# Case Studies & Practice Exercises
## CASE STUDIES
### Case Study 1: The Conflicting Police Reports
BACKGROUND:
Missing person case with multiple police reports filed over two weeks.
DOCUMENTS:
- Initial report (Day 1)
- Follow-up report (Day 3)
- Supplemental report (Day 7)
- Final summary (Day 14)
DOCUMENT ANALYSIS REVEALED:
INITIAL REPORT (Day 1):
- Subject last seen leaving work at 5:00 PM
- Failed to arrive home (expected 6:00 PM)
- No contact with family or friends
- Vehicle found in work parking lot
- Personal belongings in vehicle
FOLLOW-UP REPORT (Day 3):
- Subject actually left work at 5:30 PM (badge scan)
- Witness saw subject at gas station 5:45 PM
- Credit card used at 6:15 PM (different location)
- Timeline now extends 75 minutes
- Vehicle location unexplained
SUPPLEMENTAL REPORT (Day 7):
- Gas station video confirms subject present 5:50 PM
- Subject appeared alone and normal
- Credit card transaction was fraudulent (not subject)
- Phone last pinged at 6:03 PM
- Phone location different from credit card location
FINAL SUMMARY (Day 14):
- Consolidated timeline created
- Initial report times were estimates, not facts
- Actual last confirmed sighting: gas station 5:50 PM
- Phone went dead 6:03 PM
- 13-minute window identified as critical
LESSONS LEARNED:
INITIAL REPORTS ARE PRELIMINARY:
- Based on limited information
- Contain estimates and assumptions
- Updated as investigation proceeds
- Should not be treated as definitive
IMPORTANCE OF READING ALL REPORTS:
- Timeline evolved significantly
- Critical details emerged later
- Contradictions were resolved
- Full picture only visible across all documents
VERIFICATION IS ESSENTIAL:
- "Last seen 5:00 PM" was wrong
- Badge scan provided actual time
- Video confirmed witness account
- Electronic records more reliable than memory
DOCUMENT EVERY CHANGE:
- Track how information evolves
- Note when and why changes occurred
- Document sources for corrections
- Create audit trail
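
The consolidation described in this case study can be sketched in code. This is an added example, not part of the original handout: it merges the claims from the four reports, keeps the most reliable version of each event, and records every supersession as an audit line. The `Claim` structure, the event labels and the reliability ranking are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed ranking, following "electronic records more reliable than memory".
RELIABILITY = {"estimate": 0, "witness": 1, "electronic": 2}

@dataclass
class Claim:
    day: int               # report day on which the claim appeared
    event: str             # hypothetical event label
    time: str              # "HH:MM", 24-hour clock
    source: str            # key of RELIABILITY
    subject: bool = True   # False once shown not to involve the subject

# Entries transcribed from the four reports in the case study.
CLAIMS = [
    Claim(1, "left work", "17:00", "estimate"),
    Claim(3, "left work", "17:30", "electronic"),         # badge scan
    Claim(3, "at gas station", "17:45", "witness"),
    Claim(3, "credit card used", "18:15", "electronic"),
    Claim(7, "at gas station", "17:50", "electronic"),    # video
    Claim(7, "credit card used", "18:15", "electronic", subject=False),  # fraud
    Claim(7, "phone last pinged", "18:03", "electronic"),
]

def consolidate(claims):
    """Keep the best claim per event and log every supersession."""
    best, audit = {}, []
    for c in sorted(claims, key=lambda c: c.day):
        old = best.get(c.event)
        if old is None:
            best[c.event] = c
        elif (RELIABILITY[c.source], c.day) >= (RELIABILITY[old.source], old.day):
            note = "" if c.subject else " [excluded: not the subject]"
            audit.append(f"Day {c.day}: '{c.event}' {old.time} ({old.source}, "
                         f"Day {old.day}) -> {c.time} ({c.source}){note}")
            best[c.event] = c
    timeline = sorted((c for c in best.values() if c.subject), key=lambda c: c.time)
    return timeline, audit

def minutes_between(start, end):
    fmt = "%H:%M"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return int(delta.total_seconds() // 60)

def critical_window(timeline):
    """Gap between the last confirmed sighting and the last trace of the subject."""
    sighting, last_trace = timeline[-2], timeline[-1]
    return sighting.time, last_trace.time, minutes_between(sighting.time, last_trace.time)

if __name__ == "__main__":
    timeline, audit = consolidate(CLAIMS)
    for c in timeline:
        print(c.time, c.event, f"({c.source}, Day {c.day})")
    print("critical window:", critical_window(timeline))
    print("\n".join(audit))
```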
---
### Case Study 2: The Altered Will
BACKGROUND:
Family dispute over inheritance. Will authenticity questioned.
DOCUMENT EXAMINATION:
VISUAL INSPECTION:
- Will dated 2015, typed document
- Signature appeared genuine
- Two witness signatures present
- Notary seal visible
RED FLAGS DISCOVERED:
INK ANALYSIS:
- Paragraph 3 used different ink color (slight difference)
- Different pen pressure in paragraph 3
- Ink feathering different in that section
FONT EXAMINATION:
- Paragraph 3 font slightly different size
- Letter spacing inconsistent
- Alignment off by 2mm
PAPER EXAMINATION:
- Paragraph 3 paper slightly whiter
- Different paper texture in that section
- Cut marks visible under magnification
CONCLUSION:
Paragraph 3 had been removed and replaced. Original paragraph left
assets to charity. Replacement paragraph left assets to specific relative.
VERIFICATION:
- Attorney's office had copy of original
- Notary had record of original wording
- Original paragraph 3 recovered
- Alteration confirmed as forgery
LESSONS LEARNED:
EXAMINE PHYSICAL DOCUMENT CAREFULLY:
- Don't rely only on digital scans
- Look for physical inconsistencies
- Check paper, ink, fonts
- Use magnification when available
COMPARE TO OTHER VERSIONS:
- Attorney copies
- Notary records
- Previous versions
- Related documents
DOCUMENT ANOMALIES:
- Note everything unusual
- Photograph inconsistencies
- Measure and document precisely
- Get expert analysis when warranted
RED FLAGS WARRANT INVESTIGATION:
- Any inconsistency is worth noting
- Small details can reveal big problems
- Trust your observations
- Recommend expert forensic examination
---
### Case Study 3: The Social Media Timeline
BACKGROUND:
Alibi based on social media posts claiming person was out of town.
CLAIMED TIMELINE:
- Day 1: Posted from Airport "Heading to Miami!"
- Day 2: Posted beach photo "Beautiful day in Florida"
- Day 3: Posted restaurant photo "Best Cuban food ever!"
- Day 4: Posted from airport "Heading home, great trip!"
DOCUMENT ANALYSIS:
METADATA EXAMINATION:
- Day 1 post: No GPS data (posted via web, not phone)
- Day 2 photo: EXIF data showed photo taken 6 months earlier
- Day 3 photo: Reverse image search found restaurant in local city
- Day 4 post: No GPS data
CONTENT ANALYSIS:
- Beach photo: Analyzed weather, shadows, clothing
- Weather in Miami that day: rainy and 60 degrees
- Photo showed sunny and warm conditions
- Matched weather from 6 months earlier
- Restaurant photo: Menu visible in background
- Menu items not offered at Miami location
- Matched local restaurant's menu exactly
CROSS-REFERENCING:
- Credit card records: No charges in Florida
- Phone records: All calls from local cell towers
- Airline records: No tickets purchased
- Hotel records: No reservations
OUTCOME:
All social media posts were fabricated. Photos were old or from
different locations. Person never left local area. Alibi demolished.
LESSONS LEARNED:
SOCIAL MEDIA CAN BE FABRICATED:
- Easy to post old photos
- Can claim to be anywhere
- Timestamps can be misleading
- Always verify with metadata
CHECK METADATA:
- GPS location if available
- Photo creation date
- Device information
- Edit history
REVERSE IMAGE SEARCH:
- Find original source
- Identify actual location
- Discover when actually taken
- Expose recycled photos
CROSS-REFERENCE WITH RECORDS:
- Phone records show real location
- Credit cards show actual spending
- Travel records show real movements
- Social media alone proves nothing
---
### Case Study 4: The Medical Record Discrepancy
BACKGROUND:
Injury claim disputed based on medical record inconsistencies.
DOCUMENTS REVIEWED:
- Emergency room record
- Ambulance report
- Follow-up doctor visits
- Insurance claims
- Pharmacy records
DISCREPANCIES FOUND:
ER RECORD vs AMBULANCE REPORT:
- ER: "Patient arrived ambulatory, walking without assistance"
- Ambulance: "Patient unable to walk, transported via stretcher"
- Contradiction: Major discrepancy in injury severity
INJURY DESCRIPTION INCONSISTENCY:
- ER: "Left knee injury"
- Follow-up Day 3: "Right knee injury"
- Follow-up Day 7: "Both knees injured"
- Progressive injury claim doesn't match initial presentation
TIMELINE ANALYSIS:
- Incident: March 15, 2:00 PM
- ER visit: March 15, 6:00 PM
- Ambulance timestamp: March 15, 5:45 PM
- Problem: How did patient get to ER if ambulance arrived after?
INVESTIGATION REVEALED:
AMBULANCE REPORT ERROR:
- Report was for different patient
- Similar name caused filing error
- ER record was correct patient
- Ambulance report should not have been in file
INJURY PROGRESSION:
- Initial injury was left knee only
- Right knee injured during fall at home (Day 2)
- Both knees became symptomatic
- Medical records actually consistent when reviewed chronologically
LESSONS LEARNED:
VERIFY DOCUMENT BELONGS TO CASE:
- Check patient names carefully
- Verify dates and locations
- Ensure document matches subject
- File errors happen
READ ENTIRE SERIES:
- One document may seem contradictory
- Full series may explain evolution
- Context matters
- Chronological review essential
CONTACT PROVIDERS FOR CLARIFICATION:
- Ask about apparent inconsistencies
- Get corrections to errors
- Obtain missing records
- Verify interpretations
MEDICAL TERMINOLOGY:
- Understand medical terms before interpreting
- "Ambulatory" means "able to walk"
- Consult medical dictionaries
- Ask experts when uncertain
---
## PRACTICE EXERCISES
### Exercise 1: Police Report Analysis
SCENARIO:
You receive a police incident report. Practice systematic analysis.
YOUR TASKS:
1. INITIAL ASSESSMENT (5 minutes):
- What type of incident is reported?
- Who are the key parties involved?
- When and where did it occur?
- What is the officer's basic conclusion?
2. FACT EXTRACTION (20 minutes):
- Create list of all names mentioned
- Extract all dates and times
- Note all locations referenced
- Identify what evidence was collected
- List all witness statements summarized
3. TIMELINE CREATION (15 minutes):
- Build chronological timeline from report
- Note which facts are confirmed vs. reported
- Identify any timeline gaps
- Mark inconsistencies
4. CRITICAL ANALYSIS (20 minutes):
- What questions does this report raise?
- What information is missing?
- Are there any contradictions?
- What follow-up is needed?
- How reliable is this report?
5. DOCUMENTATION (10 minutes):
- Create document summary
- Add to master index
- Note key facts for database
- Identify related documents needed
SKILLS PRACTICED:
- Systematic document review
- Fact extraction
- Timeline construction
- Critical thinking
- Documentation
---
### Exercise 2: Contradiction Detection
SCENARIO:
Three witness statements about the same event. Find contradictions.
WITNESS A STATEMENT:
"I saw John at the party around 9:00 PM. He was talking with Sarah
near the kitchen. He seemed upset about something. He left about
30 minutes later, around 9:30. I didn't see where he went."
WITNESS B STATEMENT:
"John arrived at the party at 8:45 PM. I remember because I checked
my watch. He went straight to talk to Sarah in the living room.
They talked for maybe 15 minutes, then he left. This was before
10:00 PM, probably around 9:15 or 9:20."
WITNESS C STATEMENT:
"I was at the party all evening. John showed up late, maybe 9:30
or 10:00. He and Sarah had an argument in the kitchen. It got
pretty loud. He stormed out maybe 20 minutes later. Sarah was
crying after he left."
YOUR TASKS:
1. CREATE COMPARISON CHART:
- List each claim
- Show what each witness says
- Identify agreements
- Mark contradictions
2. CATEGORIZE CONTRADICTIONS:
- Time conflicts
- Location conflicts
- Behavior description conflicts
- Sequence conflicts
3. ASSESS SIGNIFICANCE:
- Which contradictions matter most?
- Which could be explained by perspective?
- Which are irreconcilable?
- What additional evidence would resolve them?
4. DEVELOP QUESTIONS:
- What would you ask each witness?
- What documents might help?
- What physical evidence would verify?
SKILLS PRACTICED:
- Comparative analysis
- Contradiction identification
- Significance assessment
- Question development
---
### Exercise 3: Financial Record Analysis
SCENARIO:
Review bank statement for missing person case.
BANK STATEMENT SHOWS (March 2019):
DEPOSITS:
- 3/1: Paycheck $2,847.32
- 3/15: Paycheck $2,847.32
WITHDRAWALS:
- 3/2: Rent check $1,200.00
- 3/5: ATM withdrawal $100.00 (Local branch)
- 3/8: Grocery store $87.43
- 3/10: Gas station $45.00
- 3/12: ATM withdrawal $200.00 (Local branch)
- 3/13: Restaurant $63.22
- 3/14: ATM withdrawal $500.00 (Different city, 100 miles away)
- 3/15: No activity
- 3/16: ATM withdrawal $500.00 (Same city as 3/14)
- 3/17-3/31: No activity
ADDITIONAL INFORMATION:
- Subject reported missing on March 18
- Last seen leaving work March 15, 5:00 PM
- Subject lived alone
- Subject's car found at work on March 18
YOUR TASKS:
1. PATTERN ANALYSIS:
- What is normal spending pattern?
- What is unusual?
- What changed and when?
2. TIMELINE CORRELATION:
- How does this match known timeline?
- What does ATM activity suggest?
- What's significant about location change?
3. SCENARIO DEVELOPMENT:
- What theories do these transactions support?
- What theories do they contradict?
- What's the most likely explanation?
4. ADDITIONAL INVESTIGATION:
- What other records would you want?
- What would you verify?
- Who would you interview?
SKILLS PRACTICED:
- Financial record analysis
- Pattern recognition
- Timeline correlation
- Theory development
---
### Exercise 4: Email Authentication
SCENARIO:
Anonymous email claims to have information about case. Determine if legitimate.
EMAIL DETAILS:
- From: concernedcitizen2019@emailprovider.com
- To: investigationteam@example.com
- Date: March 20, 2019, 11:47 PM
- Subject: "Information about the Johnson case"
- Body: Claims to have seen subject on March 16 at specific location
YOUR AUTHENTICATION TASKS:
1. HEADER ANALYSIS:
If you had full headers, what would you check?
- IP address origin
- Server route
- Authentication records
- Time zone consistency
2. CONTENT ANALYSIS:
- Does email contain verifiable facts?
- Does sender demonstrate actual knowledge?
- Are details consistent with known facts?
- Any red flags in language or claims?
3. FOLLOW-UP STRATEGY:
- How would you respond?
- What questions would you ask?
- What verification would you request?
- How would you protect your investigation?
4. RISK ASSESSMENT:
- Could this be a hoax?
- Could this be perpetrator?
- Could this be legitimate witness?
- What precautions should you take?
SKILLS PRACTICED:
- Email authentication
- Critical evaluation
- Risk assessment
- Strategic response planning
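
The header checks listed under task 1 can be automated with Python's standard library. This is an added example, not part of the original handout: the message is constructed, with the addresses, subject and local send time taken from the exercise and every host, IP address (RFC 5737 documentation ranges) and authentication result invented. It assumes the message carries at least one `Received` header.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, not real evidence. From/To/Subject and the local send
# time come from the exercise; hosts, IPs and results are invented.
RAW = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.com with ESMTPS id abc123;
\tThu, 21 Mar 2019 03:47:41 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.net with ESMTPSA id def456;
\tWed, 20 Mar 2019 20:47:12 -0700
Authentication-Results: mx.example.com;
\tspf=pass smtp.mailfrom=relay.example.net;
\tdkim=none; dmarc=fail header.from=emailprovider.com
From: concernedcitizen2019@emailprovider.com
To: investigationteam@example.com
Date: Wed, 20 Mar 2019 23:47:05 -0400
Subject: Information about the Johnson case

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def flat(value):
    return " ".join(value.split())  # undo header folding

def parse_hops(msg):
    """Received hops oldest-first (the header block stores them newest-first)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = flat(value)
        m = HOP_RE.search(value)
        stamp = value.rsplit(";", 1)[-1].strip()
        hops.append({"ip": m.group(2) if m else None,
                     "by": m.group(3) if m else None,
                     "time": parsedate_to_datetime(stamp)})
    return hops

def trusted_auth(msg, trusted_host):
    """Use only the Authentication-Results stamped by our own receiving server;
    copies carrying any other authserv-id may have been supplied by the sender."""
    for value in msg.get_all("Authentication-Results", []):
        value = flat(value)
        if value.split(";", 1)[0].strip() == trusted_host:
            return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    return {}

def analyze(raw):
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    auth = trusted_auth(msg, hops[-1]["by"])
    sent = parsedate_to_datetime(msg["Date"])
    skew = (hops[0]["time"] - sent).total_seconds()
    findings = []
    if auth.get("dmarc") != "pass":
        findings.append("From domain not authenticated (dmarc=%s)" % auth.get("dmarc"))
    for earlier, later in zip(hops, hops[1:]):
        if later["time"] < earlier["time"]:
            findings.append("hop timestamps out of order at %s" % later["by"])
    if abs(skew) > 300:
        findings.append("Date header is %d s from first relay time" % skew)
    return {"route": [(h["ip"], h["by"]) for h in hops],
            "origin_ip": hops[0]["ip"],
            "auth": auth,
            "date_utc_offset_hours": sent.utcoffset().total_seconds() / 3600,
            "date_to_first_hop_seconds": skew,
            "findings": findings}

if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(key, "=", value)
```

The UTC offset in `Date` is set by the sender's client, while each `Received` offset reflects the relay's own clock zone, so compare them as absolute times. With webmail providers the first hop often shows the provider's server rather than the sender's device.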
