Social Media Forensics: Investigative Process For Law Enforcement Agencies

by David Mugisha (Gujarat Forensic Science University)

Introduction

Various social networking sites (SNSs), widely referred to as social media, provide services such as email, blogging, instant messaging and photo sharing for social and commercial interactions. SNSs are facilitating new forms of social interaction, dialogue, exchange and collaboration. They allow millions of users and organisations worldwide to exchange ideas, post updates and comments or participate in activities and events, while sharing their wider interests.
At the same time, such a phenomenon has led to an upsurge in significant criminal activities by perpetrators who are becoming increasingly sophisticated in their attempts to deploy technology to circumvent detection. Law enforcement agencies often face serious challenges in relation to data acquisition. Therefore, this article aims to analyse the significance of SNSs and describes the steps of the digital forensic investigation process that must be taken to acquire social media evidence that is both authentic and forensically sound.

1. Social media

What’s the first thing that pops into your head when you think about “social media”? For us, it’s Facebook. This colossus attracts over 1.3 billion people every day. However, social networking sites like Facebook only represent one of the various types of social media platform. The different types of social media are discussed below.

1.1. Social networking sites

Most of us are familiar with social networking sites like Facebook, Twitter, and LinkedIn. These platforms help us connect with friends, family, and brands. They encourage knowledge-sharing and are all about personal, human-to-human interaction.
A social networking site is a Jill of all trades. Users can share thoughts, curate content, upload photos and videos, form groups based on interests, and participate in lively discussions. They’re built around the user and everything that’s important to them and their social circles.

1.2. Social review sites

What’s one of the first things you do when planning a trip or buying a new product? If you’re anything like us, you’ll head straight to the reviews.
Review sites like Yelp and TripAdvisor display reviews from community members for all sorts of locations and experiences. This eliminates a lot of the guesswork that goes into booking a restaurant or hotel. Not sure it’s the right thing for you? Check out the reviews and you’ll know.

1.3. Image sharing sites

Visual content like images, infographics, and illustrations capture our hearts, eyes and imaginations. Social media platforms like Instagram, Imgur, and Snapchat are designed to amplify the power of image sharing. Users create, curate, and share unique images that spark conversation and speak for themselves.

1.4. Video hosting sites

YouTube revolutionized the way we watch, create, and think about video. It transformed the medium into something accessible. Recent improvements in tech and connectivity helped video go the rest of the way.
Video hosting platforms like YouTube and Vimeo help creators put together content and share it to a platform optimized for streaming. This accessibility makes video a super important medium. 

1.5. Community blogs

Sometimes an image or post isn’t complex enough for the message you’ve got to share, but not everyone on the internet wants to run a blog from a self-hosted website. That’s a lot of work. Shared blogging platforms like Medium and Tumblr give people a space to express their thoughts and help connect them with readers.
These community blog sites provide an audience while allowing plenty of room for customization and self expression.

1.6. Discussion sites

While most of us have seen many a heated discussion happen on Facebook, discussion sites like Reddit and Quora are specifically designed to spark a conversation. Anyone is free to ask a question or make a statement, and this attracts people with shared interests and curiosities. However, unlike Facebook and Instagram, users tend to give out less identifiable information.

1.7. Sharing economy networks

Sites like AirBnB and Rover aren’t just a cool place to find cheap holiday rentals or a pet sitter. Sharing economy networks bring people who’ve got something they want to share together with the people who need it. These communities provide opportunities that wouldn’t exist otherwise by pooling resources on a large scale that wouldn’t be possible without tech.

2. How Social Media Has Changed the Face of Investigations

As society approaches the so-called “social media revolution,” the use of online social media sites has been integrated into everyday affairs. After examining the widespread activity and membership of social sites, it can be concluded that users have merged social media into their daily lives. In effect, social media has become a major part of our functioning society.
Crime is a natural consequence of any functioning society; when communities are formed, parts of that functioning society will have criminal aspects. Since social media communities have become a part of daily life, criminal endeavors have naturally been incorporated into people’s daily lives as well. Social media not only changes how law enforcement investigates criminal activity, but also changes the professional standards of the organization through its official use capabilities. The following are methods that every law enforcement investigator should utilize in the course of an investigation.

3. How Social Media Investigation Is Being Utilized by Law Enforcement

3.1. Identifying Persons of Interest

With the understanding that a great majority of the American population is using social media in some method or another, it is implied that criminals and suspects in question will more than likely have a social media account such as Facebook, Twitter, MySpace or even YouTube and actively maintain such an account. With that assumption, law enforcement can actively monitor such social media accounts, given that the information is made public and there are no legal constraints in viewing or monitoring such social media presence.

 In addition to uncovering posts, Tweets, pictures or other probative evidence, law enforcement investigators can also identify associates affiliated with persons of interest (POIs). From an intelligence perspective, this can prove to be highly effective in monitoring and breaking up organized crime networks like drug trafficking and prostitution that commonly use social media avenues to promote their criminal activity.

3.2. Identifying Location of Criminal Activity

With the slow increase in popularity of global positioning systems (GPS) technology and the availability of such technology on mobile devices such as Android and iPhones, social media has leveraged location-based resources that have been integrated into the site itself. This process, known as geolocation, allows users to tag location-based data in a variety of social media applications.
In addition to identifying the location of criminal activity, investigators can use geolocation data to identify and monitor a particular person of interest’s whereabouts. This may prove effective in solving missing persons cases, finding fugitives from justice, and even locating kidnapped or missing children (IACP, 2011). Geolocation data may also prove useful to detect patterns in criminal behavior.
Police agencies can use such data to possibly catch such criminals in the act by proactively patrolling such areas of interest, or even identifying patterns or hot spots of particular criminals or criminal networks.

3.3. Gathering Photographs or Statements to Corroborate Evidence

Often called “fruits of the crime” by those in the legal and criminal justice system, corroborative evidence can sometimes be the make-or-break evidence that determines the validity of a particular criminal case. In the case of social media, both status updates and photographs can sometimes prove the mind-set of a particular criminal and/or assist in retracing the tracks of a suspect to a particular crime. This can be done in a variety of ways. For example, photographs can place a suspect at a scene at a given point in time. Photographs posted to social media sites can also link suspects to victims or prove the existence of a fact. In addition, postings to social media sites might be corroborated to a particular criminal act.
User-uploaded photographs and videos may also prove to be valuable pieces of evidence in a particular investigation. Criminals commonly use social media sites like Facebook and YouTube to upload incriminating photographs and videos of criminal misdeeds.

3.4. Identifying Criminal Activity

Although this is a broad blanket statement, law enforcement routinely utilizes social media to identify criminal activity that may show up on sites such as Facebook, Twitter and YouTube, and to obtain convictions for it.

3.5. Cybercasing

Another effective use of social media technologies for law enforcement officials is that of cybercasing. Cybercasing is a term that has traditionally been reserved for cybercriminals; it involves using online and location-based data and services to determine when a home is unoccupied with a view to mount real-world attacks (Friedland and Sommer, 2010). As social media sites continue to propagate and archive user-uploaded content on a continuous basis, it is important for law enforcement investigators to realize that a potential wealth of information exists in the casing of such sites. Many prostitutes use social media tools to solicit business and easily communicate with potential customers. It is important for law enforcement to recognize the existence of such activity and routinely cybercase such sites for the presence of criminal activity.

3.6. Identifying a point of interest (POIs)

One of the major tasks of any detective or investigator in a given agency is that of identifying POIs in a given investigation. In the days of old, interconnections and relationships between criminals and criminal enterprises were drafted in a notebook or graphing paper, and sometimes took days if not weeks to find relationships between POIs and their relationships with criminal enterprises. Today’s social media has changed the face of finding these relationships and has made it quite simple. Investigators can easily identify Facebook acquaintances with the click of a button.
In addition, there are various pieces of software, such as Lococitato’s Social Media Mapping software. The Facebook, YouTube, Twitter and MySpace Visualizers allow investigators to construct friend and networks based on Facebook user’s public profiles and can even detect public links to private profiles (Facebook, Twitter, YouTube Visualizer, 2012). This allows a clickable, animated, visual map to be created which shows the relationships between users of these social media web sites. In networks (especially those criminal enterprises and networks that spread multistate and even multinational), understanding the construction of such criminal networks and connections can prove to be an extremely valuable asset, especially when it comes to deconstructing these enterprises and networks. Not only can federal authorities greatly benefit from such analysis but local municipalities can use this resource to deter crime as well. Therefore, much care must be taken to ensure that this evidence and subsequent analysis is performed legally, effectively and quickly.

4. Forensic Investigative Process for Retrieving Social Media Evidence


4.1. Collection and Analysis of Social Media Evidence: How and Where It Is Stored

In order to effectively investigate crimes involving social media, it is imperative that law enforcement understand “how” social media is stored, “where” such information is stored and found and “how” to obtain such information using forensically sound procedures. Social media requires a different mind-set to traditional investigative and current forensic methodologies.
This is in addition to the standard, well-established and understood digital forensic processes in which the physical machine (the computer or device) and associated components can be physically seized and reviewed (Lillard, Garrison, Schiller and Steele, 2010). For all intents and purposes, social media evidence is usually found in one of two places: on the machine or device in residual form and on the network/Internet (stored on the social media site itself).

Each of these locations presents individual and unique challenges to the investigator due to the nature of the data and how it must be interpreted. The following section will attempt to explain the location of such data, how to interpret such data, and the challenges of interpreting data left behind and/or stored by social media.

Social Media Artifacts on the Machine or Device

As explained earlier in this section, artifacts of probative evidentiary value can be left behind by users of social media when accessing such sites on PCs and other devices such as mobile phones and tablets. An artifact is a form of trace data (evidence) that is left behind by a particular social media application on a PC or device when an individual accesses such application.

Traditionally, social media applications are accessed through an Internet browser (such as Internet Explorer, Firefox, Google Chrome or Safari) and each of these Internet browsers “cache” user data. In some cases, this is also referred to as Temporary Internet Files. Generally, browsers “cache” data to help improve how fast data is opened while browsing the Internet. In most cases, each time a web page is opened, it is sent to your browser’s temporary cache on the computer hard drive. If that page is accessed again and has not been modified, the browser will open the page from the previously saved cache instead of downloading the page again. This saves the browser much time insomuch as not having to request the data again and saves the amount of data that needs to be downloaded.

A PC that has been legally seized can contain artifacts of social media in these cache files. In some cases, the cache may be unreadable and require the use of a specialized forensic software tool to access and read it. Software programs such as Magnet Forensics’ “Internet Evidence Finder – IEF” (www.magnetforensics.com) find existing cache and deleted data from Internet-related communications left behind in the browser cache on a computer hard drive, and then decode this cached information into a readable form for the investigator to use.

4.2. Metadata and Social Media: The Hidden Evidence that Lies Beneath

In addition to cached data by the Internet browser on a seized PC, social media postings may contain metadata, which is simply defined as “data about data.” Metadata is merely embedded information that provides additional information about a particular file, web page, video or image (Bargmeyer and Gillman, 1998). In many cases, this metadata is hidden from the user and is mainly used for underlying processing functions.

In the case of Twitter, what normally is only shown as 140 characters to the creator and readers of Twitter posts actually contains a plethora of underlying metadata such as a tweet’s unique ID, tweet creation date, the screenname and user ID of the tweet author, and even the timezone and the author’s URL (Krickorian, 2012). All of these artifacts can play a huge role to investigators not only in establishing the ID of the author of a particular Twitter “tweet,” but also in providing information for search warrant applications to the particular social media service providers.

In addition, Facebook can cache particular metadata pertaining to a particular user or friend’s profile. Each Facebook user, upon creation of a Facebook account, is assigned a unique profile ID number, which is normally hidden from the user or only displayed in the address bar. In addition, artifacts such as Facebook chats can retain metadata such as message sent time, message ID (which is assigned to each unique Facebook message) and who it was sent from.
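
The following is an added example, not code from the original article or from Twitter. It extracts the tweet metadata fields listed above from a record in the Twitter API v1.1 JSON layout, hashes the record as acquired, and goes one step beyond the text by comparing the stated creation date with the timestamp encoded in the tweet ID. It assumes a Snowflake-format ID (issued since November 2010); the sample records, account values and function names are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

TWITTER_EPOCH_MS = 1288834974657            # Snowflake epoch (4 Nov 2010 UTC)
CREATED_AT_FMT = "%a %b %d %H:%M:%S %z %Y"  # v1.1 "created_at" layout
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def snowflake_time(tweet_id: int) -> datetime:
    """Creation time carried in the upper bits of a Snowflake tweet ID."""
    ms = (tweet_id >> 22) + TWITTER_EPOCH_MS
    return UNIX_EPOCH + timedelta(milliseconds=ms)


def examine_tweet(raw: bytes, tolerance_s: float = 1.0) -> dict:
    """Extract the metadata named in the text and test it for consistency."""
    tweet = json.loads(raw)
    user = tweet.get("user", {})
    stated = datetime.strptime(tweet["created_at"], CREATED_AT_FMT)
    derived = snowflake_time(int(tweet["id_str"]))  # id_str: no float rounding
    drift = abs((derived - stated).total_seconds())
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # record exactly as acquired
        "tweet_id": tweet["id_str"],
        "created_at_utc": stated.astimezone(timezone.utc).isoformat(),
        "id_derived_utc": derived.isoformat(timespec="milliseconds"),
        "screen_name": user.get("screen_name"),
        "user_id": user.get("id_str"),
        "time_zone": user.get("time_zone"),
        "author_url": user.get("url"),
        "timestamps_consistent": drift <= tolerance_s,
    }


def constructed_record(created: datetime, claimed: datetime) -> bytes:
    """Build a CONSTRUCTED sample record (not real data) for the demo."""
    ms = int(created.timestamp() * 1000)
    return json.dumps({
        "id_str": str((ms - TWITTER_EPOCH_MS) << 22),
        "created_at": claimed.strftime(CREATED_AT_FMT),
        "text": "constructed sample text",
        "user": {"id_str": "1234567890", "screen_name": "example_user",
                 "time_zone": "Eastern Time (US & Canada)",
                 "url": "https://example.com/"},
    }).encode("utf-8")


T0 = datetime(2019, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
GENUINE = constructed_record(T0, T0)                      # date matches the ID
ALTERED = constructed_record(T0, T0 + timedelta(days=1))  # date edited afterwards

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("altered", ALTERED)):
        print(label, json.dumps(examine_tweet(raw), indent=2))
```

A mismatch between the two timestamps does not prove tampering by itself; it marks the record as one to compare against data obtained from the provider through legal process.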

4.3. Social Media Artifacts in the “Cloud”

Cloud computing is use of computing resources that are delivered as a service over a network (typically the Internet) (Lillard et al., 2010). Cloud computing entrusts remote services with a user’s data, software and computation, and stores such resources on remote servers that are often owned by the service provider.

Social media, for all intents and purposes, is a form of cloud computing; many users use sites like Facebook to archive and store photographs, events, and timelines (Yu, 2012). In order to maintain this interface, sites like Facebook must database this information on their own servers, and make it readily available to users to access (Helenek, Brunty, Fenger & Vance, 2012). It is important for law enforcement investigators to understand that such cloud data is maintained and can be accessed through the proper legal channels.

Most social media sites have a dedicated legal team and also maintain guidelines for law enforcement upon asking for information regarding particular users and data related to a particular account. Facebook law enforcement guidelines can be found at http://www.facebook.com/safety/groups/law/guidelines/ while Twitter guidelines can be found at http://support.twitter.com/articles/41949-guidelines-for-law-enforcement#.
These sites provide investigators general and specific guidelines and what should be included in legal requests such as preservation orders, court orders, subpoenas and search warrants.
A proper understanding of what to request from social media providers and the proper legal and technical verbiage and information that is to be provided is extremely valuable to law enforcement agents tasked with social media investigations; in many cases this understanding will not only maximize the evidence that is received back from social media service providers but also “weed out” any irrelevant evidence that might be the result of an improper request.

4.4. Knowing the Legal Tools of the Trade: The Essential Step to Social Media Investigation

When collecting social media evidence, law enforcement officials must be aware of the legal tools that exist and aid in the acquisition of social media evidence. Tools such as preservation orders, court orders, subpoenas and search warrants often provide within legally prescribed means the data that might be of relevance to a particular investigation. 

Although there is much debate and concern over what data law enforcement can legally seize through such documents, social media service providers such as Facebook and Twitter have provided legal assistance and law enforcement liaisons to assist in asking for accurate and legal requests to be processed quickly and efficiently. Although there are hundreds of social media providers out there, there are resources that are publicly available to law enforcement investigators in order to obtain contact information for such providers. SEARCH, The National Consortium for Justice Information and Statistics (www.search.org), has compiled and actively maintains a list of Internet Service Providers (ISPs) and the legal contact information for these providers.

This information can be found at http://search.org/programs/hightech/isp/ and is invaluable in quickly contacting a particular social media ISP to issue subpoenas, court orders and search warrants.
In addition, social media evidence can be the primary evidence that will allow judges to issue court-ordered documents such as search warrants. In order to justify a particular search warrant, law enforcement investigators must establish probable cause. Since social media can sometimes be publicly available, this evidence, such as videos or even Facebook pages themselves, can legally be used as the probable cause for a search warrant application.
As privacy controls and the laws regarding the legal seizure of such data become more stringent, so do the requirements of what can be obtained by a social media driven search warrant (Brian Mund, 2017). It is also important for investigators to possess some level of know-how in effectively drafting legal documents that will be accepted by social media service providers such as YouTube, Facebook and Twitter. All too often, the legal counsel of these service providers will reject requests by law enforcement and other authorities because the legal verbiage is incorrect or it does not contain the desired text. This creates an issue with the investigation as the evidence contained on these sites is extremely volatile and subject to change at any time. Therefore, it is important for investigators to become well-versed in the effective drafting of such documents (Judge Donna Stroud, 2015).

References

· Forensic Investigation of any FaceBook Profile, by Abdul Salam
· Forensic Investigation of Social Media and Instant Messaging Services in Firefox OS, 2016, by Mohd Najwadi Yusoff, Ali Dehghantanha, Ramlan Mahmod
· Contemporary Digital Forensic Investigations of Cloud and Mobile Applications, 2017, by Ali Dehghantanha
· Facebook forensics
· An introduction to social media
· Social Media: A Heaven For Cyber Criminals
· Social Media as a Vector for Cyber Crime, April 7, 2015, by Sarah Ackerman, Kyle Schutte
· Magnet Forensics Releases Internet Evidence Finder v6.4, https://www.magnetforensics.com/news/magnet-forensics-releases-internet-evidence-finder-v6-4/
· Introduction to Social Media Investigation, by Jennifer Golbeck



