October 13, 2015
What Social Media Activity Tells a Trained Forensic Examiner
For better or for worse, social media has become a driving force in many aspects of our lives. It helps individuals stay in touch with friends, relatives, former classmates and other acquaintances. It also helps business drive users to websites, advertise and (hopefully) generate revenue. Heck, even this little ole blog gets posted across multiple social media platforms to help generate “buzz” for a startup digital forensic consulting business. But what value does that social media activity have when conducting investigations? What can the social media data tell a trained digital forensic examiner?
This subject is yet another where I’ll emphasize the value of possessing honed investigative skills in addition to being a practicing, competent, trained forensic examiner.
The basis of how to conduct investigations involving social media, web activity or other electronically stored information (ESI) or even simply basic online investigations, comes through training and experience.
Through the Internet Crimes Against Children (ICAC) Task Force
, I was trained how to effectively track down people and gather intelligence online, mostly without their knowledge.
This served me quite well in law enforcement and now serves me well in private investigations. But taking that training a step further into the findings of a digital forensic examination, we can incorporate that training and experience to dig even deeper to find out what the user(s) may be doing online.
As an example, we’ll use the current “flagship” of social media, Facebook. Facebook has revolutionized how people stay in touch and they are constantly evolving the offerings they put forth. What was once an online yearbook for college students has now become a multi-billion dollar mega online conglomerate of services. Over time, users have gained the ability to search for other users, chat with other users, send links, videos, pictures and now even voice messages. And the best part is, most or all of this data is available to us when we get ahold of your computer and/or mobile device. Because Facebook is so ubiquitous across the user spectrum, almost everyone has an account, which means there’s social media evidence almost everywhere.
And the great thing about social media is, it’s tailor-made for us by us. We choose who we want to be “friends” with. We decide who to communicate with and for what purpose(s). We seek out and “follow” or “like” different social causes, businesses, political candidates, entertainers… the number and scope of what we can tell the social media world about ourselves is virtually boundless. Most social media users don’t give much thought to the fact that they are sacrificing personal information security when they follow these things, too.
So when we conduct a digital forensic investigation, we’re looking for clues about all of these things.
If the case involves a subject suspected of infidelity, perhaps they were using Facebook messenger to send messages to their paramour instead of regular text or email.
And even if they were somewhat clever and never became “friends” with the other party on Facebook, the account information for the other user is recoverable and will lead right back to that person almost instantly.
In the case of a law enforcement agent investigating someone suspected of having terrorist ties, perhaps they “liked” or followed anarchist, hate or radical religious groups.
With tools that specialize in extracting and reporting this information like Magnet Forensics Internet Evidence Finder
, the forensic evidence in these cases becomes vital to painting the picture of the truth.
The best thing for us in the digital age is, if there’s any digital evidence of it, we’ll probably find it.
And while Facebook is a good example, the potential for valuable evidence doesn’t end there. Twitter, Tindr, Snap Chat, Linked In… they all provide valuable pieces of information by way of personal and/or professional interests, potential romantic relationships, life events and random online rants (which happen more often than you might think). One final point that should not be overlooked is the responsibility of the investigator and/or examiner to stay abreast of the changes in social media. Like with most things in the digital age, social media is ever-changing. It’s a competitive market and their challenge is to gain new users while still maintaining a certain level of service and user expectation, lest they become MySpace. But the investigators and forensic examiners have to stay up with these changes to be able to consistently deliver quality service. Is it time-consuming? You bet! But it’s also extremely important to successful, accurate investigations.
Regardless of the platform, social media really does intertwine into all of our lives. Because of that, it becomes a virtual mountain of valuable personal information that a digital forensic examiner and investigator can use to help find the truth. Now go search for it!
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.