The Hidden Patterns: Why Real-Time Exam Forensics Is No Longer Optional

The Hidden Patterns: Why Real-Time Exam Forensics Is No Longer Optional
Neha Nougai

Neha Nougai

Senior Marketing Consultant

LinkedIn Profile

September 30, 2025

All Posts

You’ve probably had that nagging feeling. Something doesn’t quite add up in your post-exam analysis. Perhaps it’s the candidate who struggled with basic questions but suddenly excelled on complex ones. Maybe it’s the cluster of identical wrong answers that seem too coincidental. You suspect something is happening, but proving it with individual exam reviews feels like searching for a needle in a haystack.

At the 2025 E-ATP conference in Dublin, Adarsh from Excelsoft addressed this exact challenge in his presentation on “Enhancing Online Exam Security with Real-Time Test Forensics." Drawing from experience delivering high-stakes exams globally, he outlined why traditional approaches are failing against increasingly sophisticated threats.

The uncomfortable truth is that traditional approaches to detecting exam malpractice are fighting yesterday’s battle with yesterday’s tools. Whilst we’re meticulously eyeballing individual results, sophisticated cheating networks are operating at scale, harvesting questions, coordinating responses, and exploiting the very human limitations that make us poor fraud detectors.

The Scale of What We’re Missing

Here’s what human examiners excel at: understanding subtlety, analysing context, applying experience, and distinguishing meaningful patterns. But we’re dreadful at sustained attention, maintaining precision across thousands of data points, staying consistent in our judgements, and being fully aware of everything happening simultaneously.

When you’re manually reviewing exam results, you might notice that candidate performed suspiciously well. But can you simultaneously compare their response times against thousands of other candidates, track their answer-change patterns, monitor their performance trajectory, and cross-reference similar behaviour clusters? Of course not, no human can.

This is precisely why organised exam fraud thrives. As Adarsh explained, “The threats have also professionalised. You have item harvesters. Now there’s a new job profile called item harvesters whose only job is to take these exams often just to harvest items, go about dumping them on brain dump websites, or sell them for money." These professionals know that individual exam reviews won’t catch sophisticated patterns, they’re banking on our human limitations.

The Power of Pattern Recognition at Scale

Real-time exam forensics transforms this dynamic by doing what computers do brilliantly: processing massive data streams simultaneously and identifying anomalies that would be invisible to manual review.

Consider response time analytics, the simplest forensic technique. When 95% of candidates answer a question in 10-12 seconds, but one candidate takes 300 seconds and another just 3 seconds, both are outliers worth investigating. The 300-second response suggests external assistance or item harvesting. The 3-second response indicates rapid guessing or pre-knowledge.

But here’s the crucial point: this pattern only emerges when you analyse thousands of responses simultaneously. Looking at one exam in isolation tells you nothing.

Even more revealing are answer-change statistics. Students naturally change responses during exams, it’s normal behaviour. But as Adarsh demonstrated, “What if that happens en masse? Suddenly, 35th minute into the exam, almost 100% of the students change their response to a particular question. That’s a clear sign of collusion or external assistance."

The most sophisticated technique, person-fit statistics, creates a performance ‘persona’ for each candidate in their first ten minutes. As Adarsh explained: “The exam started. The first 10 minutes of the exam, I exhibited the traits of a weak test taker. I got even the simplest questions wrong. Suddenly, after the 11th minute of the exam, suddenly something happened, and I started getting even the most advanced questions correct." This dramatic change could indicate impersonation or unauthorised assistance.

From Car Theft to Exam Theft

Think of the difference between discovering your car was stolen versus stopping a theft in progress. Traditional post-exam forensics is like only knowing your car was taken, you can document the crime, but the damage is done, questions are compromised, and legitimate candidates may have been disadvantaged.

Real-time forensics is like having an intelligent security system that recognises suspicious behaviour as it happens. When multiple detection methods corroborate, response time anomalies, gaze tracking showing a candidate looking away from screen, and performance changes all occurring simultaneously, you have defensible evidence to intervene immediately.

Building Defensible Cases, Not False Accusations

For awarding bodies, the fear of incorrectly challenging candidates is as significant as missing genuine malpractice. This is why effective forensic systems never act on single signals. As Adarsh emphasised: “You should never act on one signal. It should always be a corroboration of signals, multiple signals. One signal may be misleading. It is usually misleading."

Consider this scenario: At minute 11 of an exam, a candidate’s performance dramatically improves (person-fit anomaly), their gaze tracking shows them looking toward the corner of the room (behavioural anomaly), and their response times become unusually fast (response time anomaly). Three independent systems pointing to the same timeframe create a compelling, defensible case.

The technology employs conservative thresholds precisely to avoid false positives. These systems err on the side of caution, requiring multiple confirmatory signals before flagging potential issues. As Adarsh noted, effective real-time forensics requires four key principles for fairness: “Conservative thresholds… you should never act on one signal… accommodation control… continuous calibration… transparency, always humans in the loop. AI never makes any decision."

The Economics of Inaction

Many awarding bodies assume real-time forensics requires significant investment, but costs have dropped dramatically whilst threats have intensified. More importantly, what’s the cost of doing nothing?

Every compromised exam session potentially invalidates results for hundreds of legitimate candidates. Every harvested question reduces your item bank’s security. Every successful fraud attempt emboldens more sophisticated cheating networks. The reputational damage from high-profile malpractice cases can take years to recover from.

Meanwhile, the technology continues advancing. Modern systems can detect multiple faces in camera feeds, monitor system processes running on candidates’ machines, track IP address changes during exams, and even identify keystroke fingerprints unique to each individual.

The Time for Action

You already suspect something is happening. Your post-exam analysis likely shows patterns that make you uncomfortable. The difference between intuition and evidence is systematic analysis at scale.

The best time to start analysing for exam fraud was last year. The second-best time is now. There’s only so long you can ignore the evidence in front of you whilst hoping traditional methods will suffice.

Real-time exam forensics isn’t about replacing human judgement, it’s about giving human experts the data-driven insights they need to make informed decisions quickly and defensibly. As Adarsh concluded: “Security without equity would erode trust, and equity without security would erode value. It’s important to balance both of them."

The question isn’t whether sophisticated exam fraud is happening in your assessments. The question is whether you’ll detect it before it’s too late to act.

Watch the exclusive interview with Adarsh and Rakesh from the 2025 E-ATP conference

To access free Excelsoft resources visit us at https://www.excelsoftcorp.com/resourcehub/

Comments

guest

0 Comments
Inline Feedbacks
View all comments
Scroll to Top