Over two hundred years ago, Sir Walter Scott warned that deception creates a tangled web. Today, that warning reads less like poetry and more like a precise description of how digital systems actually work.
In a column published in Today’s Managing Partner, iDS CEO & Founder Dan Regard explores one of the most consequential shifts in modern investigations: as the technology stack has grown more complex, the act of concealment has become exponentially harder to pull off — and far easier to detect.
The Technology Stack as Witness
The logic behind most attempts to hide digital misconduct is deceptively simple: delete the file, clear the message, wipe the obvious trace, and move on. In a simpler world — where evidence lived in fewer places — that logic sometimes held. Not anymore.
A single digital act today can leave traces across a person’s device, operating system, application logs, indexes, sync folders, cloud platforms, backup systems, mobile phones, collaboration tools, network infrastructure, and third-party records that the actor may know about but cannot access or alter. Regard introduces the concept of the technology stack — the full set of hardware, software, systems, and services engaged when someone performs a digital act — to explain why even a routine email can touch far more systems than most users ever consider.
The actor who tries to conceal one event is often forced to chase its echoes across systems they don’t fully understand. The obvious artifacts may be erased while surrounding traces remain. A file may be replaced while the index still remembers it. A thumb drive may be removed, but the operating system continues to show it was used.
Concealment as Its Own Evidence
What makes Regard’s argument particularly compelling for legal teams is this: in many cases, the attempt to conceal creates new evidence rather than eliminating old evidence. In one case he describes, an actor replaced a file with an alternative version and took steps to erase the traces of that replacement — but failed to remove all instances where the system had recorded the activity. The result was not just proof that the file had been changed. It was proof that someone had tried to hide it. That distinction, Regard notes, shifts the issue from a technical anomaly to a question of intent.
Four Views That Turn Noise Into Meaning
At the heart of Regard’s investigative approach is a four-panel framework that guides how iDS examines any digital environment:
- What is there that should be there?
- What is there that should not be there?
- What is not there that should not be there?
- What is not there that should be there?
Together, these four views transform technical clutter into evidentiary meaning — allowing investigators to see not only what happened, but what someone hoped would never be seen.
The Asymmetry Advantage
Regard also highlights a dimension that often goes overlooked: not every relevant data source is under the actor’s control. Carrier signal towers, cloud provider IP logs, third-party transaction records — knowing these exist is not the same as being able to alter them. That asymmetry is enormously powerful in litigation. Some of the most valuable records are precisely the ones beyond the reach of the person with the greatest incentive to rewrite the story.