Third Eye Forensic detects employee fraud in POS systems, financial records, procurement logs, and operational data. We don't use off-the-shelf software — we build custom forensic tooling against your actual data, analyze it entirely offline, and deliver evidence packages that hold up under legal scrutiny.
Every engagement starts with your actual data — whatever format, whatever system. We build the tooling to read it, the detection logic to analyze it, and the evidence package to act on it.
You suspect fraud. We take your transactional data — POS journals, accounting exports, procurement records, payroll logs — build custom parsing and analysis tools, and deliver a documented evidence package identifying who, how, how much, and how long.
Recurring analysis of your transaction data against behavioral baselines. Catches emerging patterns before they become six-figure losses — and acts as a visible deterrent when employees know their data is being watched.
For law firms and accounting firms handling fraud cases. We provide expert data analysis, methodology documentation written for non-technical audiences, and findings structured for evidentiary standards — on whatever dataset the case involves.
The schemes that cost the most are designed to look like normal operations. They don't trip alarms — but they can't hide from statistical analysis across thousands of records. These patterns apply wherever structured transactional data exists.
Transactions processed but never recorded. Detected through payment method ratios, timing gaps, and revenue patterns that deviate from statistical baselines across sustained periods. Common in POS environments.
Legitimate-looking reversals that follow suspicious patterns. Elevated void-to-order ratios, refunds without corresponding complaints, or write-offs concentrated on specific employees or accounts.
One person operating under multiple credentials, unauthorized use of supervisor logins, or shared accounts masking individual responsibility. Detected through login sequence and terminal-level behavioral analysis.
Gaps, overlaps, and irregular sequences in transactional timelines. Held-open tickets, backdated entries, off-hours processing, or activity patterns inconsistent with normal operations.
Duplicate invoices, vendor kickbacks, fictitious suppliers, inflated expense claims, or round-number patterns in purchasing data. Baseline deviation analysis surfaces anomalies that spot checks miss.
Correlated behavior across multiple identities — synchronized timing, coordinated login switches, split transactions, or complementary patterns suggesting organized rather than opportunistic fraud.
We work with the data your systems already generate — whatever format they store it in. No new hardware. No software installation on your network. No cloud accounts.
We assess your data sources, systems, and the nature of the concern. You'll know what we need, what we'll look for, and what the engagement will cost before any data changes hands.
You provide copies of your data — electronic journals, database exports, transaction logs, accounting records. Everything stays offline: on your hardware, or on ours under a signed data processing agreement.
We build forensic tooling tailored to your data format — parsing at the binary or record level, reconstructing every relevant event, and running detection algorithms tuned to the specific patterns the engagement demands. Nothing off-the-shelf.
You receive a forensic report, supporting data workbooks, methodology documentation for legal review, and file integrity verification. All local data is then permanently destroyed with signed documentation.
Our flagship engagement. A Quebec restaurant owner suspected cash was going missing. Cameras showed nothing. The POS reports looked normal. We built custom tools to read the raw transaction files — and the data told a different story.
A single employee was processing cash sales without recording them in the POS system. To cover the gap, they held tickets open on the terminal for extended periods — sometimes 45 minutes on a register that normally cycled every 4 — then closed them with a card payment. They also operated under at least five borrowed co-worker logins to distribute activity and avoid pattern detection by shift managers.
We parsed two years of raw POS electronic journal files — over 8,000 daily transaction logs — and built a complete picture of every order, payment, void, and login event. Four statistical signals converged on the same employee: a cash acceptance rate roughly half the store average, thousands of abnormal timing gaps followed by card payments, 866 documented login switches between the suspect and co-worker accounts on the same terminal, and elevated void activity concentrated on their shifts.
The evidence package identified over 7,400 flagged events across the analysis period, with a conservative floor estimate of $119,000 CAD in suppressed cash. The owner received a complete forensic report, transaction-level evidence workbooks, and methodology documentation structured for legal proceedings.
Every engagement produces a structured evidence package tailored to the scope of the investigation. Deliverables are designed to support three audiences: the business owner making operational decisions, legal counsel evaluating a case, and law enforcement building a file.
Specific contents vary by engagement, but every package includes documentation of methodology, verification of source data integrity, and plain-language explanations of all findings.
Primary findings — identified suspects, scheme description, timeline of activity, quantified losses, and recommended next steps.
Transaction-level data behind every finding — flagged events, behavioral logs, statistical comparisons — sortable, filterable, and independently verifiable.
Plain-English explanation of every analytical method used. Written for legal review, not technicians. Supports reproducibility and cross-examination.
Cryptographic hashes of every source file analyzed. Proves the data was not altered during the investigation and establishes chain of custody.
Signed documentation confirming all derived data — databases, working files, intermediate outputs — has been permanently deleted at engagement close.
We built our entire technical architecture around one principle: your transaction data should never exist on a system you don't control, except under strict contractual terms with guaranteed destruction.
All analysis runs on a local machine — yours or ours, under a signed data processing agreement. No cloud storage, no SaaS platforms, no third-party databases. Your POS files are parsed and analyzed by tools that run entirely offline.
We use AI to help design and build our custom analysis tools and to interpret aggregated statistical outputs. The AI never sees your raw data. It works with summaries — "this employee's cash rate is 19% vs. store average 38%" — never individual transactions, customer records, or payment details. Your data is processed entirely by purpose-built offline tools.
At engagement close, all derived data is permanently deleted: databases, working files, intermediate outputs. You receive a signed destruction certificate. The cryptographic hashes in your evidence package let you independently verify that source data was not modified during analysis.
This isn't a policy bolted onto a cloud platform. The system was designed from the ground up so that data exposure is structurally impossible — not just contractually prohibited. There is no server to breach because there is no server.
No. AI helps us write analysis code and interpret summary-level statistics. Your raw transaction data is processed entirely by offline tools on a local machine. The AI never sees individual orders, amounts, payment details, or customer information.
Any structured transactional data — POS electronic journals, accounting system exports, procurement and purchasing records, payroll logs, expense reports, inventory systems. If it has timestamps, amounts, and identities, our methodology applies. We build custom tooling for each engagement, so format isn't a barrier.
Traditional audits sample records. We analyze all of them. A suppressed transaction doesn't appear in any report or sample — but the timing gap, the login anomaly, and the statistical deviation it creates are all detectable when you process every record in the dataset. We also look for patterns that only emerge across months or years of activity.
Our evidence packages are structured for legal proceedings: cryptographic hashes prove data integrity, methodology documentation explains findings in plain language, and every conclusion is reproducible from source files. We recommend engaging your attorney early in the process.
Typically 1–2 weeks from data receipt to evidence package delivery, depending on the volume of data and scope of the engagement. A preliminary assessment can often flag major concerns within 48 hours.
That's a good outcome. A clean report gives you documented assurance that transaction patterns are consistent with expectations. Many clients use this as an annual check — a deterrent as much as a detection tool. Employees who know the data is being analyzed behave differently.
Yes. We provide litigation support — data analysis, expert methodology documentation, and findings structured for evidentiary standards. We work under your direction and deliver materials suitable for court filings, mediations, or settlement negotiations.
Contractually: our data processing agreement specifies destruction timelines and procedures. Architecturally: there's no cloud server where data could persist. Practically: you receive a signed destruction certificate. And the hash manifest in your evidence package lets you verify nothing was altered or retained.
Confidential consultation. No data required for the initial conversation.
Contact Us