anyone out there knows about a good tool set for Android, Blackberry and iOS... Please share!

What can you do?

There are cellphone reading kits that police and professional private investigators use to access the internal memory of the device. These kits are ungodly expensive. My recommendation is to seek professional help if you absolutely need to see the internal memory on a device. Contact a private investigator in your area, ask your lawyer for a referral, check out the firm's reputation, see if they outsource the forensic work and check the reputation of the lab. Be prepared to pay - I was charged $750 for one phone.

Also, be prepared to get zippo off the device. That's right... I spent $750 for "no data" because the lab couldn't read internal memory off the phone (not the SIM or expansion memory - the internal data store). The lab had a good reputation and updated equipment. They just were not able to read the internal data. Luckily, they refunded my payment. Contractually they didn't have to refund anything so I do feel very lucky indeed.

Professional Tools:

• CelleBrite UFED
• Logicube CellXTract
• Paraben Device Seizure the only company advertising price, their cheapest kit is $1,750
• Micro Systemation XRY
• Susteen Secure View

Cell Phone Records

Don't forget to log into the online account for mobile phones. I used this access to download a couple of years worth of calls and text message records. The data is simple; date, time, number, duration, placed/received call, sent/received text, and sent/received mms.

You should look for a pattern. For example- your wayward spouse has been calling and texting a suspicious number every day for months and then has a few days with little or no texts or calls. If this aberration occurs at the same time your spouse was away on a business trip, visiting family, working over the weekend, etc. I think you have some very strong evidence for a rendezvous.

Spoofing a Cloud

I have been researching a new approach for forensics. This is based on the distributed memory principle of cloud computing. For example; Apple's iOS for iPad and iPhone is utilizing a 'live backup' to their iCloud service which basically runs a backup of apps, contacts, and data through the internet connection of the device. Somewhere, out in the net, is an encrypted copy of all of the device data. I'm looking into how one could access this information -- so stay tuned.

--- DNS