Encyphir Risk Management

The Sub Rosa Investigation Process, Step by Step

Craig Biggs, Founder & CEO
April 2, 2026

A sub rosa investigation is not just "go follow the claimant around." Done properly, it follows a disciplined process from referral to report. Cutting corners costs you evidence that should have held up, or worse, creates a file that gets excluded from trial.

Step 1: Intake and Pre-Plan

A sub rosa investigation starts with a referral packet from the carrier or defense counsel. At minimum we need:

  • Subject name, DOB, current address
  • Physical description and recent photo (if available)
  • Vehicles registered or known to be driven
  • Claimed injury / condition and key functional restrictions
  • Employment status and occupation claimed
  • Any known medical, IME, or deposition dates as potential surveillance windows
  • Prior surveillance, if any, and what it produced
  • Social media and public information already reviewed

Without this intake, the investigator can end up sitting outside an address where the subject no longer lives.

Step 2: Pre-Surveillance OSINT

Before any field time, a good investigator runs OSINT on the subject: social media, public records, address confirmation, vehicle confirmation. Two things happen here:

  1. The subject's known patterns become visible (schedule, regular locations, social activity).
  2. The investigator avoids showing up at stale addresses or mis-identifying the subject.

Step 3: Location Assessment

For a residence-based stationary surveillance, the investigator assesses:

  • Sightlines to the residence and driveway
  • Vehicle placement options that are covert but practical
  • Neighborhood characteristics (gated, rural, HOA, apartment complex)
  • Likely times of day the subject leaves the residence

For mobile surveillance (the claimant goes to work, to medical appointments, to the gym, etc.), route analysis and secondary-location awareness are added to the plan.

Step 4: Execute the Surveillance

The standard day of sub rosa surveillance looks like this:

  • Investigator arrives early (often pre-dawn), in position before the subject is awake
  • Covert camera positioned for primary field of view
  • Sustained observation of the residence or target location
  • When the subject emerges, documentation begins (vehicle departures, physical actions at the residence, etc.)
  • If the subject leaves the residence, mobile surveillance begins
  • Locations the subject visits are documented, along with activity at those locations
  • Investigator breaks off when appropriate (subject returns home for the day, or situational factors require it)

A common tactical decision: single vs. multi-investigator. Multi-investigator surveillance allows continuity when:

  • The subject moves through traffic
  • The subject enters and exits locations by different routes
  • The subject operates in an environment that draws attention to a single vehicle (gated community, apartment complex, downtown)

Our surveillance types post covers the configurations.

Step 5: Chain-of-Custody Video Preservation

Every video clip is preserved in original format with the recording device's own time and date stamp. Nothing is re-encoded or edited. Where the file management system applies a secondary timestamp, that is documented separately. The result: video that survives authentication challenges at deposition and trial. See admissible surveillance video for the full treatment.
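
One way to make "nothing is re-encoded or edited" checkable is a hash manifest built when the clips are first copied off the device. This is an added example, not Encyphir's tooling: SHA-256 hashing, the manifest fields and the function names are assumptions of the example, and the two clips are constructed stand-ins.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large video files are never loaded whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(clip_dir):
    """One entry per original clip. Files are only read, never rewritten."""
    manifest = {}
    for path in sorted(p for p in Path(clip_dir).iterdir() if p.is_file()):
        st = path.stat()
        manifest[path.name] = {
            "sha256": sha256_file(path),
            "size_bytes": st.st_size,
            # Secondary (file-system) timestamp, kept apart from the device's own stamp.
            "fs_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        }
    return manifest

def verify_manifest(clip_dir, manifest):
    """Return {clip name: problem} for missing, altered, or unlisted clips."""
    problems = {}
    for name, entry in manifest.items():
        path = Path(clip_dir, name)
        if not path.is_file():
            problems[name] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            problems[name] = "content changed"
    for path in Path(clip_dir).iterdir():
        if path.is_file() and path.name not in manifest:
            problems[path.name] = "not in manifest"
    return problems

def demo():
    """Constructed sample: two stand-in clips, one altered after the manifest."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "clip_001.mp4").write_bytes(b"constructed-bytes-A")
        Path(d, "clip_002.mp4").write_bytes(b"constructed-bytes-B")
        manifest = build_manifest(d)
        Path(d, "clip_002.mp4").write_bytes(b"constructed-bytes-B-reencoded")
        return manifest, verify_manifest(d, manifest)

print(demo()[1])  # {'clip_002.mp4': 'content changed'}
```

Storing the manifest away from the clips it describes keeps a later change to a clip from being hidden by rewriting the manifest in the same place.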

Step 6: Counter-Detection Awareness

The subject may show signs of awareness: deliberate counter-surveillance moves, phone calls while looking at the investigator's vehicle, circling the block, and similar behavior. The investigator notes it, adjusts tactics, and may break off entirely for the day. See counter-surveillance detection.

Step 7: Narrative Report

The report is built from the investigator's real-time activity log. Typical structure:

  • Case identifiers and dates of surveillance
  • Pre-surveillance preparation (addresses checked, OSINT findings)
  • Chronological narrative of each day's observations: times, locations, activities, vehicles
  • Summary of functional observations relevant to the claim
  • Exhibit list (video clips, photos, maps)
  • Investigator's signed declaration

Step 8: Delivery

Final deliverable typically includes:

  • Written narrative report
  • Video clips organized by date and time
  • Exhibit index
  • Invoice

The package is formatted for the carrier's SIU / claim file, or for defense counsel's trial file.

Common Process Failures

The most common failures we see in sub rosa files:

  • Insufficient pre-plan, leading to lost days at stale addresses
  • Unclear chain-of-custody on video clips
  • Narrative reports that summarize rather than chronologically document
  • No awareness of counter-detection attempts
  • Unverified subject identification

Our surveillance and activity check services run this process on every engagement. For a confidential consultation, contact Encyphir.